Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
3/12/2018
08:05 AM
Larry Loeb
Larry Loeb
Larry Loeb

DHS Has Some Serious Security Failures, Report Finds

From running outdated versions of Windows, to not having effective backup, the US Department of Homeland Security has some serious security failings, according to a new report.

The US Department of Homeland Security (DHS) has serious cybersecurity problems, according to a recent report by the agency's watchdog -- the Office of Inspector General (OIG).

The OIG's investigation came after an executive order on cybersecurity was signed last May, which mandated that federal agencies audit their systems for vulnerabilities. This order was seen as a direct response to the numerous breaches that the US government has suffered over the past several years. (See US Government Leads World in Data Breaches .)

In its audit, the OIG tested DHS's ability to identify, protect, detect, respond to and recover from cybersecurity issues.

(Source: iStock)
(Source: iStock)

In the report, the OIG found that DHS was using unsupported operating systems in routine work, and the agency also had not installed key security patches designed to protect against "critical" and "high-risk" vulnerabilities. Additionally, it did not monitor the software licenses for unclassified systems.

As an example, inspectors found the department using unsupported Windows 2003 Server software in systems that were in use at DHS headquarters, the Coast Guard and the Secret Service.

The Federal Emergency Management Agency (FEMA) was found to use unsupported Windows 7 in some of its workstations.

Microsoft Windows 8.1 and Windows 7 workstations were found to be vulnerable to the WannaCry exploit, and had not been patched. Patches for Adobe Flash were also not installed.

In Windows 2008 and 2012 operating systems, some patches that dated to 2013 had not been applied. Java, Internet Explorer, and Sidebar applications had not been patched either.

Overall, investigators found 64 vulnerable systems -- 48 unclassified and 16 national security -- on the department's network lacked the "authority to operate," according to the report. Worryingly, more than a dozen of these were storing highly sensitive classified information. Complete information about these systems was not maintained by the departments operating them to remediate security weaknesses in a timely manner.

The report did not specify which particular federal agencies where operating the vulnerable classified systems. However, it did note that FEMA had 15 unclassified systems that lost their authority to operate.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

The investigation did find that DHS had met the OIG's standards to respond to security attacks, but did not meet those that were involved in its ability to recover from these types of attacks.

In recovery efforts, OIG found that contingency plans for DHS IT systems were never tested. It also found that proper procedures for handling sensitive data had not been developed. Additionally, the investigation found no alternative data center was available to carry on if a distributed denial of service (DDoS) attack had been implemented.

In the report, DHS noted that it concurred with the OIG's findings, and made a pledge to resolve them by September.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41355
PUBLISHED: 2022-10-06
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /leave_system/classes/Master.php?f=delete_department.
CVE-2022-39284
PUBLISHED: 2022-10-06
CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vuln...
CVE-2022-39279
PUBLISHED: 2022-10-06
discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause an cross site scripting (XSS) attack by inserting unsafe HTML into them. Versi...
CVE-2022-27810
PUBLISHED: 2022-10-06
It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. This condition was only possible to trigger in dev-mode (when asserts were enabled). This issue affects Hermes versions prior to v0.12.0.
CVE-2022-41525
PUBLISHED: 2022-10-06
TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the OpModeCfg function at /cgi-bin/cstecgi.cgi.