Risk
7/9/2009
02:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

DHS Systems More Secure, Inspector General Finds

Report indicates progress has been made certifying and accrediting the Department of Homeland Security's intelligence systems.

The Department of Homeland Security has significantly improved the cybersecurity of its top secret intelligence computer systems in the last two years, according to the recently released summary of an Inspector General report issued earlier this year.

"Information security procedures have been documented and controls have been implemented, providing an effective level of security for the department’s intelligence systems," the Office of the Inspector General said in its report.

Last year's report noted that DHS had not established a formal training program for employees who have responsibilities for DHS intelligence systems. This year's review notes that the DHS has created the Sensitive Compartmented Information Systems Information Assurance Handbook, "which provides department intelligence personnel with security procedures and requirements to administer its intelligence systems and the information processed."

A 2008 review noted progress on earlier cybersecurity goals, including creating and updating an inventory of Top Secret and sensitive information systems and certifying and accrediting those systems in accordance with intelligence directives. The 2009 report found continued certification and accreditation.

Overall, the report found that the Department of Homeland Security had acted on 10 of the inspector general's 14 recommendations from a 2007 report. The results of annual reviews of these systems have appeared only in heavily redacted summaries, which offered no concrete details between 2005 and 2007, so it's unclear exactly what those recommendations were.

Despite improvements in security controls, the Inspector General still found some gaps.

According to the report, the DHS has provided the IG with plans to implement -- but has note yet implemented -- numerous cybersecurity strategies related to an overall plan of action, disaster recovery, and more formal training.


InformationWeek has published an in-depth report on leading-edge government IT -- and how the technology involved may end up inside your business. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4907
Published: 2014-07-11
Cross-site scripting (XSS) vulnerability in share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22 allows remote attackers to inject arbitrary web script or HTML via a parameter that is not properly handled in an error message.

CVE-2014-4908
Published: 2014-07-11
Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through 0.6.22 allow remote attackers to inject arbitrary web script or HTML via the URI used for reaching (1) share/pnp/application/views/kohana_error_page.php or (2) share/pnp/application/views/template.php, leading to improper hand...

CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.