Core Issues In The US Air Force Key Logger Incident
powers-old-account 270000NC1K Visits (2516)
Wired Magazine has been working an exclusive story over the past few days about a key logger virus affecting the network the US Air Force uses to control its drone program. Citing a “source familiar with the network infection,” it’s unknown whether the virus is benign or specifically target to those Air Force systems. The same source reported that the Air Force’s “Host-Based Security System” was the component that originally detected the virus and that the key logger was found both on classified and unclassified systems raising at least the theoretical possibility that the virus expropriated activity on classified systems to the attackers on the public network.
I haven’t seen any further description of the “host-based security system,” in terms of whether it’s a standard off the shelf ant-virus system or something more sophisticated. But I’d say it’s an example of ISO 27001’s “Monitoring System Use” control (control 10.10.2). That one seemed to do its job. What I always ask myself with these stories is, “what controls failed or were missing?”
It’s an important question because inevitably, people try to use a high profile incident like this to advocate change they want to make regardless of whether the incident is at all related to the proposed change. So it’s important to know whether the proposals are going to actually address the failed/missing controls that led to the incident. The key logger incident at the US Air Force drone program is no exception. In a more recent article “Get Hacked, Don’t Tell: Drone Base Didn’t Report Virus”, Wired reported:
That’s almost a bigger story than key logger virus itself. It implies that either there was no incident response plan or it wasn’t followed. This is so key to IT security it warrants an entire section of the ISO 27001 security control standard. Section 13, “Information Security Incident Response Management,” documents 5 controls related to ability to communicate security incidents to the right people to allow for timely and appropriate response. If the reports that the key logger still had not been removed from the systems 2 weeks after discovered, I’d say there was definitely a failure in this area.
It’s unclear how serious the key logger incident is. Until someone seriously investigates the incident we won’t know if this key logger is evidence of a well coordinated attack on the integrity of the drone program or simply a common key logger virus that infects many computers on the internet. But the failure to report the incident up the management chain so it can be investigated is huge. Wired’s sources are, again, unnamed “source involved with Air Force network operations” so it’s not even clear that the source would have been in the loop for the incident response procedures. But it does seem to be something of a smoking gun indicating that the key logging incident wasn’t properly handled in terms of reporting it up the chain of command.
What interests me the most about this latest report from Wired is how quickly the discussion veers off in a totally different direction:
Whoa! Given that the one and only source for Wired’s story is an unnamed source involved in the Air Force’s “network operations.” I guess it’s not a surprise that the discussion veers off into a discussion about how the network is organized and monitored. I would not ever claim that network architecture and network monitoring aren’t important. In fact, I’m willing to say that proper network segmentation according to common security needs is an often overlooked security control.
But what I’d like to point out is that I don’t see a connection between the key logger incident and the Air Force’s network architecture and monitoring. Instead, the root cause analysis should stick to the actual computer security incident management failures. In this particular case, the host-based monitoring appears to have done its job. So that’s good. But the key failure is the incident response place. So instead of talking about network architecture and monitoring operations, the right questions to be asking are:
Furthermore, the key logger incident is a good motivator to ensure that the incident reponse policies and procedures cover all the bases of a good security incident response plan. The most crucial elements are:
The Wired article indicates that the Air Force is starting a “high level investigation” into the key logger incident. I hope they focus on the core issues of the incident rather than getting distracted, as the Wired article did, about tangentially related topics.
Photo credit: USAF