There have been many information security breaches in the past few years. As information becomes more easily accessible and more widely stored, it becomes easier to steal. The breach this blog will focus on is the one at the United States Department of Energy (DOE). Some breaches affect the clients of a business, but this one affected the department's employees, their dependents, and its contractors.
Through access to a human resources network, information such as Social Security numbers and dates of birth was stolen from a total of over 104,000 people. Between 2011 and 2013, the Department of Energy was hacked three times. This breach was one that could have been avoided. The department used Social Security numbers for purposes where they were not necessary. Also, not enough security measures were put in place for a system that was known to be vulnerable. In short, the information was there for the taking for anyone willing to try hard enough. Once the breach happened, it was difficult to find out which section of the institution was at fault and who was responsible for fixing it.
Looking at the McCumber cube, the areas where the DOE had vulnerabilities can be identified.
The network was already known to be insecure, but the department did not take the necessary measures to protect the individuals in the database. It may have kept the information safe during transmission, but once it reached storage it was available to anyone who wanted it. The storage site was not a safe one.
According to the cube, information has to be available only to authorized people and has to be kept confidential. From our research, people without authorized access could obtain the personal information. Direct internet access to the database's sensitive information was allowed without appropriate security controls, making the confidential information easier to reach than the DOE's own email. The biggest security countermeasure failure was not following policy and practice.
It was Federal policy that Social Security numbers were not to be used frequently, and that where one had to be used, it needed to be stored as a partial number. Another Federal policy that was violated was the requirement to encrypt personally identifiable information (PII). Both policies were in place at the Federal level but were not practiced by the DOE, which led to the security breach.
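The two controls named above, storing only a partial Social Security number and not keeping the full number in the HR database, can be illustrated in code. The following is an added example written for this post; it is not DOE code and is not taken from the cited reports. It goes one step beyond the text: besides keeping only the last four digits, it stores a keyed HMAC token of the full number so that two records for the same person can still be matched without the database ever holding the number itself. The HR records, the SSNs and the key are all constructed for the example; a real key would live outside the database (for instance in a secrets manager), which is an assumption here. Encryption of the remaining PII fields at rest is the second policy and is not shown.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed sample HR records; the SSNs are made up for this example.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"employee_id": "E100", "name": "A. Example", "ssn": "123-45-6789", "dob": "1980-01-02"},
    {"employee_id": "E101", "name": "B. Example", "ssn": "987-65-4321", "dob": "1975-06-30"},
    # Same person as E100, entered without dashes by a different office.
    {"employee_id": "E102", "name": "A. Example", "ssn": "123456789", "dob": "1980-01-02"},
]

# Nine digits, optionally with the usual dashes; nothing else is accepted.
_SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def normalize_ssn(ssn: str) -> str:
    """Strip dashes and reject anything that is not a nine-digit SSN."""
    if not _SSN_RE.match(ssn):
        raise ValueError("not a nine-digit SSN")
    return ssn.replace("-", "")


def pseudonymize(ssn: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the full SSN.

    A plain hash could be reversed by trying all ~10^9 possible numbers;
    the key (assumed to be held outside the HR database) prevents that.
    """
    digits = normalize_ssn(ssn)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def minimize_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Build the record the HR database is allowed to hold.

    The full SSN is dropped; only the last four digits (for human
    verification) and the keyed token (for matching) are kept.
    """
    digits = normalize_ssn(record["ssn"])
    stored = {k: v for k, v in record.items() if k != "ssn"}
    stored["ssn_last4"] = digits[-4:]
    stored["ssn_token"] = pseudonymize(digits, key)
    return stored


def leaks_full_ssn(stored: Dict[str, str]) -> bool:
    """Audit check: does any stored field still look like a full SSN?"""
    return any(_SSN_RE.match(str(v)) is not None for v in stored.values())


def minimize_all(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Minimize every record; raises on a malformed SSN rather than storing it."""
    return [minimize_record(r, key) for r in records]


if __name__ == "__main__":
    demo_key = b"\x00" * 32  # placeholder; a real key comes from a secrets manager
    for stored in minimize_all(SAMPLE_RECORDS, demo_key):
        print(stored, "LEAK" if leaks_full_ssn(stored) else "ok")
```

Records E100 and E102 end up with the same `ssn_token`, so the two offices' entries can be reconciled, while a copy of the database table alone reveals at most the last four digits of anyone's number.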
Security planning is an important aspect of information security. Having a business contingency plan in place in case of a breach helps the entity know what to do, and in what time frame, in a worst-case scenario. Figure 2 indicates that a contingency plan needs to include a business impact analysis, incident response planning, disaster recovery planning, and business continuity planning.
Research indicated that the DOE did not even know who was at fault for the security breaches, since the systems were owned by two different groups within the DOE. One group thought it was the responsibility of the other to take care of the security weaknesses, and vice versa. Because of this miscommunication, they did not have a policy in place for dealing with a compromise of the network. There appears to have been no training on what to do, and they certainly did not have the right technology to protect the information they collected. The breaches occurred over two years; the DOE did not react appropriately or quickly enough.
Implementing a course of action once a security breach has occurred is crucial for the company and for the individuals affected by the information theft. The Office of the Inspector General and the Office of Audits and Inspections conducted an audit of the DOE information security breach and recommended a course of action. One of the actions the DOE implemented was to provide one year's worth of monitoring at a specific credit rating agency. Also, each affected group was given four paid hours off to resolve whatever issues could be resolved. Other courses of action included clarifying which group is responsible for the affected systems, developing a central authority to shut down networks known to be vulnerable, and removing unnecessary information, including Social Security numbers, where possible.
The costs of dealing with the breach are estimated at up to $3.7 million. The Department of Energy was fortunate in this case because, according to the investigation, the attackers did not appear to be targeting top-secret projects or the identities of nuclear scientists. Sadly, the DOE continues to be pursued by hackers, and its systems were breached again in February of this year. These incidents show the need to continually monitor the security of your organization's information, and the damage that can be done if it is left unsecured.