An OIG investigation found that the Interior Department has not fully implemented multifactor authentication and that its “outdated and ineffective” password requirements leave employees’ accounts vulnerable to exploitation.
The Interior Department’s lax cybersecurity practices—including employees’ use of easily hackable passwords and inconsistent deployment of multifactor identification—leave the agency vulnerable to phishing scams and hacks, according to a report conducted by Interior’s Office of Inspector General that was publicly released on Friday.
OIG said in the report that, over the course of its investigation, it was able to crack 18,174 of 85,944—or 21%—of active user passwords, “including 288 accounts with elevated privileges and 362 accounts of senior U.S. government employees.” The report added that inspectors were able to crack 16% of Interior’s user accounts “in the first 90 minutes of testing.”
OIG said that this was due to Interior’s “outdated and ineffective” password complexity requirements, which enabled users to select easy-to-crack passwords and “allowed unrelated staff to use the same inherently weak passwords.”
“For example, the most commonly reused password (Password-1234) was used on 478 unique active accounts,” the report noted. “In fact, five of the 10 most reused passwords at the department included a variation of ‘password’ combined with ‘1234’; this combination currently meets the department’s requirements even though it is not difficult to crack.”
The report found that Interior “failed to enforce its own account management policies regarding account disabling and password changes,” which it noted were critical to agency cybersecurity efforts because “unused accounts pose a higher risk to department systems and networks, because they offer more opportunities for a malicious actor to gain unauthorized access.” Although Interior’s policies require that inactive accounts be disabled after 45 days, the report found “that 6,243 of all active accounts had not been used for more than 45 days.”
“The department failed to disable these accounts per its own policy and instead left implementation and enforcement of this policy to the bureaus and offices,” the report said, adding that OIG reviewers “cracked 23% (1,405) of these accounts.”
OIG also found that Interior did not fully utilize multifactor authentication across the department, “including for 89% of its high value assets (assets that could have serious impacts to the department’s ability to conduct business if compromised), which left these systems vulnerable to password compromising attacks.” The report added that multifactor authentication “is a highly effective method of protecting accounts,” even if a password is compromised, since it adds an additional level of security before users can access internal applications.
OIG cited the May 2021 Colonial Pipeline ransomware attack as “an example of the potential consequences of [a] lack of multifactor authentication and weak account management practices,” while also acknowledging that a similar breach at Interior “would not produce the same widespread disruption to businesses and consumers.”
OIG’s report offered eight recommendations to help strengthen Interior’s user account management practices, including implementing multifactor authentication “that cannot be bypassed to allow single-factor authentication for all applications,” revising “password complexity and account management policies” and prohibiting related accounts from using the same passwords.
Interior concurred with all eight of OIG’s recommendations, although the department pushed back on the report’s references to the Colonial Pipeline attack in the context of its cybersecurity practices by noting that it “has key safeguards that lower the risk of exploitation from similar methods because of a defense-in-depth posture.”