As we embark on a new year, I can't help wondering if 2014 will bring improvements in how we protect our businesses against IT security threats.
At the close of 2013, the US Department of Energy released an interesting and unusual report about a security breach made possible by the exploitation of a vulnerability in their Management Information System (MIS). The breach caused the theft of identifiable personal data from over 104,000 individuals.
The findings in the report should not come as a surprise to security specialists and information security professionals. Yet it is striking how, despite the awareness about the issues of IT security in connection with privacy, business continuity, operational security and intellectual property; we continue to see breaches which are caused by the exploitation of basic configuration flaws and publicly known vulnerabilities.
The disclosure of the details of the breach provides us with an autopsy which displays the "enablers" – the human and technological system weaknesses – and describes the internal and external impacts.
"While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease. The attackers in this case were able to use exploits commonly available on the internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data – information that could be used to damage the financial and personal interests of many individuals."
– Department of Energy's July 2013 Cyber Security Breach, page 3
I see this report as a major contribution to the security community because it provides an in-depth analysis of the events that led to the breach, and does so with unusual candor. After all, we all know that breaches occur. We all know that they have an impact on businesses – financial and otherwise. In the case of the Department of Energy:
"(…)the Department estimated it would spend approximately $1.6 million for credit monitoring and labor costs (…)the Secretary authorized the use of up to 4 hours of administrative leave to all affected Federal employees to take action to correct issues associated with the event, an action we estimate could cost the Department an additional $2.1 million in lost productivity. Morale and reputational issues associated with the breach also have an adverse impact upon the Department."
– Department of Energy's July 2013 Cyber Security Breach, page 3-4.
Still, very few organizations are this open about their breaches and not just from an external communications standpoint. Many do not discuss the problem internally, either. One consequence of the guardedness that is commonplace in industries and enterprises is a general assumption that breaches won't happen, and a belief that the security technology we buy automatically keeps us protected and does not require our involvement.
Reading the report makes it very clear that organizations that ignore risk and take a lackadaisical approach to security, do so at their own peril. The case contains all the elements that challenge organizations of all sizes, when it comes to information technology security:
- Internal misalignment which impairs decision making and accountability
- Competing priorities which leads to delays in assessing and updating security-critical applications
- Fragmented infrastructure which comprises a labyrinth of technologies and systems hooked up in precarious – and sometimes mysterious – ways
- Lack of security training and awareness among administrators and users who unintentionally open doors to machines and thereby to networks
- Poor communication and coordination which leads to misunderstandings and to actions not being taken in a timely manner
- Undocumented processes which make it almost impossible to maintain and report security levels
The list is long.
The report is a strong call to business leaders to turn their eyes to the importance of prioritizing the security of their IT environments. But it is not so much a call to look at complex or sophisticated security controls. Rather, it is a cue to take one or two steps back, and pay attention to the very basics of how to secure an infrastructure: planning, policy definition and implementation, assessment, patching, configuration and change management.
So, in 2014, I hope we learn from this case and start changing our organizations to adopt a better information security posture. We can start by getting all hands on deck to assess the vulnerabilities currently affecting us!
Read the report from the Department of Energy:
Department of Energy's July 2013 Cyber Security Breach,
Further reading from Secunia: