15 February 2016
I really appreciate the comprehensive approach of the Cybersecurity National Action Plan (CNAP), because the news of the cyber-attack on the Department of Homeland Security made one thing crystal clear:
It is not enough to upgrade the U.S. government's IT security infrastructure. Security procedures must also be reviewed and adjusted where necessary, and employees must be trained in applying them correctly.
Moreover, employees must be empowered to say "No, I'm sorry, this is not allowed!" whenever a caller cannot be unambiguously identified.
9 February 2016
I was really shocked when I read the LIFARS post ‘Hacker Allegedly Dumps Data of 9,000 DHS Employees’ at 5:30 this morning.
It is remarkable how easily the attacker gained access to the DHS network:
“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told the outlet. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”
This makes it apparent that the help desk staff had not been adequately trained in the procedure for verifying a caller's identity. In addition, handing a token code to an unverified caller is a massive violation of security procedures: a token is a second factor only because it is tied to one person, so a shared token reduces the login to nothing more than the caller's claim of who they are.
Take care! And train the help desk staff…