Energy Department Breach Years In Making, Investigators Say - InformationWeek
User Rank: Moderator
12/16/2013 | 4:54:55 AM
Re: Inspectors General
That's a great point, Wyatt. Kudos to the current DOE management -- including the CIO -- for not only calling for an investigation but also publishing the results of the related inquiry, as well as apparently getting needed fixes in place, finally.

Part of the reason this breach occurred is because past generations of DOE upper management allowed it to happen. They authorized the continued development of new applications that hooked into the outdated/insecure/Internet-accessible/unsuitable Adobe ColdFusion DOEInfo database. Fast-forward some years, and you have a breach waiting to happen.

Current DOE management inherited a mess. Should they have fixed it faster? That's open to debate. Regardless, credit where due: "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Alan Paller, director of research at the SANS Institute, told me earlier this year. (It's notable, of course, that this breach involved HQ, rather than one of the DOE's contract organizations. Meaning that it can't hide behind "business independence," because it's in charge and should be setting a standard that it expects everyone else to emulate.)

With luck, DOE's experience will spur other agencies to do what they should be doing: nuking outdated systems, replacing legacy integrations with modern connectors, eliminating outdated data stores, inventorying all enterprise applications (so they know what to secure) and documenting the name of the person inside the agency whose head will roll if a given application isn't kept updated/secure. For starters.
User Rank: Ninja
12/14/2013 | 5:29:16 PM
Re: Breaches And Communication
This is something else. I hope that managers read this and see it as a wake-up call because it is evident that these types of breaches can cost an organization a lot of money. Maybe someone will learn from these mistakes and that in turn will prevent some sort of future breach which could have affected countless lives in terms of potential identity theft risks.
User Rank: Author
12/13/2013 | 6:59:28 PM
Inspectors General
This report is certainly a cautionary tale about what happens when managers ignore advice and/or choose to underinvest.

But this report is also remarkable for another reason. It's something that you'll rarely see in the private sector. In fact, government agencies deserve more credit than they get for 1) maintaining inspectors on staff to investigate operating problems; and 2) releasing the messy findings when they occur, as DOE's inspector general has -- and other agency inspectors general do on a regular basis.

It's not a lot of consolation for those whose private information was compromised. But take a moment to ponder: You don't see a report like this explaining why an Amazon regional cloud center went down or how a credit card processing company got hacked.

Now let's hope DOE and other federal agencies learn from their mistakes.

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Author
12/13/2013 | 3:32:47 PM
Re: Breaches And Communication
I wonder if the private sector is any better than this. I kinda doubt it. Anyone agree?
User Rank: Author
12/13/2013 | 2:22:26 PM
Breaches And Communication
"On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities." That makes me squirm just thinking about it. But IT pros see this time and again -- complete failure to communicate.