Last night, it was reported that the State Department has suffered a data breach. According to reports, some employees had their personal information exposed by a breach of an unclassified email system. Other reports pointed to a report published earlier this year by the Government Accountability Office, the administration's watchdog, which found that the State Department had rolled out some form of two-factor authentication to only 11 percent of the agency devices that require it, despite a legal requirement to protect all higher-privilege accounts this way.
Please see below for commentary from cybersecurity experts.
“In the past, the State Department has turned down help from other agencies to help them identify problems and improve. There are a lot of reasons for this, such as they don’t want national security agencies snooping through their networks, can’t afford any downtime, etc. However, considering the immense target that the Department represents, it is not a very compelling case. One of the other challenges they face is the government procurement process. It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do. Fundamentally, this is likely a hack that led to a breach and not some type of insider issue. It’s no more or no less, and how it is handled, the context of it as an incident, the PII exposed, the response and the future readiness by the State Department and other agencies is what matters.”
Gary McGraw, Vice President of Security Technology at Synopsys:
“Sadly, many important departments in the US government continue to lag when it comes to computer security. If the State Department has trouble rolling out two factor authentication to protect the majority of its users (something that many corporations have had in place for years), how can we expect other aspects of its operations to be secure? This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector.”
“Governments and online companies that provide services online must secure all the links in their security chain. Bad actors look for the weakest point to access information, so companies have to be extra diligent in keeping their security up to date on all placements. Additionally, companies that identify users online need to devalue the data that bad actors steal and use to misrepresent legitimate users, like they do in account takeover attacks. By creating a new authentication framework that identifies customers by their online behavior instead of relying on credentials, personally identifiable information such as names and passwords becomes valueless to cybercriminals. New authentication technologies which incorporate passive biometrics and behavioral analytics can identify consumers by thousands of online authenticators. This way, if credentials or devices are stolen, entities can still recognize the person behind the device or block transactions altogether when fraud is detected.”
ISBuzz Team, Information Security Buzz