So government agencies are immune to hacking, right? I mean, with all the change management, regulations, and audit departments dying to find someone breaking the rules, they’ve got to be immune!
Nope. The Department of Energy got hacked last Friday. Was it their fault? Not known. Does it affect their operations? Oh yeah, it does.
Several hundred contractor and employees’ Personally Identifiable Information (PII) was stolen, and there are rumors it was done by a Chinese team. Nation-state hacking? Not known. But there’s a lot of Chinese hacking going around.
If you worked for the DOE in the last few years, you might receive a letter from them. Here are excerpts from the initial letter to employees.
The Department of Energy (DOE) has just confirmed a recent cyber incident that occurred in mid-January which targeted the Headquarters’ network and resulted in the unauthorized disclosure of employee and contractor Personally Identifiable Information (PII).
We believe several hundred DOE employees’ and contractors’ PII may have been affected. As individual affected employees are identified, they will be notified and offered assistance on steps they can take to protect themselves from potential identity theft.
If you get a letter stating you are one of the unlucky, take it seriously.
Some simple steps to take:
Let your FSO know. Your Facility Security Officer should be informed, so they can work with you to change every password, security question, and go over your privileges. Why? When you lose PII, the answers to security questions, pin codes, passwords, etc, could be lost, as well.
Check with your FSO to see if you can use a password manager, such as Keypass, Pocket, or similar. If you can, you can use ridiculously strong passwords, since you only have to remember the password to the password manager. It stores your 20 character randomized passwords for you.
Remember, one of the uses of PII is to get credit on your name, benefiting someone else. Put a credit freeze on your name with the three big credit check companies, Transunion, Equifax, and Experian.
The other tactic they might try – and this is specific to people with access to classified information – is use it to gain influence on you. Be upfront with your FSO about any suspicious queries. Now is also a good time to consider what secrets someone with access to your personal information might discover – and if any of those secrets should be reported to your FSO.
The good – or should we say sad – news is that hacks of PII occur with such frequency that there are steps you can take to mitigate the damage, such as those outlined above.
Joshua Marpet is on the Board of Directors of two Infosec conferences, BSides Las Vegas, and Security BSides Delaware. He is also staff at Derbycon, Shmoocon, and as the “InfoSec Megaphone”, anywhere else he goes. Joshua is an experienced Forensic, Incident Response, and mobile forensics expert and researcher. As an adjunct professor at Wilmington University, he teaches Information Security at an NSA/DHS certified Center of Academic Excellence. In his professional life, he is a managing partner at Guarded Risk, a proactive forensics and proactive incident response firm.