In a series of tests using fake data, a U.S. government surveillance agency was able to steal more than 1 GB of seemingly sensitive personal data from the U.S. Department of the Interior's cloud systems. The experiment is detailed in a new report released last week by the Interior Department's Office of Inspector General (OIG). TechCrunch reports: The purpose of the report was to test the security of the Home Office's cloud infrastructure and its “Data Loss Prevention Solution,” software that protects the Home Office's most sensitive data from malicious hackers. The OIG said in its report that the experiment was conducted from March 2022 to June 2023. The Department of the Interior manages the country's federal lands, national parks, multibillion-dollar budget, and hosts vast amounts of data in the cloud. To test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that “appeared to be useful for the Department of the Interior's security tools,” according to the report. That's what it means.
The OIG team then used virtual machines in the department's cloud environment to imitate a “sophisticated attacker” in the network, who then used “well-known techniques that are widely documented to exfiltrate data.” I used it. “We left the virtual machines intact and did not install any tools, software, or malware that would have made it easier to extract data from the target systems,” the report said. The OIG said it conducted more than 100 tests in one week while monitoring the department's “computer log and incident tracking system” in real time, none of which were detected or stopped by the department's cybersecurity defenses. Stated.
The OIG's report states that “our tests were not successful because the department failed to implement security measures that could prevent or detect the well-known and widely used techniques used by malicious actors to steal sensitive data.” “I did,” he said. “In all the years that the system has been hosted in the cloud, the Department has never conducted the regular testing required of system controls to protect sensitive data from unauthorized access.” That's bad news. . Weaknesses in the department’s systems and practices “lead to high secrecy.” [personal information] “Tens of thousands of federal employees are at risk of unauthorized access,” the report said. The OIG also acknowledged that it may be impossible to stop a “resource-rich adversary” from entering the country, but that it may be possible with some improvements. Prevent attackers from exfiltrating sensitive data.
