
Energy ups security efforts after loss of employee data

Latest federal breach highlights a growing security problem

Tom Pyke, Energy CIO

The Energy Department has joined a long list of federal agencies that recently have suffered serious breaches of cybersecurity. Unlike those organizations, however, the DOE breach was the result of a targeted intrusion and theft, rather than carelessness.

'This is the tip of a much bigger iceberg,' said Alan Paller, director of research at the SANS Institute of Bethesda, Md. 'This is an example of the kind of attack and extraction that was going on for the last 2 1/2 years' during Titan Rain, an organized series of cyberattacks believed to have originated in China.


Breaking in

At DOE, hackers stole personal information on 1,502 employees, both government and contract workers, from an unclassified system belonging to the National Nuclear Security Administration, a semiautonomous agency within DOE.

The theft occurred in June 2004 at NNSA's Albuquerque service center at Kirtland Air Force Base, but officials did not discover it until August or September 2005, according to the Albuquerque Journal, when a DOE cybersecurity team turned up evidence of 'an unusual data transmission.'

And NNSA officials did not notify Energy secretary Samuel Bodman of the data theft until two days before a hearing earlier this month of the Energy and Commerce Subcommittee on Oversight and Investigations, nor did the agency begin notifying affected personnel until the day of the hearing.

Rep. Joe Barton (R-Texas), chairman of the full committee, was so angry about NNSA's handling of the incident that he told Linton Brooks, the NNSA administrator, he should resign or be fired.

The news follows on the heels of the Veterans Affairs Department reporting last month that a notebook PC and hard drive had been stolen from an employee's home. The hardware contained records on more than 26 million veterans and active-duty service personnel, including names, dates of birth, Social Security numbers and other personal information; the data was not encrypted.

The IRS also reported that an employee traveling to an agency event lost a notebook in transit. The computer contained personal information, including fingerprints, names, birth dates and Social Security numbers of 291 IRS employees and job applicants that was secured with a double password system, but not encrypted.


Security woes

Even the Social Security Administration, an agency that received a security grade of A+ for 2005 under the Federal Information Security Management Act, acknowledged in testimony earlier this month before the House Government Reform Committee that a notebook computer was stolen from an employee attending a conference. The computer held about 200 files containing personal information on individuals.

In response to this litany of security woes, Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, plans to introduce legislation soon to strengthen data breach notification requirements at federal agencies.

Rep. James Sensenbrenner (R-Wis.) introduced legislation in May calling for a five-year prison sentence or fine of up to $1 million should a person with knowledge of a major security breach affecting 10,000 individuals or more, databases owned by the federal government or national security databases fail to notify the FBI or Secret Service within 14 days. The bill was passed by the Judiciary Committee on May 25 and is awaiting a date to be voted on by the full House.

The NNSA incident involved the theft of information on 75 federal employees and 1,427 contract employees, roughly 4 percent of the agency's 37,000 workers, at all levels of the organization. Tom Pyke, the Energy chief information officer, said this particular incident was part of a series of 'very sophisticated' attacks, though he declined to say whether it was part of Titan Rain.

Pyke did say the system incursion did not occur through penetration of the department's firewall, but through a social engineering attack, in this case an e-mail with an attachment containing malware.

'So far as I know, we have not had any penetrations of our perimeter security ... going back years,' he said.

Jonathan Bingham, chief strategist and co-founder of Intrusic, a network security company in Burlington, Mass., said the weak point of networks such as DOE's is not the perimeter defense, but measures in place behind the firewalls to spot someone rummaging around after they've managed to get inside.

'Once inside, they're the same' as a trusted user, Bingham said. The hacker can be on the internal network and create 'reverse tunnels' that open a passage for him through the firewall and allow information to be shuttled out.

Pyke testified on Capitol Hill and then elaborated to GCN about cybersecurity 'revitalization' plans now under way.

'Over the past several months, we've improved our defense in depth across the department,' since the intrusion and exfiltration of data was discovered, Pyke said. 'We have added layers of intrusion detection, including at the server level. We also have reconfigured our networks to isolate a hacker, should he penetrate.'

Energy is attacked hundreds of times a day, he said, so he also has established a departmentwide cyberincident management team. The response team is responsible for determining the extent of an incident, how best to stop it, how best to analyze what happened and what actions are needed.

'We have been successful in raising the sensitivity level of our employees and contractor employees' about social-engineering attacks, he said. 'We are in a position in some cases to watch the bad guys, and to watch their attacks morph from time to time.'

In addition, DOE has increased the use of data encryption software and has implemented two-factor authentication requirements for systems administrators at all department sites.

As for notification, one of the weaknesses for which DOE was hammered at the congressional hearing, Pyke said DOE has always reported incidents, as defined by the U.S. Computer Emergency Readiness Team, to that Homeland Security agency.

But DOE is moving to strengthen its notification processes, Pyke said.

'What we have done is try to ensure people understand it's a good thing to report incidents,' he said.
