There have been many information security breaches in the past few years. As information becomes easier to access and store, it also becomes easier to steal. The breach this blog will focus on is the one at the United States Department of Energy (DOE). Some breaches affect a business's clients; this one affected the department's own employees, their dependents, and contractors.
Through access to a human resources network, information such as Social Security numbers and dates of birth was stolen from more than 104,000 people. Between 2011 and 2013 the Department of Energy was hacked three times. This breach was one that could have been avoided. The department used Social Security numbers for purposes where they were not necessary, and it did not put adequate security measures in place on a system that was already known to be vulnerable. In effect, the information was there for the taking by anyone who tried hard enough. Once the breach happened, it was difficult to determine which part of the organization was at fault and who was responsible for fixing it.
Looking at the McCumber cube, the areas where the DOE was vulnerable can be identified. The network was already known to be insecure, but the department did not take the necessary measures to protect the individuals in the database. The information may have been protected during transmission, but once it reached storage it was available to anyone who wanted it; the storage site was not a safe one.
According to the cube, information must be available only to authorized people and must be kept confidential. From our research, people without authorization were able to get at the personal information. Direct internet access to the database's sensitive information was allowed without appropriate security controls, which made the confidential information easier to reach than the DOE's own email. The biggest countermeasure failure was not following policy and practice. Federal policy required that Social Security numbers not be used routinely, and that where they were used they be stored only as a partial number. A second Federal policy that was violated required personally identifiable information (PII) to be encrypted. Both policies were in place, but neither was practiced by the DOE, and that led to the security breach.
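The two policies just described, storing only a partial Social Security number and encrypting PII at rest, are concrete enough to show in code. The Go program below is an added example written for this post; it is not code from the DOE or from the audit report. The record layout, the field names, the use of HMAC-SHA256 for a keyed lookup token and of AES-256-GCM for encryption are our assumptions about how a human resources table could be built so that a dump of the table yields only the last four digits and ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// StoredRecord is a hypothetical HR row as it would sit at rest. The full
// Social Security number is never written: only the last four digits are kept
// in clear, a keyed hash allows exact-match lookups, and the date of birth is
// stored only as AES-GCM ciphertext.
type StoredRecord struct {
	EmployeeID string
	SSNLast4   string // partial SSN, the only fragment stored in clear
	SSNIndex   string // hex HMAC-SHA256 of the full SSN, for equality lookups only
	DOBSealed  []byte // nonce || AES-GCM ciphertext of the date of birth
}

var ssnPattern = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)

// PartialSSN validates the format and returns only the last four digits.
func PartialSSN(ssn string) (string, error) {
	if !ssnPattern.MatchString(ssn) {
		return "", errors.New("ssn: expected NNN-NN-NNNN")
	}
	return ssn[len(ssn)-4:], nil
}

// SSNIndex derives a lookup token with HMAC-SHA256 under a secret key, so the
// table can still answer "is this SSN already on file" without storing it.
// Without the key, someone who dumps the table cannot brute-force the small
// SSN space the way they could against an unkeyed hash.
func SSNIndex(indexKey []byte, ssn string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(ssn))
	return hex.EncodeToString(mac.Sum(nil))
}

// gcmFor builds an AES-GCM AEAD for a 16, 24 or 32 byte key.
func gcmFor(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-GCM and prepends the random nonce.
func Seal(encKey, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails on any tampering with nonce or ciphertext.
func Open(encKey, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(encKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// StoreRecord builds the at-rest row from the raw HR input.
func StoreRecord(encKey, indexKey []byte, employeeID, ssn, dob string) (StoredRecord, error) {
	last4, err := PartialSSN(ssn)
	if err != nil {
		return StoredRecord{}, err
	}
	sealedDOB, err := Seal(encKey, []byte(dob))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{EmployeeID: employeeID, SSNLast4: last4,
		SSNIndex: SSNIndex(indexKey, ssn), DOBSealed: sealedDOB}, nil
}

func main() {
	// Constructed sample input. Real keys would come from a key management
	// service, not be generated inside the process that stores the data.
	encKey, indexKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(indexKey)
	rec, err := StoreRecord(encKey, indexKey, "emp-0001", "123-45-6789", "1980-01-02")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: id=%s ssn=***-**-%s index=%s... dob=%x...\n",
		rec.EmployeeID, rec.SSNLast4, rec.SSNIndex[:8], rec.DOBSealed[:8])
}
```

The point of the split into a display fragment, a keyed lookup token and an authenticated ciphertext is that each piece on its own is useless to someone who copies the table: the last four digits are not an identity, the HMAC cannot be reversed or brute-forced without the index key, and the date of birth cannot be read or silently altered without the encryption key. If the keys are kept outside the database host, direct access to the database no longer hands over the data the way it did in the DOE case.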
Security planning is an important aspect of information security. Having a business contingency plan in place for a hacking incident tells the organization what to do, and in what time frame, in a worst-case scenario. Figure 2 indicates that a contingency plan needs to include a business impact analysis, incident response planning, disaster recovery planning, and business continuity planning.
Research indicated that the DOE did not even know who was at fault for the breaches, because the affected systems were owned by two different groups within the department. Each group believed the other was responsible for fixing the security weaknesses. Because of this miscommunication, there was no policy in place for dealing with a compromise of the network, there appears to have been no training on what to do, and the department clearly did not have the right technology to protect the information it collected. The breaches occurred over two years, and the DOE did not react appropriately or quickly enough.
Implementing a course of action once a breach has occurred is crucial for the organization and for the individuals whose information was stolen. The Office of the Inspector General's Office of Audits and Inspections audited the DOE breach and recommended a course of action. One action the DOE implemented was to provide a year of credit monitoring through a credit reporting agency, and affected employees were given four hours of paid time to clear up whatever issues they could. Other recommended actions included clarifying which group is responsible for the affected systems, establishing a central authority with the power to shut down networks known to be vulnerable, and removing unnecessary information, including Social Security numbers, wherever possible.
The cost of dealing with the breach is estimated at up to $3.7 million. The Department of Energy was fortunate in this case: according to the investigation, the attackers did not appear to be targeting top-secret projects or the identities of nuclear scientists. Unfortunately, the DOE continues to be pursued by hackers, and its systems were breached again in February of this year. These incidents show the need to monitor your organization's information security continually, and the damage that can result when data is left unsecured.
References
Friedman, G. (2013, July 19). The Department of Energy's July. Retrieved from Energy.gov: http://energy.gov/sites/prod/files/2013/12/f5/IG-0900.pdf
Hicks, J. (2013, December 11). The Washington Post. Retrieved from http://www.washingtonpost.com/blogs/federal-eye/wp/2013/12/11/doe-was-aware-of-security-weaknesses-that-led-to-hacking-report-says/
IBM. (2014, July 17). IBM.com. Retrieved from http://www.ibm.com/developerworks/security/library/s-confnotes2/
Lemos, R. (2013, February 6). Federal Reserve, DOE Confirm Hackers Breached Servers, Stole Data. eWeek. Retrieved from http://www.eweek.com/security/federal-reserve-doe-confirm-hackers-breached-servers-stole-data/
O'Brien, J. A., & Marakas, G. M. (2011). Management Information Systems (10th ed.). McGraw-Hill/Irwin.
Group 2,
We found your post on the DOE hack to be very interesting. Until your posting, we were unaware of this event. However, in reading your post (and other articles), we were intrigued by the idea of hacking to propagate more hacking. In this case, Alan Paller (founder of the SANS Institute) stated that the attacks were part of a larger and longer-term plan (King, 2013). He believes that the hackers are attempting to collect enough personal information to use workers' information to hack more sensitive areas (King, 2013). If successful, hackers could create a nationwide catastrophe by misuse of the energy grid.
To some extent, we wonder if the DOE has similar thinking to Target - only focused on protecting critical information. As was seen in the Target breach, ignoring less sensitive systems can create vulnerabilities that hackers can exploit to get to sensitive systems. Although the DOE claims they are giving these less sensitive areas the appropriate attention, the fact they were hacked twice within 6 months does not inspire confidence.
Team 3 - Regina Riccioni and Jason Hatter
References
King, R. (2013, August 15). Department of Energy Hacked Again. The Wall Street Journal. Retrieved on July 26, 2014 from http://blogs.wsj.com/cio/2013/08/15/department-of-energy-hacked-again/
The breach of the DOE's system is seen as a black eye by many government agencies. Government agencies possess many records, including Social Security numbers, income records, addresses, etc. To expand, government agencies have nearly endless financial resources to employ the greatest security measures possible. We find it shocking that the cost of the breach was a mere $3.7 million. In the private sector, a data breach would cost significantly more. The tarnished brand image and loss of future revenue would be hard to measure for private organizations but are certain to be large enough to threaten the future of the organization. While the DOE's future isn't threatened by the data breach, it brings to light that government and private organizations must take extended measures to ensure their data is protected.
Group 9