"Census Bureau Comes up Short Against 'Red Team' Attack"

According to a new report by the Commerce Department Office of Inspector General (IG), a team of government-contracted red team hackers gained unauthorized and undetected control of critical Census Bureau systems in a simulated attack test, which revealed major cybersecurity flaws within the Federal agency. The cybersecurity experts, tasked with simulating a real-world hacking attempt on an organization's system, were able to breach the agency's systems via a domain administrator account and gain access to employees' Personally Identifiable Information (PII). The red team exercise was held between August 2021 and March 2022.

The Census Bureau stated in its response to the IG report that it intends to release a detailed action plan to address the security vulnerabilities exposed by the attack. According to department guidelines, the agency has 60 days to submit the plan.

The Census Bureau failed to restrict or disable access to an out-of-date account management control tool, allowing the security firm access to the agency's systems and allowing the red team to run commands as a user with elevated privileges. The red team was so successful in its simulated attack that it was able to send fake emails through insecure programs and execute additional malicious actions, resulting in the discovery of 11 security flaws. However, to protect sensitive information about the Census Bureau's Information Technology (IT) vulnerabilities, the IG redacted some details from its report.

The evaluation's goal was to determine the effectiveness of the Bureau's cybersecurity posture in the face of a simulated real-world attack. Hackers successfully exploited a security flaw in the Bureau's virtual desktop infrastructure in January 2020, which prompted the IG's Office of Audit and Evaluation to form a cyber red team to conduct a simulated attack on the Census Bureau and assess the effectiveness of the Bureau's cybersecurity posture.

According to the report, the Census Bureau failed to address its cyber vulnerabilities and still requires effective cybersecurity measures to prevent attacks capable of limiting its defensive options. This article continues to discuss the red team attack against the Census Bureau.

MeriTalk reports "Census Bureau Comes up Short Against 'Red Team' Attack"

Submitted by Anonymous on