The very systems the Homeland Security Department uses to monitor cybersecurity across the federal government were plagued by their own vulnerabilities, which placed the cybersecurity data they maintain at risk, according to an inspector general report.
The inspector general performed an audit on the security of the systems DHS' U.S. Computer Emergency Readiness Team uses to compile and analyze information about cybersecurity incidents that civilian agencies report. According to an August report released on Wednesday, a significant effort is needed to address existing security issues, to "ensure the confidentiality, integrity and availability of its cybersecurity information."
Specifically, adequate security controls have not been included on the mission operating environment, which US-CERT personnel use to access and share data on cyberattacks, system anomalies and other incidents that affect mission-critical networks. The system, which the inspector general defined as "the backbone of US-CERT operations," supports the organization's program functions such as e-mail and user access to the intrusion detection system Einstein.
Auditors used vulnerability scanning software to find security problems in multiple computer systems that support the cybersecurity program. The inspector general classified each security issue as high, medium or low risk based on the severity of the vulnerabilities and damage they could inflict on systems. According to the report, a scan of the mission operating environment identified 540 vulnerabilities, with 202 categorized as high risk. Scans of other systems, including Einstein, identified no significant IT security vulnerabilities.
The majority of the high-risk vulnerabilities involved failure to apply security and software patches. DHS informed the inspector general that patches for the mission operating environment are applied manually, which often results in failure to insert them quickly on all computer systems on a network.
"[Homeland Security's] difficulty and inability to timely deploy patches led to our discovery of a high number of application and operating system vulnerabilities that leave the MOE vulnerable to potential attacks," the IG reported. "Additionally, since US-CERT analysts gain access to Einstein data via the MOE, the vulnerabilities may put sensitive Einstein data at risk."
Identified vulnerabilities could lead to an attacker remotely carrying out commands on a target machine, security controls being bypassed to gain unauthorized access to resources, and denial-of-service attacks, which bombard a system with traffic to force it to shut down.
DHS reported to the inspector general that it had mitigated the vulnerabilities and agreed to provide results of a subsequent scan of the mission operating environment system. The department also said it deployed a software management solution in June that automatically sends out patches and updates for all systems in the mission operating environment.