July 15, 2013 at 5:37 pm #179441
IMO a classic case of FUD(Fear Uncertainity Doubt) by most concerned… Sad that it would cost this much money($170,000) and this much time
Report from Office of Inspector General Department of Commerce
Malware Infections on EDA’s Systems Were Overstated and the Disruption of IT Operations Was Unwarranted
Attached is the final report of our audit of EDA’s information security program and cyber incident response. In accordance with the Federal Information Security Management Act, we evaluated EDA’s incident response and recovery activities in relation to EDA’s fiscal year 2012 cyber incident. We (I) assessed the effectiveness of EDA’s IT security program, (2) determined the significant factors that contributed to its incident, and (3) evaluated both completed and planned activities to recover its information systems to support critical operational requirements.
We found (I) EDA based its critical incident response decisions on inaccurate information, (2) deficiencies in the Department’s incident response program impeded EDA’s incident response, and (3) misdirected planning efforts hindered EDA’s IT system recovery.
July 15, 2013 at 5:43 pm #179444
Additional information and Commentary from TheSecurity Bistro blog
EDA Overreacts to Malware Scare
The Economic Development Administration (EDA) in Washington, D.C. physically destroyed computers and other IT equipment worth $170,000 in a comedy of errors sparked by a relatively harmless malware incident, according to an audit report.
The report by the inspector general’s office in the Department of Commerce, released late last month, said that at one stage the EDA feared it was under cyber-attack by a foreign state – whereas in reality its system had suffered only a limited infection by unsophisticated malware.
The report into the incident which began in December 2011 described a litany of miscommunication, misunderstanding and incompetence that cost the EDA a total of $2.75-million in IT remediation measures – including the cost of the destroyed hardware. “EDA’s persistent mistaken beliefs resulted in an excessive response and ultimately unnecessary expenditure of valuable resources,” the report said.
It said that EDA’s chief information officer concluded that the risk of extremely persistent malware and nation-state activity — which did not exist – “was great enough to necessitate the physical destruction of all of EDA’s IT components. EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards.”
The report said the agency would have destroyed more IT components, but it ran out of money to replace them. “The destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems,” it said.
You must be logged in to reply to this topic.