Energy Department Breach Years In Making, Investigators Say - InformationWeek


Mathew,
User Rank: Moderator
12/16/2013 | 4:54:55 AM
Re: Inspectors General
That's a great point, Wyatt. Kudos to the current DOE management -- including the CIO -- for not only calling for an investigation but also publishing the results of the related inquiry, as well as apparently getting needed fixes in place, finally.

Part of the reason this breach occurred is because past generations of DOE upper management allowed it to happen. They authorized the continued development of new applications that hooked into the outdated/insecure/Internet-accessible/unsuitable Adobe ColdFusion DOEInfo database. Fast-forward some years, and you have a breach waiting to happen.

Current DOE management inherited a mess. Should they have fixed it faster? That's open to debate. Regardless, credit where due: "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Alan Paller, director of research at the SANS Institute, told me earlier this year. (It's notable, of course, that this breach involved HQ, rather than one of the DOE's contract organizations. Meaning that it can't hide behind "business independence," because it's in charge and should be setting a standard that it expects everyone else to emulate.)

With luck, DOE's experience will spur other agencies to do what they should be doing: nuking outdated systems, replacing legacy integrations with modern connectors, eliminating outdated data stores, inventorying all enterprise applications (so they know what to secure) and documenting the name of the person inside the agency whose head will roll if a given application isn't kept updated/secure. For starters.
danielcawrey,
User Rank: Ninja
12/14/2013 | 5:29:16 PM
Re: Breaches And Communication
This is something else. I hope that managers read this and see it as a wake-up call because it is evident that these types of breaches can cost an organization a lot of money. Maybe someone will learn from these mistakes and that in turn will prevent some sort of future breach which could have affected countless lives in terms of potential identity theft risks.
WKash,
User Rank: Author
12/13/2013 | 6:59:28 PM
Inspectors General
This report is certainly a cautionary tale about what happens when managers ignore advice and/or choose to underinvest.

But this report is also remarkable for another reason. It's something that you'll rarely see in the private sector. In fact, government agencies deserve more credit than they get for 1) maintaining inspectors on staff to investigate operating problems; and 2) for releasing the messy findings when they occur, as DOE's inspector general has -- and other agency inspectors general do on a regular basis.

It's not a lot of consolation for those whose private information was compromised. But take a moment to ponder: You don't see a report like this explaining why an Amazon regional cloud center went down or when a credit card processing company gets hacked.

Now let's hope DOE and other federal agencies learn from their mistakes.
Marilyn Cohodas,
User Rank: Author
12/13/2013 | 3:32:47 PM
Re: Breaches And Communication
I wonder if the private sector is any better than this. I kinda doubt it. Anyone agree?
Laurianne,
User Rank: Author
12/13/2013 | 2:22:26 PM
Breaches And Communication
"On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities." That makes me squirm just thinking about it. But IT pros see this time and again -- complete failure to communicate.