Last year, the third of three significant hacking attempts against the DoE network was successful in stealing sensitive personal information on 50,000 to 104,000 DoE workers. Though troublesome, this data breach taught the DoE some valuable lessons, which can also be applied to other organizations in need of boosting cyber security. Here is how the DoE used IT asset management software to solve the issue that paved the way for the cyber attack to happen.
The Department of Energy (DoE) is responsible for safeguarding our national energy resources. This includes overseeing highly sensitive and potentially dangerous energy sources like nuclear power.
When you’re keeping large volumes of personal information on people, you’ve got to have up-to-date software to safeguard it.
The Breach That Exposed the DoE
Like most employers, the DoE keeps an abundance of personally identifiable information (PII) on its workers, including their names, addresses, social security numbers, dates and places of birth, banking information, and answers to sensitive security questions, such as their mothers’ maiden names, which are often used to access other personal accounts in addition to the DoE database.
The software the Department used to store and retrieve this PII was purchased in March of 2013, even though support for this software was discontinued in July of 2012. Since the software was no longer supported by the developer, no security patches were available. This meant hackers were able to breach the system and obtain PII on some 104,000 of the Department’s workers (media accounts often cite 50,000 workers, but the internal investigation revealed compromise affecting most of the DoE employees and contractors). The DoE desperately needed a way to determine when such software was outdated to prevent another embarrassing and costly data leak.
How IT Asset Management Prevents Such Future Breaches
The DoE decided on asset management as a means to track the lifespan of critical software and hardware, which would help them identify when updates are needed, when systems will no longer be supported by the manufacturer, and when patches need to be installed to maintain security. Every system faces numerous unknown risks, but most organizations can use IT asset management to identify and mitigate known risks, improving the overall security of all internal systems.
Asset management systems work by tracking the lifespan of all of the hardware and software on the system. Lifespan information is obtained from the manufacturer and entered into the asset management system, along with information on when and how updates and patches are released. For example, support for the popular Windows XP ended on April 18, 2014. With asset management in place, any organization using XP would have been warned well ahead of time, giving them time to replace XP with a new system that features Microsoft support. This eliminates the possibility that an organization is unknowingly using outdated software or hardware, blocking many hacking attempts designed to exploit outdated and unsupported systems.
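The lifecycle check described above, as an added example that is not from the DoE or any asset management product: it flags assets that are out of support, nearing end of support, missing a vendor date, or (as in the DoE case) acquired after support had already ended. Asset names, the exact days, and the 365-day warning window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Asset:
    name: str                       # hypothetical inventory identifier
    acquired: date
    end_of_support: Optional[date]  # None: vendor date never recorded

# Most urgent finding first.
SEVERITY = ["ACQUIRED_AFTER_EOS", "UNSUPPORTED",
            "UNKNOWN_LIFECYCLE", "EOS_APPROACHING"]

def classify(asset: Asset, today: date, lead_days: int = 365) -> str:
    eos = asset.end_of_support
    if eos is None:
        # A missing date is a finding: the risk cannot be assessed at all.
        return "UNKNOWN_LIFECYCLE"
    if asset.acquired > eos:
        # Procurement failure: bought after the vendor stopped patching.
        return "ACQUIRED_AFTER_EOS"
    if today > eos:
        return "UNSUPPORTED"
    if eos - today <= timedelta(days=lead_days):
        return "EOS_APPROACHING"
    return "SUPPORTED"

def review(inventory, today, lead_days=365):
    """Return (status, name) for every asset needing action, worst first."""
    findings = [(classify(a, today, lead_days), a.name) for a in inventory]
    findings = [f for f in findings if f[0] != "SUPPORTED"]
    return sorted(findings, key=lambda f: (SEVERITY.index(f[0]), f[1]))

# Constructed sample inventory. The first row mirrors the months in the
# article (support ended July 2012, purchased March 2013); days are invented.
INVENTORY = [
    Asset("hr-records-app", date(2013, 3, 15), date(2012, 7, 31)),
    Asset("desktop-os-a", date(2009, 6, 1), date(2014, 4, 30)),
    Asset("db-server-b", date(2008, 1, 10), date(2013, 1, 31)),
    Asset("vpn-appliance-c", date(2012, 2, 2), None),
    Asset("mail-gateway-d", date(2012, 11, 20), date(2018, 12, 31)),
]
TODAY = date(2013, 9, 1)  # constructed review date

if __name__ == "__main__":
    for status, name in review(INVENTORY, TODAY):
        print(f"{status:20} {name}")
```

Running the same classification at purchase time, not only on a schedule, is what would stop an already-unsupported product from entering the inventory.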
Benefits of IT Asset Management Beyond Security
In addition to offering more security, asset management software offers many other benefits, including the ability to plan ahead and budget for important upgrades. Large organizations like government agencies and enterprises own thousands of different pieces of hardware and software. Managing and tracking these assets is tedious, time-consuming, and ineffective without robust and dynamic asset management software in place.
Asset management can also notify administrators early enough to thoroughly research replacements for outdated assets and allow for time to negotiate great prices for upgrades. This software can improve vendor relations by giving IT a better picture of how individual components of the system are performing and what their actual return on investment (RoI) is for any given part of the system over time. By knowing how each piece of the system performs, IT and executives can identify ways to improve the performance of the overall system infrastructure. Asset management is also helpful in adhering to compliance regulations.