“Every single sailor on board any ship still poses a potential risk to that network” when they establish a Secure Sockets Layer (SSL) connection to an outside website by, for example, checking Facebook, Bondura said. “Once that SSL connection is established, we cannot see – that whole DOD architecture that’s built there – cannot see what’s coming down that encrypted pipe.”
The broader act of phishing, which is less discriminate in its target, is apparently a Defense Department-wide problem, judging by a memo DOD Chief Information Officer Terry Halvorsen sent Pentagon employees in March. “Phishing continues to be successful because attackers do more research, evolve their tactics and seek out easy prey,” the memo said.
The Navy has a sprawling IT footprint. Securing all of it completely from cyber threats may be infeasible, so the service has set about prioritizing threats via a five-year plan it released in May. That plan drew on lessons learned from “Operation Rolling Tide,” a months-long operation begun in August 2013 to drive Iranian hackers off the Navy Marine Corps Intranet, the service’s massive internal computer network.
Phishing is the most popular attack vector for malicious actors simply because humans are the weakest link in the cyber defense chain. It is so easy to fool unsuspecting users, especially given the increasing sophistication attackers use these days, that there is no need to use cliché hacking methods to compromise networks.
All it takes is for one user to open a malicious PDF attachment exploiting any of the myriad Adobe Acrobat vulnerabilities, and your network is now phoning home to a potential nation-state command-and-control server without your knowledge. This is the type of problem that not only the Navy but every network faces. Better cyber defense tools are not the answer; increased cyber security awareness and user accountability are necessary to help mitigate this problem.