BreachExchange mailing list archives
Weakness that exposed DOE employee data still common
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 3 Nov 2013 23:04:55 -0700
http://www.fiercegovernmentit.com/story/weakness-exposed-doe-employee-data-still-common/2013-11-01

The same weakness that exposed the personal data of tens of thousands of Energy Department employees in July persists in many of the department's desktop computers.

DOE's office of inspector general scanned more than 2,300 desktop systems at 17 different locations, finding that 41 percent lacked security patches for known vulnerabilities.

Missing patches were to blame for an incident in July where personally identifiable information for more than 100,000 individuals was exfiltrated, auditors say in a report dated Oct. 29. The office has a criminal investigation into that incident underway.

The information belonged to current and former employees, as well as dependents of employees. Names, birth dates and Social Security numbers were compromised.

The OIG's review, an annual requirement under the Federal Information Security Management Act, turned up 29 weaknesses in addition to 10 from the previous year's review that remained unresolved.

The review found poor access controls at several facilities, including the "inappropriate granting of physical access to sensitive facilities." At one site, 11 systems and devices used default login credentials or easily guessed credentials--or required no authentication at all. The report omits the names of the sites because of the sensitive nature of the findings.

The report notes several positive developments. The department did correct the majority of the weaknesses found in the 2012 review. It also established an executive-level Cyber Council, "the principal forum for coordination of its cyber-related activities." The council addresses issues that require the involvement of the secretary.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.