recommended reading

Poor security leaves VA systems open to attack, watchdog says

The Veterans Affairs Department runs unsecure Web application servers, uses weak or default passwords to protect its hardware and software, and does not comprehensively monitor connections between its systems and the Internet, according to an internal agency watchdog.

These conditions leave department systems vulnerable to penetration or attack, said VA Assistant Inspector General Belinda Finn in testimony before the House Veterans Affairs Committee Wednesday.

The 2002 Federal Information Security Management Act requires federal agencies to develop, document and adhere to detailed information security programs. But Finn said VA continues to have significant information security deficiencies.

She said the IG office found several VA database systems used outdated software that could allow unauthorized users to access mission-critical data and alter databases.

Most of VA's 153 hospitals do not segment access to their medical networks, according to Finn. As a result, IG investigators were able to penetrate the networks -- including those hosting medical diagnostic and imaging systems -- from remote locations.

VA had not identified, managed or monitored a significant number of system connections with external sources, meaning "an attacker could penetrate VA's internal network and systems over an extended period of time without being detected," she said.

The department has made progress improving its IT security during the past several years, Finn told committee members, but still needs to complete the majority of 11,000 action plans to mitigate and eliminate security risks.

Roger Baker, VA's chief information officer, testified that the department monitors its core enterprise network 24 hours a day, has deployed 160 intrusion detection systems nationally, and blocks delivery of 16.4 million e-mails a day viewed as spam or containing malware.

VA has moved to isolate networks that host X-ray machines and other medical devices from other networks, Baker said.

The department's most important ongoing security project is its Visibility to the Desktop program, which Baker said he expects to complete by September. It will allow VA to check the status of all machines in a network from a central location at the enterprise level.

"This is a huge security tool for us," he said, "and it means that VA can review and run reports on any of the 333,000 machines on our network. This also gives VA the ability to apply patches which will greatly improve the security of the network."

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.