US-CERT systems riddled with vulnerabilities, audit finds

IG says lack of automated patching has left open some potentially serious holes

A scan of IT systems at US-CERT, the Homeland Security Department’s primary operational cybersecurity agency, found hundreds of vulnerabilities that could allow someone to compromise data, according to a recent inspector general’s report.

Although DHS has policies in place to mitigate and correct problems, the lack of an automated system for patching vulnerabilities has left a large number of unpatched and possibly serious flaws in the agency’s Mission Operating Environment, the IG found.

“These vulnerabilities, if not addressed, could lead to arbitrary code execution, buffer overflow, escalation of privileges, and denial-of-service attacks,” the IG concluded in the report, “DHS Needs to Improve the Security Posture of its Cybersecurity Program System.” The problem is not limited to the operating environment, but could extend to the National Cybersecurity Protection System, the governmentwide intrusion detection system better known as Einstein, because US-CERT analysts gain access to Einstein data via the MOE.

The report also identified failures to adequately track and manage security risks found in Einstein itself, inadequacies in the National Cyber Security Division’s information security training, a lack of documentation for IT systems, and a number of other problems with system testing and physical security.

The inspector general made 10 recommendations for improving the NCSD security posture, and the department has accepted these and begun taking corrective action.

DHS is the lead agency for ensuring the security of the government’s civilian IT infrastructure and also is responsible for coordinating cybersecurity efforts with the private sector. Much of this work is done in the National Cyber Security Division. The U.S. Computer Emergency Readiness Team, US-CERT, is the NCSD branch responsible for gathering, analyzing and making available current threat information. The IG audit focused on US-CERT.

Although the report focused on the agency’s shortcomings, the findings were not entirely negative.

“Overall, NCSD has implemented adequate physical security and logical access controls over the cybersecurity program systems used to collect, process, and disseminate cyber threat and warning information to the public and private sectors,” the report concluded. “However, a significant effort is needed to address existing security issues in order to implement a robust program that will enhance the cybersecurity posture of the federal government.”

NCSD needs to focus on deploying system security patches in a timely manner, finalizing system security documentation and ensuring adherence to departmental security policies and procedures, the report stated.

A scan of US-CERT systems by the IG turned up 540 unique vulnerabilities in the Mission Operating Environment (MOE), 202 of which were rated as “high.” No other systems had vulnerabilities rated as “high,” but Einstein had 89 unique vulnerabilities, eight of them rated “medium.” Overall, a total of 671 unique vulnerabilities were found on US-CERT systems.

Most of the serious vulnerabilities, 189 of them, were in applications, including Microsoft applications, Adobe Acrobat and Sun Java. The remaining 13 were in operating systems, including Windows and Red Hat Linux.

The report notes that addressing vulnerabilities in applications has been rated as the top security priority by the SANS Institute. Applications have become the primary source of new vulnerabilities and the favorite vector for delivering malware and attacks.

The problem is not that DHS is ignoring vulnerabilities, but a lack of automation, the report found. NCSD performs vulnerability testing and has established a patch management process, but the process is ineffective because patches are being applied manually on applications in the MOE. Because of the challenge of patching a large number of machines manually, patches are often not applied universally or in a timely fashion.

To address these and other issues the IG recommended:

  • Mitigate the vulnerabilities identified during the audit to secure the operating systems and applications deployed on the MOE network.
  • Implement a software management solution that will automatically deploy operating system and application security patches and updates on all MOE computer systems to mitigate current and future vulnerabilities.
  • Create Plans of Action and Milestones for known security vulnerabilities as required by the Federal Information Security Management Act, assign appropriate resources, and monitor the progress of corrective actions until risks are mitigated.
  • Establish an information security training process that includes developing a list of required and recommended courses for NCSD systems personnel and contractors, monitoring training, and maintaining course records.
  • Review and approve program and system documentation for its cybersecurity program.
  • Update the annual system self-assessments for the division’s cybersecurity systems to include all system information and complete the appendices according to DHS requirements.
  • Conduct and document quarterly firewall testing to ensure that cybersecurity program systems are protected from unauthorized access attempts.
  • Implement DHS baseline configuration settings on its routers, servers, and workstations for its cybersecurity program.
  • Conduct and document physical security inspections of offices and areas housing system equipment according to DHS policy.
  • Establish a policy and institute procedures to prevent damage to DHS equipment when the temperature or humidity inside server rooms falls outside of the department’s acceptable range.

Reader comments

Fri, Sep 24, 2010 Kevin

The only Federal organization I have seen that ever takes training with some semblance of seriousness is the U.S. military. Not even the DoD itself; which has mandated IT/IS qualifications for its and the respective service branches' employees and warfighters; dedicates enough time or funding to training. Until there are adequate security awareness programs in place; and line staff with IT and operational responsibilities are adequately trained, they will continue to fall far behind the curve defending their systems. The more fear they have that training them means they will lose them for higher paying opportunities elsewhere; the more the talent will put themselves through training and ~not~ apply it to their current job (you don't pay me to do that...); taking their initiative and talent elsewhere.

Mon, Sep 20, 2010 Rick Bennett

There needs to be a segregation between the identification of weaknesses and the responsibility for correcting them or outcomes that are products of the "system" get flagged for blame rather than correction.

Fri, Sep 10, 2010 Jeffrey A. Williams Frisco Texas

I and a few other IT security professionals reported many of these reported holes to DHS over a year ago now. Glad that the IG finally recognized them 'Officially'. However a year after the fact seems far less than adequate and may have been a cause for much damage that could have been long since avoided or mitigated accordingly.

Fri, Sep 10, 2010 WOR

It's the same problems that occur everywhere - home users, government, and private sector. The manpower and expense required to check and update the OS and 3rd party applications always causes risk.

Fri, Sep 10, 2010

The cobbler's children have no shoes...