Department Of Energy Cyberattack: 5 Takeaways

From: InformationWeek/Security

Mathew J. Schwartz

Exclusive: Outdated, unpatched system blamed for DOE breach, but agency said to be getting its cybersecurity house in order.

Is the Department of Energy (DOE) serious about cybersecurity? It appears to be doing better than most federal agencies, despite two high-profile breaches this year. What follows is a second-day look at what’s known about the latest breach, how it happened and what the agency might do to prevent future attacks.

First, some background. The DOE warned employees in an emailed memo earlier this month that information pertaining to 14,000 current and former employees had been compromised in a “cyber incident that occurred at the end of July.” Stolen information included personally identifying information (PII) in the form of names and social security numbers, according to a copy of the memo published by The Wall Street Journal.

“No classified data was targeted or compromised,” the memo read. “Once the full nature and extent of this incident is known, the department will implement a full remediation plan.” The agency promised that all affected employees would be notified individually by the end of August.

The July breach marked the second time this year that the DOE reported that online attackers had infiltrated its systems, following a February intrusion that officials said resulted in the theft of information pertaining to several hundred employees.

1. Source: Hack Involved Outdated System

According to a source close to the DOE, the system hacked in the July breach — which stored PII — was outdated, unpatched and easy pickings. “The form and style of this attack were not difficult to defend if you’re doing the basics of cybersecurity: knowing what’s on your network, knowing what your vulnerabilities are, doing good patch management and establishing mitigations against the places where you know you’re vulnerable,” the source said. “But you’ve got to start with knowing what’s on your network.”

A DOE spokeswoman, as well as the agency’s CTO, didn’t respond to multiple requests for comment — made over the past week via email and phone — about the breach and whether the agency plans to alter its approach to cybersecurity.

2. DOE Failed To Implement SANS Top 20

“Knowing what’s on your network” alludes to SANS Institute’s 20 Critical Security Controls for Effective Cyber Defense, which are widely considered to be the basic steps for every information security program. Put another way, the consensus is that organizations which fail to put those 20 controls in place can’t effectively defend themselves against attackers.

The No. 1 recommendation on the SANS Top 20 is to create an “inventory of authorized and unauthorized devices.” In other words, businesses and government agencies must know what’s on their network. If they don’t, then attempting to safeguard the network against intrusions becomes orders of magnitude more difficult.
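As an added illustration (not from the article, the DOE, or SANS), the following script shows what acting on control #1 looks like in practice: it reconciles constructed DHCP lease lines from a segment against a constructed authorized-inventory CSV, flagging devices nobody owns, inventoried hosts whose last patch date has lapsed (the "good patch management" point the source above makes), and inventory entries that were never seen on the wire. All MACs, hostnames and dates are made up.

```python
import csv, io, re
from datetime import date
# Constructed sample: the authorized asset inventory, as a CMDB might export it.
AUTHORIZED_INVENTORY = """mac,hostname,owner,last_patched
00:11:22:33:44:01,hr-db-01,it-ops,2013-07-28
00:11:22:33:44:02,web-portal,it-ops,2013-06-10
00:11:22:33:44:03,legacy-pii,unknown,2011-03-15
"""
# Constructed sample: what the DHCP server actually handed out on the PII segment.
DHCP_LEASES = """\
lease 10.0.5.21 { hardware ethernet 00:11:22:33:44:01; client-hostname "hr-db-01"; }
lease 10.0.5.22 { hardware ethernet 00:11:22:33:44:03; client-hostname "legacy-pii"; }
lease 10.0.5.40 { hardware ethernet AA:BB:CC:DD:EE:FF; client-hostname "unknown-laptop"; }
"""
LEASE_RE = re.compile(r'lease (\S+) \{ hardware ethernet ([0-9A-Fa-f:]{17});'
                      r'(?: client-hostname "([^"]*)";)?')

def parse_leases(text):
    """Map MAC -> (ip, hostname) for every lease line that parses."""
    seen = {}
    for ip, mac, host in LEASE_RE.findall(text):
        seen[mac.lower()] = (ip, host)
    return seen

def load_inventory(text):
    """Map MAC -> inventory row, with last_patched parsed to a date."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["last_patched"] = date.fromisoformat(row["last_patched"])
        rows[row["mac"].lower()] = row
    return rows

def reconcile(seen, inventory, as_of, max_age_days):
    """Bucket devices the way control #1 needs: unknown, overdue, and missing."""
    report = {"unauthorized": [], "stale_patch": [], "not_seen": []}
    for mac, (ip, host) in sorted(seen.items()):
        if mac not in inventory:          # on the wire, but nobody owns it
            report["unauthorized"].append((mac, ip, host))
            continue
        age = (as_of - inventory[mac]["last_patched"]).days
        if age > max_age_days:            # known box, but patching has lapsed
            report["stale_patch"].append((mac, inventory[mac]["hostname"], age))
    # Inventoried but absent: decommissioned, moved, or the inventory is wrong.
    report["not_seen"] = sorted(set(inventory) - set(seen))
    return report

def audit(as_of=date(2013, 8, 15), max_age_days=90):
    return reconcile(parse_leases(DHCP_LEASES),
                     load_inventory(AUTHORIZED_INVENTORY), as_of, max_age_days)
```

Feed real DHCP or ARP output and a real inventory export into the same two parsers and the report becomes a daily answer to "what's on your network".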
