recommended reading

Energy IG Reports Dating to 2009 Foreshadowed Hack That Hit 104,000

Lisa S./Shutterstock.com

Before computer attackers in July breached Energy Department personnel systems, federal inspectors for years had been warning officials about unencrypted sensitive data and urging them to fix application vulnerabilities -- failings that ultimately would lead to the hack of sensitive information on 104,179 individuals, according to a Nextgov review of annual cybersecurity evaluations.  

An inspector general special report  issued on Friday determined that the inability to fix known entry points for hackers made possible a July intrusion into the DOE Employee Data Repository, or DOEInfo, the main Rolodex of records on employees, relatives and contractors. The outsiders stole names, Social Security numbers, banking information, and password questions and answers, among other personal data.

"Critical security vulnerabilities in certain software supporting the [management information system] application had not been patched or otherwise hardened for a number of years," the report stated, referring to the system that connects to DOEInfo. "No efforts had been undertaken to eliminate the unnecessary use of Social Security numbers in the existing DOEInfo database tables even though the requirement to do so was over 5 years old."

Among the potential doorways for hackers cited in an August 2009 IG report is that sensitive information on laptops and handhelds, as well as data sent by email, was not always encrypted. Energy officials also permit unencrypted files to be transmitted to offsite storage facilities.

A similar IG evaluation from October 2011 revealed network weaknesses had spiked 60 percent between fiscal 2010 and fiscal 2011. The security gaps documented included lax access controls and software defects.

Inspectors examining this summer's assault said they could not identify a single fatal flaw, but found several weaknesses that assisted the hackers, many of which, old IG reports show, were flagged previously.

Ultimately, the attackers crept in by using “exploits commonly available on the Internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data -- information that could be used to damage the financial and personal interests of many individuals," Friday's report states.

Exploits are hacking tools that take advantage of vulnerabilities -- like those found in the earlier IG reports -- to break into systems. 

Among the factors that aided and abetted the hackers this year: the systems struck were directly accessible through the Web without adequate safeguards and contained vulnerabilities that weren't patched. In addition, the systems stored Social Security numbers in plain text. 

Officials had been "permitting systems to operate even though they were known to have critical and/or high risk security vulnerabilities," Friday's report states. “The department had not taken appropriate action to remediate known vulnerabilities on its systems either through patching, system enhancements or upgrades."

According to the 2011 evaluation, tests at 25 facilities, including headquarters, turned up 32 new vulnerabilities plus an additional 24 left unresolved from the prior year.

One year later, a November 2012 inspector general audit found 29 Web applications, including human resource software, did not undergo “validation” to regularly check that program changes were authorized. 

On Friday, Energy officials said work is underway to address the inspector general's latest discoveries. The department is examining all online systems and applications, as well as instituting new protections to restrict unauthorized disclosure. All superfluous personal information and Social Security numbers will be expunged from systems by the end of January 2014, officials said. And encryption tools will be installed to protect remaining sensitive information. 

(Image via Lisa S./Shutterstock.com)

Threatwatch Alert

Accidentally leaked credentials / Misplaced data

Hospital Breach Affects Thousands of Patients

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.