The Department of Motor Vehicles (DMV) may not be many people’s favorite place, but in South Carolina, it has apparently become a magnet for hackers.
Last week, South Carolina DMV Executive Director Kevin Shwedo told a panel of senators that the FBI recently visited the DMV to identify vulnerabilities in its computer system, which will need to be fixed with new firewalls as well as investments in encryption to secure sensitive data.
“I get pinged virtually every night from countries like China, Pakistan, the Czech Republic, Syria and others,” he was quoted as saying by the Greenville News.
How the attacks had been attributed to those countries was not revealed, but some say the situation underscores the reality that organizations of all shapes and sizes can come under attack – and that means IT professionals need to take measures to assess their security posture.
“Security is a process, not a product,” said Scott Waddell, vice president of technology at iovation. “So you really have to think in terms of securing what you’ve got, monitoring that security, testing it regularly – ideally through third-party, internal and external security assessments – and then making sure you’ve got executive buy-in to effect change to improve security following the best practices that come from both the consultants and the dedicated staff you have on the team to focus on that day in and day out.”
According to reports, the DMV was hit with about 90 intrusion attempts between Jan. 1 and Feb. 2, all of which the agency said it has deflected.
“Nobody should be surprised if they are targeted online, especially those organizations that collect and store sensitive data,” said Josh Shaul, CTO of database security firm Application Security. “DMVs and other agencies that issue official identification will always be prime targets for attack. Their comment about having had around 90 intrusion attempts this year is very vague. That sounds like a small number, but who knows what they count as an ‘attack’. The more interesting question for me is how do they know? Could there have been other attacks that they didn’t detect and therefore didn’t stop?”
The agency will never succeed in protecting its databases simply by adding more firewalls, as there are too many ways “around and through the network perimeter for that to be an effective measure,” he said.
Though he agreed it was hard to assess the report of 90 attacks without more information, Rapid7 researcher Marcus Carey also noted that the FBI does not typically pay an on-site visit to the DMV unless there is a significant issue. When it comes to organizations assessing their security posture, Carey suggested implementing a vulnerability management program and configurations to identify all assets, software and what their risks are. Organizations should also develop incident response and business continuity capabilities, including organization-wide security threat awareness training for security administrators, management and users.
“Encryption and masking are also often considered a silver bullet for database security, but only solve a few specific problems,” Shaul said. “The truth is there is no silver bullet for databases. To keep them secure, it takes good hygiene. That means scanning for vulnerabilities, misconfigurations, and access controls, fixing the problems you find. Of course it is not realistic to believe that everything will be fixed, so what isn’t fixed must be monitored, so if and when something goes wrong, you know it immediately and can respond before damage is done.”
Shwedo noted that other state and federal agencies are consistently under attack. So are companies in the private sector. Last week, ICS-CERT (Industrial Control System Computer Emergency Readiness Team) issued an alert to warn critical infrastructure companies of secure shell (SSH) scans of Internet-facing control systems. According to ICS-CERT, an electric utility reported experiencing unsuccessful brute force activity against its networks.
“You’ve got to stay abreast of network security issues,” Shwedo said. “We’re going to do everything we can to prevent an intrusion. And we’re going to make sure we’ve got the right hardware and the right software and the right encryption to protect that information.”
