Cracks in security leave DHS financial systems vulnerable to abuse

Investigators posing as technicians tricked employees into sharing passwords, and auditors found credit cards, laptops and sensitive information lying around offices after hours.

Security weaknesses in the computers that track money for the Homeland Security Department could lead to a substantial mistake in the agency's financial statements, according to a federal audit.

KPMG analysts hired by the DHS inspector general to assess the department's various financial systems for the fiscal year ending Sept. 30, 2010, found about 160 deficiencies, or inadequate controls, most of which -- 65 percent -- were repeats of the previous year's problems. The IG office released a redacted version of the April 26 report on Monday.

Among the information technology inadequacies highlighted: ex-employees were still able to log on to their accounts, and unauthorized outsiders successfully acquired user passwords from DHS personnel.

"Collectively, the IT control deficiencies limited DHS' ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity and availability," the report stated. "We consider them to collectively represent a material weakness for DHS" based on accounting industry standards.

An auditor impersonating a help-desk employee tricked unwitting DHS staff into providing their system user names and passwords at several agencies, according to the assessment. Recently, hackers used this increasingly popular tactic, known as social engineering, to gain entry into and steal data from federal contractor RSA Security. In that incident, the culprits posed as a recruiting website and sent company employees human resources-related emails containing malicious software that obtained access to the RSA network.

KPMG analysts used a less sophisticated lure -- a phone call. Masquerading as DHS technical support staff, auditors dialed randomly selected employees at DHS agencies and asked them to provide user passwords to help fix a network issue. At Customs and Border Protection, two of the 16 people who answered the phone divulged their network passwords. At the Transportation Security Administration, the fake technicians snagged three passwords, after an unspecified number of attempts.

At the Federal Emergency Management Agency, several personnel shared their user IDs and passwords, the report said. Some staff, however, looked up the imposters' assumed names in an agency directory to check identification, asked for help desk ticket numbers, or reported the attempted breaches to supervisors.

The audit did not say how many employees handed over their passwords at each DHS component.

KPMG analysts also discovered that some agencies neglected to promptly disable the accounts of employees who stopped working for the agency. CBP staff shut down ex-employee accounts biweekly, a violation of agency policy that requires deactivation on the employee's last day. And at Immigration and Customs Enforcement, someone accessed the account of a former employee, even though the agency had installed a feature that disables user accounts after 45 days of inactivity.

While attempting to physically break into systems after hours, investigators found that employees had left government credit cards, financial system user IDs and passwords, laptops, and server names and network addresses unguarded in their cubicles or offices.

At FEMA, analysts noted seeing large stacks of documents and compiled spreadsheets that contained sensitive, personal information belonging to business partners. Auditors also found a non-locking server room.

The departmentwide inspection determined that many agencies were either not monitoring audit logs for potential cyber incidents, or they assigned personnel with conflicting roles to review the logs.

For example, at the Coast Guard, staff were not recording and reviewing all failed log-in attempts. At CBP, personnel were not reviewing security audit logs for the system that keeps track of commercial goods entering the United States. Meanwhile, a FEMA employee with "super user" system administration access was responsible for monitoring other super users' activity, a duty that should have been delegated to a separate individual without those access privileges.

An examination of IT system performance found that many DHS agencies, including the Coast Guard, ICE and U.S. Citizenship and Immigration Services, could not install mechanisms to prevent duplicate payments. One unnamed component disbursed duplicate payments two times during 2009 and 2010.

Homeland Security recently abandoned long-held aspirations of deploying a unified finance, acquisition and asset management system, following several procurement protests.

In an undated letter attached to Monday's audit, DHS Acting Chief Financial Officer Peggy Sherry, Chief Information Officer Richard Spires, and Chief Information Security Officer Robert West said that they agreed with the findings in a draft report.

The CIO and CFO "continue to work jointly in ensuring the timely remediation of financial system security weaknesses and strengthening the department's information systems controls environment," they wrote.

On Tuesday afternoon, a DHS spokesman said in a statement that the department "takes this, and all audits, very seriously as indicated by the response to the auditors' findings and recommendations in the report. As in the past, all audit findings will be addressed through the department's formal plan-of-attack and milestones process. Over the last two years, the department has made significant progress in improving the security and functionality of our financial systems, and we will continue to improve in the future."