Direct Financial Cost of Intrusions

Thanks to the blog reader who directed me to the Washington Times story Contractor returns money to Pentagon:

Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractor's system was hacked from an Internet address in China...

Apptis agreed to the repayment after the Defense Criminal Investigative Service concluded the company and a subcontractor failed to provide "proper network security and information assurance services," according to the report, released in June.

The subcontractor's system under Apptis management was intruded upon "with total access to the root network" from an Internet address in China, the report said.

Wow. Can anyone think of another case where a company was "fined" by a customer for an intrusion? Usually we only hear of PCI issues.


Jay said…
This is a good thing as way too many SMBs are created just to be awarded a large Government contract and in turn provide sub-par security services, therefore leaving the agency open to intrusion. I'm sure this is a start of something new that will weed out security companies whose only intention is to make large amounts of profit instead of protecting the very agencies they've been paid to do so. Thoughts?
e0n said…
I agree, there needs to be more accountability in the security field. Far too many companies come in and do a sub-standard job, hire unqualified people as their SMEs and get compromised. They collect their money and state "well, intrusions happen". It is a very fine line, however, because intrusions eventually "do happen" regardless of the countermeasures put in place. I also feel that the "commercial" software companies should also be held accountable...ahem...Micro$oft.
Jay said…
Holding software corporations liable is a steep mountain to climb as they provide software, in this case MSFT, to make society more productive. It's the h4x0rs who are exploiting poorly written code. Also, secure coding needs to be implemented at all levels, not just by coders who are currently in school seeking entry-level positions. It's a vicious cycle that will take quite some time to break....unfortunately.
Anonymous said…
Was the system intruded upon "Certified and Accredited"? If so, when and by whom? I'm willing to bet that it was Certified and Accredited in some form or fashion to operate lawfully. Why isn't the responsible agency DAA (Designated Accrediting Authority) being fired or subject to court martial?

This event further illustrates the uselessness and futility of performing "Certification and Accreditation" (C&A) in accordance with the Defense Information Assurance Certification and Accreditation Process (DIACAP). DIACAP, like its predecessor DITSCAP, is a form of larceny. Departments and agencies are being robbed blind by flimflam C&A scams. C&A does absolutely NOTHING to protect or safeguard systems or networks. In fact, the false impression given by so-called C&A experts that can barely spell IP is what led to the current crisis in which we are immersed.

If federal departments and agencies were simply forced to employ industry best practices such as Configuration/Asset Management during the acquisition process, the money wasted on C&A could be better spent detecting and defeating the advanced persistent threat using Network Security Monitoring (NSM). We need to stop wasting money on C&A and provide funds and resources to recruit, hire, and retain technically proficient and competent security professionals.