Risk
7/9/2009
02:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

DHS Systems More Secure, Inspector General Finds

Report indicates progress has been made certifying and accrediting the Department of Homeland Security's intelligence systems.

The Department of Homeland Security has significantly improved the cybersecurity of its top secret intelligence computer systems in the last two years, according to the recently released summary of an Inspector General report issued earlier this year.

"Information security procedures have been documented and controls have been implemented, providing an effective level of security for the department’s intelligence systems," the Office of the Inspector General said in its report.

Last year's report noted that DHS had not established a formal training program for employees who have responsibilities for DHS intelligence systems. This year's review notes that the DHS has created the Sensitive Compartmented Information Systems Information Assurance Handbook, "which provides department intelligence personnel with security procedures and requirements to administer its intelligence systems and the information processed."

A 2008 review noted progress on earlier cybersecurity goals, including creating and updating an inventory of Top Secret and sensitive information systems and certifying and accrediting those systems in accordance with intelligence directives. The 2009 report found continued certification and accreditation.

Overall, the report found that the Department of Homeland Security had acted on 10 of the inspector general's 14 recommendations from a 2007 report. The results of annual reviews of these systems have appeared only in heavily redacted summaries, which offered no concrete details between 2005 and 2007, so it's unclear exactly what those recommendations were.

Despite improvements in security controls, the Inspector General still found some gaps.

According to the report, the DHS has provided the IG with plans to implement -- but has note yet implemented -- numerous cybersecurity strategies related to an overall plan of action, disaster recovery, and more formal training.


InformationWeek has published an in-depth report on leading-edge government IT -- and how the technology involved may end up inside your business. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.