An office of the Department of Energy recently made a point about how easy it is for unauthorized parties to steal your data when it secretly installed unauthorized data-stealing devices at the Energy Department's 2016 Cyber Conference.
The test itself was a no-no, but without a gap in procedures and protocols it would simply have been a no-go.
According to a report from Energy's Office of Inspector General, the Office of Cyber Assessments conducted an unannounced, uncoordinated red team exercise when it placed two data-collection computers disguised as mobile device charging stations outside the conference exhibit hall of a non-federal facility located in Atlanta, Ga.
The devices, housed in white acrylic boxes bearing Department of Energy stickers and DoE Cyber Conference "Charging Station" labels, collected only device name, serial number, manufacturer and model number to compile statistics, and did not gather personally identifiable information. But the unannounced assessment illustrated a lack of adequate controls that created an environment in which it was possible to subvert proper procedures.
A conference planning representative discovered the devices within a few hours of their placement and reported them to Office of the Chief Information Officer staff, who sponsored the event. The devices were removed and OCIO management met with Office of Cyber Assessments personnel about the incident.
The IG report finds, however, that security and/or law enforcement staff were not notified upon discovery of the devices, which would have been prudent given that the rogue charging stations were, at the time, of unknown origin and appeared to be targeting conference attendees.
The report recommends that guidelines for future cyber assessments be reviewed and updated, management oversight procedures be strengthened, and department policies and training procedures for identifying and responding to security threats be addressed.
The entire report can be read at Energy.gov.