Reports: DHS, IRS Databases At Risk

Some of the federal government's most critical agencies are falling down on database security with misconfigurations, vulnerabilities, and a lack of best practices, putting sensitive citizen and defense information at risk as a result, new government audits show. Just this week, the Office of the Inspector General (IG) found that the Department of Homeland Security (DHS) -- the agency in charge of ensuring Federal Information Security Management Act (FISMA) compliance among all government agencies -- itself has a number of critical shortcomings within its database defenses.

The new report (PDF) highlighted database security deficiencies within the protected critical infrastructure information (PCII) system data stores, with weaknesses in both the Automated Critical Asset Management System (ACAMS) and the Linking Encrypted Network System (LENS) that put PCII data at risk. Some of the problems highlighted in the report included a failure to follow the rule of least privilege, a lack of communication among personnel to decide who was in charge of locking down the database, and a number of redacted configuration vulnerabilities.

"We all have this sense of concern that develops when the people responsible for keeping us secure are not keeping themselves secure," says John Verry, principal consultant for Pivot Point Security. "I would be hesitant to make an assertion about something I am not directly familiar with -- we haven't done work for DHS, and they may have picked the one database that was wildly insecure. But typically what we find [when] we do enterprisewide database security assessments is that if one database is relatively insecure, most of them will be, and if one database tends to be reasonably secure, most of them will be."

The DHS isn't the only agency under fire from auditors. A recent report (PDF) from the Treasury Inspector General for Tax Administration (TIGTA) found that the IRS has some serious problems with the security of nearly all of its 2,200 databases. Even though the agency has spent $1.1 million on database security tools recently, it has not completed the implementation of tools and requisite best practices to make them effective.

“As all government databases are becoming favored targets of hackers, the importance of protecting IRS databases cannot be overstated,” said TIGTA Inspector General J. Russell George, in a statement. “Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity.”

TIGTA made a number of recommendations to improve IRS database security, but some experts believe it needed to go further than what it laid out.

"Periodic scanning of databases for vulnerabilities, unpatched and legacy systems, determining excessive rights, and having a documented plan for ongoing assessment and remediation is a good first step, but the IRS should also be implementing the highest levels of security monitoring around their databases," says Mel Shakir, CTO of NitroSecurity. "TIGTA and the IRS should be thinking of correlating vulnerability scan results with every action/access performed against the taxpayer data and profiling user behavior for outliers and exceptional activity. Application logs, OS logs, SQL activity, and configuration changes -- all play a significant part in securing the database, and should not be monitored in isolation of each other using point security solutions."

Both the IRS' and DHS' recent struggles should be a signal to those within government that database security must be a big priority. Unlike enterprise databases, these government data holdings are much more sensitive from a public safety perspective.

"We've done work in law enforcement, and the database is housing the information relating to undercover personnel or schedules for particular police personnel or home addresses of those individuals," Verry says. "Sony doesn't want to leak information about someone's email addresses, of course, but we're probably not going to have people dying or other more significant public issues like we would with a government database."

Unfortunately, at the moment, the government remains spotty, at best, at protecting its sensitive databases.

“Government database security is a mixed bag. Many organizations have just begun to look at implementing security controls for databases for the first time. Some organizations, including IRS, have purchased technology to address the issue, but then struggled with internal politics and resource constraints that have prevented them from using what they bought," says Josh Shaul, CTO for Application Security. "Other federal organizations are approaching a maturity around their database security programs; unfortunately those organizations are few and far between. The federal government has a long way to go before they can start calling their databases secure.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.