IG says Defense systems lack reliable safeguards against hackers

Recommendations include developing audit software to track and investigate unauthorized access to sensitive data.

The Defense Information Systems Agency's primary computing centers cannot audit some of its systems for suspicious activity and until recently did not have the means to determine if unauthorized users attempted to enter, manipulate or disable the agency's computer systems, according to a report the Defense Department inspector general released on Tuesday.

The agency's Center for Computing Services operates 18 data centers nationwide, which contain 35 mainframes and more than 6,000 servers that host sensitive Defense applications. Among them is one of the world's largest databases, the central data repository for the Armed Forces Health Longitudinal Technology Application. The electronic health record system contains medical information on 9.2 million active-duty and retired military personnel and their families.

Data centers use audit trails, or records of computer events, to monitor system activity and identify whether unauthorized users attempted to access information they were not supposed to see. But the IG report said the Center for Computing Services "did not have control procedures in place to ensure that access is monitored, suspected security violations are investigated and appropriate remedial action is taken."

The IG recommended that DISA develop software audit capabilities that would allow security personnel to extract critical events from computer systems on a daily basis, conduct in-depth reviews of audit trails for suspicious activity, and investigate security incidents.

In response to the inspector general, DISA officials said the agency does not have the automated tools to satisfy these recommendations, and that development and deployment are pending guidance from its field security operations office.

The Defense IG, which based its report on fieldwork from April 2007 to March 2008, found that DISA had not deployed intrusion detection software on a large sample of its systems, including all of its 23 Unix servers and 11 out of 32 Windows servers. The IG recommended that DISA deploy intrusion detection on all major network management systems and domain name servers for Internet use.

DISA officials said they recently awarded a contract for an enterprisewide intrusion detection system, but did not identify the value or the vendor by press time.