[ISN] IG: Energy's Web sites lack security

From: InfoSec News (alerts@private)
Date: Fri Mar 21 2008 - 00:12:38 PST


http://www.fcw.com/online/news/151957-1.html

By Wade-Hahn Chan
FCW.com
March 19, 2008

Visitors to Energy Department Web sites should not be redirected to 
pornography, the department's Inspector General's Office said in a report.

But that has happened, the oversight office found. DOE sites suffered 60 
security incidents on public servers in the past three years, with some 
22 incidents occurring in the past year, the report states.

More than half of those attacks resulted in defaced home pages, 
including the changing of the home page of Brookhaven National 
Laboratory's Web site to route visitors to pornographic links.

The IG report also found that some sites had lax controls on publicly 
accessible information, resulting in eight incidents in which personally 
identifiable information was exposed. It noted that some of the sites 
did not meet National Institute of Standards and Technology standards 
for securing public Web servers.

The IG report recommended that DOE complete guidance on how to secure 
its agencies' Web sites. Previous attempts to create such guidance 
stalled. The agency released a Web guidance manual in 2005 that was 
never released. DOE created another manual last year that has not been 
issued yet, but the IG report criticized the draft manual's lack of 
specificity and a timeline.

"Facilitating communication with the citizenry is in the national 
interest," Energy IG Gregory Friedman said in a letter attached to the 
March 13 report. "However, the unavoidable fact is that such 
communication may well impact agency cybersecurity vulnerabilities."

The report found that some of the national labs have taken proactive 
steps toward securing their Web sites. The IG praised Oak Ridge, 
Lawrence Livermore, Los Alamos and Lawrence Berkeley national 
laboratories for implementing Web applications that detect possible 
vulnerabilities.

It also noted that the Los Alamos, Lawrence Livermore and Sandia labs 
developed separate Web sites for use in emergency situations. 
Additionally, Oak Ridge moved all of its systems and independent Web 
sites under its central information technology management, resulting in 
enhanced security and possible cost and time savings.

