Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Reports: DHS, IRS Databases At Risk

Protected critical infrastructure information at risk in DHS data stores, IG report says

Some of the federal government's most critical agencies are falling down on database security with misconfigurations, vulnerabilities, and a lack of best practices, putting sensitive citizen and defense information at risk as a result, new government audits show. Just this week, the Office of the Inspector General (IG) found that the Department of Homeland Security (DHS) -- the agency in charge of ensuring Federal Information Security Management Act (FISMA) compliance among all government agencies -- itself has a number of critical shortcomings within its database defenses.

The new report (PDF) highlighted database security deficiencies within the protected critical infrastructure information (PCII) system data stores, with weaknesses in both the Automated Critical Asset Management System (ACAMS) and the Linking Encrypted Network System (LENS) that put PCII data at risk. Some of the problems highlighted in the report included a failure to follow the rule of least privilege, a lack of communication among personnel to decide who was in charge of locking down the database, and a number of redacted configuration vulnerabilities.

"We all have this sense of concern that develops when the people responsible for keeping us secure are not keeping themselves secure," says John Verry, principal consultant for Pivot Point Security. "I would be hesitant to make an assertion about something I am not directly familiar with -- we haven't done work for DHS, and they may have picked the one database that was wildly insecure. But typically what we find [when] we do enterprisewide database security assessments is that if one database is relatively insecure, most of them will be, and if one database tends to be reasonably secure, most of them will be."

The DHS isn't the only agency under fire from auditors. A recent report (PDF) from the Treasury Inspector General for Tax Administration (TIGTA) found that the IRS has some serious problems with the security of nearly all of its 2,200 databases. Even though the agency has spent $1.1 million on database security tools recently, it has not completed the implementation of tools and requisite best practices to make them effective.

“As all government databases are becoming favored targets of hackers, the importance of protecting IRS databases cannot be overstated,” said TIGTA Inspector General J. Russell George, in a statement. “Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity.”

TIGTA made a number of recommendations to improve IRS database security, but some experts believe it needed to go further than what it laid out.

"Periodic scanning of databases for vulnerabilities, unpatched and legacy systems, determining excessive rights, and having a documented plan for ongoing assessment and remediation is a good first step, but the IRS should also be implementing the highest levels of security monitoring around their databases," says Mel Shakir, CTO of NitroSecurity. "TIGTA and the IRS should be thinking of correlating vulnerability scan results with every action/access performed against the taxpayer data and profiling user behavior for outliers and exceptional activity. Application logs, OS logs, SQL activity, and configuration changes -- all play a significant part in securing the database, and should not be monitored in isolation of each other using point security solutions."

Both the IRS' and DHS' recent struggles should be a signal to those within government that database security must be a big priority. Unlike enterprise databases, these government data holdings are much more sensitive from a public safety perspective.

"We've done work in law enforcement, and the database is housing the information relating to undercover personnel or schedules for particular police personnel or home addresses of those individuals," Verry says. "Sony doesn't want to leak information about someone's email addresses, of course, but we're probably not going to have people dying or other more significant public issues like we would with a government database."

Unfortunately, at the moment, the government remains spotty, at best, at protecting its sensitive databases.

“Government database security is a mixed bag. Many organizations have just begun to look at implementing security controls for databases for the first time. Some organizations, including IRS, have purchased technology to address the issue, but then struggled with internal politics and resource constraints that have prevented them from using what they bought," says Josh Shaul, CTO for Application Security. "Other federal organizations are approaching a maturity around their database security programs; unfortunately those organizations are few and far between. The federal government has a long way to go before they can start calling their databases secure.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19719
PUBLISHED: 2019-12-11
Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
CVE-2019-19720
PUBLISHED: 2019-12-11
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
CVE-2019-19707
PUBLISHED: 2019-12-11
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets.
CVE-2019-19708
PUBLISHED: 2019-12-11
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.
CVE-2019-19709
PUBLISHED: 2019-12-11
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.