
Human and tech flaws caused data hemorrhage from Dept of Energy. Let's learn from their mistakes in 2014.

14:30 CET on the 7th January 2014
Entry written by Marcelo Pereira, Business Developer.

As we embark on a new year, I can’t help wondering if 2014 will bring improvements in how we protect our businesses against IT security threats.
At the close of 2013, the US Department of Energy released an interesting and unusual report about a security breach made possible by the exploitation of a vulnerability in their Management Information System (MIS). The breach caused the theft of identifiable personal data from over 104,000 individuals.

The findings in the report should not come as a surprise to security specialists and information security professionals. Yet it is striking how, despite the awareness of IT security issues in connection with privacy, business continuity, operational security and intellectual property, we continue to see breaches caused by the exploitation of basic configuration flaws and publicly known vulnerabilities.

The disclosure of the details of the breach provides us with an autopsy which displays the "enablers" – the human and technological system weaknesses – and describes the internal and external impacts.

"While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease. The attackers in this case were able to use exploits commonly available on the internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data – information that could be used to damage the financial and personal interests of many individuals."
- Department of Energy's July 2013 Cyber Security Breach, page 3


I see this report as a major contribution to the security community because it provides an in-depth analysis of the events that led to the breach, and does so with unusual candor. After all, we all know that breaches occur. We all know that they have an impact on businesses – financial and otherwise. In the case of the Department of Energy:

"(…)the Department estimated it would spend approximately $1.6 million for credit monitoring and labor costs (…)the Secretary authorized the use of up to 4 hours of administrative leave to all affected Federal employees to take action to correct issues associated with the event, an action we estimate could cost the Department an additional $2.1 million in lost productivity. Morale and reputational issues associated with the breach also have an adverse impact upon the Department."
- Department of Energy's July 2013 Cyber Security Breach, page 3-4.

Still, very few organizations are this open about their breaches, and not just from an external communications standpoint. Many do not discuss the problem internally, either. One consequence of the guardedness that is commonplace in industries and enterprises is a general assumption that breaches won't happen, and a belief that the security technology we buy automatically keeps us protected and does not require our involvement.

Reading the report makes it very clear that organizations that ignore risk and take a lackadaisical approach to security do so at their own peril. The case contains all the elements that challenge organizations of all sizes when it comes to information technology security:

  • Internal misalignment which impairs decision making and accountability
  • Competing priorities which lead to delays in assessing and updating security-critical applications
  • Fragmented infrastructure which comprises a labyrinth of technologies and systems hooked up in precarious – and sometimes mysterious – ways
  • Lack of security training and awareness among administrators and users who unintentionally open doors to machines and thereby to networks
  • Poor communication and coordination which lead to misunderstandings and to actions not being taken in a timely manner
  • Undocumented processes which make it almost impossible to maintain and report security levels

The list is long.

The report is a strong call to business leaders to turn their eyes to the importance of prioritizing the security of their IT environments. But it is not so much a call to look at complex or sophisticated security controls. Rather, it is a cue to take one or two steps back, and pay attention to the very basics of how to secure an infrastructure: planning, policy definition and implementation, assessment, patching, configuration and change management.

So, in 2014, I hope we learn from this case and start changing our organizations to adopt a better information security posture. We can start by getting all hands on deck to assess the vulnerabilities currently affecting us!

Stay Secure,
Marcelo Pereira

 


Attend the Secunia webinar on the DoE security breach on February 4th 2014:
Autopsy of a Data Breach – Common Mistakes That Lead to Breaches

Read the report from the Department of Energy:
Department of Energy's July 2013 Cyber Security Breach,
December 2013

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144