The Inspector General's Office of the United States Department of Energy recently released the results (PDF) of a 15-month audit of the DoE's security practices as they apply to publicly available web sites and services. Unfortunately, the publicly available version of the report removes all details of the vulnerabilities discussed therein, making it impossible for Ars to discuss the severity of any particular flaw. The overall assessment of the report is mixed. While there are specific departments and laboratories within the DoE that have implemented strong security practices, there are also a number of areas where the department needs significant improvement. For instance, visitors to US DoE web sites probably shouldn't be redirected to pornography, but this is exactly what happened last year after an attack on the Brookhaven National Laboratory briefly turned that site into a porn redirector.

According to the report, DoE websites and/or data are compromised at a rate of nearly 20 incidents a year, totaling 60 security incidents over the past three years. Some of these resulted in malicious defacement, while others appear to have been caused by internal mistakes. The audit refers to eight incidents over the past two years that improperly exposed the personally identifiable information of individuals, but in those cases the information was available due to user error rather than malicious theft or a hack. As the report makes clear, whether it's the result of a hack or just poorly guarded data, it all stems from lax security policies and reviews.

Many of the security flaws uncovered during the 15-month audit lead back to one of two root causes. First, many of the web servers in question had not been formally authorized for operation through the process known as certification and accreditation (C&A). Oftentimes, such servers were not fully compliant with federal security guidelines and rules, and they presented potential attack vectors to the public that should have been closed.

The audit singled out one site in particular for allowing public users to transfer sensitive data anonymously to 14 separate public web servers. This is precisely the sort of situation that should have been caught by the site's cybersecurity team, but a general policy of decentralization has left site owners responsible for server security. This decentralization has created other problems for the DoE, as discussed below.

The second issue is one of web site asset management. The report states: "the Department was unable to provide us with an inventory of active public web sites despite an E-Government Act requirement for organizations to maintain that information." Website management, in general, also appears to be unnecessarily decentralized, and the report recommends that this trend be reversed, noting that "inconsistent and weak management and control over web servers may result in improperly configured servers, increasing the risk of defacement or compromise of sensitive information." The DoE's various web servers are quite fragmented; the report cites the example of one (unidentified) site where over 140 web servers were collectively managed by 30 separate departments.

In the grand scheme of things, the Department of Energy's problems aren't all that massive—they certainly don't compare to the kinds of personal data theft we've seen in the past—but the Inspector General's audit clearly indicates that the DoE has more work to do in several areas. The conclusion to the report states that the audit's conclusions were well-received, and further meetings are scheduled to put the report's recommendations into place.

Update: One of our readers pointed out the following page, where the Oak Ridge National Laboratory reports that visitor personal information may have been acquired, and informs readers that anyone visiting the site between 1990 and 2004 may have had their PII stolen. The report above does not mention this incident, nor does it give any details on the severity of the breach.