BreachExchange mailing list archives

Data breach exposes Energy Department's 'continuing story of negligence'


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Fri, 15 Feb 2013 16:28:39 -0500

http://www.infoworld.com/t/hacking/data-breach-exposes-energy-departments-continuing-story-of-negligence-212246

The U.S. Department of Energy has admitted that unidentified malicious
hackers successfully breached 14 of its servers and 20 of its
workstations two weeks ago, making off with personal information
belonging to several hundred employees. The department's assurances
that "no classified data was compromised" come as little comfort,
however, considering the department's spotty security history.

"It's a continuing story of negligence," Ed McCallum, former director
of the department's office of safeguards and security, told the Free
Beacon. "[The department] is on the cutting edge of some of the most
sophisticated military and intelligence technology the country owns
and it is being treated frivolously by the Department of Energy and
its political masters."

Late last year, an audit of the Department of Energy revealed that 58
percent of the department's computers were running OSes or
applications that hadn't been patched against known vulnerabilities.
Similarly, at least 157 of the department's network systems were in
need of patching, and 41 servers were running OSes no longer supported
by vendors.

Examiners identified server vulnerabilities "that could have resulted
in a compromise of business information or unauthorized access to
critical application functionality and data, as well as loss or
disruptions of critical operations," the audit said.

In a letter to employees and contractors sent out last Friday, the
Department of Energy said it would notify individuals whose sensitive
information had been stolen to help protect them from identity theft.
The letter also said the department was "leading an aggressive effort
to reduce the likelihood of these events occurring again."

The letter noted "cybersecurity is a shared responsibility" and asked
employees to adhere to a couple of "best practices": encrypting all
files and emails containing PII (personally identifiable information)
or sensitive information, and avoiding storing or emailing
non-government-related PII on DOE network computers.

Authorities may wish department employees were well versed in
identifying phishing attacks as well. Malicious hackers have been
known to use stolen personal data to dupe users into giving up their
passwords or opening a malware-infected document. From there, it's a
matter of time before a persistent and sufficiently skilled hacker can
wreak havoc, whether overtly by defacing Web pages and deleting data
or covertly snooping and stealing data via an APT (advanced persistent
threat). The prospect of the DOE being hit with an APT is particularly
troubling, considering it oversees the National Nuclear Security
Administration, which manages the U.S. nuclear weapons stockpile.

Here's hoping the DOE -- along with other governmental agencies,
financial institutions, and utilities -- wakes up quickly to the fact
that the United States is engaged in an unseen, all-out cyber war.

This article, "Data breach exposes Energy Department's 'continuing
story of negligence'," was originally published at InfoWorld.com.