Contributing Writer, [GAS]
When it comes to incident response, there is a right way and a wrong way to handle what appears to be a targeted attack against your public infrastructure. The right way is to follow your response plan. The wrong way is to pull the Ethernet jack from your firewall, stand on a chair and scream while shaking the hems of your apron and skirt.
Pennsylvania did the latter in response to four intrusion attempts against their webservers: www.dli.state.pa.us, www.pde.state.pa.us, www.milvet.state.pa.us and www.palottery.state.pa.us.
From the AP here:
Hackers infiltrated Pennsylvania’s government Web site on Friday, forcing administrators to shut down nearly the entire site for several hours.
Hackers broke into the pages of the departments of Labor and Industry, Education, and Military and Veterans Affairs, as well as the Pennsylvania Lottery, said Mia DeVane, a spokeswoman for the Office of Administration.
Investigators tracked the source of the attack to a domain registered in China, she said.
By late afternoon, nearly all of the state’s site had been put back online.
“It was more that we needed to take down those sites to make sure a virus couldn’t spread,” she said.
It is not unusual for the state’s computer system to be the target of hackers, but having problems at four separate branches of state government prompted the decision to take down nearly the entire system, she said.
From the open source information I have been able to gather about the attack, it was likely a SQL injection attempt to force the servers to host malware, and since the biggest player in that game right now is the Storm Worm crowd, odds are in their favor. Chances are that the bad guys were exploiting targets of opportunity, not targeting Pennsylvania citizenry.
The FBI seems to be on the case investigating this according to this link here.
And something else you do not do in the face of a cyber-compromise is brag about how good your security staff and systems are. From the Post-Gazette here:
Pennsylvania’s Internet security is well regarded, she said, and the state recently won an award from the National Association of State Chief Information Officers for its approach to information security and privacy.
The state also spent part of Friday informing other states about the threat so they could protect their systems.
“We have an excellent security program and that’s how we were able to get an early detection of a hacker getting in the back door,” said Ms. DeVane.
Why would such a “well regarded” State Information Assurance division get pwn3d by so-called “backdoors” in the system? Is it too late to revoke that CIO award?
And now the bad guys know how easy it is to take an entire state off the Internet grid: just launch a SQL exploit at four separate servers and watch the state DoS itself in a panic.