According to the inspector general’s memorandum, the Department of the Interior detected simulated malicious attacks and responded properly, making improvements from 2015 and 2018 evaluations.
The Office of the Inspector General for the Department of the Interior found that the department’s cyber threat detection and defense controls are sufficient, according to a released memorandum. As a result of DOI’s adequate response, OIG is closing its evaluation.
OIG performed penetration tests of DOI’s public-facing systems and found that DOI detected the simulated attacks, in addition to properly responding in compliance with agreed upon steps established by OIG and the Office of the Chief Information Officer.
OIG began to evaluate DOI in October 2020 to determine whether it “deploys and operates a secure infrastructure for its public-facing internet systems in accordance with guidance provided by the National Institute of Standards and Technology, department policy, and industry best practices.”
Specifically, OIG examined security weaknesses to DOI’s public-facing systems by conducting tests from May to November 2021, to look for vulnerabilities that could be exploited. Additionally, OIG utilized ethical hacking tools to mimic actual malicious activity, after which it looked at the DOI’s incident tracking system and incident response tools to see if its simulated attack was detected. These test results were given to DOI for “vulnerability confirmation and mitigation.”
According to OIG, it conducted similar tests in 2015 and 2018 for incident handling as well as vulnerability detection and mitigation practices, which did not produce satisfactory results. In particular, the 2015 report found critical vulnerabilities on public-facing systems and the 2018 report found that alerts created from OIG imitating malicious activity were not picked up by OIG. However, OIG stated that DOI’s efforts have since improved, as the most recent findings show that DOI identified OIG’s simulated attacks and mitigated confirmed vulnerabilities that OIG’s tests detected.
Despite this improvement, OIG stated that DOI must “remain vigilant,” because it has numerous public-facing internet systems “that face a variety of other vulnerabilities that should be considered and addressed.” OIG added that its tests had a broad scope and “did not mimic adversaries who may have the time and resources to focus their attacks.”
OIG did not offer any recommendations in its memorandum and DOI is not required to respond.