US-CERT systems riddled with vulnerabilities, audit finds

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Scans of the IT systems of lead Homeland Security division for cybersecurity found numerous vulnerabilities, according to a report from the DHS Inspector General.

A scan of IT systems at US-CERT, the Homeland Security Department’s primary operational cybersecurity agency, found hundreds of vulnerabilities that could allow someone to compromise data, according to a recent inspector general’s report.

Although DHS has policies in place to mitigate and correct problems, the lack of an automated system for patching vulnerabilities has left a large number of unpatched and possibly serious flaws in the agency’s Mission Operating Environment, the IG found.

“These vulnerabilities, if not addressed, could lead to arbitrary code execution, buffer overflow, escalation of privileges, and denial-of-service attacks,” the IG concluded in the report, “DHS Needs to Improve the Security Posture of its Cybersecurity Program System.” The problem is not limited to the operating environment, but could extend to the National Cybersecurity Protection System, the governmentwide intrusion detection system better known as Einstein, because US-CERT analysts gain access to Einstein data via the MOE.

Related coverage:

The cyberattack that awakened the Pentagon

DHS releases new dedtails on Einstein 3 intrusion detection pilot

The report also identified failures to adequately track and manage security risks found in Einstein itself, inadequacies in the National Cyber Security Division’s information security training, a lack of documentation for IT systems, and a number of other problems with system testing and physical security.

The inspector general made 10 recommendations for improving the NCSD security posture, and the department has accepted these and begun taking corrective action.

DHS is the lead agency for ensuring the security of the government’s civilian IT infrastructure and also is responsible for coordinating cybersecurity efforts with the private sector. Much of this work is done in the National Cyber Security Division. The U.S. Computer Emergency Readiness Team, US-CERT, is the NCSD branch responsible for gathering, analyzing and making available current threat information. The IG audit focused on US-CERT.

Although the report focused on the agency’s shortcomings, the findings were not entirely negative.

“Overall, NCSD has implemented adequate physical security and logical access controls over the cybersecurity program systems used to collect, process, and disseminate cyber threat and warning information to the public and private sectors,” the report concluded. “However, a significant effort is needed to address existing security issues in order to implement a robust program that will enhance the cybersecurity posture of the federal government.”

NCSD needs to focus on deploying system security patches in a timely manner, finalizing system security documentation and ensuring adherence to departmental security policies and procedures, the report stated.

A scan of US-CERT systems by the IG turned up 540 unique vulnerabilities in the Mission Operating Environment (MOE), 202 of which were rated as “high.” No other systems had vulnerabilities rated as “high,” but Einstein had 89 unique vulnerabilities, eight of them rated “medium.” Overall, there were a total of 671 unique vulnerabilities found US-CERT systems.

Most of the serious vulnerabilities, 189 of them, were in applications, including Microsoft applications, Adobe Acrobat and Sun Java. The remaining 13 were in operating systems, including Windows and Redhat Linux.

The report notes that addressing vulnerabilities in applications has been rated as the top security priority by the SANS Institute. Applications have become the primary source of new vulnerabilities and the favorite vector for delivering malware and attacks.

The problem is not that DHS is ignoring vulnerabilities, but a lack of automation, the report found. NCSD performs vulnerability testing and has established a patch management process, but the process is ineffective because patches are being applied manually on applications in the MOE. Because of the challenge of patching a large number of machines manually, patches are often not applied universally or in a timely fashion.

To address these and other issues the IG recommended:

  • Mitigate the vulnerabilities identified during the audit to secure the operating systems and applications deployed on the MOE network.
  • Implement a software management solution that will automatically deploy operating system and application security patches and updates on all MOE computer systems to mitigate current and future vulnerabilities.
  • Create Plans of Action and Milestones for known security vulnerabilities as required by the Federal Information Security Management Act, assign appropriate resources, and monitor the progress of corrective actions until risks are mitigated.
  • Establish an information security training process that includes developing a list of required and recommended courses for NCSD systems personnel and contractors, monitoring training, and maintaining course records.
  • Review and approve program and system documentation for its cybersecurity program.
  • Update the annual system self-assessments for the division’s cybersecurity systems to include all system information and complete the appendices according to DHS requirements.
  • Conduct and document quarterly firewall testing to ensure that cybersecurity program systems are protected from unauthorized access attempts.
  • Implement DHS baseline configuration settings on its routers, servers, and workstations for its cybersecurity program.
  • Conduct and document physical security inspections of offices and areas housing system equipment according to DHS policy.
  • Establish a policy and institute procedures to prevent damage to DHS equipment when the temperature or humidity inside server rooms fall outside of the department’s acceptable range.

 

 

 

 

 

 

 

 


 

NEXT STORY: TSA may have a solution for virtual-striptease body scans

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.