Risk
9/3/2013
04:52 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Energy Dept. Breach: Let's Get Back To Basics

What can lack of internal cooperation and insufficient IT resources add up to create? Unpatched servers.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
What does the recent Department of Energy data breach teach us? Based on the details InformationWeek has pieced together so far, it appears it's an old lesson: lack of internal cooperation, a lax IT security policy and insufficient resources.

As InformationWeek first reported on Aug. 30, a cyberattack on a DOE server "owned and maintained by the agency's Office of the Chief Financial Officer" compromised the names, dates of birth and social security numbers of 53,000 employees, according to an internal memo. What that statement suggests is that central IT wasn't managing the server.

In these wild and heady days in which Gartner has all but proclaimed central IT to be dead (and don't think that department heads haven't read the Spark Notes versions in the popular press), individual business units have almost tacit permission to buy their own servers and services without thinking about the implications. And this approach sounds practical enough, especially when business units are frustrated with IT for one reason or another. That is, until your organization (like the DOE) makes the wrong kind of headlines because of its lack of security oversight.

[ Who's really to blame for hack? Read Department Of Energy Cyberattack: 5 Takeaways. ]

Every organization has its own unique mission and culture, requiring its own unique balance between IT restrictiveness and freedom. Defining that balance takes time and cooperation between IT and non-IT stakeholders. Any time one or the other party has too much of a say in setting the ground rules, it will serve its own interests.

For most IT organizations, that one-sided control would mean total system lockdown. For most non-IT folks, it would mean turning off virus protection, posting passwords on computers … or standing up servers without giving much thought to ongoing security.

When I read that the version of ColdFusion being used by the DOE on its hacked server "remained outdated and vulnerable to known exploits," I could only conclude that the agency had gone outside of central IT. Yes, even central IT organizations were bad at patching software a few years ago, but it's hard for me to believe that any IT organization is that bad at patching nowadays.

Key to establishing a culture in which business units want to work with the IT organization is to move beyond compliance to cooperation. The trouble with compliance is that you'll spend most of your time updating your security policy to cover every loophole. Compliance is all about brute force. Cooperation happens as part of building an ongoing relationship and credibility, so that business units perceive IT as helpful instead of the bottleneck or roadblock.

So why, in the DOE case, didn't central IT detect an unpatched server and come in to save the day? Could a lack of IT resources have played a part in the breach?

Almost certainly. When IT organization are understaffed, underfunded or both, "optional" activities simply don't get done. Periodic audits of systems outside of IT's span of control are one of those activities.

But let's remember that central IT activities don't necessarily have to be funded by IT. In cases where the IT organization and business units have a strong relationship, I've seen units chip in for security audits specifically, as well as for data gathering, a phone system update, even a database redesign. It's yet another reason not to squander your social capital by applying overly restrictive, mother-may-I unilateral security policies.

No question, all organizations can be hacked; it's a matter of how hard we make it for the bad guys. For crying out loud, let's at least get the basics right to reduce the number of "unpatched server" breaches.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
9/6/2013 | 3:45:18 PM
re: Energy Dept. Breach: Let's Get Back To Basics
It also illustrates the danger inherent in "Shadow IT"
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
9/5/2013 | 6:44:15 PM
re: Energy Dept. Breach: Let's Get Back To Basics
Part of Adobe now, I think.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/4/2013 | 6:57:07 PM
re: Energy Dept. Breach: Let's Get Back To Basics
What's hard for those outside of government to appreciate is the convoluted web of relations that exist between IT management, IT contractors and their subcontractors, where often the roles are defined and established, but the people in those roles come and go on a regular basis. Overtime, you have a bunch of folks who either no longer own the problem, or aren't paid to deal with the problem. Throw in the turnover at the top that is part of the way government works, and its easy to see how an important function like this gets lost ...until something happens.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
9/4/2013 | 6:08:54 PM
re: Energy Dept. Breach: Let's Get Back To Basics
Ugh. It's 2013. This kind of lapse shouldn't happen any longer. There's just no excuse.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
9/4/2013 | 2:57:52 PM
re: Energy Dept. Breach: Let's Get Back To Basics
ColdFusion still exists?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.