IG: Infosec weaknesses at Energy continue

While the Department of Energy has improved its ability to protect its systems and sensitive data, its progress is hampered by recurring information security weaknesses that earlier audits had already identified.

In its annual audit of Federal Information Security Management Act compliance, Energy's Office of Inspector General reported that the department had not implemented past recommendations to address weaknesses in vulnerability management, business web applications and access controls. The OIG's review covered the department's unclassified cybersecurity program.

Auditors reported that the department's total number of open information security weaknesses rose to 1,408 in fiscal year 2017, up from 928 in fiscal year 2016. Of those, 620 were past their scheduled completion date.

On vulnerability management, the IG reported reliance on software that was either missing security patches or no longer supported by its vendor, as well as workstations, laptops and servers that were missing anti-virus software updates.

Specifically, auditors found that 26 of the 153 servers reviewed at one site were missing security patches that had been available for at least 30 days. Of those 26 servers, 16 were missing patches rated critical severity, and 25 were missing patches rated high risk.

Auditors also found about 480 commercial off-the-shelf products at one site missing critical or high-risk security patches, plus servers, database management tools and operating systems that had not been supported by their vendors for at least five years.

Additionally, the report detailed six weaknesses that jeopardized the security of nearly 1,400 servers, as well as 207 firewall exceptions that remained active after their approved expiration dates, some for more than a year.

For its web applications, the OIG reported that Energy used applications for "key business functions" that did not validate input data or adequately protect user credentials against unauthorized access to sensitive information. Auditors noted that these applications could be vulnerable to attacks that would allow an attacker to steal, publish or alter sensitive data.

Auditors also found user accounts that retained access after their owners had left the organization, and accounts that remained active past their expiration dates. At one site, 223 privileged users were listed as able to access the system even after their passwords had expired. The same listing contained more than 300 outdated accounts, 22 of them administrator accounts, the OIG reported.
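The three recurring finding types above (missing patches older than a patch window, firewall exceptions still active past their expiry, and enabled accounts whose owner has left or whose password or account has expired) are all checks a site can run against its own inventory exports. The following is an added example, not DOE or OIG tooling: the record types, field names and all sample data are constructed for illustration, and the 30-day window and the critical/high buckets follow the way the IG reported its server finding.

```python
"""Added example: audit checks for stale patches, expired firewall exceptions and stale accounts.
Not DOE or OIG code; every record below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    enabled: bool
    employee_active: bool            # False once HR records the owner as separated
    password_expires: Optional[date]
    account_expires: Optional[date]


@dataclass(frozen=True)
class FirewallException:
    rule_id: str
    active: bool                     # rule still loaded on the firewall
    expires: date                    # end of the approved exception period


@dataclass(frozen=True)
class MissingPatch:
    host: str
    patch_id: str
    severity: str                    # "critical", "high", "medium" or "low"
    released: date                   # vendor release date of the patch the host lacks


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Flag enabled accounts that should no longer grant access; disabled accounts are ignored."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if not a.employee_active:
            findings.append((a.name, "owner has left the organization"))
        if a.account_expires and a.account_expires < today:
            findings.append((a.name, "past account expiration date"))
        if a.password_expires and a.password_expires < today:
            kind = "privileged account" if a.privileged else "account"
            findings.append((a.name, f"{kind} with expired password"))
    return findings


def audit_firewall_exceptions(exceptions: List[FirewallException], today: date) -> List[Tuple[str, int]]:
    """Return (rule_id, days past expiry) for exceptions still active after their approved end date."""
    return [(e.rule_id, (today - e.expires).days) for e in exceptions if e.active and e.expires < today]


def audit_patches(missing: List[MissingPatch], today: date, max_age_days: int = 30) -> Dict[str, Dict[str, int]]:
    """Per host, count missing patches released at least max_age_days ago, bucketed by severity."""
    cutoff = today - timedelta(days=max_age_days)
    by_host: Dict[str, Dict[str, int]] = {}
    for m in missing:
        if m.released > cutoff:
            continue                 # still inside the patch window; not a finding yet
        counts = by_host.setdefault(m.host, {"critical": 0, "high": 0, "other": 0})
        bucket = m.severity if m.severity in ("critical", "high") else "other"
        counts[bucket] += 1
    return by_host


def summarize_patches(by_host: Dict[str, Dict[str, int]]) -> Tuple[int, int, int]:
    """(hosts missing aged patches, of which missing a critical one, of which missing a high one)."""
    hosts = len(by_host)
    with_critical = sum(1 for c in by_host.values() if c["critical"])
    with_high = sum(1 for c in by_host.values() if c["high"])
    return hosts, with_critical, with_high


# Constructed sample inventory; the reference date stands in for the end of fiscal year 2017.
TODAY = date(2017, 9, 30)
ACCOUNTS = [
    Account("svc_backup", True, True, True, date(2017, 3, 1), None),
    Account("jdoe", False, True, False, date(2017, 12, 1), date(2017, 6, 30)),
    Account("asmith", True, False, False, date(2016, 1, 1), None),
    Account("mlee", False, True, True, date(2017, 11, 15), None),
]
FIREWALL_EXCEPTIONS = [
    FirewallException("FW-101", True, date(2016, 8, 15)),
    FirewallException("FW-102", True, date(2017, 9, 1)),
    FirewallException("FW-103", False, date(2017, 1, 1)),
    FirewallException("FW-104", True, date(2017, 12, 31)),
]
MISSING_PATCHES = [
    MissingPatch("app01", "KB-CRIT-1", "critical", date(2017, 7, 1)),
    MissingPatch("app01", "KB-HIGH-1", "high", date(2017, 8, 20)),
    MissingPatch("app01", "KB-MED-1", "medium", date(2017, 9, 20)),
    MissingPatch("db01", "KB-HIGH-2", "high", date(2017, 5, 1)),
    MissingPatch("web01", "KB-CRIT-2", "critical", date(2017, 9, 25)),
]

if __name__ == "__main__":
    for name, why in audit_accounts(ACCOUNTS, TODAY):
        print(f"account {name}: {why}")
    for rule, days in audit_firewall_exceptions(FIREWALL_EXCEPTIONS, TODAY):
        print(f"firewall exception {rule}: expired {days} days ago, still active")
    hosts, crit, high = summarize_patches(audit_patches(MISSING_PATCHES, TODAY))
    print(f"{hosts} hosts missing patches older than 30 days; {crit} missing critical, {high} missing high")
```

The account check deliberately treats "password expired but account still enabled" as its own finding rather than folding it into the expiration check, because on the IG's listing those were distinct populations (223 privileged users with expired passwords versus 300-plus outdated accounts), and an organization remediating them will route them to different owners.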

These weaknesses persisted, the OIG reported, because Energy officials had not developed or implemented policies and procedures to address the weaknesses identified in past audits.

The department concurred with the IG's recommendation and included planned corrective actions to be completed by the close of fiscal year 2018.

About the Author

Chase Gunter is a former FCW staff writer.
