MONTGOMERY, Ala. (WPMI) Alabama Department of Homeland Security Director Spencer Collier on Tuesday discussed the recent cyber intrusion at the Alabama Information Services Division (ISD) and outlined action items the state is currently following as part of a coordinated response.
ISD is a part of the Alabama Department of Finance and is responsible for information technology services for the state of Alabama. The state’s information technology (IT) network is deemed critical infrastructure and falls under the jurisdiction of the Alabama Department of Homeland Security (ALDHS).
After becoming suspicious of unusual activities, ISD employees self-detected that the firewall protecting the state's IT system had been breached. ISD employees subsequently notified ALDHS. Immediately, the Alabama Department of Homeland Security contacted state and federal authorities to open a criminal case.
Simultaneously, Director of ISD Jack Doane activated a computer emergency response team to confirm that an intrusion had taken place and formulate a plan to respond.
As the Director of Homeland Security and newly appointed Senior Law Enforcement Advisor, Director Collier initiated a confidential inquiry into this matter to determine if criminal action had taken place, to assess the initial damage, and to determine the steps necessary to properly address the incident.
According to Director Collier, "We are currently conducting an extensive inquiry with our state and federal partners who are experts in their field regarding cyber security. We are doing everything in our power to protect the evidence, maintain the confidentiality required in a case of this nature, and to prevent future intrusions.”
The Alabama Department of Finance has taken further action and has hired a leading information security company to assist in the investigation, help secure the system, and to institute tighter controls on access to eliminate the possibility of a future intrusion.
According to Jack Doane, “ISD and the computer emergency response team is working closely with the contractor on all remediation efforts. We have assembled the best team possible to preserve the evidence and to do the analysis regarding exactly what occurred. There is no way to estimate how long the forensics will take, but it could be weeks or months.”
The information regarding the cyber intrusion that is confirmed and available for public knowledge is as follows:
We know that someone:
- Obtained access into the state network, and
- Used this access to examine multiple computers within the network
We have evidence that:
- At least one server containing malware was used to gain access to the systems
In response to this attack, ISD:
- Immediately activated a computer emergency response team to monitor network activity and contain the threat
- Deployed additional firewalls to monitor and control access to State systems
- Consulted with local and federal officials and State Homeland Security to assist in the investigation; a criminal investigation is on-going
- Obtained the services of a national cyber security consulting firm to help collect and analyze attack data
- Began thoroughly examining Internet-accessible applications to ensure they are not vulnerable to future attack
Any detailed release of information pertaining to the scope of intrusion or the response measures used to remediate the vulnerabilities could negatively influence the investigation.
“While we are respectful of providing critical information to the public in a timely manner, this is an on going criminal investigation, and releasing sensitive information could jeopardize the process and outcome of the investigation,” Director Collier reiterated.