8/27/2013 09:07 AM
Department Of Energy Cyberattack: 5 Takeaways

Exclusive: Outdated, unpatched system blamed for DOE breach, but agency said to be getting its cybersecurity house in order.

Is the Department of Energy (DOE) serious about cybersecurity? It appears to be doing better than most federal agencies, despite two high-profile breaches this year. What follows is a second-day look at what's known about the latest breach, how it happened and what the agency might do to prevent future attacks.

First, some background. The DOE warned employees in an emailed memo earlier this month that information pertaining to 14,000 current and former employees had been compromised in a "cyber incident that occurred at the end of July." Stolen information included personally identifying information (PII) in the form of names and Social Security numbers, according to a copy of the memo published by The Wall Street Journal.

"No classified data was targeted or compromised," the memo read. "Once the full nature and extent of this incident is known, the department will implement a full remediation plan." The agency promised that all affected employees would be notified individually by the end of August.


The July breach marked the second time this year that the DOE reported that online attackers had infiltrated its systems, following a February intrusion that officials said resulted in the theft of information pertaining to several hundred employees.

1. Source: Hack Involved Outdated System

According to a source close to the DOE, the system hacked in the July breach -- which stored PII -- was outdated, unpatched and easy pickings. "The form and style of this attack were not difficult to defend if you're doing the basics of cybersecurity: knowing what's on your network, knowing what your vulnerabilities are, doing good patch management and establishing mitigations against the places where you know you're vulnerable," the source said. "But you've got to start with knowing what's on your network."

A DOE spokeswoman, as well as the agency's CTO, didn't respond to multiple requests for comment -- made over the past week via email and phone -- about the breach and whether the agency plans to alter its approach to cybersecurity.

2. DOE Failed To Implement SANS Top 20

"Knowing what's on your network" alludes to SANS Institute's 20 Critical Security Controls for Effective Cyber Defense, which are widely considered to be the basic steps for every information security program. Put another way, the consensus is that organizations which fail to put those 20 controls in place can't effectively defend themselves against attackers.

The No. 1 recommendation on the SANS Top 20 is to create an "inventory of authorized and unauthorized devices." In other words, businesses and government agencies must know what's on their network. If they don't, then attempting to safeguard the network against intrusions becomes orders of magnitude more difficult.
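As an added illustration of that first control (this is not code from the article, the SANS Institute or the DOE), the following Python script reconciles observed DHCP leases against an authorized asset inventory and also flags authorized hosts whose last patch date is older than a threshold; the MAC addresses, hostnames, IPs and dates are constructed sample data.

```python
"""Reconcile what is actually on the network against the authorized inventory
(SANS Critical Control #1) and flag stale patching on the hosts that are present."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    mac: str
    hostname: str
    owner: str
    last_patched: date


# Constructed sample inventory: what the organization believes is on its network.
AUTHORIZED = [
    Asset("00:1a:2b:3c:4d:01", "hr-db01", "HR IT", date(2013, 8, 20)),
    Asset("00:1a:2b:3c:4d:02", "web-portal", "OCIO", date(2013, 1, 10)),
    Asset("00:1a:2b:3c:4d:03", "fileserver", "OCIO", date(2013, 8, 1)),
]

# Constructed sample DHCP lease lines: "<ip> <mac> <hostname>" (hypothetical format).
OBSERVED_LEASES = """\
10.0.5.11 00:1a:2b:3c:4d:01 hr-db01
10.0.5.12 00:1a:2b:3c:4d:02 web-portal
10.0.5.40 00:1a:2b:3c:4d:99 legacy-pii-app
"""

REPORT_DATE = date(2013, 8, 27)  # constructed "today" for the patch-age check


def parse_leases(text):
    """Return {mac: (ip, hostname)} from the constructed lease lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ip, mac, host = parts
            seen[mac.lower()] = (ip, host)
    return seen


def reconcile(authorized, observed, today, max_patch_age_days=30):
    """Return unauthorized MACs, authorized-but-absent MACs and stale-patched hosts."""
    by_mac = {a.mac.lower(): a for a in authorized}
    unauthorized = sorted(m for m in observed if m not in by_mac)
    missing = sorted(m for m in by_mac if m not in observed)
    stale = sorted(a.hostname for m, a in by_mac.items()
                   if m in observed and (today - a.last_patched).days > max_patch_age_days)
    return {"unauthorized": unauthorized, "missing": missing, "stale_patch": stale}


def build_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(AUTHORIZED, parse_leases(OBSERVED_LEASES), REPORT_DATE)


if __name__ == "__main__":
    for finding, items in build_report().items():
        print(f"{finding}: {items}")
```

The unauthorized entry is the case the article describes: a host holding PII that nobody had on the books, so nobody was patching it.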

3. Why DOE Might Be Running Unpatched Systems

The above isn't rocket science. So how was an outdated, unpatched and apparently Internet-accessible system containing personal information on thousands of DOE employees -- some of whom work with cutting-edge nuclear secrets -- allowed to run on the agency's network?

One likely explanation: unclear lines of IT oversight and authority. The DOE, like all government agencies, comprises numerous internal departments and fiefdoms. Furthermore, most of the agency's budget comes from Congressional appropriations that flow to project offices; relatively little is directed to centralized functions. As a result, creating a top-down, "thou shalt comply" IT and patch management regime is difficult.

The IT picture is further complicated by the agency's oversight of 17 national laboratories (including Fermi National Accelerator Laboratory and Los Alamos National Laboratory) and 14 other facilities, including Bettis Atomic Power Laboratory, Kansas City Plant and the Yucca Mountain nuclear waste repository. The scale of those operations is highlighted by the fact that the DOE reportedly had about 16,000 employees as of 2009, and 93,000 contractors on the books as of 2008. (A DOE spokeswoman didn't respond to an emailed request for more up-to-date employment figures.)

All of those 30-plus labs and facilities are run by contractors, and they're arguably held to a higher information security standard than the DOE itself. To wit, the DOE's two most recent breaches didn't involve networks managed by labs or facilities, but rather infrastructure managed by DOE's in-house IT staff. No heads appear to be rolling at DOE, and no Congressional inquiry has begun. Would the same be true if those cybersecurity shortcomings were traced to a contractor?

4. Upside: DOE Leading On Agency Cybersecurity

Then again, Alan Paller, director of research at the SANS Institute, thinks the DOE's cybersecurity practices are quite good. "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Paller said in an email.

What might DOE be doing better? In general, he noted that at every government institution, paper-based policies and strategies too often trump hands-on security improvements.

5. Challenge: Improving Actual Security, Not Just Policies

Blame a widespread lack of hands-on cybersecurity skills across the federal government. "The great failing of DOE is that too many of its security officers do not have the technical mastery to implement the 20 [SANS] controls cost-effectively," Paller said. "They still are living in an era of compliance, where writing reports is more important than securing systems. This same affliction is found in most federal agencies, and I see DOE as among the better ones. It is that cyber-skills weakness, along with a lack of persuasion skills -- needed to get agency staff to take necessary action -- that leads to losses."

Again, Paller emphasized that this problem isn't unique to the DOE, which he lauded for having publicized the breaches. "You are not seeing most of the losses in the other agencies," he said. "DOE has led the way on being open."

Comments

David F. Carr, 8/28/2013 1:55:28 PM
re: Department Of Energy Cyberattack: 5 Takeaways
When a breach like this is self-reported by the agency, that could as easily mean they're being more vigilant than others who might let these things go undetected.

RobPreston, 8/28/2013 1:53:28 PM
re: Department Of Energy Cyberattack: 5 Takeaways
So the DOE is considered a leader among government agencies when it comes to security governance, yet it doesn't follow the most basic of steps.