by savethefuture 2559 days ago
The photos were transferred to a subcontractor’s network and later stolen through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email.

Anyone think they approved the security of that subcontractor before giving sensitive information to them?

More importantly, why is that type of data leaving CBP in the first place?


Compliance with NIST SP 800-53 is mandatory per statute and DHS policy. That system has an identified ISSO, ISSM, ISSPM, DAO, and AO who are responsible for authority to operate being given. If the paperwork is in place, a government employee signed off on that network's operation. If not, it doesn't have ATO and there's a government employee (the AO or CIO) responsible for allowing such a network to be connected to government systems and store government-controlled information.
I worked at a government contractor that was rolling out NIST compliance. Everyone, from IT to engineers, hated it. You can rest assured that as soon as someone isn't looking, they're going to violate it.
I have never come across a compliance policy that people didn't hate.

Compliance, almost by definition, needs to make people's job harder, or create extra work. Because people are lazy, and they tend to go for the path of least resistance, and those are not good things in the context of safety and security.

Compliance is a tool. It's used to enable security iff the C-suite want to use it that way; otherwise, it's just another meaningless metric.
> Anyone think they approved the security of that subcontractor before giving sensitive information to them?

They almost certainly did, actually. FIPS [1] and FISMA [2] are pretty strict requirements for every company contracting with a government agency. IMO it's one of the rare situations where, at least conceptually, the federal government has done something right in terms of security.

Now whether FIPS/FISMA, and the people enforcing it, actually have any teeth or effectiveness is a different topic entirely.

1: https://en.wikipedia.org/wiki/Federal_Information_Processing...

2: https://en.wikipedia.org/wiki/Federal_Information_Security_M...

If Fedramp is like other security certifications, written policies can be used in lieu of actual enforcement.

A policy could be something like:

"Vendor shall not move sensitive data out of CBP's secure network"

So it's pretty much on the honor system. And some new employee at the vendor may not even be aware of all of the policies they are supposed to be following. The vendor is still responsible for that employee's actions, but it can be discovered too late (as in this case, the breach was already made).

But instead of just a written policy (among dozens or hundreds of others) that people are expected to abide by, this could be enforced by limiting the vendor's access to the network. For example, by counting how many records they access, how many bytes of data they download over their connection to the secure network, or not giving them direct access at all and exposing only an API controlled by CBP that gives them access to only the data they require.
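
The mediated-access control described in the comment above, sketched as an added example that is not part of the thread: a broker that serves a vendor only the fields it is granted, meters records and bytes per vendor against hard quotas, and keeps an audit trail of allowed and denied requests. Vendor names, quotas, field names and the record store are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample store: each record holds fields a vendor might need
# (plate, lane) alongside a bulky sensitive one (photo) it should never see.
RECORDS = {
    "rec-1": {"plate": "ABC123", "lane": 4, "photo": b"\x00" * 400},
    "rec-2": {"plate": "XYZ789", "lane": 2, "photo": b"\x00" * 400},
    "rec-3": {"plate": "JKL456", "lane": 1, "photo": b"\x00" * 400},
}


@dataclass
class VendorGrant:
    """Per-vendor field allow-list plus hard quotas for one accounting window."""
    fields: frozenset           # only these fields ever leave the broker
    max_records: int            # quota on records served in the window
    max_bytes: int              # quota on bytes served in the window
    records_served: int = 0
    bytes_served: int = 0
    audit: list = field(default_factory=list)   # (decision, record id) log


class QuotaExceeded(Exception):
    """Raised when a request would push the vendor past its quota."""


def _payload_size(view):
    # Count bytes of what actually leaves; ints/others are measured as text.
    return sum(len(v) if isinstance(v, (bytes, str)) else len(str(v))
               for v in view.values())


class DataBroker:
    """The agency-controlled API: vendors never touch RECORDS directly."""

    def __init__(self, grants):
        self.grants = grants    # vendor name -> VendorGrant (hypothetical config)

    def fetch(self, vendor, rec_id):
        g = self.grants[vendor]
        rec = RECORDS[rec_id]
        view = {k: v for k, v in rec.items() if k in g.fields}   # minimisation
        size = _payload_size(view)
        # Check quotas before serving, so a bulk pull is stopped, not just logged.
        if g.records_served + 1 > g.max_records or g.bytes_served + size > g.max_bytes:
            g.audit.append(("DENY", rec_id))
            raise QuotaExceeded(f"{vendor} exceeded quota at {rec_id}")
        g.records_served += 1
        g.bytes_served += size
        g.audit.append(("OK", rec_id))
        return view
```

The audit list is what a reviewer would pull when the download count for a vendor looks wrong, which is the point of metering rather than trusting the written rule.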

Most of these are so-called "paper security", while some real technical vulnerabilities can effectively crash all these fictional barriers.
At best, ads. At worst, ...