Friday, July 25, 2014

Unit 5 - Department of Energy Information Breach



There have been many information security breaches in the past few years. As information becomes more easily accessible and stored, it becomes easier to steal. The one this blog will focus on is the breach at the Department of Energy (DOE) of the United States. Some breaches affect the clients of a business, but this one affected employees, dependents, and contractors. Through access to a human resources network, information such as Social Security numbers and dates of birth was stolen from a total of over 104,000 people. Between 2011 and 2013, the Department of Energy was hacked three times. This breach was one that could have been avoided. The department used Social Security numbers for purposes where they were not necessary. Also, there were not enough security measures in place for a system that was known to be vulnerable. Basically, the information was there for the taking for anyone interested in trying hard enough. Once the breach happened, it was difficult to find out which section of the institution was at fault and who was responsible for fixing it.

Looking at the McCumber cube, the areas where the DOE had vulnerabilities can be identified.


The network was already known to be insecure, but the department did not take the necessary measures to protect the individuals in the database. It may have kept the information safe during transmission, but once the information reached storage it was available to anyone who wanted it. The storage site was not a safe one. According to the cube, the information has to be available only to authorized people and has to be kept confidential. From our research, people without authorized access could get the personal information. Direct internet access to the database's sensitive information was allowed without appropriate security controls, which made accessing the confidential information easier than accessing the DOE's email. The biggest security countermeasure failure was not following policy and practice. It was Federal policy that Social Security numbers were not to be used frequently, and that if one was used, it needed to be stored as a partial number. Another Federal policy that was violated was the policy to encrypt personally identifiable information (PII). Both policies were in place in the Federal government but were not practiced by the DOE, leading to the security breach.

Security planning is an important aspect of information security. Having a business contingency plan in place in case of information hacking will help the entity know what to do, and in what time frame, in a worst-case scenario. Figure 2 indicates that a contingency plan needs to include a business impact analysis, incident response planning, disaster recovery planning, and business continuity planning.

Figure 2 (Management of Information Security 3e, page 80)


Research indicated that the DOE did not even know who was at fault for the security breaches since the systems were owned by two different groups within the DOE.  One group within the DOE thought it was the responsibility of another group to take care of the security weaknesses and vice versa. This miscommunication meant that they did not have the policy in place to deal with the network breaking down.  It seems there was no education on what to do and they surely did not have the right technology to protect the information they collected.  The breaches occurred over two years; the DOE did not react appropriately and quickly enough.

Implementing a course of action once a security breach has occurred is crucial for a company as well as for the individuals affected by the information theft. The Office of the Inspector General and the Office of Audits and Inspections conducted an audit of the DOE information security breach and gave advice for a course of action. One of the actions that the DOE implemented was to provide one year's worth of monitoring at a specific credit rating agency. Also, each affected group was given four paid hours off to try to clear up any issues that could be cleared up. Other courses of action included clarifying which group is responsible for the affected systems, developing a central authority to shut down networks known to be vulnerable, and removing unnecessary information, including Social Security numbers, where possible.

The costs to deal with the problems from the breach are estimated to be up to 3.7 million dollars. The Department of Energy was very fortunate in the case of this security breach because, according to the investigation, the attackers did not appear to be targeting top-secret projects or the identities of nuclear scientists. Sadly, the DOE is continually being pursued by hackers, and its systems were breached again in February of this year. These instances show the need for continually monitoring the security of your organization's information and the damage that can result if that information is left unsecured.



6 comments:

  1. Group 2,
    We found your post on the DOE hack to be very interesting. Until your posting, we were unaware of this event. However, in reading your post (and other articles), we were intrigued by the idea of hacking to propagate more hacking. In this case, Alan Paller (founder of the SANS Institute) stated that the attacks were part of a larger and longer-term plan (King, 2013). He believes that the hackers are attempting to collect enough personal information to use workers' information to hack more sensitive areas (King, 2013). If successful, hackers could create nationwide catastrophe by misuse of the energy grid.

    To some extent, we wonder if the DOE has similar thinking to Target - only focused on protecting critical information. As was seen in the Target breach, ignoring less sensitive systems can create vulnerabilities that hackers can exploit to get to sensitive systems. Although the DOE claims they are giving these less sensitive areas the appropriate attention, the fact they were hacked twice within 6 months does not inspire confidence.

    Team 3 - Regina Riccioni and Jason Hatter

    References
    King, R. (2013, August 15). Department of Energy Hacked Again. The Wall Street Journal. Retrieved on July 26, 2014 from http://blogs.wsj.com/cio/2013/08/15/department-of-energy-hacked-again/

  2. The breach of the DOE's system is seen as a black eye to many government agencies. Government agencies possess many records including Social Security numbers, income records, addresses, etc. To expand, government agencies have nearly endless financial resources to employ the greatest security measures possible. We find it shocking the cost of the breach was a mere $3.7 million. In the private sector, a data breach would cost significantly more. The tarnished brand image and loss of future revenue would be hard to measure for private organizations but are certain to be large enough to threaten the future of the organization. While the DOE's future isn't threatened by the data breach, it brings to light that government and private organizations must take extended measures to ensure their data is protected.

    Group 9

  3. Data Loss security strategy looks at best practice for managing data breaches, secure disposal and information risk management as well as the key tools and procedures for data loss prevention.