Last updated on February 14, 2012 at 0:17 EST

Energy Ups Security Efforts After Loss of Employee Data

June 19, 2006

By Patience Wait, Government Computer News

The Energy Department has joined a long list of federal agencies that recently have suffered serious breaches of cybersecurity. Unlike those incidents, however, the DOE breach was the result of a targeted intrusion and theft rather than carelessness.

“This is the tip of a much bigger iceberg,” said Alan Paller, director of research at the SANS Institute of Bethesda, Md. “This is an example of the kind of attack and extraction that was going on for the last 2 1/2 years” during Titan Rain, an organized series of cyberattacks believed to have originated in China.

Breaking in

At DOE, hackers stole personal information on 1,502 employees–both government and contract workers–from an unclassified system belonging to the National Nuclear Security Administration, a semiautonomous agency within DOE.

The theft occurred in June 2004 at NNSA’s Albuquerque service center at Kirtland Air Force Base, but officials did not discover it until August or September 2005, according to the Albuquerque Journal, when a DOE cybersecurity team turned up evidence of “an unusual data transmission.”

And NNSA officials did not notify Energy secretary Samuel Bodman of the data theft until two days before a hearing earlier this month of the Energy and Commerce Subcommittee on Oversight and Investigations, nor did the agency begin notifying affected personnel until the day of the hearing.

Rep. Joe Barton (R-Texas), chairman of the full committee, was so angry about NNSA’s handling of the incident that he told Linton Brooks, the NNSA administrator, he should resign or be fired.

The news follows on the heels of the Veterans Affairs Department reporting last month that a notebook PC and hard drive had been stolen from an employee’s home. The hardware contained records on more than 26 million veterans and active-duty service personnel, including names, dates of birth, Social Security numbers and other personal information; the data was not encrypted.

The IRS also reported that an employee traveling to an agency event lost a notebook in transit. The computer contained personal information, including fingerprints, names, birth dates and Social Security numbers of 291 IRS employees and job applicants that was secured with a double password system, but not encrypted.

Security woes

Even the Social Security Administration–an agency that received a security grade of A+ for 2005 under the Federal Information Security Management Act–acknowledged in testimony earlier this month before the House Government Reform Committee that a notebook computer was stolen from an employee attending a conference. The computer held about 200 files containing personal information on individuals.

In response to this litany of security woes, Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, plans to introduce legislation soon to strengthen data breach notification requirements at federal agencies.

Rep. James Sensenbrenner (R-Wis.) introduced legislation in May calling for a five-year prison sentence or a fine of up to $1 million should a person with knowledge of a major security breach–one affecting 10,000 individuals or more, databases owned by the federal government, or national security databases–fail to notify the FBI or Secret Service within 14 days. The bill was passed by the Judiciary Committee on May 25 and is awaiting a date to be voted on by the full House.

The NNSA incident involved the theft of information on 75 federal employees and 1,427 contract employees–roughly 4 percent of the agency’s 37,000 workers–at all levels of the organization. Tom Pyke, the Energy chief information officer, said this particular incident was part of a series of “very sophisticated” attacks, though he declined to say whether it was part of Titan Rain.

Pyke did say the system incursion did not occur through penetration of the department’s firewall, but through a social engineering attack, in this case an e-mail with an attachment containing malware.

“So far as I know, we have not had any penetrations of our perimeter security … going back years,” he said.


Jonathan Bingham, chief strategist and co-founder of Intrusic, a network security company in Burlington, Mass., said the weak point of networks such as DOE’s is not the perimeter defense, but measures in place behind the firewalls to spot someone rummaging around after they’ve managed to get inside.

“Once inside, they’re the same” as a trusted user, Bingham said. The hacker can be on the internal network and create “reverse tunnels” that open a passage for him through the firewall and allow information to be shuttled out.
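The two detection points the article mentions, the “unusual data transmission” that finally exposed the 2004 theft and Bingham’s observation that a reverse tunnel is an outbound session initiated from inside, both reduce to watching egress rather than the perimeter. The following is an added example, not code from DOE, NNSA, Intrusic or GCN, of the kind of egress screen a network defender would run over connection or flow logs. The flow records, the internal address ranges and every threshold are constructed assumptions for illustration and would be tuned per site; the field layout (timestamp, source, destination, port, protocol, duration, bytes out, bytes in) is also assumed.

```python
"""Egress screen for reverse-tunnel style exfiltration.

Added example, not DOE/NNSA or Intrusic code. The flow records below are
constructed; the thresholds are assumptions, not published guidance.
"""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records (not real telemetry). Fields:
# timestamp src dst dport proto duration_s bytes_out bytes_in
SAMPLE_FLOWS = """\
2004-06-14T02:11:05Z 10.20.5.17 203.0.113.9 443 tcp 7200 418000000 210000
2004-06-14T09:03:11Z 10.20.5.17 198.51.100.20 80 tcp 3 4100 120000
2004-06-14T09:05:40Z 10.20.7.3 10.20.1.10 445 tcp 20 50000 90000
2004-06-14T11:30:00Z 10.20.9.8 192.0.2.55 22 tcp 86400 9400000 3100000
2004-06-14T12:00:00Z 10.20.9.9 198.51.100.77 25 tcp 4 15000 900
"""

# Assumed site address plan: RFC 1918 space is "inside". Listed explicitly
# rather than via ip_address().is_private, which also matches TEST-NET ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed thresholds for the example; tune against your own baseline.
LONG_SESSION_S = 3600          # outbound session alive for an hour or more
MIN_EXFIL_BYTES = 10_000_000   # at least 10 MB leaving in a single flow
OUT_IN_RATIO = 10.0            # bytes out at least 10x bytes in
HOST_BASELINE_FACTOR = 10.0    # daily egress at least 10x the median host


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    duration_s: int
    bytes_out: int
    bytes_in: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records in the assumed layout."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, dur, b_out, b_in = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto,
                          int(dur), int(b_out), int(b_in)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_outbound(f: Flow) -> bool:
    """Session initiated inside and terminating outside the perimeter."""
    return is_internal(f.src) and not is_internal(f.dst)


def flow_reasons(f: Flow) -> list[str]:
    """Rules an outbound flow trips; empty list means nothing notable."""
    if not is_outbound(f):
        return []
    reasons = []
    if f.duration_s >= LONG_SESSION_S:
        reasons.append("long-lived outbound session")
    if (f.bytes_out >= MIN_EXFIL_BYTES
            and f.bytes_out >= OUT_IN_RATIO * max(f.bytes_in, 1)):
        reasons.append("outbound-heavy transfer")
    return reasons


def suspicious_flows(flows: list[Flow]) -> list[tuple[Flow, list[str]]]:
    hits = []
    for f in flows:
        reasons = flow_reasons(f)
        if reasons:
            hits.append((f, reasons))
    return hits


def outlier_hosts(flows: list[Flow]) -> list[tuple[str, str, int]]:
    """Internal hosts whose daily egress dwarfs the median host that day."""
    by_day: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_outbound(f):
            by_day[f.ts[:10]][f.src] += f.bytes_out
    outliers = []
    for day, hosts in by_day.items():
        if len(hosts) < 3:
            continue  # too few hosts for a meaningful baseline
        med = statistics.median(hosts.values())
        for host, total in hosts.items():
            if total >= HOST_BASELINE_FACTOR * med:
                outliers.append((day, host, total))
    return outliers


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f, reasons in suspicious_flows(flows):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} out={f.bytes_out} "
              f"in={f.bytes_in}: {', '.join(reasons)}")
    for day, host, total in outlier_hosts(flows):
        print(f"{day} {host} sent {total} bytes, far above the median host")
```

On the constructed data the screen flags the two-hour, 418 MB session to port 443 on both rules, flags the day-long SSH session on duration alone, ignores the internal-to-internal SMB flow entirely, and singles out 10.20.5.17 on the per-host baseline. The per-flow rules catch a single bulk transfer; the per-host baseline is what catches a tunnel that trickles data out over many short connections, which is why both are worth running.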

Pyke testified on Capitol Hill and then elaborated to GCN about cybersecurity “revitalization” plans now under way.

“Over the past several months, we’ve improved our defense in depth across the department,” since the intrusion and exfiltration of data was discovered, Pyke said. “We have added layers of intrusion detection, including at the server level. We also have reconfigured our networks to isolate a hacker, should he penetrate.”

Energy is attacked hundreds of times a day, he said, so he also has established a departmentwide cyberincident management team. The response team is responsible for determining the extent of an incident, how best to stop it, how best to analyze what happened and what actions are needed.

“We have been successful in raising the sensitivity level of our employees and contractor employees” about social-engineering attacks, he said. “We are in a position in some cases to watch the bad guys, and to watch their attacks morph from time to time.”

In addition, DOE has increased the use of data encryption software and has implemented two-factor authentication requirements for systems administrators at all department sites.

As for notification–one of the weaknesses for which DOE was hammered at the congressional hearing–Pyke said DOE has always reported incidents, as defined by the U.S. Computer Emergency Readiness Team, to that Homeland Security agency.

But DOE is moving to strengthen its notification processes, Pyke said.

“What we have done is try to ensure people understand it’s a good thing to report incidents,” he said.

Reported By Government Computer News, http://www.gcn.com
