Comments
Energy Department Breach Years In Making, Investigators Say
Mathew
Mathew,
User Rank: Moderator
12/16/2013 | 4:54:55 AM
Re: Inspectors General
That's a great point, Wyatt. Kudos to the current DOE management -- including the CIO -- for not only calling for an investigation but also publishing the results of the related inquiry, as well as apparently getting needed fixes in place, finally.

Part of the reason this breach occurred is because past generations of DOE upper management allowed it to happen. They authorized the continued development of new applications that hooked into the outdated/insecure/Internet-accessible/unsuitable Adobe ColdFusion DOEInfo database. Fast-forward some years, and you have a breach waiting to happen.

Current DOE management inherited a mess. Should they have fixed it faster? That's open to debate. Regardless, credit where due: "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Alan Paller, director of research at the SANS Institute, told me earlier this year. (It's notable, of course, that this breach involved HQ, rather than one of the DOE's contract organizations. Meaning that it can't hide behind "business independence," because it's in charge and should be setting a standard that it expects everyone else to emulate.)

With luck, DOE's experience will spur other agencies to do what they should be doing: nuking outdated systems, replacing legacy integrations with modern connectors, eliminating outdated data stores, inventorying all enterprise applications (so they know what to secure) and documenting the name of the person inside the agency whose head will roll if a given application isn't kept updated/secure. For starters.
danielcawrey
danielcawrey,
User Rank: Ninja
12/14/2013 | 5:29:16 PM
Re: Breaches And Communication
This is something else. I hope that managers read this and see it as a wake-up call because it is evident that these types of breaches can cost an organization a lot of money. Maybe someone will learn from these mistakes and that in turn will prevent some sort of future breach which could have affected countless lives in terms of potential identity theft risks.
WKash
WKash,
User Rank: Author
12/13/2013 | 6:59:28 PM
Inspectors General
This report is certainly a cautionary tale about what happens when managers ignore advice and/or choose to underinvest.

But this report is also remarkable for another reason. It's something that you'll rarely see in the private sector. In fact, government agencies deserve more credit than they get for 1) maintaining inspectors on staff to investigate operating problems; and 2) for releasing the messy findings when they occur, as DOE's inspector general has -- and other agency inspectors general do on a regular basis.

It's not a lot of consolation for those whose private information was compromised. But take a moment to ponder: You don't see a report like this explaining why an Amazon regional cloud center went down or when a credit card processing company gets hacked.

Now let's hope DOE and other federal agencies learn from their mistakes.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Author
12/13/2013 | 3:32:47 PM
Re: Breaches And Communication
I wonder if the private sector is any better than this. I kinda doubt it. Anyone agree?
Laurianne
Laurianne,
User Rank: Author
12/13/2013 | 2:22:26 PM
Breaches And Communication
"On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities." That makes me squirm just thinking about it. But IT pros see this time and again -- complete failure to communicate.