http://arstechnica.com/security/2013/12/how-hackers-made-minced-meat-of-department-of-energy-networks/
By Dan Goodin
Ars Technica
Dec 16 2013
A Department of Energy network breach earlier this year that allowed
hackers to download sensitive personal information for 104,000 people was
the result of a decade-old patchwork of systems, some of which hadn't
received critical security updates in years, according to a federal
watchdog.
July's successful hack on the department's Employee Data Repository
database was at least the third one to occur since 2011, DOE Inspector
General Gregory H. Friedman wrote in a recently published review of the
breach. The hack resulted in the exfiltration of more than 104,000
individuals' personally identifiable information (PII), including their
social security numbers, bank account data, dates and places of birth,
user names, and answers to security questions. The department expects to
incur costs of $3.7 million setting up credit monitoring and in lost
productivity. That figure doesn't include the costs of fixing the
vulnerable systems.
The inspector general review recited a litany of failures that allowed
hackers to penetrate system defenses. Chief among them is the fact that
none of the 354 database tables containing social security numbers were
encrypted. Using strong cryptography to protect such "at rest" PII has
long been considered a best practice in government and corporate data
security. The department's management information system (MIS) that
allowed access to the DOEInfo databases also failed to require common
security enhancements, such as two-factor authentication or a
department-issued virtual private network.
Most glaring of all, members of the department's Office of the Chief
Information Officer (OCIO) failed to apply critical security patches,
sometimes going years without installing readily available updates.
According to the review:
[...]