Data securityDHS runs many unsecured databases: IG
DHS Inspector General found that DHS is running dozens of unpatched databases, some of which are rated “secret” and even “top secret.” An audit of the department’s IT infrastructure has found large security gaps, including the fact that 136 systems had expired “authorities to operate” – that is, no one was in charge of keeping them updated. Of the 136, 17 were classified as “secret” or “top secret.”
DHS Inspector General found that DHS is running dozens of unpatched databases, some of which are rated “secret” and even “top secret.”
The Register reports that an audit of the department’s IT infrastructure has found large security gaps, including the fact that 136 systems had expired “authorities to operate” – that is, no one was in charge of keeping them updated. Of the 136, 17 were classified as “secret” or “top secret.”
The audit found that because so many systems were not undergoing regular maintenance, many did not have up-to-date security patches, making them vulnerable to hackers. The problems ranged from browsers to PCs to databases to weak passwords.
“We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations,” the 66-page report noted. “If exploited, these vulnerabilities could allow unauthorized access to DHS data.”
The report notes that “improvements have been made,” but also notes a series of worrying discrepancies. “For example, DHS does not include its classified system information as part of its monthly information security scorecard,” the report says. The audit also found “inaccurate or incomplete data” in the DHS’ management systems.
The report makes six recommendations, two of which have since been addressed. DHS has ninety days to correct the remainder, which are: adding its classified systems to the monthly scorecard (a recommendation the DHS has actually formally disagreed with); running compliance programs the whole year “instead of peaking during the months leading up to annual reporting”; checking that the data inputted over security checks is actually accurate; and making the monthly scorecard accurate.
The Register comments that, overall, “despite the dense, jargon-filled reporting, it is clear that the DHS’ security is dire. Worse, however, is the fact that it doesn’t know how bad its security is because its own security audits are lacking. In short, it is a disaster waiting to happen — if it hasn’t happened already.”
The report notes that the Coast Guard tops the list of unsecured databases with 26, followed by FEMA with 25, Customs and Border Protection with 14, and the DHS’ headquarters with 11.
— Read more in DHS Inspector General, Evaluation of DHS’ Information Security Program for Fiscal Year 2015, OIG-16-08 (13 November 2015)
