Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Reports: DHS, IRS Databases At Risk

Protected critical infrastructure information at risk in DHS data stores, IG report says

Some of the federal government's most critical agencies are falling down on database security with misconfigurations, vulnerabilities, and a lack of best practices, putting sensitive citizen and defense information at risk as a result, new government audits show. Just this week, the Office of the Inspector General (IG) found that the Department of Homeland Security (DHS) -- the agency in charge of ensuring Federal Information Security Management Act (FISMA) compliance among all government agencies -- itself has a number of critical shortcomings within its database defenses.

The new report (PDF) highlighted database security deficiencies within the protected critical infrastructure information (PCII) system data stores, with weaknesses in both the Automated Critical Asset Management System (ACAMS) and the Linking Encrypted Network System (LENS) that put PCII data at risk. Some of the problems highlighted in the report included a failure to follow the rule of least privilege, a lack of communication among personnel to decide who was in charge of locking down the database, and a number of redacted configuration vulnerabilities.

"We all have this sense of concern that develops when the people responsible for keeping us secure are not keeping themselves secure," says John Verry, principal consultant for Pivot Point Security. "I would be hesitant to make an assertion about something I am not directly familiar with -- we haven't done work for DHS, and they may have picked the one database that was wildly insecure. But typically what we find [when] we do enterprisewide database security assessments is that if one database is relatively insecure, most of them will be, and if one database tends to be reasonably secure, most of them will be."

The DHS isn't the only agency under fire from auditors. A recent report (PDF) from the Treasury Inspector General for Tax Administration (TIGTA) found that the IRS has some serious problems with the security of nearly all of its 2,200 databases. Even though the agency has spent $1.1 million on database security tools recently, it has not completed the implementation of tools and requisite best practices to make them effective.

“As all government databases are becoming favored targets of hackers, the importance of protecting IRS databases cannot be overstated,” said TIGTA Inspector General J. Russell George, in a statement. “Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity.”

TIGTA made a number of recommendations to improve IRS database security, but some experts believe it needed to go further than what it laid out.

"Periodic scanning of databases for vulnerabilities, unpatched and legacy systems, determining excessive rights, and having a documented plan for ongoing assessment and remediation is a good first step, but the IRS should also be implementing the highest levels of security monitoring around their databases," says Mel Shakir, CTO of NitroSecurity. "TIGTA and the IRS should be thinking of correlating vulnerability scan results with every action/access performed against the taxpayer data and profiling user behavior for outliers and exceptional activity. Application logs, OS logs, SQL activity, and configuration changes -- all play a significant part in securing the database, and should not be monitored in isolation of each other using point security solutions."

Both the IRS' and DHS' recent struggles should be a signal to those within government that database security must be a big priority. Unlike enterprise databases, these government data holdings are much more sensitive from a public safety perspective.

"We've done work in law enforcement, and the database is housing the information relating to undercover personnel or schedules for particular police personnel or home addresses of those individuals," Verry says. "Sony doesn't want to leak information about someone's email addresses, of course, but we're probably not going to have people dying or other more significant public issues like we would with a government database."

Unfortunately, at the moment, the government remains spotty, at best, at protecting its sensitive databases.

“Government database security is a mixed bag. Many organizations have just begun to look at implementing security controls for databases for the first time. Some organizations, including IRS, have purchased technology to address the issue, but then struggled with internal politics and resource constraints that have prevented them from using what they bought," says Josh Shaul, CTO for Application Security. "Other federal organizations are approaching a maturity around their database security programs; unfortunately those organizations are few and far between. The federal government has a long way to go before they can start calling their databases secure.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-07
MobileIron Core and Connector before, 10.4.x before, 10.5.x before, 10.5.2.x before, and 10.6.x before, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
PUBLISHED: 2020-07-07
MobileIron Core and Connector before, 10.4.x before, 10.5.x before, 10.5.2.x before, and 10.6.x before allow remote attackers to bypass authentication mechanisms via unspecified vectors.
PUBLISHED: 2020-07-07
MobileIron Core and Connector before, 10.4.x before, 10.5.x before, 10.5.2.x before, and 10.6.x before allow remote attackers to read files on the system via unspecified vectors.
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...