DHS's public Web sites vulnerable

Published 12 October 2009

DHS’s Inspector General evaluated the nine most popular of the department’s 125 public-facing Web sites, and found that while the component agencies responsible for the Web sites followed DHS policies when setting them up, they left too much to chance afterward

A just-published report from DHS’s internal watchdog says that the department and its member agencies’ public-facing Web sites are vulnerable to attacks that could leave them open to defacement, service interruption, and resource loss.

The 21-page, highly redacted report from DHS’s Office of the Inspector General (OIG) evaluated the nine most popular of the department’s 125 public-facing Web sites and found that while the component agencies responsible for the Web sites followed DHS policies when setting them up, they left too much to chance afterward.

“Patch management practices and periodic security assessments were not consistently being performed, resulting in numerous critical system vulnerabilities,” the report stated. “These vulnerabilities could put DHS data at risk.”

What worried the DHS OIG most was that agencies could introduce vulnerabilities, such as cross-site scripting, into their Web sites when updating or changing content, after the initial, policy-compliant deployment. Because many of the evaluated agencies did not perform regular vulnerability assessments, the report said, such vulnerabilities would go unidentified and unremediated, exposing the Web sites to malicious activity.
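The report’s concern is that a routine content update can carry markup straight into a page. The following is an added illustration, not code from the OIG report or from any DHS site: a rendering path that splices untrusted content into HTML as-is, the hardened form that escapes it, and a minimal check of the kind a periodic assessment would run after each content change. The content strings, the probe string, and the function names are constructed for this example.

```python
import html

# Constructed sample content, standing in for a page update that a content
# editor pastes in. Not taken from the OIG report or any real site.
UNTRUSTED_UPDATE = 'Hurricane update: see <script>alert(1)</script> for details'

# Constructed probe used by the assessment check below. It is markup that
# should never survive into a page as a live element.
PROBE = '<svg onload="probe()">'


def render_unsafe(title: str, body: str) -> str:
    """The pattern that introduces stored XSS: untrusted strings are spliced
    into element content unchanged, so any markup in the update becomes part
    of the page and runs in every visitor's browser."""
    return f"<h1>{title}</h1><div class='content'>{body}</div>"


def render_safe(title: str, body: str) -> str:
    """Hardened form: every untrusted string is HTML-escaped before it is
    placed in element content, so markup in the update is displayed as text.
    Caveat: html.escape covers element content and quoted attribute values;
    URLs, inline event handlers and script blocks need context-specific
    encoding, not just this call."""
    return (f"<h1>{html.escape(title)}</h1>"
            f"<div class='content'>{html.escape(body)}</div>")


def reflects_markup(render, probe: str = PROBE) -> bool:
    """Minimal assessment check: push a probe through the rendering path and
    report whether it comes back as live markup. True means the path is
    vulnerable. Running this after every content change is the kind of
    periodic assessment the report says was missing."""
    page = render("Title", probe)
    return probe in page


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        status = "VULNERABLE" if reflects_markup(render) else "ok"
        print(f"{name:6s}: {status}")
        print("   ", render("Update", UNTRUSTED_UPDATE))
```

The check is deliberately simple: it tests only whether the probe survives unchanged, which is enough to catch the unescaped-splice pattern but not every encoding mistake. A real assessment would use a scanner with many payloads across attribute, URL and script contexts, and would be rerun on a schedule rather than once at deployment.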

Addressing these vulnerabilities seems critical considering that DHS has embraced the social media directives of the tech-savvy Obama administration. This summer the department launched a blog, a YouTube channel for public education and emergency preparedness, and a redesigned Web site, each of which adds content that is updated far more often than the underlying site was.

The OIG, however, did praise the Federal Emergency Management Agency (FEMA), the National Protection and Programs Directorate (NPPD), and the Coast Guard for good security management practices. “These components’ security practices, through periodic assessments, patch and update policies, and documented procedures, set the example of an effective defense-in-depth approach to good IT systems security,” according to the OIG report.

Matthew Harwood writes that to fix the vulnerabilities uncovered during the investigation, the OIG recommended that DHS’s Chief Information Officer inventory all 125 public-facing Web sites, conduct periodic vulnerability assessments, and apply security patches in a timely manner, among other advice.

DHS agreed with all of the OIG’s recommendations. The OIG says that DHS is taking, or plans to take, steps to satisfy them. Until the department shows the OIG documentation proving it has completed the agreed-upon corrective actions, the recommendations will remain open.