[ISN] DOE IG reviews security at Oak Ridge

From: InfoSec News (alertsinfosecnews.org)
Date: Wed Jan 09 2008 - 02:16:55 CST


http://www.gcn.com/online/vol1_no1/45646-1.html

By Trudy Walsh
GCN.com
01/08/08

Additional security protocol training for employees, better information
sharing with local counterintelligence officials and periodic review of
laptop PC security procedures are among the recommendations made by the
Energy Department's inspector general after an investigation into a
security breach at the department's Y-12 National Security Complex in Oak
Ridge, Tenn.

According to the IG's report [1], in 2006 an unauthorized laptop with
wireless capability was taken into a "limited area" at the Y-12 nuclear
weapons plant. Limited areas are defined as "secure work areas that
employ physical controls to prevent unauthorized access to classified
matter or special nuclear material," the report states.

DOE prohibits any equipment capable of transmitting data wirelessly.
Posted at the entrance to the Y-12 limited area is a large sign that
lists the items prohibited from the area without prior approval. Second
on that list, after firearms, is "Electronic equipment with data
exchange port capable of being connected to automated information systems
equipment (i.e., personal computers, PDAs)."

Four main security violations occurred, the IG said:

    * On Oct. 24, 2006, Y-12 employees discovered a contractor from Oak
      Ridge National Laboratory had brought an unclassified laptop with
      wireless capability into a Y-12 limited area without following
      proper protocols.

    * Y-12 cybersecurity staff did not properly secure the laptop, and
      the user left the area with the computer, contrary to Energy
      policy. The laptop was not retrieved by the department until
      almost an hour later. Because the laptop could have been tampered
      with during that time, it could not be collected as best evidence.

    * Energy requires that within 32 hours of an incident of security
      concern, a written report be submitted to the Headquarters
      Operations Center. The written report was not made until six days
      after the incident was discovered.

    * Subsequent inquiries revealed that as many as 37 additional
      laptops may have been brought into the limited area by ORNL
      employees without following proper security protocols.

The report notes that as soon as the manager of the Y-12 site office
heard about the incident, he required that the individuals involved in
the Oct. 24 incident be removed from the site and that their
unclassified computer accounts be suspended. ORNL officials also
notified the inspection team that they had initiated corrective plans
and revisions to local security procedures.

Further review by the IG team revealed that nine of the 38 laptops that
had been taken into the limited area without authorization had later
been taken on foreign travel; six of those nine had wireless capability;
and two of those six had been to countries that are on Energy's [2]
sensitive countries list. A forensic evaluation of the 38 laptops also
showed that all contained malware, which could potentially be used by
hackers to obtain unauthorized information.

According to the IG, ORNL management agreed with the recommendations of
the report, and has implemented corrective actions to prevent future
breaches. The report added that the IG would evaluate the adequacy of
these corrective measures in the future.

[1] http://www.ig.energy.gov/documents/IG-0785.pdf
[2] http://www.wipp.energy.gov/proc/pdf/SensitiveFNC.pdf
