CISA broke into a US federal agency, and no one noticed for a full 5 months

The US Cybersecurity and Infrastructure Security Agency (CISA) says a red team exercise at a certain unnamed federal agency in 2023 revealed a string of security failings that exposed its most critical assets. CISA calls these SILENTSHIELD assessments. The agency's dedicated red team picks a federal civilian executive branch ( …

  1. Throatwarbler Mangrove Silver badge
    Trollface

    COMMUNISM!

    The federal government is stepping on entrepreneurial capitalism by not using private industry to perform these checks and analysis, to say nothing of placing undue regulatory burden and profit-killing demands for greater security on job-creating businessmen! The entire CISA should be disbanded immediately and their budget returned to the public in the form of further tax cuts for billionaires!

    1. Anonymous Coward

      Re: COMMUNISM!

      I and my fellow billionaires agree completely!

      - Elon

    2. Yet Another Anonymous coward Silver badge

      Re: COMMUNISM!

      >The entire CISA should be disbanded immediately and their budget returned to the public in the form of further tax cuts for billionaires!

      Why do we have expensive public sector red teams with their gold plated pensions when cheap overseas red teams can break into our federal agencies for free!

      1. Strahd Ivarius Silver badge
        Devil

        Re: COMMUNISM!

        and furthermore they are likely to be genuine RED teams!

      2. Anonymous Coward

        Re: COMMUNISM!

        It is only cheaper if they fail. Otherwise you have to pay out $10mil in consulting fees for someone to "produce a report" that says "the method of ownage was by penetrating the rear repeatedly with a big long hard piece of malware".

        Can't document it as a ransom payment...

    3. NoneSuch Silver badge
      Childcatcher

      Re: COMMUNISM!

      Typically, governments react to these embarrassing breaches by pulling funding from the red team program. Problem solved.

  2. GoneFission
    Mushroom

    It would've been hilarious if that red team compromised their systems, only to find out that another actually malicious actor had already set up shop

    >"After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response."

    It's 2024 and basic online infrastructure security, let alone incident response, really is still just a complete theater and clown show. But let's keep spending more on C-levels and after-the-fact contractors, then post our infosec roles at $15/hour so we can blame them when the papier-mâché tower we run our business on crumbles.

    1. DS999 Silver badge

      I wouldn't be surprised if that's actually how some of the compromises are discovered. It isn't like they tell us exactly how the various ongoing attacks against US government infrastructure were discovered (nor should they).

    2. Valeyard

      It would've been hilarious if that red team compromised their systems, only to find out that another actually malicious actor had already set up shop

      Been there. "Hey, what's this port doing open, and why is it a Chinese-language password-protected PHP shell?"

  3. chuckufarley Silver badge
    Joke

    Was it the Fish and Wildlife service?

    https://xkcd.com/2958/

    1. Anonymous Coward

      Re: Was it the Fish and Wildlife service?

      If it was, they really should have spotted something fishy going on!

  4. Bebu Silver badge
    Windows

    Seems like a complete shit show but...

    given the funding shenanigans most federal agencies have faced in Congress for more than a decade now, I could imagine the agencies would have difficulty resourcing competent Solaris* (+Oracle crap) system admins and competent security staff, let alone attracting applicants in the first place or retaining those duffers they did attract.

    Fairly analogous with the farce that is most SMEs' IT, just differing in scale.

    * Solaris admins must be getting pretty long in the tooth and not exactly oversupplying the market.

    1. chuckufarley Silver badge

      Re: Seems like a complete shit show but...

      https://www.illumos.org/

      Solaris is still Solaris, but Illumos is also Solaris.

    2. Phil O'Sophical Silver badge

      Re: Seems like a complete shit show but...

      CVE-2022-21587 is in Oracle E-business suite, so probably not Solaris-specific.

  5. Bill Gray

    CVE-nnnn : some systems may be vulnerable to divine intervention

    ...It said real adversaries may have instead used prolonged password-praying attacks...

    "God(s/ess/esses), if you really exist and love me, prove it by giving me the password to this system."

    That would be a tough one to patch against. Maybe pray to your pantheon to protect your systems?

    1. Yet Another Anonymous coward Silver badge

      Re: CVE-nnnn : some systems may be vulnerable to divine intervention

      >...It said real adversaries may have instead used prolonged password-praying attacks...

      New policy:

      Passwords must be the name of a demon who is at least a 9th-level lord of hell. It must be entered 3 times.

      Bad news:

      Our data center is now an abyss with flames and screams of the damned

      Good news:

      It's secure

      Bad news:

      Oracle are charging a per-user license for the hordes of hell

      1. Anonymous Coward

        Re: CVE-nnnn : some systems may be vulnerable to divine intervention

        Sounds like an old sysadmin story about how if you say the name "greedy Larry" three times while looking at your reflection in a monitor, an Oracle lawyer will appear to audit your licenses.

    2. diodesign (Written by Reg staff) Silver badge

      Re: CVE-nnnn : some systems may be vulnerable to divine intervention

      Hi -- oops! That's been fixed. Thanks for letting us know.

      C.

  6. cantankerous swineherd

    root cause analysis

    putting information on the internet

  7. An_Old_Dog Silver badge
    Joke

    Intrusion Detection

    "Waitaminnit! Isn't that our website listed on haveibeenpwned.com?!!"

  8. Tron Silver badge

    This is why you outsource your security.

    So someone else gets the blame.

    The skills required to protect systems like this are simply too thin on the ground for the number and complexity of installations.

    Users should be able to expect their software to be secure by default and to be patched automatically by the vendor when new vulnerabilities occur.

    Given that this is unlikely to ever be the case, all internal systems should be airgapped from the public internet.

    We may need simpler OSs and software. The more basic the system, the fewer ways there are to crack it.
