DOE Cyber-Security Audit Shows Incident Reporting, Management Hurdles
Some of that, Kwon said, has to do with the maturity level of security operation centers, while it also relates to the way incidents are reported. The audit appears to back that up, at one point stating that "the reporting instructions developed by JC3 lacked detail and were subject to interpretation as to the definition of a reportable incident, which contributed to problems we identified related to reporting. In particular, sites were inconsistent when making determinations as to what constituted a reportable incident."

Government reporting and accountability of compromises, incidents and loss of protected networked knowledge remain disjointed and inadequate, according to Sean Bodmer, chief researcher at security vendor CounterTack. The biggest issues are not the incident responders in the trenches who want to honestly do their jobs, but almost always one of the typical political or policy challenges that "plague the Information Assurance and Security professionals working for and in the U.S. government," he said.

The audit makes several recommendations to address the issues it uncovered, starting with the development of an enterprise-wide cyber-security incident-management program that establishes clearly defined lines of authority and responsibility, eliminates duplicative efforts, and requires all departmental elements—including the National Nuclear Security Administration (NNSA)—to contribute to a unified program that ensures a timely response. According to the audit, the DOE and the NNSA management agreed with the findings of the report and stated that corrective actions will be taken.

"Although these findings are alarming from a budgetary and security perspective, it appears DOE management is moving in the right direction," said Dave Pack, director of labs for LogRhythm. According to the Management Comments memorandum, the department has begun transforming its incident-management program, which specifies recommendations of the audit and more, Pack noted.
"When implementing a program of this scale, it will be important to choose tools and technologies that can effectively collect and normalize large amounts of different types of data from disparate locations to ensure a centralized body can efficiently analyze, identify and report security incidents according to department-wide policies," said Pack.
"The underlying issue is still within an overarching mandate that requires each independent site and dispersed teams to report incidents in a timely fashion or be fined in some way," said Bodmer. "Without the proper level of authority to enforce reprimands of offending organizations, the JC3 will continue to have the reoccurring issues."