
Audit of US DOE on Incidents

Posted on June 26, 2009 by Dissent

Parts of the report were redacted, indicated by x’s below.

Executive Summary:

The Office of Inspector General (OIG) performed a review of the Department of Education’s (Department) external web sites. This audit was conducted in accordance with the Federal Information Security Management Act (FISMA) as enacted by Title III of the E-Government Act of 2002, Public Law 107-347, and the Privacy Act of 1974. Specifically, we assessed whether information technology (IT) security controls were in place to protect Department resources in the areas of incident handling, security awareness and training, and Privacy Act compliance. FISMA requires the OIG to perform independent evaluations and testing of the effectiveness of information security control techniques and to provide an assessment of the Department’s compliance.

Based on our review, the Department’s Chief Information Officer (CIO) must improve security controls over the incident response and handling program and accelerate two-factor authentication for protecting Privacy Act information to adequately protect the confidentiality, integrity, and availability of the personally identifiable information (PII) data residing on public web sites. During our audit, we also identified significant conditions related to the work performed regarding xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx and public domain web site establishment and maintenance.

Incident Handling

• The Department did not have an effective incident response and handling program. The Department’s CIO: (a) did not provide sufficient security awareness to Department users regarding xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; (b) provided conflicting guidance regarding incident response reporting procedures; and (c) did not properly oversee the Department’s Customer Service staff. The Department has a responsibility to implement all precautions to protect all vital PII data residing on the Department’s network. Compromise of this data would cause substantial harm and embarrassment to the Department and may lead to identity theft or other fraudulent use of the information.

Two-Factor Authentication

• The Department’s CIO did not implement two-factor authentication or other effective compensating controls commensurate with the risk and magnitude of harm resulting from a Department data compromise. Specifically, using information from two public web sites, we were able to use xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx techniques to remotely obtain access to sensitive Department information and PII. If sensitive Department information and PII data are compromised, the Department could suffer substantial embarrassment and that compromise may lead to fraudulent misuse of the information.

XXX Configuration

• The Department did not configure the xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Our tests demonstrated that unauthorized access to the system through xxxxxxxxxxxxxxxx attacks could provide a potential malicious attacker with the capability of exploiting systems, deleting and/or modifying sensitive data, and causing serious harm to Department information. Users with malicious intent could gain access to the xxxxx xxxxxxxxxxxxxxxxxxxxx for email spoofing, social engineering, and other possible malicious attacks.

Public Domain Web Sites

• The Department did not properly establish and maintain public domain web sites. Specifically, the Department did not: (a) properly track, update, and verify a directory of public web sites; (b) properly control internet protocol address assignment; (c) properly issue and administer web site certificates; (d) properly monitor public domain web sites; and (e) use approved domain names. The Department’s CIO has the overall responsibility to implement all precautions to protect Department data residing on public domain web sites. Additionally, the public has the right to assume that web sites hosted or provided by the Department are valid and trusted. It is essential that the Department validate its public web sites and adequately protect the confidentiality, integrity, and availability of the PII data residing on public web sites.

In response to our draft report, the Department thanked the OIG for the opportunity to provide comments for this audit report. The Department also stated it concurred, as of the start date of this audit, with the findings and recommendations identified. In response to our system security review, management stated that corrective action plans for the weaknesses will be finalized through the Department’s normal audit resolution process. xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ED-OIG/A11I0006, June 10, 2009
