13 CIOs Share: My Big Mistakes

The July 2013 Department of Energy breach happened because of an ongoing number of managerial and technological failures, some of them stretching back years.

That's the top-level takeaway from a 28-page report, released Wednesday, by Gregory H. Friedman, the inspector general (IG) of the Department of Energy. The IG's report is a result of an investigation that was launched, in part at the request of the DOE's CIO, after an attacker hacked into the DOE Employee Data Repository (aka DOEInfo), which is accessed via a gateway provided by the agency's management information system (MIS).

The list of failures cataloged by the report is extensive, starting with a "lack of urgency" over information security matters. "While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease," said Friedman. The attacker exploited a DOEInfo vulnerability for which attack code was publicly available on the Internet.

[Outdated IT systems are too risky to leave in place. Are Legacy Systems Keeping You Prisoner?]

The data breach may also be more extensive than realized. According to previous DOE disclosures, attackers stole personally identifiable information (PII) for 104,000 people. But according to Friedman, the number may be closer to 150,000, based on a number of additional nine-digit records -- which may be social security numbers -- that the IG's office found in digital forensic data. DOE officials have responded to that finding by saying that they believe at least some of the discrepancy may be due to "false positives."

Furthermore, the report revealed that stolen information didn't only comprise names, dates of birth, social security numbers, and some bank account numbers, as the DOE previously disclosed. Information pertaining to places of birth, education, security questions -- and answers -- and disabilities was also exposed.

The hack was the third MIS breach to occur within three years. The breach occurred after an attacker gained access to DOEInfo, which was an outdated Adobe ColdFusion system that's been rebuilt since the attack. DOEInfo first launched in 1994, and more than 30 different systems were connected to the database at some point in time. But according to the IG's report, DOE management failed to keep abreast of how the database was being used, or seemingly the agency's enterprise architecture in general. That's because at least two disused systems were still connected to DOEInfo. During the July 2013 breach, the attacker accessed one of those systems, although it reportedly didn't store sensitive data.

Other problems that contributed to the breach involved the agency failing to encrypt stored PII and using social security numbers as unique identifiers, in violation of federal guidelines. Friedman's report also slammed the agency for "permitting direct Internet connections to a highly sensitive system without adequate security controls," noting that the security controls in place for checking email were stronger than the controls in place to secure access to DOEInfo.

The report also found that the DOE failed to patch, improve, or upgrade systems "even though they were known to have critical and/or high-risk security vulnerabilities." Likewise, the agency appeared to lack plans for replacing systems that had reached the end of their life. "Although core support for the version of the compromised application upon which MIS was built ended in July 2012, the department did not purchase updated software until March 2013 -- eight months after support for the outdated application ended," Friedman said.

On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities. Managers interviewed by the IG's office acknowledged that even though DOEInfo sported known, high-risk vulnerabilities in systems, "they lacked the authority to impose restrictions on system operation or take other corrective measures when known security vulnerabilities were not addressed," Friedman said. "We could not determine with certainty whether the lack of authority, in all instances, was real or only perceived."

Regardless, senior managers failed to take charge of security matters. "OCIO officials told us that various system owners they supported prohibited them from making security updates to applications in a timely manner because doing so would make it harder for employees to do their work," said Friedman. "Conversely, program officials indicated that they directed security-related issues to the OCIO and never received responses."

An application developer had reported the DOEInfo system vulnerabilities to the CIO's office. But they "were not fully investigated," Friedman said, leading him to "question the thoroughness of department's analysis of the reported anomalies."

To date, the costs of the DOEInfo breach have included $1.6 million for credit monitoring and an estimated $2.1 million in lost productivity, owing to the agency granting affected personnel up to four hours of paid leave. According to DOE insiders, as well as the IG's report, the breach -- and the perception that related data breach notifications weren't released in a timely manner -- also took a bite out of employee morale.

The IG's report makes a number of cybersecurity program and control environment suggestions to prevent a future breach, aimed at improving communications and coordination and ensuring that all PII gets stored and used securely. Related changes have begun, including eliminating outdated information from being stored and encrypting all social security numbers. In addition, the CIO's office is implementing "improvements to the real-time protection and continuous monitoring of DOEInfo and the underlying infrastructure," Friedman said.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

The use of cloud technology is booming, often offering the only way to meet customers', employees' and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)