Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Reports: DHS, IRS Databases At Risk

Protected critical infrastructure information at risk in DHS data stores, IG report says

Some of the federal government's most critical agencies are falling down on database security with misconfigurations, vulnerabilities, and a lack of best practices, putting sensitive citizen and defense information at risk as a result, new government audits show. Just this week, the Office of the Inspector General (IG) found that the Department of Homeland Security (DHS) -- the agency in charge of ensuring Federal Information Security Management Act (FISMA) compliance among all government agencies -- itself has a number of critical shortcomings within its database defenses.

The new report (PDF) highlighted database security deficiencies within the protected critical infrastructure information (PCII) system data stores, with weaknesses in both the Automated Critical Asset Management System (ACAMS) and the Linking Encrypted Network System (LENS) that put PCII data at risk. Some of the problems highlighted in the report included a failure to follow the rule of least privilege, a lack of communication among personnel to decide who was in charge of locking down the database, and a number of redacted configuration vulnerabilities.

"We all have this sense of concern that develops when the people responsible for keeping us secure are not keeping themselves secure," says John Verry, principal consultant for Pivot Point Security. "I would be hesitant to make an assertion about something I am not directly familiar with -- we haven't done work for DHS, and they may have picked the one database that was wildly insecure. But typically what we find [when] we do enterprisewide database security assessments is that if one database is relatively insecure, most of them will be, and if one database tends to be reasonably secure, most of them will be."

The DHS isn't the only agency under fire from auditors. A recent report (PDF) from the Treasury Inspector General for Tax Administration (TIGTA) found that the IRS has some serious problems with the security of nearly all of its 2,200 databases. Even though the agency has spent $1.1 million on database security tools recently, it has not completed the implementation of tools and requisite best practices to make them effective.

“As all government databases are becoming favored targets of hackers, the importance of protecting IRS databases cannot be overstated,” said TIGTA Inspector General J. Russell George, in a statement. “Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity.”

TIGTA made a number of recommendations to improve IRS database security, but some experts believe it needed to go further than what it laid out.

"Periodic scanning of databases for vulnerabilities, unpatched and legacy systems, determining excessive rights, and having a documented plan for ongoing assessment and remediation is a good first step, but the IRS should also be implementing the highest levels of security monitoring around their databases," says Mel Shakir, CTO of NitroSecurity. "TIGTA and the IRS should be thinking of correlating vulnerability scan results with every action/access performed against the taxpayer data and profiling user behavior for outliers and exceptional activity. Application logs, OS logs, SQL activity, and configuration changes -- all play a significant part in securing the database, and should not be monitored in isolation of each other using point security solutions."

Both the IRS' and DHS' recent struggles should be a signal to those within government that database security must be a big priority. Unlike enterprise databases, these government data holdings are much more sensitive from a public safety perspective.

"We've done work in law enforcement, and the database is housing the information relating to undercover personnel or schedules for particular police personnel or home addresses of those individuals," Verry says. "Sony doesn't want to leak information about someone's email addresses, of course, but we're probably not going to have people dying or other more significant public issues like we would with a government database."

Unfortunately, at the moment, the government remains spotty, at best, at protecting its sensitive databases.

“Government database security is a mixed bag. Many organizations have just begun to look at implementing security controls for databases for the first time. Some organizations, including IRS, have purchased technology to address the issue, but then struggled with internal politics and resource constraints that have prevented them from using what they bought," says Josh Shaul, CTO for Application Security. "Other federal organizations are approaching a maturity around their database security programs; unfortunately those organizations are few and far between. The federal government has a long way to go before they can start calling their databases secure.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-18
Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service
PUBLISHED: 2021-05-18
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
PUBLISHED: 2021-05-18
In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.
PUBLISHED: 2021-05-18
A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1 via the read_system_page function at libredwg-0.10.1/src/decode_r2007.c:666:5, which causes a denial of service by submitting a dwg file.
PUBLISHED: 2021-05-18
An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage