DHS laptops still vulnerable, IG finds

DHS Report

Laptop computers used by the Homeland Security Department’s Office of the Inspector General (OIG) are still susceptible to cyberattacks despite several recent steps taken to harden security, a report has found.

In particular, the IG’s Office of Information Technology (OIT) reported, OIG has not plugged some critical vulnerabilities in its sensitive-but-unclassified (SBU) laptop computers, even though the office had successfully designed a standard software installation based on National Security Agency and DHS guidelines.

The list of specific vulnerabilities was redacted from the IG’s unclassified report.

One major flaw was that OIG "has not implemented consistently its model for SBU laptop computers," OIT said in its report.

A model system is a read-only mechanism used to build new versions of the system. Once developed, the OIG model systems are loaded onto a server as an image or copy and then installed on laptops.

Of the 94 SBU laptops OIT tested, 40 percent had configuration vulnerabilities not found on the model system. Most had one or two additional vulnerabilities, but three had a combined total of 28, and thus deviated significantly from the model system, the report states.

According to the OIG information systems security manager, the deviations were largely the result of the office not ensuring that all laptops go through the standard configuration and issuance procedure.

The three laptops with the excessive weaknesses, for example, were brought over from the Treasury Department when DHS’ OIG was established. They were supposed to be removed from use but instead remained in use. Another laptop was not configured correctly because it was only supposed to be an evaluation unit, but it remained in active use.

OIG had not established effective procedures to patch and update the software on its laptops or an accurate inventory to track the laptops, the report states.

For example, serial numbers on individual units are not entered into the system until the units are assigned to users. OIG has only nonwritten procedures to track loaned and replacement laptops, but the OIG help desk does not follow them consistently. The office also has not established policies and procedures to conduct periodic reviews of its inventory, the report states.

In addition, OIG had not implemented procedures that would ensure all sensitive data had been wiped from laptops before the systems were reused or disposed of. Lost or stolen laptops were not routinely reported to the appropriate authority, in one case not until several months after the computer disappeared.

“In 2005, 12 security incidents involving stolen DHS laptops were reported to the DHS Computer Security Incident Response Center,” the report states. The thefts involved laptops from Customs and Border Patrol, the Secret Service, Immigration and Customs Enforcement, and the Science and Technology Directorate.

The report recommends a series of measures that the department’s chief information officer should take, such as establishing procedures to ensure that model systems are configured to protect OIG data and updated regularly. It also calls for clearing data before laptops are reassigned and implementing a property management system that maintains an accurate laptop inventory.

OIG either concurred with the recommendations or said actions had already been taken independently to tighten security.

David Hubler contributed to this report.