[ISN] DOE hacked 199 times last year
InfoSec News
isn at c4i.org
Fri Oct 1 06:12:40 EDT 2004
http://www.gcn.com/vol1_no1/daily-updates/27489-1.html
By Wilson P. Dizard III
GCN Staff
09/30/04
Weaknesses in the Energy Department's cybersecurity allowed hackers to
successfully penetrate its systems 199 times last year in intrusions
that affected 3,531 systems, the department's inspector general said.

Energy continues to have difficulty finding, tracking and fixing
previously reported cybersecurity weaknesses quickly, the IG said in a
report, "The Department's Unclassified Cyber Security Program - 2004." [1]

The report praised the department for improving its cybersecurity
efforts, but pointed to continuing gaps in its virtual defenses, such
as:

* Incomplete certification and accreditation of major systems
* Missing contingency plans for restoring systems after an emergency
* Continuing problems with access control, segregation of
  responsibilities for financial processing and correction of known
  security vulnerabilities.

"Without continuing vigilance in this area, it is likely that future
attacks will continue to jeopardize the availability and integrity of
critical IT assets," the auditors said.

The IG urged the department to track corrective actions needed to fix
cybersecurity weaknesses, verify the effectiveness of the actions,
strengthen methods of assuring that department employees understand
the organization's IT policies, and ensure that all major systems are
certified and accredited.

The report said Energy management's proposed actions were "responsive
to our recommendations," without elaborating on or presenting the
actions. The IG report did not describe specific IT vulnerabilities.

[1] http://www.ig.doe.gov/pdf/ig-0662.pdf