Direct Financial Cost of Intrusions

Thanks to the blog reader who directed me to the Washington Times story Contractor returns money to Pentagon:

Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractors system was hacked from an Internet address in China...

Apptis agreed to the repayment after the Defense Criminal Investigative Service concluded the company and a subcontractor failed to provide "proper network security and information assurance services," according to the report, released in June.

The subcontractors system under Apptis management was intruded upon "with total access to the root network" from an Internet address in China, the report said.

Wow. Can anyone think of another case where a company was "fined" by a customer for an intrusion? Usually we only hear of PCI issues.

Comments

Jay said…
This is a good thing as way too many SMB's are created just to be awarded a large Government contract and in turn provide sub par security services therefore leaving the agency open to intrusion. I'm sure this is a start of something new that will weed out security companies who's only intention is to make large amounts of profit instead of protecting the very agencies they've been paid to do so. Thoughts?
10:52 AM
e0n said…
I agree, there needs to be more accountability in the security field. Far too many companies come in and do a sub-standard job, hire unqualified people as there SME's and get compromised. They collect their money and state "well intrusions happen". It is a very fine line however, because intrusions eventually "do happen" regardless of the countermeasures put in place. I also feel that the "commercial" software companies should also be held accountable...ahem...Micro$oft.
11:09 AM
Jay said…
Holding software corporations liable is a steep mountain to climb as they provide software, in this case MSFT, to make society more productive. It's the h4x0rs who are exploiting poorly written code. Also secure coding needs to be implemented at all levels not just coders who are currently in school seeking entry level positions. It's a vicious cycle that will take quite some time to break....unfortunately.
11:19 AM
Anonymous said…
Was the system intruded upon “Certified and Accredited”? If so when and by whom? I’m willing to bet that it was Certified and Accredited in some form or fashion to operate lawfully. Why isn’t the responsible agency DAA (Designated Accrediting Authority) being fired or subject to court martial?

This event further illustrates the uselessness and futility of performing “Certification and Accreditation” (C&A ) in accordance with Defense Information Assurance Certification and Accreditation Process (DIACAP). DIACAP like its predecessor DITSCAP is a form of larceny. Departments and agencies are being robbed blind by flimflam C&A scams. C&A does absolutely NOTHING to protect or safeguard systems or networks. In fact the false impression given by so called C&A experts that can barely spell IP is what lead to the current crisis in which we are immersed.

If federal departments and agencies were simply forced to employ Industry best practices such as Configuration/Asset Management during the acquisition process, the money wasted on C&A could be better spent detecting and defeating advance persistent threat using Network Security Monitoring (NSM). We need stop wasting money on C&A and provide funds and resources to recruit, hire, and retain technically proficient and competent security professionals.
3:43 PM
Anonymous said…
This comment has been removed by a blog administrator.
6:28 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more