Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/3/2013
04:52 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Energy Dept. Breach: Let's Get Back To Basics

What can lack of internal cooperation and insufficient IT resources add up to create? Unpatched servers.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
What does the recent Department of Energy data breach teach us? Based on the details InformationWeek has pieced together so far, it appears it's an old lesson: lack of internal cooperation, a lax IT security policy and insufficient resources.

As InformationWeek first reported on Aug. 30, a cyberattack on a DOE server "owned and maintained by the agency's Office of the Chief Financial Officer" compromised the names, dates of birth and social security numbers of 53,000 employees, according to an internal memo. What that statement suggests is that central IT wasn't managing the server.

In these wild and heady days in which Gartner has all but proclaimed central IT to be dead (and don't think that department heads haven't read the Spark Notes versions in the popular press), individual business units have almost tacit permission to buy their own servers and services without thinking about the implications. And this approach sounds practical enough, especially when business units are frustrated with IT for one reason or another. That is, until your organization (like the DOE) makes the wrong kind of headlines because of its lack of security oversight.

[ Who's really to blame for hack? Read Department Of Energy Cyberattack: 5 Takeaways. ]

Every organization has its own unique mission and culture, requiring its own unique balance between IT restrictiveness and freedom. Defining that balance takes time and cooperation between IT and non-IT stakeholders. Any time one or the other party has too much of a say in setting the ground rules, it will serve its own interests.

For most IT organizations, that one-sided control would mean total system lockdown. For most non-IT folks, it would mean turning off virus protection, posting passwords on computers … or standing up servers without giving much thought to ongoing security.

When I read that the version of ColdFusion being used by the DOE on its hacked server "remained outdated and vulnerable to known exploits," I could only conclude that the agency had gone outside of central IT. Yes, even central IT organizations were bad at patching software a few years ago, but it's hard for me to believe that any IT organization is that bad at patching nowadays.

Key to establishing a culture in which business units want to work with the IT organization is to move beyond compliance to cooperation. The trouble with compliance is that you'll spend most of your time updating your security policy to cover every loophole. Compliance is all about brute force. Cooperation happens as part of building an ongoing relationship and credibility, so that business units perceive IT as helpful instead of the bottleneck or roadblock.

So why, in the DOE case, didn't central IT detect an unpatched server and come in to save the day? Could a lack of IT resources have played a part in the breach?

Almost certainly. When IT organization are understaffed, underfunded or both, "optional" activities simply don't get done. Periodic audits of systems outside of IT's span of control are one of those activities.

But let's remember that central IT activities don't necessarily have to be funded by IT. In cases where the IT organization and business units have a strong relationship, I've seen units chip in for security audits specifically, as well as for data gathering, a phone system update, even a database redesign. It's yet another reason not to squander your social capital by applying overly restrictive, mother-may-I unilateral security policies.

No question, all organizations can be hacked; it's a matter of how hard we make it for the bad guys. For crying out loud, let's at least get the basics right to reduce the number of "unpatched server" breaches.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
9/6/2013 | 3:45:18 PM
re: Energy Dept. Breach: Let's Get Back To Basics
It also illustrates the danger inherent in "Shadow IT"
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
9/5/2013 | 6:44:15 PM
re: Energy Dept. Breach: Let's Get Back To Basics
Part of Adobe now, I think.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/4/2013 | 6:57:07 PM
re: Energy Dept. Breach: Let's Get Back To Basics
What's hard for those outside of government to appreciate is the convoluted web of relations that exist between IT management, IT contractors and their subcontractors, where often the roles are defined and established, but the people in those roles come and go on a regular basis. Overtime, you have a bunch of folks who either no longer own the problem, or aren't paid to deal with the problem. Throw in the turnover at the top that is part of the way government works, and its easy to see how an important function like this gets lost ...until something happens.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
9/4/2013 | 6:08:54 PM
re: Energy Dept. Breach: Let's Get Back To Basics
Ugh. It's 2013. This kind of lapse shouldn't happen any longer. There's just no excuse.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
9/4/2013 | 2:57:52 PM
re: Energy Dept. Breach: Let's Get Back To Basics
ColdFusion still exists?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15256
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...
CVE-2020-15261
PUBLISHED: 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administr...
CVE-2020-6084
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
CVE-2020-6085
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
CVE-2020-10746
PUBLISHED: 2020-10-19
A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.