IG: Infosec weaknesses at Energy continue

While the Department of Energy has improved its capabilities in protecting its systems and sensitive data, its progress is hampered by repeat information security weaknesses.

In its annual audit of Federal Information Security Management Act compliance, Energy's Office of Inspector General reported the department had failed to implement past recommendations to shore up its weaknesses in vulnerability management, business web applications and access controls. OIG's review covered unclassified cybersecurity programs.

Auditors reported the department's total number of information security weaknesses increased to 1,408 in fiscal year 2017, up from fiscal year 2016's 928. Of those total weaknesses, 620 are past their scheduled completion date.

In terms of vulnerability management, the IG reported a reliance on software that was either missing security patches or no longer supported by the vendor, as well as workstations, laptops and servers that were missing anti-virus software updates.

Specifically, auditors found that 26 of the 153 servers at one site they reviewed were missing security patches at least 30 days old. Of those 26, 16 were missing updates identified as critical severity patches, and 25 were missing updates identified as high risk.

Auditors also found about 480 commercial-off-the-shelf products at one site missing critical or high-risk security patches, plus servers, database management tools and operating systems that have not been supported by vendors in at least five years.

Additionally, the report detailed six weaknesses that jeopardized the information security of nearly 1,400 servers, as well as 207 expired firewall exceptions — some for more than a year — that remained open.

For its web applications, Energy used applications for "key business functions" that did not validate input data or adequately protect the privacy of user credentials to prevent unauthorized access to sensitive information, the OIG reported. Auditors noted these applications could be vulnerable to attacks that would allow an attacker to steal, publicize or alter sensitive data.

Also, auditors found some user accounts maintained authorized access after users had left the organization, and persisted past their expiration dates. One site listed 223 privileged users as capable of accessing the system even after their passwords had expired. That listing also contained more than 300 outdated accounts, 22 of which were administrator accounts, the OIG reported.
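The checks the auditors describe above (critical or high patches missing for at least 30 days, firewall exceptions still open past expiry, accounts still enabled after their expiration date, privileged users who can still log in with expired passwords) can be run against an asset and account inventory before an auditor does. The following is an added example, not code from the OIG report or this article; the server names, patch identifiers, accounts and dates are constructed, and the review date is assumed.

```python
# Added example, not from the OIG report or the FCW article: the audit checks
# described above, run over a constructed inventory (all names/dates are made up).
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2017, 9, 30)   # assumed review date (end of FY2017)
PATCH_AGE_DAYS = 30         # the report's "at least 30 days old" threshold

@dataclass
class Server:
    name: str
    missing: list = field(default_factory=list)  # (patch_id, severity, release_date)

@dataclass
class Account:
    user: str
    privileged: bool
    enabled: bool
    password_expires: date
    account_expires: date

def overdue_patches(servers, today=TODAY):
    """Servers missing a critical/high patch that is at least PATCH_AGE_DAYS old."""
    findings = {}
    for s in servers:
        old = [pid for pid, sev, rel in s.missing
               if sev in ("critical", "high") and (today - rel).days >= PATCH_AGE_DAYS]
        if old:
            findings[s.name] = old
    return findings

def expired_exceptions(exceptions, today=TODAY):
    """Firewall exceptions still open past their expiry date."""
    return sorted(rule for rule, expires in exceptions.items() if expires < today)

def stale_accounts(accounts, today=TODAY):
    """Enabled accounts past their expiry, and privileged users with expired passwords."""
    past_expiry = [a.user for a in accounts if a.enabled and a.account_expires < today]
    priv_expired_pw = [a.user for a in accounts
                       if a.enabled and a.privileged and a.password_expires < today]
    return past_expiry, priv_expired_pw

# Constructed sample inventory
SERVERS = [Server("db01", [("EX-1", "critical", date(2017, 7, 1)), ("EX-2", "low", date(2017, 6, 1))]),
           Server("web01", [("EX-3", "high", date(2017, 9, 20))])]  # only 10 days old
EXCEPTIONS = {"allow-vendor-vpn": date(2016, 8, 1), "allow-backup": date(2018, 1, 1)}
ACCOUNTS = [Account("jdoe", False, True, date(2017, 12, 1), date(2017, 1, 15)),  # left the org
            Account("admin2", True, True, date(2017, 5, 1), date(2018, 6, 1)),   # stale password
            Account("svc", True, True, date(2018, 1, 1), date(2018, 6, 1))]
```

Running the three functions over the sample data flags db01 for the 91-day-old critical patch (web01's 10-day-old patch is under the threshold), the vendor VPN exception, jdoe as an enabled account past expiry and admin2 as a privileged user with an expired password.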

These cybersecurity weaknesses occurred, the OIG reported, because Energy officials had not developed or implemented policies based on weaknesses identified in past audits.

The agency concurred with its IG's recommendation, and included planned corrective actions to be completed by the close of fiscal year 2018.

About the Author

Chase Gunter is a former FCW staff writer.
