Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Can the Combination of a Default Password and an Unpatched Asset Get You Military Secrets? Yup.

October 13, 2017

  • Blog
  • Archive
Password Management For years, security professionals have been preaching about the need for basic cyber security hygiene, including vulnerability, patch, and password management. Indeed, many successful cyber attacks are conducted leveraging these three threat vectors. In a recent report filed by the BBC we read that the Australian government, despite ASD mandates, received a critical reminder of the need for basic cyber security hygiene and are now dealing with the ramifications of failing to maintain it.

Details on the breach

In the breach (related to an Adelaide-based aerospace engineering company) we can speculate that requirements like those found in NIST 800-171 where clearly not enforced, but applicable, because some of the breach material included the F-35 Joint Strike Fighter, P-8 Poseidon, and C130 transport aircraft (in addition to other navy vessels) which are manufactured in the United States. In total, about 30GB of data was compromised. But like any good hack, the threat actor has still not been positively identified despite speculation of regional nation state involvement.

What went wrong

This sensitive military breach at a contractor is particularly annoying since so many basic cyber security hygiene policies, procedures and indicators where not followed, or just completely missed. For example:
  • The breach began in July 2016, but government officials (ASD) were not notified until November 2016 – four months before disclosure and much too long by any standards.
  • The exploit occurred in a software application that had not received security updates for a full year. No red flags from vulnerability or patch management were raised to remediate or mitigate the threat? It sounds like Equifax to me.
  • The contractor was also using default passwords on the application! Wait. What? You’re protecting sensitive military secrets and cannot even change the default password on an application that could be leveraged against the crown jewels of your organization? Clearly, hygiene went out the window here too.

The fallout

If there is a silver lining, the stolen data was allegedly commercial information about the aircraft and not military data. Please think about that for a moment. What commercial information, totaling 30GB, is available about three military aircraft and a few navy vessels? High resolution JPGs? 30GB is a lot of commercially available information for a country’s offensive and defensive systems no matter how you look at it. It just was not relevant Australian military information; just information on the assets. This is completely the opposite of reports that North Korea hacked South Korea and stole vital military plans. It is the difference of knowing about your enemy’s weapons verses knowing what they plan to do with them.

What we can learn

As we continue into the middle of October, we are reminded yet again from our allies down under of the important of basic cyber security hygiene. October is National Cybersecurity Awareness Month and incidents like this are a firm reminder that we must always be vigilant in securing, protecting, monitoring, and enforcing our basic policies and procedures – including the Essential Eight. If you would like more information on how BeyondTrust can help with NIST, ASD, or Essential Eight implementations and reporting, contact us today. Our goal: to make sure you do not become the next victim.

Morey J. Haber

Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Webcasts | February 09, 2021

Customer Webinar: Remote Support 21.1 Released!

Webcasts | February 24, 2021

Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets

Whitepapers

Evolving Privileged Identity Management (PIM) In The 'Next Normal'

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.