Lockheed Martin's Network Breached

rwmidlrwmidl CISSP, CISM, MCSE, MCSA, MCPxAlotWorldwide AvailabilityPosts: 807Member ■■■■■■□□□□
Lockheed Martin's Security Networks Were Hacked

This is very interesting, in that it appears (from the article) that this is traced back to RSA's breach earlier this year.
CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
«1

Comments

  • jonenojoneno Posts: 257Member ■■■■□□□□□□
    Are you serious? what happened to all the gsecs, analysts, cism's, cissp's and what not...heads are rolling!
  • XcluzivXcluziv Posts: 513Member
    joneno wrote: »
    Are you serious? what happened to all the gsecs, analysts, cism's, cissp's and what not...heads are rolling!


    I'm sure....Heads will be on the Guillotine icon_twisted.gificon_twisted.gificon_twisted.gificon_twisted.gif
    LINKED | GTECH | NOTHINGBUTSHAREPOINT - BLOG AUTHOR

    "TRY NOT. DO. OR DO NOT. THERE IS NO TRY" - Yoda

  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    While they aren't releasing details there is definitely enough references out that pointing to the RSA hack allowing hackers to get past the 2 factor auth that Lockheed uses. That being said....Lockheed also made a statement saying that they have a "layered" approach to security and their infrastructure that should prevent any serious information from being stolen even if their system has been breached.
  • instant000instant000 Posts: 1,745Member
    Woah, I need to read up on this one!

    EDIT: And several other contractors? Could you be any more vague?

    I would hope that they have separate secured and more-secured networks that aren't as accessible as their regular networks, that would help them to mitigate such a type of break-in.

    That is, I just hope that it's not possible for someone to be at home, then just VPN to the office and access fighter jet blueprints :D.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Forsaken_GAForsaken_GA Posts: 4,024Member
    well, the fact that duplicated tokens were used pretty much gives a definitive answer as to whether or not the seeds got compromised in the RSA breach.

    I won't be surprised if this causes a mandate to transition away from RSA in alot of companies.
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    I won't be surprised if this causes a mandate to transition away from RSA in alot of companies.

    I agree...but in this case the article I was reading said Lockheed was just handing out new tokens to remote users and wouldn't specify if they were new RSA or another vendor.
  • chrisonechrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Posts: 1,873Member ■■■■■■■■□□
    I am a bit skeptical on this one. Like someone on here said, they probably have layers of security, i wonder how deep this breach went. Of course we will never know, unless China or Iran all of a sudden build some new Drones, Stealth fighters, 9 months from now lol

    This is a perfect reason why you need to implement biometric security in high end businesses. Cut off certain sections of the network to only be accessed with a biometric access. I dont think this type of information should travel WANs. Someone in the pentagon or in a remote lockheed martin site needs information on top secret information, they better hop their ass in a plane to the HQ facility lol
    2019 Goals:
    Courses: Real World Red Team Attacks- AppSec Cali 2019 (complete), Active Directory Attacks for Red and Blue Teams Advanced Edition - BlackHat (completed),
    Certs: Certified Red Team Professional - Pentester Academy (passed!), Azure Fundamentals AZ-900 (passed!), Azure Security Engineer Associate AZ-500 (in-progress)
  • Forsaken_GAForsaken_GA Posts: 4,024Member
    chrisone wrote: »

    This is a perfect reason why you need to implement biometric security in high end businesses. Cut off certain sections of the network to only be accessed with a biometric access. I dont think this type of information should travel WANs. Someone in the pentagon or in a remote lockheed martin site needs information on top secret information, they better hop their ass in a plane to the HQ facility lol

    You're kidding right? Our president can't even fly his ass back to the states to sign a bill allowing the violation of our rights to continue. Americans can't function without convenience anymore.
  • rwmidlrwmidl CISSP, CISM, MCSE, MCSA, MCPxAlot Worldwide AvailabilityPosts: 807Member ■■■■■■□□□□
    You're kidding right? Our president can't even fly his ass back to the states to sign a bill allowing the violation of our rights to continue. Americans can't function without convenience anymore.

    Sadly, there is some truth to this statement..
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • tpatt100tpatt100 Posts: 2,989Member ■■■■■■■■□□
    You're kidding right? Our president can't even fly his ass back to the states to sign a bill allowing the violation of our rights to continue. Americans can't function without convenience anymore.

    Hey that robo-pen is cool, next episode of "24" terrorists steal one and sign up for a dozen credit cards.

    Back on topic though, Government and Defense IT security is not that great or "secure" from work I have done in the past. The White House did make some changes to make it more efficient because starting in early 2000 security was how much paperwork you could generate to make it look like your doing security.
  • chrisonechrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Posts: 1,873Member ■■■■■■■■□□
    You're kidding right? Our president can't even fly his ass back to the states to sign a bill allowing the violation of our rights to continue. Americans can't function without convenience anymore.

    HAHA well it would make me feel safer knowing my tax money is not being wasted on top secret projects that will end up getting compromised because our government cannot pay top dollar to well deserving highly skilled security engineers.

    So until our government starts paying big bucks for high end security engineers, i say no more wan for sending top secret information, snail mail that shiznit and go back to sneaker net! WOOT WOOT!

    Seriously they need to motivate and pay these top notch security engineers, 120k+ a year. Hell they pay politicians like 150k to 200k a year to just run around the country , sit down, contemplate the positives and negatives of a bill to pass or how to spend the countries money! Seriously! pay our security engineers what they deserve!

    thats my rant icon_lol.gif
    2019 Goals:
    Courses: Real World Red Team Attacks- AppSec Cali 2019 (complete), Active Directory Attacks for Red and Blue Teams Advanced Edition - BlackHat (completed),
    Certs: Certified Red Team Professional - Pentester Academy (passed!), Azure Fundamentals AZ-900 (passed!), Azure Security Engineer Associate AZ-500 (in-progress)
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    I think that you will start to see a shift in the pay of jobs like this over the coming years. The IT industry as a whole seems to be hiring aggressively right now and more and more companies are realizing that security needs to become a top priority.

    I say in 5 years some government and contractor jobs will out pay private and public companies in the security roles. Just me 2 cents icon_cool.gif
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    FYI - Lockheed Martin detects 'significant' attack on information network - CNN.com

    CNN says Lockheed told them nothing was stolen or access that shouldn't have been. Clearly their engineers must be doing something right....
  • tpatt100tpatt100 Posts: 2,989Member ■■■■■■■■□□
    Pay in the government sector for security does pay very well. The problem is the clearance requirements knock 99.9 percent of qualified applicants out of the running. If the government would just create new requirements like how a Secret is just a simple background check and if you hire somebody do the SSBI investigation. The government could save money if they expanded the contracts for the background checks, the pay for people could normalize because in some areas the pay is way over the private sector.

    The talent is there it's the requirements that make it difficult. I know from experience people who barely know how to load Windows getting 60-75K in my Guard unit only because they have a clearance.
  • tpatt100tpatt100 Posts: 2,989Member ■■■■■■■■□□
    Oh and my last job? Yeah contractors were hired to do the work of government IT people who knew almost nothing on IT. So they had to hired more people to do the work for people already hired.
  • rwmidlrwmidl CISSP, CISM, MCSE, MCSA, MCPxAlot Worldwide AvailabilityPosts: 807Member ■■■■■■□□□□
    tpatt100 wrote: »
    Oh and my last job? Yeah contractors were hired to do the work of government IT people who knew almost nothing on IT. So they had to hired more people to do the work for people already hired.

    At my last gig, in our building at least, it was all us contractors who were in charge of IT security. Even some of the feds thought it was kind of funny that contractors were responsible for security.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    rwmidl wrote: »
    At my last gig, in our building at least, it was all us contractors who were in charge of IT security. Even some of the feds thought it was kind of funny that contractors were responsible for security.

    Haha excellent! I love when everyone overlooks the "human" factor involved when that usually ends up being the weakest link in the chain. icon_thumright.gif
  • rwmidlrwmidl CISSP, CISM, MCSE, MCSA, MCPxAlot Worldwide AvailabilityPosts: 807Member ■■■■■■□□□□
    Haha excellent! I love when everyone overlooks the "human" factor involved when that usually ends up being the weakest link in the chain. icon_thumright.gif

    To clarify, they weren't dissing us contractors, they just thought it was crazy to have IT security contracted out.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    Understood...but I agree that it is crazy though.
  • NOC-NinjaNOC-Ninja Posts: 1,403Member
    Its really sad. We have our own Security Engineers. Seriously, they don't know crap about network. It's really sad. I dont even get how they got hired. I guess they were friends of the higher ups and they gave these guys a chance. Most of them don't even know how to config a router or a switch. Not only does they low ball their employees but also hire stupid engineers. Some of the engineers were technicians that were working for more than 5 years in that place. I guess working years and years made them move up to become engineers and they dont even engineer anything. These guys have no degrees nor certifications. Its crazy!

    We have an engineer that dont know the meaning of WEP. Its that bad!

    I even caught one of the guys sleeping on his desk.

    Im not even surprise if lockheed martin gets hacked. icon_rolleyes.gif Its the managers or directors fault. They don't to hire the skilled people or maybe they cant afford those guys?

    Heck, I know a network engineer that has been working for lockheed for 5 years that does not know how to configure an SSH.
  • chrisonechrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Posts: 1,873Member ■■■■■■■■□□
    NOC-Ninja wrote: »
    Some of the engineers were technicians that were working for more than 5 years in that place. I guess working years and years made them move up to become engineers and they dont even engineer anything. These guys have no degrees nor certifications. Its crazy!

    Sadly this is the case in all companies, and yet it is highly encouraged to look inside first, this gives everyone that foot in the door chance. However in order to give that person a chance , i believe they need to show they are studying and taking the initiative to gain the skills needed for a higher end position. So if they are not taking courses or getting certified or have a goal for a high end certification, i believe such individuals should not be in charge of managing high end networks, servers, security, voip, wifi infrastructures. I have seen a lot of guys get promoted with no certification or goals to improve skills without certs, they end up being those guys who are up late trying to figure out an outage or how to implement a project they have no experience in. These guys are the typical "i will learn on the job" type, and their knowledge is solely restricted to the projects done at work.
    2019 Goals:
    Courses: Real World Red Team Attacks- AppSec Cali 2019 (complete), Active Directory Attacks for Red and Blue Teams Advanced Edition - BlackHat (completed),
    Certs: Certified Red Team Professional - Pentester Academy (passed!), Azure Fundamentals AZ-900 (passed!), Azure Security Engineer Associate AZ-500 (in-progress)
  • UnixGuyUnixGuy SABSA, GCFA, GPEN, CISM, RHCE, Security+, Server+, eJPT, CCNA Posts: 4,037Mod Mod
    tpatt100 wrote: »
    . So they had to hire more people to do the work for people already hired.

    sadly I've seen this trend all over the world...
    Goal: MBA, August 2020
  • UnixGuyUnixGuy SABSA, GCFA, GPEN, CISM, RHCE, Security+, Server+, eJPT, CCNA Posts: 4,037Mod Mod
    chrisone wrote: »
    ..These guys are the typical "i will learn on the job" type..


    and by learning they mean : we will try to configure things using trial and error, and if it doesn't work (and it won't) , we will call service providers and watch them working icon_rolleyes.gif
    (no one learns by watching anyway, and no one can learn by starting with high-end projects using trial and error).
    Goal: MBA, August 2020
  • TurgonTurgon Posts: 6,313Banned
    NOC-Ninja wrote: »
    Its really sad. We have our own Security Engineers. Seriously, they don't know crap about network. It's really sad. I dont even get how they got hired. I guess they were friends of the higher ups and they gave these guys a chance. Most of them don't even know how to config a router or a switch. Not only does they low ball their employees but also hire stupid engineers. Some of the engineers were technicians that were working for more than 5 years in that place. I guess working years and years made them move up to become engineers and they dont even engineer anything. These guys have no degrees nor certifications. Its crazy!

    We have an engineer that dont know the meaning of WEP. Its that bad!

    I even caught one of the guys sleeping on his desk.

    Im not even surprise if lockheed martin gets hacked. icon_rolleyes.gif Its the managers or directors fault. They don't to hire the skilled people or maybe they cant afford those guys?

    Heck, I know a network engineer that has been working for lockheed for 5 years that does not know how to configure an SSH.

    It's just another example of how bloated and ineffective the IT security genre is. Far too many people swarmed into an area of IT that got unnecessarily bigger for it's own sake. When that happens the quality goes down. It's time the entire security workforce had a shakedown so it is fit for purpose for the next decade. It would save the tax payer too.
  • afcyungafcyung Posts: 212Member
  • afcyungafcyung Posts: 212Member
    Turgon wrote: »
    It's just another example of how bloated and ineffective the IT security genre is.

    I think this problem stems from people not taking security seriously when they start out in IT. I see a lot of people who think that security is something you only do when you work in a dedicated security position. This is the one area I think the DOD got cyber security right in making everyone who works on the network an information assurance technician and thus responsible for security. I think it will help create knowledgeable people to becomes leaders in cyber security.
  • Chris:/*Chris:/* Posts: 658Member
    The problem with the DoD model is that the people are not learning the information they instead spend the time brain dumping it. The command encourages quick spin up and passing of a test so they are certified but not necessarily qualified.

    When you start saturating the workforce with certification instead of truly training people you get people in positions that have the checkmarks but not the knowledge. People can then do serious damage not just in the logical sense but in the business sense as well.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • TurgonTurgon Posts: 6,313Banned
    afcyung wrote: »
    I think this problem stems from people not taking security seriously when they start out in IT. I see a lot of people who think that security is something you only do when you work in a dedicated security position. This is the one area I think the DOD got cyber security right in making everyone who works on the network an information assurance technician and thus responsible for security. I think it will help create knowledgeable people to becomes leaders in cyber security.

    I take your point.

    If we still have people working in IT that dont understand that every job involved within and without it has an implied security responsibility then that just underlines for me how far we have to go to get security *right* and what a lousy job is being done of it given the billions of dollars sunk into it.. One of the problems is the mushrooming of the security genre where whole empires have been built, something that perpetrates the misguided belief that 'security will take care of that'. It has become in many cases a tick box exercise that is overblown in terms of process and audit requirement and overwhelmed by a large number of people who bring very little to resolve matters for the benefit of all.

    I have met a lot of security types over the years and with a few exceptions have felt underwhelmed by what they have to offer. Im all for security and can definitely see a role for individuals to take a lead, but we need to spend less time getting through audits and adhering to accredited standards, cranking a handle to pass, and more time on doing security *properly*. That means commercial, management, process and technical skills so a business is not only adequately defended but also lean enough to respond and continue to operate in an efficient manner. The discipline requires intelligent people not salary chasers.
  • EveryoneEveryone Posts: 1,661Member
    Sounds like the RSA SecureID tokens are a very likely attack vector. I had one when I worked for them.

    I'd much rather be working security for the DoD again, at least there I was taken seriously and could make a difference. I hate how the Healthcare industry treats security. If you knew how easy it is for anyone to get your medical records...
Sign In or Register to comment.