Navy network hack has valuable lessons for companies

The hacking of a U.S. military network that was made easier by a poorly written contract with Hewlett-Packard offers lessons on how negotiations between customer and service provider could lead to weakened security.

The HP contract with the military did not include securing a set of Navy Department databases that were later hacked, giving the attackers, believed to be from Iran, access to the Navy Marine Corps Intranet, The Wall Street Journal reported Thursday. Without proper updates, the Microsoft databases became vulnerable to an SQL injection, a common hacking technique.

Cleanup following the discovery of the breach cost the military $10 million and led to the Navy reviewing its security efforts, the Journal said. The unclassified network hosts websites, stores non-sensitive information and handles voice, video and data communications for 800,000 users in 2,500 locations.

HP declined comment, directing queries to the Navy spokesman in charge of talking to the media. He could not be reached for comment.

Contract negotiations between the government and tech vendors have a different set of requirements than talks between private companies and service providers. Nevertheless, there are lessons to be learned and important reminders from the military snafu.

First, screw-ups in contract negotiations happen often in the government and the private sector.

"These types of poorly written contracts are common," Edward Ferrara, analyst for Forrester Research, said. "Many vendors will interpret contracts in the strictest sense, and if the contract did not explicitly call for the remediation of these vulnerabilities, as the article seems to imply, then yes it is more than possible that the vendor would have allowed the vulnerabilities to continue and enable the resultant breach."

One way for companies to avoid missing systems in service contracts is to create a network schematic that both parties could reference, Al Pascual, analyst for Javelin Strategy & Research, said.

"Organizations looking to avoid a similar fate should ensure that the responsibility for securing systems is clearly specified in the contract," he said.

In the private sector, an organization's security pros are usually left out of contract negotiations, so security lapses are often discovered after the fact, Chris Camejo, director of assessment services at NTT Com Security, said.

"That's sort of the disease that leads to this whole problem," Camejo said. "Security tends to get involved in these sorts of contracts way, way too late in the process."

In Ferrara's opinion, the lesson learned from the Navy hacking is that specifying what is not in the contract is as important as what's covered.

"I always recommend clients build a detailed requirements traceability matrix to track the explicit requirements for each contract, defining the service to be performed, the service levels expected and the environment -- network, application, or host -- the service will be performed with or on," he said. "Liability and indemnification should be clearly defined."

Contracts should also have clearly defined processes for resolving problems and list the key decision makers.

"This is actually standard operating procedure for federal contracts," Ferrara said. "Commercial contracts have a tendency to be not as detailed, however."

Spelling out the responsibilities of both sides is pivotal in avoiding future problems, Roger Entner, analyst and founder of Recon Analytics, said.

"If you write a contract, you have to make it idiot proof, because the other side will follow it exactly to the letter and not more," Entner said. "Everybody is under a profit pressure."

Stories by Antone Gonsalves