Obama, Pentagon Suffer Security Breaches

Security breaches have struck both President-elect Barack Obama and the Pentagon, with both cases pointing to holes in policy, tracking and enforcement, according to observers.

In Obama’s case, Verizon Wireless employees stole a peek at his old cell phone records, leading Lowell McAdam, the company’s president and CEO, to apologize and promise retribution.

The Pentagon, meanwhile, has been forced to ban the use of removable media such as USB flash drives after its networks were hit by an unspecified virus.

The incidents come on the heels of a report by — perhaps ironically — Verizon Communications’ business unit, which concluded that most corporate security breaches could be prevented with reasonable security measures. According to the study, nearly nine out of 10 security lapses could have been avoided by implementing a number of improvements, like a data retention plan.

“It’s critical that an organization knows where data flows and where it resides,” the report said.

Whether following those recommendations could have avoided a problem at Verizon Wireless, a joint venture of Verizon Communications and Vodafone, remains unclear. In a statement, McAdam said all employees who accessed Obama’s account — an inactive account attached to an older, voice-only phone that the president-elect no longer uses — have been put on paid leave.

Those who had legitimate business needs to access the account will be restored to their positions and the others will face appropriate disciplinary action, he added.

The Obama camp did not respond to requests for comment by press time.

Breaches like those at Verizon are not uncommon, Deepak Taneja, founder, president and chief technology officer at access governance solution provider Aveksa, told InternetNews.com, pointing to a breach in March at the State Department, in which employees gained unauthorized access to passport records belonging to Obama and then-presidential candidates Sens. Hillary Clinton and John McCain.

“Companies need a business process to track who has access to what information resources,” Taneja said. Leaving that tracking to the IT department won’t always work without incorporating knowledge about employees’ business functions or the business use of an information resource, he added. A number of vendors offer solutions that give enterprises the ability to track employees by their business roles.

Malware at the Department of Defense

At the Pentagon, meanwhile, it is not clear how a virus got into the Department of Defense’s (DoD) systems, even though its computer network is probed by outsiders millions of times daily, DoD spokesperson Lt. Col. Eric Butterbaugh said in an e-mail to InternetNews.com.

“We are aware of a global virus for which there are recent public alerts,” Butterbaugh said. “We have seen some of this on our networks, and are taking steps to identify and mitigate the virus.”

He declined to discuss in detail the problem, which has resulted in the Pentagon banning the use of removable media. He also declined to comment on specific defensive measures the DoD has in place or plans to take in response to the virus.

Of course, malware is a persistent threat even for the most heavily protected networks — one package, the Sinowal Trojan, has been around for three years and is particularly difficult to detect and defend against.

Making matters more complicated for the DoD is the fact that it’s got an extremely complex network to police. Butterbaugh pointed out that the department’s global information grid includes more than 15,000 networks and about seven million IT devices.

“To address continuous and constantly changing cyber threats, guidance regularly is provided to the field about current threats and measures for users to take to ensure information systems remain secure,” he added.

However, Wolfgang Kandek, CTO at policy compliance and security vendor Qualys, is skeptical about the DoD’s security policies, considering the fact that removable media appear to be coming under scrutiny only now.

“It sounds like the DoD doesn’t have a policy in place, and I find this surprising,” Kandek told InternetNews.com. “It’s long been well known that removable media can bear viruses that will infect your system.”
