How hackers made minced meat of Department of Energy networks

33 points by mud_dauber, over 11 years ago

4 comments

ChuckMcM, over 11 years ago
TL;DR version - if you don't apply security patches, or take basic precautions, you will get compromised.

It is sad that our government IT organizations are so poor, I would consider *that* a National Security threat much more than having the FBI help some whack job build a fake bomb so they can publicly "break up" a terror plot.
voltagex_, over 11 years ago
Direct link to PDF of DOE report - http://energy.gov/sites/prod/files/2013/12/f5/IG-0900.pdf
jrochkind1, over 11 years ago
> Chief among them is the fact that none of the 354 database tables containing social security numbers were encrypted. Using strong cryptography to protect such "at rest" PII has long been considered a best practice in government and corporate data security.

Really? Although I don't work in that field ('government and corporate data security', or generally anything where we have to deal with SSN's and such) -- that doesn't make a lot of sense to me. Encrypted database tables? I've never even heard of that. Can someone who does work in this domain tell us if this makes any sense at all, or translate this into what it actually means technically?

(On the other hand, the fact that 354 database tables existed with SSN's is a red flag in the first place, clearly. There's plenty of clear problems with what was described, I'm just curious about this alleged 'encrypted database table best practice')
dba7dba, over 11 years ago
Who ultimately decides the patches cannot be added (for whatever reason)? It's ultimately the bean counters and managers beholden to them.

So I'm not really going to look down on the govt IT workers (or contractors).