
Energy IG Reports Dating to 2009 Foreshadowed Hack That Hit 104,000


Before computer attackers in July breached Energy Department personnel systems, federal inspectors for years had been warning officials about unencrypted sensitive data and urging them to fix application vulnerabilities -- failings that ultimately would lead to the hack of sensitive information on 104,179 individuals, according to a Nextgov review of annual cybersecurity evaluations.

An inspector general special report issued on Friday determined that the inability to fix known entry points for hackers made possible a July intrusion into the DOE Employee Data Repository, or DOEInfo, the main Rolodex of records on employees, relatives and contractors. The outsiders stole names, Social Security numbers, banking information, and password questions and answers, among other personal data.

"Critical security vulnerabilities in certain software supporting the [management information system] application had not been patched or otherwise hardened for a number of years," the report stated, referring to the system that connects to DOEInfo. "No efforts had been undertaken to eliminate the unnecessary use of Social Security numbers in the existing DOEInfo database tables even though the requirement to do so was over 5 years old."

Among the potential doorways for hackers cited in an August 2009 IG report was that sensitive information on laptops and handhelds, as well as data sent by email, was not always encrypted. Energy officials also permitted unencrypted files to be transmitted to offsite storage facilities.

A similar IG evaluation from October 2011 revealed network weaknesses had spiked 60 percent between fiscal 2010 and fiscal 2011. The security gaps documented included lax access controls and software defects.

Inspectors examining this summer's assault said they could not identify a single fatal flaw, but found several weaknesses that assisted the hackers, many of which, old IG reports show, were flagged previously.

Ultimately, the attackers crept in by using "exploits commonly available on the Internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data -- information that could be used to damage the financial and personal interests of many individuals," Friday's report states.

Exploits are hacking tools that take advantage of vulnerabilities -- like those found in the earlier IG reports -- to break into systems.

Among the factors that aided and abetted the hackers this year: the systems struck were directly accessible through the Web without adequate safeguards and contained vulnerabilities that weren't patched. In addition, the systems stored Social Security numbers in plain text.

Officials had been "permitting systems to operate even though they were known to have critical and/or high risk security vulnerabilities," Friday's report states. "The department had not taken appropriate action to remediate known vulnerabilities on its systems either through patching, system enhancements or upgrades."

According to the 2011 evaluation, tests at 25 facilities, including headquarters, turned up 32 new vulnerabilities plus an additional 24 left unresolved from the prior year.

One year later, a November 2012 inspector general audit found 29 Web applications, including human resource software, did not undergo "validation" to regularly check that program changes were authorized.

On Friday, Energy officials said work is underway to address the inspector general's latest discoveries. The department is examining all online systems and applications, as well as instituting new protections to restrict unauthorized disclosure. All superfluous personal information and Social Security numbers will be expunged from systems by the end of January 2014, officials said. And encryption tools will be installed to protect remaining sensitive information.

(Image via Lisa S./Shutterstock.com)
