Stewart International Airport has a long history. In 1930 Thomas Stewart convinced his uncle to donate land to the city for an airport. In 1939 the U.S. Military Academy at West Point built the first airfield at Stewart, and in 1948 it became Stewart Air Force Base. In 1970 the State of New York bought it, and in 1989 American Airlines became the first commercial airline to offer service. It is now a cargo facility, a U.S. mail hub and an overflow New York City regional airport run by the Port Authority of New York and New Jersey.
Enough of the history lesson.
The airport, which is about an hour or two's drive north of Manhattan near Newburgh, NY, is in the news for a different and much less positive reason.
The airport was using a Buffalo network attached storage system to back up its servers. Unfortunately, this particular one was somehow made visible to the Internet, apparently, I assume, without the knowledge of the airport’s IT department, which consists of one person according to the researcher who found the drive.
On the drive were unprotected, unencrypted backups of the airport’s servers.
This includes hundreds of gigabytes of data like email, HR files, payroll, security documents, screening protocols – all the stuff that you would expect to find on a backup, but you would not expect to be connected to the Internet.
The data was exposed for a year, so who knows who might have that data now. Maybe there are firewall logs, but likely not. Even if there were, they likely were not kept long enough. That’s why the new New York financial services security regulation requires institutions to keep logs for at least five years.
Stewart has more than its share of high-profile arrivals. After all, it is highly unlikely you could shut down all traffic in and out of John F. Kennedy International for a VIP, but you could likely shut down Stewart for 30-60 minutes to build a secure corridor. Of course, the VIP plans were also in the backups.
Also in the backup was a file with a list of network passwords. The file was not encrypted.
In these days of saving money, the Port Authority has outsourced the operation of Stewart to a private company, AVPorts.
The less money AVPorts spends on overhead like security, the more profit for the company. AVPorts is privately owned, so we don’t know much about them, but they have operations all across the country, from Newark Liberty, Teterboro, Westchester County and New Haven on the East Coast to Moffett Field in California. As such, they ought to know better. However, these are all second or third tier properties and, I suspect, to make money, they watch their nickels and dimes carefully. If their customer (in this case, the Port Authority) doesn’t say in the contract that they have to do something, and their interpretation of the law says that it is not legally required, they might save money by not doing it. Hence, it appears, a one-person IT operation. I don’t care how good one person is, they are not going to have the bandwidth or expertise to deal with a complicated network.
For example, as a piece of critical infrastructure, they ought to be conducting third party, independent, penetration tests several times a year. Maybe they do and the testers, somehow, missed this. My guess is that there was neither a contractual nor a legal requirement to do one. A decent but not great one might cost $25k every time they did one and if it was not mandated, they might save a hundred thousand bucks a year.
Many of our clients are required to conduct penetration tests at least annually for a variety of contractual and legal reasons and my guess is, depending on what was on that network, they actually may be legally required to do so as well.
It is possible that they hired a totally incompetent penetration tester who completely missed a publicly accessible network attached storage array, but if so, that company needs to get out of the penetration testing business. Much more likely is that they did not hire anyone to do that.
Hackers do not play favorites. If you are vulnerable, you are fair game. These guys just happened to be unlucky.
It is not clear what the consequences of this breach will be. I suspect that it is unlikely that the Port Authority will cancel their contract. It is equally unlikely that there are even terms in the contract which would allow them to do that.
A couple of lessons here.
- Manage your third party vendors.
- Make sure you define the security requirements in your contracts.
- Trust. But verify that your vendors are doing what they say they are doing.
- For your own company, if you are not hiring outside, independent, third party penetration testers to try and hack into your network, you should consider doing so.
I suspect that all of the airport owners that have contracts with AVPorts are now considering their options.
And, even if you are not an AVPorts client, how sure are you that you don’t have a similar problem?
While spending money every year on third party penetration tests is expensive, the reputational damage alone to a company like AVPorts, never mind the hard costs, dwarfs the cost of a pen test by probably two to three ORDERS OF MAGNITUDE.
Just food for thought.