Risk
9/3/2013
04:52 PM

Energy Dept. Breach: Let's Get Back To Basics

What can lack of internal cooperation and insufficient IT resources add up to create? Unpatched servers.

What does the recent Department of Energy data breach teach us? Based on the details InformationWeek has pieced together so far, it appears it's an old lesson: lack of internal cooperation, a lax IT security policy and insufficient resources.

As InformationWeek first reported on Aug. 30, a cyberattack on a DOE server "owned and maintained by the agency's Office of the Chief Financial Officer" compromised the names, dates of birth and Social Security numbers of 53,000 employees, according to an internal memo. What that statement suggests is that central IT wasn't managing the server.

In these wild and heady days in which Gartner has all but proclaimed central IT to be dead (and don't think that department heads haven't read the Spark Notes versions in the popular press), individual business units have almost tacit permission to buy their own servers and services without thinking about the implications. And this approach sounds practical enough, especially when business units are frustrated with IT for one reason or another. That is, until your organization (like the DOE) makes the wrong kind of headlines because of its lack of security oversight.


Every organization has its own unique mission and culture, requiring its own unique balance between IT restrictiveness and freedom. Defining that balance takes time and cooperation between IT and non-IT stakeholders. Any time one or the other party has too much of a say in setting the ground rules, it will serve its own interests.

For most IT organizations, that one-sided control would mean total system lockdown. For most non-IT folks, it would mean turning off virus protection, posting passwords on computers … or standing up servers without giving much thought to ongoing security.

When I read that the version of ColdFusion being used by the DOE on its hacked server "remained outdated and vulnerable to known exploits," I could only conclude that the agency had gone outside of central IT. Yes, even central IT organizations were bad at patching software a few years ago, but it's hard for me to believe that any IT organization is that bad at patching nowadays.

Key to establishing a culture in which business units want to work with the IT organization is to move beyond compliance to cooperation. The trouble with compliance is that you'll spend most of your time updating your security policy to cover every loophole. Compliance is all about brute force. Cooperation happens as part of building an ongoing relationship and credibility, so that business units perceive IT as helpful instead of the bottleneck or roadblock.

So why, in the DOE case, didn't central IT detect an unpatched server and come in to save the day? Could a lack of IT resources have played a part in the breach?

Almost certainly. When IT organizations are understaffed, underfunded or both, "optional" activities simply don't get done. Periodic audits of systems outside of IT's span of control are one of those activities.

But let's remember that central IT activities don't necessarily have to be funded by IT. In cases where the IT organization and business units have a strong relationship, I've seen units chip in for security audits specifically, as well as for data gathering, a phone system update, even a database redesign. It's yet another reason not to squander your social capital by applying overly restrictive, mother-may-I unilateral security policies.

No question, all organizations can be hacked; it's a matter of how hard we make it for the bad guys. For crying out loud, let's at least get the basics right to reduce the number of "unpatched server" breaches.

Comments
Lorna Garey, User Rank: Ninja
9/6/2013 | 3:45:18 PM
It also illustrates the danger inherent in "Shadow IT"
RobPreston, User Rank: Apprentice
9/5/2013 | 6:44:15 PM
Part of Adobe now, I think.
WKash, User Rank: Apprentice
9/4/2013 | 6:57:07 PM
What's hard for those outside of government to appreciate is the convoluted web of relations that exist between IT management, IT contractors and their subcontractors, where often the roles are defined and established, but the people in those roles come and go on a regular basis. Over time, you have a bunch of folks who either no longer own the problem, or aren't paid to deal with the problem. Throw in the turnover at the top that is part of the way government works, and it's easy to see how an important function like this gets lost ... until something happens.
OtherJimDonahue, User Rank: Apprentice
9/4/2013 | 6:08:54 PM
Ugh. It's 2013. This kind of lapse shouldn't happen any longer. There's just no excuse.
Lorna Garey, User Rank: Ninja
9/4/2013 | 2:57:52 PM
ColdFusion still exists?