IG: Infosec weaknesses at Energy continue

While DOE has gotten better at protecting sensitive information, the agency still shows weaknesses in vulnerability management, business web applications and access controls.


While the Department of Energy has improved its capabilities in protecting its systems and sensitive data, its progress is hampered by repeat information security weaknesses.

In its annual audit of Federal Information Security Management Act compliance, Energy's Office of Inspector General reported the department had failed to implement past recommendations to shore up its weaknesses in vulnerability management, business web applications and access controls. OIG's review covered unclassified cybersecurity programs.

Auditors reported the department's total number of information security weaknesses increased to 1,408 in fiscal year 2017, up from fiscal year 2016's 928. Of those total weaknesses, 620 are past their scheduled completion date.

In terms of vulnerability management, IG reported a reliance on software that was either missing security patches or no longer supported by the vendor, as well as workstations, laptops and servers that were missing anti-virus software updates.

Specifically, auditors found that 26 of the 153 servers at one site they reviewed were missing security patches at least 30 days old. Of those 26, 16 were missing updates identified as critical severity patches, and 25 were missing updates identified as high risk.

Auditors also found about 480 commercial-off-the-shelf products at one site missing critical or high-risk security patches, plus servers, database management tools and operating systems that have not been supported by vendors in at least five years.

Additionally, the report detailed six weaknesses that jeopardized the information security of nearly 1,400 servers, as well as 207 expired firewall exceptions — some for more than a year — that remained open.

For its web applications, Energy used applications for "key business functions" that did not validate input data or adequately protect the privacy of user credentials to prevent unauthorized access to sensitive information, the OIG reported. Auditors noted these applications could be vulnerable to attacks that would allow an attacker to steal, publicize or alter sensitive data.

Auditors also found user accounts that retained authorized access after their owners had left the organization, and accounts that remained active past their expiration dates. One site listed 223 privileged users as capable of accessing the system even after their passwords had expired. That listing also contained more than 300 outdated accounts, 22 of which were administrator accounts, the OIG reported.
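The access-control findings here, and the expired firewall exceptions noted above, share one pattern: an entry with an expiration date that is still in effect after that date has passed. The script below is an added example (not the OIG's or the department's code) that runs those checks over a constructed account export and a constructed firewall-exception list; every user name, rule id, flag and date is a made-up sample value, and the field names are assumptions about how such an export might be shaped.

```python
from datetime import date

# Constructed sample account export (illustrative values, not audit data).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "privileged": True,
     "expires": date(2018, 1, 1), "password_expired": False, "separated": False},
    {"user": "bob", "enabled": True, "privileged": True,
     "expires": date(2017, 1, 1), "password_expired": True, "separated": False},
    {"user": "carol", "enabled": True, "privileged": False,
     "expires": date(2016, 12, 31), "password_expired": False, "separated": True},
    {"user": "dave", "enabled": False, "privileged": True,
     "expires": date(2016, 6, 1), "password_expired": True, "separated": True},
    {"user": "erin", "enabled": True, "privileged": False,
     "expires": date(2017, 3, 15), "password_expired": False, "separated": False},
]

# Constructed sample firewall exception register (illustrative).
FIREWALL_EXCEPTIONS = [
    {"id": "fw-100", "expires": date(2016, 4, 1), "status": "open"},
    {"id": "fw-101", "expires": date(2017, 9, 1), "status": "open"},
    {"id": "fw-102", "expires": date(2017, 2, 1), "status": "closed"},
]


def audit_accounts(accounts, as_of):
    """Flag enabled accounts that should no longer grant access.

    Three findings mirror the audit: accounts of separated users still
    enabled, accounts past their expiration date, and privileged accounts
    whose password has expired but which can still be used.
    """
    findings = {
        "separated_still_enabled": [],
        "past_expiration": [],
        "privileged_expired_password": [],
    }
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account grants no access; not a finding
        if acct["separated"]:
            findings["separated_still_enabled"].append(acct["user"])
        if acct["expires"] < as_of:
            findings["past_expiration"].append(acct["user"])
        if acct["privileged"] and acct["password_expired"]:
            findings["privileged_expired_password"].append(acct["user"])
    return findings


def expired_open_exceptions(exceptions, as_of, stale_days=365):
    """Open firewall exceptions past expiry, with a flag for those more than
    stale_days overdue (the report singled out some open for over a year)."""
    result = []
    for exc in exceptions:
        if exc["status"] == "open" and exc["expires"] < as_of:
            overdue_days = (as_of - exc["expires"]).days
            result.append((exc["id"], overdue_days >= stale_days))
    return result


if __name__ == "__main__":
    AS_OF = date(2017, 6, 1)  # constructed review date
    print(audit_accounts(ACCOUNTS, AS_OF))
    print(expired_open_exceptions(FIREWALL_EXCEPTIONS, AS_OF))
```

The checks are intentionally evaluated independently: an account can appear under more than one finding, which is what the report's counts (outdated accounts, and privileged accounts with expired passwords) describe as separate totals.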

These cybersecurity weaknesses occurred, the OIG reported, because Energy officials had not developed or implemented policies based on weaknesses identified in past audits.

The agency concurred with its IG's recommendation, and included planned corrective actions to be completed by the close of fiscal year 2018.