Commissioned Internal Review Finds @StateDept’s Consular Consolidated Database With Security Gaps

Posted: 3:52 am ET

According to the Privacy Impact Assessment (PIA) of December 2009, the Consular Consolidated Database (CCD) contained over 100 million visa cases and 75 million photographs, spanning billions of rows of data, and was growing at approximately 35 thousand visa cases every day. The 2010 Consular Consolidated Database (CCD) Privacy Impact Assessment (PIA) describes (pdf) the CCD as “one of the largest Oracle based data warehouses in the world that holds current and archived data from the Consular Affairs (CA) domestic and post databases around the world.” The 2011 OIG report says that in 2010, the CCD contained over 137 million American and foreign case records and over 130 million photographs and was growing at approximately 40,000 visa and passport cases every day.

#


State/OIG Issues Report on @StateDept IT Incident Response and Reporting Deficiencies

Posted: 2:03 am EDT

An independent accounting firm hired by State/OIG determined that the State Department’s IT incident response and reporting (IR&R) program was not operating effectively. Specifically, of the 25 cyber security incidents evaluated, Williams, Adley found that five were miscategorized, six were not remediated in a timely manner, one was not identified in a timely manner, one was missing incident information, four were not reported to the U.S. Computer Emergency Readiness Team (US-CERT) in a timely manner, and two were not reported to US-CERT as required.

The deficiencies in the IR&R program occurred primarily because of inadequate communication between the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS) and inadequate management oversight that would ensure that personnel within the Department’s incident response team fully complied with prescribed categorization guidelines, reporting requirements, and remediation timelines.

Without an effective IR&R program, the Department may be unable to properly identify weaknesses, restore IT operations in a timely manner, and identify and respond to cyber security incidents, which could potentially lead to interruptions of critical operations and hinder the Department’s ability to achieve its core mission.
[…]
Williams, Adley determined that the Department’s IR&R program was not operating effectively for the months of September and October 2014. Specifically, Williams, Adley reviewed the Department’s handling of 25 cyber security incidents out of 303 incidents (CAT 1 to CAT 6) reported during the scope period to determine whether the Department complied with its information security policies and procedures.

(Screenshot from the audit report not reproduced.)

According to the audit, remediation of one denial of service attack took over 200 hours, remediation of four malicious code attacks took between 174 hours and 312 hours, and remediation of one probe attack took over 175 hours.

Here’s the proposed solution according to the audit:

DS officials stated that a proposed solution was currently being developed that would improve the responsiveness of and communications between DS and IRM. Specifically, the Department would create a Joint Concept of Operations, via a Memorandum of Understanding, that would enhance the current capabilities of the DS Foreign Affairs Cybersecurity Center. Although the Memorandum of Understanding was in the initial drafting phase as of the date of this report, it is a proposed solution that, when fully implemented, will allow the Department to approve a Joint Security Operations Center concept that will potentially consolidate core IRM and DS cyber security functions and thus strengthen the responsiveness of and communications between IRM and DS. This effort will serve as the first step in improving communications between IRM and DS.

The State Department’s response to the OIG requested that the two recommendations be closed due to agency actions, but it also expressed concerns over the OIG’s use of this press article from nextgov cited in the audit:

(Screenshot of the Department’s response not reproduced.)

WaPo reported on the email system being taken down over hacking concerns here, and we did a blogpost on the incident here (see State Department’s Computer Systems Hacked, 5th Known Agency Breach This Year?).

#

State/OIG Reminds @StateDept of IT Contingency Planning Deficiencies

Posted: 12:59 am EDT

Last week, State/OIG issued a Management Assistance Report (MAR-PDF) reminding the State Department of continued deficiencies identified in information technology contingency planning at its overseas posts:

OIG identified IT contingency planning deficiencies in 69 percent (20 out of 29) of overseas inspections performed during FYs 2014 and 2015. The issues identified ranged from information management staff at posts not developing, updating, or testing IT contingency plans to plans that lacked appropriate key stakeholders and contact information as part of emergency preparedness, contrary to requirements set forth in 5 Foreign Affairs Manual (FAM) 1064, 12 FAM 623.7, 12 FAM 632.3, and National Institute of Standards and Technology Special Publication 800-34. This report recommends that the Department take action to ensure that information management personnel are held accountable for IT contingency planning by making this responsibility explicit in their work requirements.

Recommendations from 2011 OIG Memorandum Report Unimplemented

OIG inspection teams continue to report IT contingency planning findings in overseas inspection reports, despite a December 2011 OIG memorandum to the Bureau of Information Resource Management with two recommendations addressing the topic. The memorandum identified IT contingency planning issues involving bureaus’ and posts’ lack of attention to developing and testing IT contingency plans as part of their emergency preparedness activities. The Bureau of Information Resource Management stated in compliance responses that it was planning to implement a tracking mechanism and develop a SharePoint site to capture risk scoring compliance for posts and bureaus. However, after 4 years the bureau still lacks a tracking mechanism and a SharePoint site as mentioned in their compliance responses. The September 2015 compliance response noted that the bureau is researching other alternatives to comply with OIG recommendations.

So State/OIG is trying again with this MAR, and with a nudge on the work requirements of information management staff:

A review of Foreign Service employee evaluation reports for information management officers or the most senior information management personnel at embassies and consulates revealed that only 12 percent (32 out of 272) had a stated work requirement to develop and test IT contingency plans. According to 5 FAM 825 and 5 FAM 826, responsibility for the development and testing of IT contingency plans lies with the information management staff overseas.

Recommendation 1: The Bureau of Information Resource Management, in coordination with the regional bureaus, should include the requirement to complete and test information technology contingency plans in the work requirements for information management personnel. (Action: IRM, in coordination with AF, EAP, EUR, NEA, SCA, and WHA).

#

Another Federal Data Breach: Hacker Dumps FBI and DHS Employee Information Online

Posted: 2:56 am EDT

Via motherboard.vice.com:

The data was obtained, the hacker told Motherboard, by first compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place. (On Monday, the hacker used the DoJ email account to contact this reporter).  From there, he tried logging into a DoJ web portal, but when that didn’t work, he phoned up the relevant department.

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”

If that’s true, then it took just one employee and elementary social engineering to start the ball rolling in this newest data breach.

#

USG Creates New National Background Investigations Bureau (NBIB) After OPM Data Breach

Posted: 12:16 am EDT

Last week, OPM announced a series of changes to modernize and strengthen the way it conducts background investigations for Federal employees and contractors and protects sensitive data. The new bureau will be housed at OPM but will have DOD IT security and operation. It also absorbs OPM’s Federal Investigative Services (FIS). It is described as a new government-wide service provider. It is not clear how this will affect agencies like the State Department, which conducted their own separate background investigations in the past.

Below is an excerpt from the OPM announcement:

These changes include the establishment of the National Background Investigations Bureau (NBIB), which will absorb the U.S. Office of Personnel Management’s (OPM) existing Federal Investigative Services (FIS), and be headquartered in Washington, D.C. This new government-wide service provider for background investigations will be housed within the OPM. Its mission will be to provide effective, efficient, and secure background investigations for the Federal Government. Unlike the previous structure, the Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB.

Today’s announcement comes after an interagency 90-Day Suitability and Security review commenced last year in light of increasing cybersecurity threats, including the compromise of information housed at OPM, to re-examine reforms to the Federal background investigations process, assess additional enhancements to further secure information networks and systems, and determine improvements that could be made to the way the Government conducts background investigations for suitability, security and credentialing.

This review was conducted by the interagency Performance Accountability Council (PAC), which is chaired by the Office of Management and Budget (OMB) and comprised of the Director of National Intelligence (DNI), the Director of the U.S. Office of Personnel Management, in their respective roles as Security and Suitability Executive Agents of the PAC, and the Departments of Defense (DOD), the Treasury, Homeland Security, State, Justice, Energy, the Federal Bureau of Investigation, and others. It also included consultation with outside experts.

We are proud of the collaborative effort of the interagency team that helped identify these critical reforms. And we are committed to protecting the security of not only our systems and data, but also the Personally Identifiable Information of the people we entrust with protecting our national security.

We also want to thank the men and women of OPM’s Federal Investigative Services for the work they do every day to provide quality background investigations to agencies across Government.

The Administration will establish a transition team that will develop a plan to stand up NBIB and migrate the existing functions of the current Federal Investigative Service to the NBIB, and to make sure that agencies continue to get the investigative services they need during the transition.

For more information about today’s announcement please go to https://www.whitehouse.gov/blog/2016/01/22/way-forward-federal-background-investigations.

#

State Dept Authorization Bill Mandates Security Breach Reporting, NSA Consultations –Can PenTest Be Far Behind?

Posted: 12:27 am EDT
Updated: 11:23 am PDT

Update: A source on the Hill alerted us that the State Authorization bill was offered as an amendment when the NDAA was debated in the Senate last month, but it was not voted on, and the NDAA passed on June 18 (that would be H.R. 1735, which passed 215 (71-25)). We understand that both chambers are now starting the process to bring the bill to conference in order to resolve differences. The State Authorization bill, we are told, will not be part of those discussions. In order for this to move forward, it will either need to be brought to the floor as a stand-alone vote, or Corker/Cardin could try again to attach it to another piece of legislation. Given that this is the first authorization bill passed by the SFRC in 5 years, and that it made it through the committee with bipartisan support, we suspect that the senators will not just easily forget about this. — DS

On June 9, 2015, U.S. Senators Bob Corker (R-Tenn.) and Ben Cardin (D-Md.), the chairman and ranking member of the Senate Foreign Relations Committee, applauded the unanimous committee passage of the Fiscal Year 2016 Department of State Operations Authorization and Embassy Security Act. The SFRC statement says that it has been five years since the Senate Foreign Relations Committee passed a State Department Authorization bill and 13 years since one was enacted into law.  This State Department Authorization bill has been offered as an amendment to the National Defense Authorization Act, which currently is on the Senate floor. It is quite lengthy so we’re doing this in installments.

Below is the section on information technology system security that mandates security breach reporting, as well as making State Dept systems and networks available to the Director of the National Security Agency (NSA) and any other such departments or agencies to carry out necessary tests and procedures.

The State Department’s Consular Consolidated Database (CCD) as of 2011 contained over 137 million American and foreign case records and over 130 million photographs and was growing at approximately 40,000 visa and passport cases every day. If the CCD is compromised, it would be a jackpot for hackers next to which the OPM hack would pale in comparison.

If this bill passes, will the penetration test by NSA on one of the world’s largest data warehouses finally happen?

Via govtrack:

Section 206. Information technology system security

(a) In general

The Secretary shall regularly consult with the Director of the National Security Agency and any other departments or agencies the Secretary determines to be appropriate regarding the security of United States Government and nongovernment information technology systems and networks owned, operated, managed, or utilized by the Department, including any such systems or networks facilitating the use of sensitive or classified information.

(b) Consultation

In performing the consultations required under subsection (a), the Secretary shall make all such systems and networks available to the Director of the National Security Agency and any other such departments or agencies to carry out such tests and procedures as are necessary to ensure adequate policies and protections are in place to prevent penetrations or compromises of such systems and networks, including by malicious intrusions by any unauthorized individual or state actor or other entity.

(c) Security breach reporting

Not later than 180 days after the date of the enactment of this Act, and every 180 days thereafter, the Secretary, in consultation with the Director of the National Security Agency and any other departments or agencies the Secretary determines to be appropriate, shall submit a report to the appropriate congressional committees that describes in detail—

(1) all known or suspected penetrations or compromises of the systems or networks described in subsection (a) facilitating the use of classified information; and

(2) all known or suspected significant penetrations or compromises of any other such systems and networks that occurred since the submission of the prior report.

(d) Content

Each report submitted under subsection (c) shall include—

(1) a description of the relevant information technology system or network penetrated or compromised;

(2) an assessment of the date and time such penetration or compromise occurred;

(3) an assessment of the duration for which such system or network was penetrated or compromised, including whether such penetration or compromise is ongoing;

(4) an assessment of the amount and sensitivity of information accessed and available to have been accessed by such penetration or compromise, including any such information contained on systems and networks owned, operated, managed, or utilized by any other department or agency of the United States Government;

(5) an assessment of whether such system or network was penetrated by a malicious intrusion, including an assessment of—

(A) the known or suspected perpetrators, including state actors; and

(B) the methods used to conduct such penetration or compromise; and

(6) a description of the actions the Department has taken, or plans to take, to prevent future, similar penetrations or compromises of such systems and networks.

#

Related Post:
S.1635: DOS Operations Authorization and Embassy Security Act, Fiscal Year 2016 – Security Clearance

OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info

Posted: 3:39 am EDT

On June 4, WaPo reported that hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, and that the agency will notify about 4 million current and former federal employees that their personal data may have been compromised.

We should note that OPM’s Federal Investigative Services (OPM-FIS) oversees approximately 90% of all background investigations.

Reuters reported on June 6 that most of the State Department employees had not been exposed to the breach because their data was not housed on the hacked OPM systems. Apparently, only those who had previously been employed by another federal agency may have been exposed, it said. Did you get the notice on the data breach?

It appears, however, that OPM has a requirement that all candidates being offered positions of employment at U.S. government agencies or departments, including at the State Department, are to complete their Questionnaires for National Security Positions (SF-86) on-line via the electronic Questionnaires for Investigations Processing (e-QIP). We don’t know what happens to those completed questionnaires after they are submitted to OPM; are they transferred to the State Department and deleted from OPM servers?

OPM released the following statement:

The U.S. Office of Personnel Management (OPM) has identified a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information (PII).

Within the last year, the OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.  As a result, in April 2015, OPM detected a cyber-intrusion affecting its information technology (IT) systems and data. The intrusion predated the adoption of the tougher security controls.

OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to determine the full impact to Federal personnel. OPM continues to improve security for the sensitive information it manages and evaluates its IT security protocols on a continuous basis to protect sensitive data to the greatest extent possible. Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network.

As a result of the incident, OPM will send notifications to approximately 4 million individuals whose PII may have been compromised. Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary. In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals through CSID®, a company that specializes in these services. This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services at no cost to enrollees.

“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” said OPM Director Katherine Archuleta. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”

OPM has issued the following guidance to affected individuals:

• Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

• Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.

• Review resources provided on the FTC identity theft website, www.identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.

• You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

How to avoid being a victim:

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

• Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).

• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).

• Take advantage of any anti-phishing features offered by your email client and web browser.

• Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Potentially affected individuals can obtain additional information about the steps they can take to avoid identity theft from the following agencies. The FTC also encourages those who discover that their information has been misused to file a complaint with them.


#

State/IRM blocked this blog’s evil shadow diplopundit.com, and it’s a good thing!

Posted: 7:24 pm EDT
Updated: 4:06 pm EDT

Last week we blogged about some reported issues with accessing this blog from the State Department. There were reports of this blog displaying as a blank page, and another of this blog being categorized as “suspicious.”

Two things to remember — first, if you’re connecting to this blog from a State Department network and you get a blank screen, check if you’re using Internet Explorer 8. If you are, you need to switch to Chrome if you want to read this blog.

Second, if you get the “suspicious” prompt or a block that prevents you from connecting to Diplopundit, make sure you are connecting to the correct URL – the one that sounds rhymy — diplopundit.NET, and not/not its evil shadow diplopundit.COM.

Here is the back story. We thought it was a question of the left hand not knowing what the right hand is doing; it wasn’t that. Nothing to do with the tigers either. So our apologies for thinking that. The firewall did bite, but not for any wicked reason. It was merely a coincidence of two unrelated issues that occurred around the same time.

After we’ve blogged about issues with access from State, Ann from State/IRM’s Information Assurance office reached out to us to help see what’s going on.

“Suspicious” Category

So folks who attempted to access Diplopundit but typed .COM instead of .NET were blocked by state.gov, and will continue to be blocked access. And that’s a good thing.


IRM/IA’s Ann did some sleuthing and discovered that somebody is domain camping on diplopundit.com, a domain registered out of Australia under protected status, so it’s not clear who owns it. Apparently, it is a very common attack to buy up domain names that are similar to a popular one, with different endings, common typos, etc, and then camp malware on them. She notes that “It’s especially awesome to do this to sites that have a high likelihood for targeted visitors, like, oh, maybe Department of State and other governments.” Running the domain through some site reputation lookups came back “suspicious.”

www.brightcloud.com threat intelligence: Suspicious

http://www.isithacked.com/check/www.diplopundit.com : Suspicious returns

IRM/IA tried to access diplopundit.com and the site is redirecting to another site that tells users their computers are infected and to click on “ok” to begin the repair process. DEFINITELY malicious.  IRM/IA’s IT ninja concludes that not only did the State Department’s security systems work as needed, someone is using the reputation of Diplopundit to try to infect users who type the wrong URL.

Ugh!  So watch what you type.  She’s not sure if this is targeted or just criminal botnet activity but whatever it is, stay away from diplopundit.COM.  Also, make sure you’re not sending any email to diplopundit.COM, as that email would end up with whoever owns that shadowy domain.
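As an added, defensive illustration of the typosquatting pattern IRM/IA describes above (this is not the State Department’s filter and not code from the original post): a small lookalike check that a web proxy or mail gateway could run before letting a request through. The trusted-domain list, the one-keystroke threshold and the proxy log lines are all constructed assumptions.

```python
"""Lookalike-domain check for an outbound web filter (constructed example).

Given a list of domains the organization trusts, decide whether a requested
host is the real thing, a look-alike (same name with a different ending, or a
one-keystroke typo of the name), or simply unrelated.
"""

# Assumed allow-list of domains users are expected to reach (assumption).
TRUSTED_DOMAINS = ["diplopundit.net", "state.gov"]


def registrable_parts(host: str) -> tuple[str, str]:
    """Return (name, tld) from a hostname, ignoring subdomains such as 'www'.

    Simplification: the last two labels are treated as name and TLD, so
    multi-part suffixes like 'co.uk' are not handled specially.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or
    transpose two adjacent characters, each costing 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, matched_trusted_domain).

    verdicts: 'trusted'        exact match of name and TLD
              'lookalike-tld'  same name, different ending (.com vs .net)
              'lookalike-typo' same ending, name within max_distance keystrokes
              'unknown'        no resemblance to any trusted domain
    """
    name, tld = registrable_parts(host)
    for domain in trusted:
        t_name, t_tld = registrable_parts(domain)
        if name == t_name and tld == t_tld:
            return "trusted", domain
    for domain in trusted:
        t_name, t_tld = registrable_parts(domain)
        if name == t_name and tld != t_tld:
            return "lookalike-tld", domain
        if tld == t_tld and 0 < edit_distance(name, t_name) <= max_distance:
            return "lookalike-typo", domain
    return "unknown", None


def flag_lookalikes(log_lines):
    """Scan proxy log lines of the form '<time> <user> <host> <status>' and
    return [(host, verdict, trusted_domain)] for hosts that should be blocked."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        verdict, matched = classify(fields[2])
        if verdict.startswith("lookalike"):
            findings.append((fields[2], verdict, matched))
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "10:01:12 user1 www.diplopundit.net 200",
    "10:01:40 user2 diplopundit.com 302",
    "10:02:05 user3 dipolpundit.net 200",
    "10:02:30 user1 example.org 200",
]

if __name__ == "__main__":
    for host, verdict, matched in flag_lookalikes(SAMPLE_LOG):
        print(f"{host}: {verdict} (resembles {matched})")
```

The same check applied to the recipient domain of outbound mail would catch the misaddressed-email case mentioned above, since a one-letter slip in the ending lands in the same lookalike bucket.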

The Blank Screens

Internet Explorer (IE) is the browser compatible with the Department of State’s IT system. A couple of years ago, Chrome became an optional browser. IE8 and other old browsers are less stable and much more vulnerable to viruses and other security issues. IE8 also doesn’t support a lot of things, including the HTML5 and CSS code used in WordPress. In fact, we’re told that WP’s support for this browser version was dropped a while back. Microsoft has also announced that it will end support for it. So it’s not about what script is in this blog; it’s about the IE8 browser not playing nice with blogs. This blog displays properly on Safari, Firefox, Chrome, and on Internet Explorer 9. Our tech folks suggested that IE8 users upgrade to IE9 if at all possible.

Our readers from State can’t just do that on their own, so we asked IRM. The word is that the State Department will probably skip IE9 due to resource constraints on testing each incremental version. The good news is, it will move everyone directly to Internet Explorer 11 in December. That may sound a long way off but we’re told that the move forces everyone from 32-bit to 64-bit servers, which is not an insignificant jump for all the developers (including those for Consular Affairs and the financial services). So there is that to look forward to at the end of the year.

Our most sincere thanks to State/IRM especially to IA’s Ann who pursued this issue to the end and also WP’s Grace and her team for helping us understand what’s going on. Merci.

#

State Dept Awards $2.8M “High Availability and Disaster Recovery Services” IT Contract to VMware

Posted: 12:53 am EDT

On March 31, 2015, the State Department awarded a $2.8 million “High Availability and Disaster Recovery Services” contract to VMware.  The contract awarded on behalf of the Bureau of Information Resource Management, Operations, Systems Integration Office, Enterprise Server Operations Center or IRM/OPS/SIO/ESOC is for 12 months, and appears to be a modification of a prior task order.  The J&A document posted online justifying “other than full competition” indicates “only one source capable” in handwritten notation. “Persistent security concerns,” “changing strategic landscape” and  “heightened vulnerability” all appear in the limited source justification for the award.  VMware is located in Palo Alto, CA and Reston, VA.


#