DOE audit reveals new weaknesses, and unpatched older flaws | Threat Post

An audit of the Department of Energy has shown that 29 new weaknesses emerged on the agency’s networks this year, in addition to 10 existing weaknesses that the DoE failed to fix after a 2012 audit.

The audit, undertaken by the Office of Inspector General and the Office of Audits and Inspections, revealed weaknesses in security reporting, access controls, patch management, system integrity, configuration management, segregation of duties, and security management at 11 of the DoE’s 26 facilities. The audit report does not name specific locations or identify specific vulnerabilities.

At five locations, auditors discovered that systems administrators were doing a poor job of implementing software, application, and operating system patches, leaving department machines exposed to scores of known vulnerabilities. The audit report notes that these are the sorts of weaknesses that gave attackers the ability to steal the personally identifiable information of more than 100,000 individuals stored in those systems earlier this summer.

This is why red teaming is so important for national infrastructure and basic utilities security. A good red team can work continuously to make sure security is at the forefront of the managers and planners.

There is an important lesson to be learned in this article.