It took the Navy more than four months and $10 million to clean up cyber security loopholes, in a clear example of why businesses and government organizations need to do more to secure networks from scammers, hackers and thieves.
The Navy Marine Corps Intranet network has worked with computer services company Hewlett-Packard since 2000, and it was found that the lapse in cyber security could have stemmed from not specifying security measures in the contract, the Wall Street Journal reported. The Navy's system consists of multiple databases, unclassified website hosting networks, and video, voice and data communication for over 800,000 users.
One cyber security staff member working with the Navy told the Journal that this "is a contracting failure and not a technology failure." Sources working on the investigation believe that the cyber attack may have come from Iran. The alleged attackers were able to gain limited access to the intranet network through SQL injection, submitting faulty Structured Query Language (SQL) input that allowed them to reach different parts of the site.
It is unclear who should be responsible for the lapse, but Forrester Research analyst Edward Ferrara told CIO Magazine that these supposed misunderstandings happen all the time.
"Many vendors will interpret contracts in the strictest sense, and if the contract did not explicitly call for the remediation of these vulnerabilities, as the [Journal] article seems to imply, then yes it is more than possible that the vendor would have allowed the vulnerabilities to continue and enable the resultant breach," he said.
We have discussed how important it is to revamp cyber security and disaster recovery efforts in case a breach occurs, but this situation also shows that simply signing on with a widely known company may not be enough. Business continuity consultants can provide insight on what assets should be protected from potential intrusions.