DHS Cybersecurity Database Has Its Own Vulnerabilities, IG Reports

July 7, 2011

via National Defense Magazine

A Department of Homeland Security-administered database, where reports on cyber-intrusions and potential network security vulnerabilities are collected, analyzed and pushed out to local and state governments, is itself vulnerable to internal and external attack, the department’s inspector general said in a report released July 7.

The Automated Critical Asset Management System (ACAMS) is a web-enabled database where information is “gathered, analyzed and used to prevent, deter, respond to, and mitigate cyber risks, threats and incidents,” the IG report stated.

During an investigation, the department watchdog found that security protocols were not being followed.

The information collected in the database could be used to the advantage of hackers and cyberspies if they were able to gain access, the report suggested.

Local administrators who have access to the databases did not have up-to-date training simply because they were not aware that they needed it, the report said. Accounts that were not active, sometimes for periods of up to five years, were not deactivated. Requirements call for user accounts to be shut down if there is no activity after 45 days.

Eighty-three percent of users had not logged on to their accounts for more than 45 days, and three of them were categorized as “super users” — those with unrestricted access to sensitive information.

In a heavily redacted section, the report hinted at flaws in the software itself. An unidentified “configuration control” protocol, which is part of the system used for network management, is not permitted. “DHS prohibits the use of this protocol, as it may introduce vulnerabilities into the system,” the report said.

“The need for clearly defined roles and responsibilities, contractor oversight, and communication has culminated in multiple security vulnerabilities that may put ACAMS and its … data at risk of potential exploitations,” the report said.

The National Protection and Programs Directorate, which oversees DHS’ cybersecurity enterprise, said it has addressed many of the IG’s concerns. The inspector general agreed that the directorate was mostly on track to fix the lax security.
