Attacks/Breaches
8/27/2013
09:07 AM
50%
50%

Department Of Energy Cyberattack: 5 Takeaways

Exclusive: Outdated, unpatched system blamed for DOE breach, but agency said to be getting its cybersecurity house in order.

Is the Department of Energy (DOE) serious about cybersecurity? It appears to be doing better than most federal agencies, despite two high-profile breaches this year. What follows is a second-day look at what's known about the latest breach, how it happened and what the agency might do to prevent future attacks.

First, some background. The DOE warned employees in an emailed memo earlier this month that information pertaining to 14,000 current and former employees had been compromised in a "cyber incident that occurred at the end of July." Stolen information included personally identifying information (PII) in the form of names and social security numbers, according to a copy of the memo published by The Wall Street Journal.

"No classified data was targeted or compromised," the memo read. "Once the full nature and extent of this incident is known, the department will implement a full remediation plan." The agency promised that all affected employees would be notified individually by the end of August.

[ Want to know more about government security problems? See Most VA Privacy Breaches Trace To Paper, Not PCs. ]

The July breach marked the second time this year that the DOE reported that online attackers had infiltrated its systems, following a February intrusion that officials said resulted in the theft of information pertaining to several hundred employees.

1. Source: Hack Involved Outdated System

According to a source close to the DOE, the system hacked in the July breach -- which stored PII -- was outdated, unpatched and easy pickings. "The form and style of this attack were not difficult to defend if you're doing the basics of cybersecurity: knowing what's on your network, knowing what your vulnerabilities are, doing good patch management and establishing mitigations against the places where you know you're vulnerable," the source said. "But you've got to start with knowing what's on your network."

A DOE spokeswoman, as well as the agency's CTO, didn't respond to multiple requests for comment -- made over the past week via email and phone -- about the breach and whether the agency plans to alter its approach to cybersecurity.

2. DOE Failed To Implement SANS Top 20

"Knowing what's on your network" alludes to SANS Institute's 20 Critical Security Controls for Effective Cyber Defense, which are widely considered to be the basic steps for every information security program. Put another way, the consensus is that organizations which fail to put those 20 controls in place can't effectively defend themselves against attackers.

The No. 1 recommendation on the SANS Top 20 is to create an "inventory of authorized and unauthorized devices." In other words, businesses and government agencies must know what's on their network. If they don't, then attempting to safeguard the network against intrusions becomes orders of magnitude more difficult.

3. Why DOE Might Be Running Unpatched Systems

The above isn't rocket science. So how was an outdated, unpatched and apparently Internet-accessible system containing personal information on thousands of DOE employees -- some of whom work with cutting-edge nuclear secrets -- allowed to run on the agency's network?

One likely explanation: unclear lines of IT oversight and authority. The DOE, like all government agencies, comprises numerous internal departments and fiefdoms. Furthermore, most of the agency's budget comes from Congressional appropriations that flow to project offices; relatively little is directed to centralized functions. As a result, creating a top-down, "thou shalt comply" IT and patch management regime is difficult.

The IT picture is further complicated by the agency's oversight of 17 national laboratories (including Fermi National Accelerator Laboratory and Los Alamos National Laboratory) and 14 other facilities, including Bettis Atomic Power Laboratory, Kansas City Plant and the Yucca Mountain nuclear waste repository. The scale of those operations is highlighted by the fact that the DOE reportedly had about 16,000 employees as of 2009, and 93,000 contractors on the books as of 2008. (A DOE spokeswoman didn't respond to an emailed request for more up-to-date employment figures.)

All of those 30-plus labs and facilities are run by contractors, and they're arguably held to a higher information security standard than the DOE itself. To wit, the DOE's two most recent breaches didn't involve networks managed by labs or facilities, but rather infrastructure managed by DOE's in-house IT staff. No heads appear to be rolling at DOE, and no Congressional inquiry has begun. Would the same be true if those cybersecurity shortcomings were traced to a contractor?

4. Upside: DOE Leading On Agency Cybersecurity

Then again, Alan Paller, director of research at the SANS Institute, thinks the DOE's cybersecurity practices are quite good. "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Paller said in an email.

What might DOE be doing better? In general, he noted that at every government institution, paper-based policies and strategies too often trump hands-on security improvements.

5. Challenge: Improving Actual Security, Not Just Policies

Blame a widespread lack of hands-on cybersecurity skills across the federal government. "The great failing of DOE is that too many of its security officers do not have the technical mastery to implement the 20 [SANS] controls cost-effectively," Paller said. "They still are living in an era of compliance, where writing reports is more important than securing systems. This same affliction is found in most federal agencies, and I see DOE as among the better ones. It is that cyber-skills weakness, along with a lack of persuasion skills -- needed to get agency staff to take necessary action -- that leads to losses."

Again, Paller emphasized that this problem isn't unique to the DOE, which he lauded for having publicized the breaches. "You are not seeing most of the losses in the other agencies," he said. "DOE has led the way on being open."

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
8/28/2013 | 1:53:28 PM
re: Department Of Energy Cyberattack: 5 Takeaways
So the DOE is considered a leader among government agencies when it comes to security governance, yet it doesn't follow the most basic of steps.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
8/28/2013 | 1:55:28 PM
re: Department Of Energy Cyberattack: 5 Takeaways
When a breach like this is self-reported by the agency, that could as easily mean they're being more vigilant than others who might let these things go undetected.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.