Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/3/2013
04:52 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Energy Dept. Breach: Let's Get Back To Basics

What can lack of internal cooperation and insufficient IT resources add up to create? Unpatched servers.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
What does the recent Department of Energy data breach teach us? Based on the details InformationWeek has pieced together so far, it appears it's an old lesson: lack of internal cooperation, a lax IT security policy and insufficient resources.

As InformationWeek first reported on Aug. 30, a cyberattack on a DOE server "owned and maintained by the agency's Office of the Chief Financial Officer" compromised the names, dates of birth and social security numbers of 53,000 employees, according to an internal memo. What that statement suggests is that central IT wasn't managing the server.

In these wild and heady days in which Gartner has all but proclaimed central IT to be dead (and don't think that department heads haven't read the Spark Notes versions in the popular press), individual business units have almost tacit permission to buy their own servers and services without thinking about the implications. And this approach sounds practical enough, especially when business units are frustrated with IT for one reason or another. That is, until your organization (like the DOE) makes the wrong kind of headlines because of its lack of security oversight.

[ Who's really to blame for hack? Read Department Of Energy Cyberattack: 5 Takeaways. ]

Every organization has its own unique mission and culture, requiring its own unique balance between IT restrictiveness and freedom. Defining that balance takes time and cooperation between IT and non-IT stakeholders. Any time one or the other party has too much of a say in setting the ground rules, it will serve its own interests.

For most IT organizations, that one-sided control would mean total system lockdown. For most non-IT folks, it would mean turning off virus protection, posting passwords on computers … or standing up servers without giving much thought to ongoing security.

When I read that the version of ColdFusion being used by the DOE on its hacked server "remained outdated and vulnerable to known exploits," I could only conclude that the agency had gone outside of central IT. Yes, even central IT organizations were bad at patching software a few years ago, but it's hard for me to believe that any IT organization is that bad at patching nowadays.

Key to establishing a culture in which business units want to work with the IT organization is to move beyond compliance to cooperation. The trouble with compliance is that you'll spend most of your time updating your security policy to cover every loophole. Compliance is all about brute force. Cooperation happens as part of building an ongoing relationship and credibility, so that business units perceive IT as helpful instead of the bottleneck or roadblock.

So why, in the DOE case, didn't central IT detect an unpatched server and come in to save the day? Could a lack of IT resources have played a part in the breach?

Almost certainly. When IT organization are understaffed, underfunded or both, "optional" activities simply don't get done. Periodic audits of systems outside of IT's span of control are one of those activities.

But let's remember that central IT activities don't necessarily have to be funded by IT. In cases where the IT organization and business units have a strong relationship, I've seen units chip in for security audits specifically, as well as for data gathering, a phone system update, even a database redesign. It's yet another reason not to squander your social capital by applying overly restrictive, mother-may-I unilateral security policies.

No question, all organizations can be hacked; it's a matter of how hard we make it for the bad guys. For crying out loud, let's at least get the basics right to reduce the number of "unpatched server" breaches.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
9/6/2013 | 3:45:18 PM
re: Energy Dept. Breach: Let's Get Back To Basics
It also illustrates the danger inherent in "Shadow IT"
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
9/5/2013 | 6:44:15 PM
re: Energy Dept. Breach: Let's Get Back To Basics
Part of Adobe now, I think.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/4/2013 | 6:57:07 PM
re: Energy Dept. Breach: Let's Get Back To Basics
What's hard for those outside of government to appreciate is the convoluted web of relations that exist between IT management, IT contractors and their subcontractors, where often the roles are defined and established, but the people in those roles come and go on a regular basis. Overtime, you have a bunch of folks who either no longer own the problem, or aren't paid to deal with the problem. Throw in the turnover at the top that is part of the way government works, and its easy to see how an important function like this gets lost ...until something happens.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
9/4/2013 | 6:08:54 PM
re: Energy Dept. Breach: Let's Get Back To Basics
Ugh. It's 2013. This kind of lapse shouldn't happen any longer. There's just no excuse.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
9/4/2013 | 2:57:52 PM
re: Energy Dept. Breach: Let's Get Back To Basics
ColdFusion still exists?
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15132
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
CVE-2019-15133
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVE-2019-15134
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
CVE-2019-14937
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
CVE-2019-13069
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.