Homeland Insecurity: OIG audit identifies numerous deficiencies
'May allow unauthorized individuals access to sensitive data'. You don't say
An Office of the Inspector General audit into the US Department of Homeland Security has identified a range of deficiencies across the agency, which is responsible for America's cybersecurity.
The 36-page audit (PDF) was published with the positive title "[Department of Homeland Security (DHS)] Can Strengthen its Cyber Mission Coordination Efforts" and was publicly released yesterday, Tuesday, 15 September.
The auditors identified a hatstand of vulnerabilities on the internal websites at both Immigration and Customs Enforcement (ICE) and the United States Secret Service (USSS) "that may allow unauthorized individuals to gain access to sensitive data".
These internal website vulnerabilities included:
- Cross-frame scripting vulnerabilities at ICE and USSS. Successful exploitation of these vulnerabilities could allow an attacker to mislead a legitimate user into providing sensitive information, conduct privileged functions, or execute clickjacking attacks
- Reflected cross-site scripting vulnerabilities at ICE. If exploited, this may allow an attacker to hijack a user account, assist in worm propagation, and cause a denial of service attack
- A structured query language injection vulnerability at ICE. Exploitation of this vulnerability can lead to the modification of supporting infrastructure, such as a database
- A file potentially containing sensitive information was unprotected on a USSS website. Viewing this file could give an unauthorised individual detailed system information about the web server that hosts the website
- A session fixation vulnerability on the USSS website that allows an attacker to impersonate a legitimate user. Successful exploitation of this vulnerability may impact the department’s cyber data confidentiality and integrity
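An added example, not taken from the OIG report or any DHS tooling: a minimal defensive check for two of the finding classes above, missing anti-framing controls and a session ID that is not reissued at login. The response headers are constructed samples and the cookie name `SESSIONID` is an assumption.

```python
from http.cookies import SimpleCookie

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def framing_protected(headers):
    """True if the response restricts which origins may frame it."""
    h = _lower(headers)
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # A wildcard source allows any origin to frame the page.
            return "*" not in parts[1:]
    return False

def session_id(headers, name):
    """Value of the named cookie in Set-Cookie, or None if not set."""
    jar = SimpleCookie()
    jar.load(_lower(headers).get("set-cookie", ""))
    return jar[name].value if name in jar else None

def audit(pre_login, post_login, cookie="SESSIONID"):
    """Return finding labels for one site's pre- and post-login responses."""
    findings = []
    if not (framing_protected(pre_login) and framing_protected(post_login)):
        findings.append("framing")
    new_id = session_id(post_login, cookie)
    # No fresh ID after login means the pre-login ID stays valid.
    if new_id is None or new_id == session_id(pre_login, cookie):
        findings.append("session-fixation")
    return findings

# Constructed sample responses (not taken from any real site).
WEAK = ({"Set-Cookie": "SESSIONID=abc123; Path=/"},
        {"Content-Type": "text/html"})
HARDENED = ({"X-Frame-Options": "DENY",
             "Set-Cookie": "SESSIONID=abc123; Path=/; HttpOnly"},
            {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
             "Set-Cookie": "SESSIONID=f81d4fae; Path=/; HttpOnly"})

if __name__ == "__main__":
    print("weak:", audit(*WEAK))
    print("hardened:", audit(*HARDENED))
```

The framing check treats only a `*` source in `frame-ancestors` as unprotected, so broader scheme-only sources would still need manual review.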
The auditors said: "ICE stated that its selected websites are not scanned with a vulnerability assessment tool. This limits the ability of ICE to identify and resolve website-based weaknesses. ICE was unaware of the specific vulnerabilities our tool identified."
The USSS, meanwhile, had only "recently acquired a website assessment tool and was in the process of resolving identified issues at the time of our audit."
In addition, the audit complained that "ICE has not implemented on its Windows workstations and servers all the DHS baseline configuration settings that are required to maintain an effective and standardized set of security controls."
DHS established the required baseline configuration settings to provide the guidelines and parameters for ensuring a minimum baseline of security when installing or configuring operating systems.
The guidelines include controls such as user access, password management, auditing, and computer services.
The OIG audit revealed ICE had only implemented 79 per cent of the selected Windows 7 control settings outlined in the baseline configuration guidance.
Additionally, ICE implemented only 58 per cent of the selected Windows 2008 server security control settings outlined in the DHS baseline configuration guidance.
The auditors added that subsequent to the audit, ICE had "updated selected controls for its Windows 2008 servers with the exception of renaming the local administrator account."
The DHS mission was stated to be coordinating "national protection, prevention, mitigation of, and recovery from cyber incidents," as well as overseeing "the protection of the Federal network (.gov)."
A table was provided depicting "some of the core cyber responsibilities of DHS and several of its components" including ICE, the USSS, and the National Protection and Programs Directorate (NPPD).