Um, not to be snarky, but a simple download, particularly if slow and mixed in with other traffic, most likely would not show up as an anomaly. The key indicator would more likely be the length of the session that initiated it...and the fact that there was an open port that allowed the download in the first place. But what would I know. I'm just a CISSP. Anyway, we both agree with the "WTF" nature of this mishap. Somebody at .gov needs a good slap.
“But what would I know. I’m just a CISSP. Anyway, we both agree with the “WTF” nature of this mishap. Somebody at .gov needs a good slap.”
I’m very happy for you. No, I don’t accept it as a mishap. Someone must have left the gate open for this.