link to published version: IEEE Computer, March, 2013

The SCDOR Hack: Great Security Theater in Five Stages

Hal Berghel


The South Carolina Governor’s response is a textbook application of Elisabeth Kübler-Ross’ “5 Stages of Grief” to cybersecurity. For want of a better phrase, we’ll call this the “politicians five stages of covering your assets.”


Last fall, the State of South Carolina Department of Revenue (DOR) computer systems were hacked – allegedly by Eastern European criminals. According to South Carolina Governor Nikki Haley, the security breach yielded the digital denizens of delicta 3.9 million taxpayer files, 1.9 million dependent files, 699,900 business records, 3.3 million bank accounts, and 5,000 expired credit cards ( http://www.wyff4.com/news/columbia-statewide-news/Cyberattack-final-tally-released-SCDOR-head-replaced/-/9324106/17489378/-/ax1yul/-/index.html ). Some estimates are even higher ( http://standrews.patch.com/articles/dems-call-for-independent-investigation-of-hack-creation-of-fund ). In any case, the extent of the breach attracted considerable media scrutiny, which in turn highlighted the weak security measures in place in the state's IT infrastructure. This attention proved embarrassing to Governor Haley, who compounded the embarrassment in a series of misguided press releases culminating in some great security theater. I offer this story to you as my candidate for the 2012 security breach of the year.

THE HACK

The State of South Carolina hired Mandiant (mandiant.com) as external incident responders to assess the damage. The analysis of the hack below is derived from their Mandiant Public Incident Response Report released November 20, 2012.

Apparently the incident began with email phish bait received by at least one DOR employee on August 13, 2012. This email contained a link to online malware. At least one unidentified DOR employee clicked on that link and compromised their computer. The injected malware subsequently forwarded the harvested userID and password information to the hacker who reused it for remote login to one or more of the victim's workstations, and from there to the DOR computer system.

Within a few weeks, this access was leveraged to obtain userIDs and passwords for all Windows account holders, and to install a back door on one DOR server. By mid-September, the attacker was able to access and compress sensitive taxpayer data files from the DOR server cluster, transmit them over the Internet, and cover his/her tracks. By October 20, 2012, DOR had implemented a Mandiant remediation plan.

While the nature of the attack is interesting, were it not for the nature of the data and the Governor's response, this would have been a relatively routine incident. The payload was South Carolina taxpayer records – a veritable treasure trove of goodies in identity theft! According to Mandiant, the compromise extended to:

No explanation was offered on what underlying rationale was used by DOR to justify encrypting some taxpayer records and not others.

POLITICIANS AND THE 5 STAGES OF COVERING YOUR ASSETS

The South Carolina Governor's response is a textbook application of Elisabeth Kübler-Ross' “5 Stages of Grief” to cybersecurity. For want of a better phrase, we'll label this the “politicians' five stages of covering your assets.”

  1. Denial and Isolation: Apparently the August 12 hack was never noticed by DOR until the U.S. Secret Service informed the state leadership a month and a half later! ( http://www.fitsnews.com/2012/11/02/scdor-refused-cyber-security-aid/ ). What is even more unbelievable is that the DOR Director may have been informed that malware was being downloaded on DOR computers the day after the hack, but did nothing ( http://www.databreaches.net/?p=26699 ). This denial was every bit as extensive as its namesake in Egypt.

  2. Anger: Governor Nikki Haley first went on the attack with typical political embroidery: “I want this person slammed against the wall” ( http://www.huffingtonpost.com/2012/10/26/nikki-haley_n_2025317.html ). She didn't have to look far to find someone to slam, as it turns out, as one candidate was just down the hall. We'll return to this in a few paragraphs.

  3. Bargaining – (aka making a deal with the political base if not the devil): Following in the long-established tradition of doublespeak, Governor Haley offered: "The industry standard is most Social Security numbers are not encrypted. A lot of banks don't encrypt. It's very complicated. It's very cumbersome. There's a lot of numbers involved with it." ( http://finance.yahoo.com/news/haley-taxpayer-didnt-encrypted-223600346--finance.html ).

  4. Depression and worry: At this stage, Governor Haley offered “There wasn't anything where anyone in state government could have done anything to avoid it” (October 29, 2012 - http://www.fitsnews.com/2012/10/29/nikki-haley-nothing-could-have-stopped-hackers/ ). Obviously the Governor hasn't attended many SANS conferences over the past few decades. The Governor clearly didn't ask the State's Payment Card Industry and Anti Money-Laundering specialists to weigh in before this sentence was crafted. We speculate that stages 3 and 4, taken together, circumscribe what may be the Palmetto State equivalent of a force majeure defense.

  5. Acceptance: “International hackers are not going to do this from 9 to 5,” Haley observed, so she's going to add four FTEs to monitor, 24/7, the newly added systems put in place to reveal suspicious activities on State computers ( http://www.youtube.com/watch?v=YXk-tngz6f0 ). After extensive media criticism, Haley suggested that the state should have done more to protect the taxpayer data. There's a news flash for you.

At this point it appears that the South Carolina taxpayer-victims will pay $20m for remediation, with another $20m budgeted for beefing up DOR’s cyber security defense in 2013. In her press conference of November 15, 2012, Governor Haley announced that her administration would be adding systems to monitor network activity. Her explanation of how this system will work is priceless: http://www.youtube.com/watch?v=YXk-tngz6f0.

CONCLUSION – “FROI”

As I suggested earlier, what makes the South Carolina experience most interesting is not so much the forensics but the State's reaction. There's a lesson in top-down blundering that could have been easily avoided had professionals with any significant background in digital security been consulted. Let's analyze some of these blunders.

At the administrative level, the State's greatest embarrassment is due to the dissemination of misleading and confusing information by the Governor. The lesson here for all administrators and executives is that the appropriate response to security breaches is not convulsive blathering. Any seasoned security professional or enlightened legal counsel would have advised that press releases, especially during the investigation, be confined to prepared statements that were vetted by the CISO, CIO and legal counsels well in advance of the incident. That's right, well in advance! These responses should follow a prescribed template, e.g., “The State of ______ Department of _______ respects the privacy of all citizens and taxpayers, and is committed to protecting sensitive data. We will have more to say as the investigation proceeds.” End of story. Full stop. Close the cake hole!

Since we're on the subject, one reason that the South Carolina DOR CISO didn't vet a press release was that there wasn't one – a CISO, I mean. DOR Director Jim Etter speculated that the anticipated $100k salary for a CISO was a barrier to successful recruiting (save $100,000 vs. spend $40,000,000 – this is a classic “foolish return-on-investment,” or FROI, for short). Security professionals have dealt with this penny-wise, dollar-foolish attitude for many years (see my 2005 column “The Two Sides of ‘ROI': Return-on-Investment vs. Risk-of-Incarceration” at http://www.berghel.net/col-edit/digital_village/apr-05/dv_4-05.php ). Incidentally, Mr. Etter submitted his resignation November 20.

OOB URL Pearls

The Mandiant report of the SCDOR incident is online at http://governor.sc.gov/Documents/MANDIANT%20Public%20IR%20Report%20-%20Department%20of%20Revenue%20-%2011%2020%202012.pdf .

Reports on the economics of the SCDOR hack may be found at http://www2.wjbf.com/news/2013/jan/06/south-carolina-legislators-pledge-tackle-cybersecu-ar-5308319/ , http://www.fitsnews.com/2012/12/11/scdor-running-deficit/ , and http://www.usatoday.com/story/news/nation/2013/01/06/south-carolina-cyber-security-protections/1566082/ . For the story behind the unfilled DOR CISO position, see http://www.bankinfosecurity.com/blogs/how-much-good-ciso-worth-p-1387 or http://www.wltx.com/news/article/210418/2/Etter-Revenue-Dept-Without-Cyber-Expert-for-1-Year .