IG: computer systems connected to DHS network are not secure

Published 11 June 2010

DHS IG reports that DHS has failed to validate the security of computer systems that connect to the primary network, introducing vulnerabilities and putting sensitive information at risk; specifically, the IG detected vulnerabilities in systems connecting to the main department network from Customs and Border Control (CBP); Immigration and Customs Enforcement (ICE); and the Science and Technology Directorate (S&T), including missing security patches, weak passwords, and a lack of access controls that prevent unauthorized users from opening sensitive applications

DHS computer systems insecure // Source: silentthundermodels.com

DHS has failed to validate the security of computer systems that connect to the primary network, introducing vulnerabilities and putting sensitive information at risk, according to a report released by the inspector general on Tuesday.

DHS uses Active Directory, a technology included in Microsoft Windows, to centrally manage network processes and services across the department. According to a report from the IG, a number of the computer systems that rely on Active Directory for enterprise services have security weaknesses.

“A basic tenet of information security is to apply controls to systems that not only exist within a network, but to those that connect to it as well,” the IG reported. “By accepting systems from other components without enforcing or confirming security controls, DHS exposes its network to vulnerabilities contained on those systems,” including potential unauthorized access to data or interruption of critical services.

GovExec’s Jill R. Aitoro writes that, specifically, the IG detected vulnerabilities in systems connecting to the main department network from Customs and Border Control (CBP); Immigration and Customs Enforcement (ICE); and the Science and Technology Directorate (S&T), including missing security patches, weak passwords, and a lack of access controls that prevent unauthorized users from opening sensitive applications.

The IG also reported that DHS had no policy in place to verify the quality of security configurations on systems that connect to the primary computer network at DHS headquarters from networks at component agencies.

“Initially designed to support only headquarters, the current Active Directory structure is not optimized for supporting enterprise-wide applications,” the report said. “To secure the systems that are added, manual procedures and individual validations must be performed. These processes have not proved to be effective in maintaining the level of security required on DHS’ network.”

Aitoro notes that DHS chief information officer Richard Spires has started to address the issues outlined in the report, including recommendations by the IG to verify that security controls are implemented and configuration settings are compliant with department policy on systems connected or added to the Active Directory enterprise application domain; to address the current weaknesses on systems connected to Active Directory; and to provide guidance to ensure appropriate security measures are taken for all systems.