US-CERT systems riddled with vulnerabilities, audit finds
IG says lack of automated patching has left open some potentially serious holes
A scan of IT systems at US-CERT, the Homeland Security Department’s primary operational cybersecurity agency, found hundreds of vulnerabilities that could allow someone to compromise data, according to a recent inspector general’s report.
Although DHS has policies in place to mitigate and correct problems, the lack of an automated system for patching vulnerabilities has left a large number of unpatched and possibly serious flaws in the agency’s Mission Operating Environment, the IG found.
“These vulnerabilities, if not addressed, could lead to arbitrary code execution, buffer overflow, escalation of privileges, and denial-of-service attacks,” the IG concluded in the report, “DHS Needs to Improve the Security Posture of its Cybersecurity Program System.” The problem is not limited to the operating environment, but could extend to the National Cybersecurity Protection System, the governmentwide intrusion detection system better known as Einstein, because US-CERT analysts gain access to Einstein data via the MOE.
The cyberattack that awakened the Pentagon
DHS releases new dedtails on Einstein 3 intrusion detection pilot
The report also identified failures to adequately track and manage security risks found in Einstein itself, inadequacies in the National Cyber Security Division’s information security training, a lack of documentation for IT systems, and a number of other problems with system testing and physical security.
The inspector general made 10 recommendations for improving the NCSD security posture, and the department has accepted these and begun taking corrective action.
DHS is the lead agency for ensuring the security of the government’s civilian IT infrastructure and also is responsible for coordinating cybersecurity efforts with the private sector. Much of this work is done in the National Cyber Security Division. The U.S. Computer Emergency Readiness Team, US-CERT, is the NCSD branch responsible for gathering, analyzing and making available current threat information. The IG audit focused on US-CERT.
Although the report focused on the agency’s shortcomings, the findings were not entirely negative.
“Overall, NCSD has implemented adequate physical security and logical access controls over the cybersecurity program systems used to collect, process, and disseminate cyber threat and warning information to the public and private sectors,” the report concluded. “However, a significant effort is needed to address existing security issues in order to implement a robust program that will enhance the cybersecurity posture of the federal government.”
NCSD needs to focus on deploying system security patches in a timely manner, finalizing system security documentation and ensuring adherence to departmental security policies and procedures, the report stated.
A scan of US-CERT systems by the IG turned up 540 unique vulnerabilities in the Mission Operating Environment (MOE), 202 of which were rated as “high.” No other systems had vulnerabilities rated as “high,” but Einstein had 89 unique vulnerabilities, eight of them rated “medium.” Overall, there were a total of 671 unique vulnerabilities found US-CERT systems.
Most of the serious vulnerabilities, 189 of them, were in applications, including Microsoft applications, Adobe Acrobat and Sun Java. The remaining 13 were in operating systems, including Windows and Redhat Linux.
The report notes that addressing vulnerabilities in applications has been rated as the top security priority by the SANS Institute. Applications have become the primary source of new vulnerabilities and the favorite vector for delivering malware and attacks.
The problem is not that DHS is ignoring vulnerabilities, but a lack of automation, the report found. NCSD performs vulnerability testing and has established a patch management process, but the process is ineffective because patches are being applied manually on applications in the MOE. Because of the challenge of patching a large number of machines manually, patches are often not applied universally or in a timely fashion.
To address these and other issues the IG recommended:
- Mitigate the vulnerabilities identified during the audit to secure the operating systems and applications deployed on the MOE network.
- Implement a software management solution that will automatically deploy operating system and application security patches and updates on all MOE computer systems to mitigate current and future vulnerabilities.
- Create Plans of Action and Milestones for known security vulnerabilities as required by the Federal Information Security Management Act, assign appropriate resources, and monitor the progress of corrective actions until risks are mitigated.
- Establish an information security training process that includes developing a list of required and recommended courses for NCSD systems personnel and contractors, monitoring training, and maintaining course records.
- Review and approve program and system documentation for its cybersecurity program.
- Update the annual system self-assessments for the division’s cybersecurity systems to include all system information and complete the appendices according to DHS requirements.
- Conduct and document quarterly firewall testing to ensure that cybersecurity program systems are protected from unauthorized access attempts.
- Implement DHS baseline configuration settings on its routers, servers, and workstations for its cybersecurity program.
- Conduct and document physical security inspections of offices and areas housing system equipment according to DHS policy.
- Establish a policy and institute procedures to prevent damage to DHS equipment when the temperature or humidity inside server rooms fall outside of the department’s acceptable range.