Risk
9/3/2013
04:52 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Energy Dept. Breach: Let's Get Back To Basics

What can lack of internal cooperation and insufficient IT resources add up to create? Unpatched servers.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
What does the recent Department of Energy data breach teach us? Based on the details InformationWeek has pieced together so far, it appears it's an old lesson: lack of internal cooperation, a lax IT security policy and insufficient resources.

As InformationWeek first reported on Aug. 30, a cyberattack on a DOE server "owned and maintained by the agency's Office of the Chief Financial Officer" compromised the names, dates of birth and social security numbers of 53,000 employees, according to an internal memo. What that statement suggests is that central IT wasn't managing the server.

In these wild and heady days in which Gartner has all but proclaimed central IT to be dead (and don't think that department heads haven't read the Spark Notes versions in the popular press), individual business units have almost tacit permission to buy their own servers and services without thinking about the implications. And this approach sounds practical enough, especially when business units are frustrated with IT for one reason or another. That is, until your organization (like the DOE) makes the wrong kind of headlines because of its lack of security oversight.

[ Who's really to blame for hack? Read Department Of Energy Cyberattack: 5 Takeaways. ]

Every organization has its own unique mission and culture, requiring its own unique balance between IT restrictiveness and freedom. Defining that balance takes time and cooperation between IT and non-IT stakeholders. Any time one or the other party has too much of a say in setting the ground rules, it will serve its own interests.

For most IT organizations, that one-sided control would mean total system lockdown. For most non-IT folks, it would mean turning off virus protection, posting passwords on computers … or standing up servers without giving much thought to ongoing security.

When I read that the version of ColdFusion being used by the DOE on its hacked server "remained outdated and vulnerable to known exploits," I could only conclude that the agency had gone outside of central IT. Yes, even central IT organizations were bad at patching software a few years ago, but it's hard for me to believe that any IT organization is that bad at patching nowadays.

Key to establishing a culture in which business units want to work with the IT organization is to move beyond compliance to cooperation. The trouble with compliance is that you'll spend most of your time updating your security policy to cover every loophole. Compliance is all about brute force. Cooperation happens as part of building an ongoing relationship and credibility, so that business units perceive IT as helpful instead of the bottleneck or roadblock.

So why, in the DOE case, didn't central IT detect an unpatched server and come in to save the day? Could a lack of IT resources have played a part in the breach?

Almost certainly. When IT organization are understaffed, underfunded or both, "optional" activities simply don't get done. Periodic audits of systems outside of IT's span of control are one of those activities.

But let's remember that central IT activities don't necessarily have to be funded by IT. In cases where the IT organization and business units have a strong relationship, I've seen units chip in for security audits specifically, as well as for data gathering, a phone system update, even a database redesign. It's yet another reason not to squander your social capital by applying overly restrictive, mother-may-I unilateral security policies.

No question, all organizations can be hacked; it's a matter of how hard we make it for the bad guys. For crying out loud, let's at least get the basics right to reduce the number of "unpatched server" breaches.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
9/6/2013 | 3:45:18 PM
re: Energy Dept. Breach: Let's Get Back To Basics
It also illustrates the danger inherent in "Shadow IT"
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
9/5/2013 | 6:44:15 PM
re: Energy Dept. Breach: Let's Get Back To Basics
Part of Adobe now, I think.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/4/2013 | 6:57:07 PM
re: Energy Dept. Breach: Let's Get Back To Basics
What's hard for those outside of government to appreciate is the convoluted web of relations that exist between IT management, IT contractors and their subcontractors, where often the roles are defined and established, but the people in those roles come and go on a regular basis. Overtime, you have a bunch of folks who either no longer own the problem, or aren't paid to deal with the problem. Throw in the turnover at the top that is part of the way government works, and its easy to see how an important function like this gets lost ...until something happens.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
9/4/2013 | 6:08:54 PM
re: Energy Dept. Breach: Let's Get Back To Basics
Ugh. It's 2013. This kind of lapse shouldn't happen any longer. There's just no excuse.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
9/4/2013 | 2:57:52 PM
re: Energy Dept. Breach: Let's Get Back To Basics
ColdFusion still exists?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.