The IT assets of two Interior Department bureaus were found to contain thousands of critical and high-risk vulnerabilities, according to a recent report by the Office of the Inspector General.
The report – which assessed how effectively the Continuous Diagnostics and Mitigation (CDM) program protects specific U.S. Department of the Interior (DOI) bureaus against vulnerabilities – found more than 20,000 information technology vulnerabilities in the Bureau of Indian Education (BIE) and Bureau of Indian Affairs (BIA), and a CDM program not effective enough to protect IT systems in a core Interior Department data center from potential exploitation of those vulnerabilities.
The CDM program is an approach implemented in 2013 to strengthen the security of networks and systems in government departments and agencies through detection and management of malware and vulnerabilities.
The program provides them with hardware and software tools that identify malware and vulnerabilities on an ongoing basis and assess the associated risks, so that vulnerabilities can be prioritized and IT security personnel can address the most significant ones first.
In this audit, the Office of the Inspector General set out to establish how well the program was being used to detect vulnerabilities and how security personnel responded to its warnings.
Over 1,000 of the bureaus’ network devices including computers, routers and firewalls – 793 from BIA and 209 from BIE – were identified.
Of the 793 BIA devices, 185 were sampled, and 22 percent of those were found to be missing from the DOI’s hardware inventory, apparently because IBM BigFix (the DOI’s inventory management solution) was not installed on them.
None of the 209 BIE devices were included in the inventory – again because the inventory management solution had not been installed on them.
The reason, the report found, was that BIA had neither funded nor commissioned the purchase of inventory management solution licenses for BIE systems, even though Department policy requires that all network devices be inventoried and tracked by the CDM hardware asset management control.
As for software, BIE was found not to have implemented the software asset management control on its systems, because the software inventory can only be built by IBM BigFix, which, as noted above, had not been installed.
The assessors then used their findings to quantify the risk these oversights posed to the bureaus’ systems, and confirmed the presence of numerous vulnerabilities, most of them in unsupported software.
Although redacted in the report’s public version, the IT assets in question were described as high-value and likely targets for cyber-attacks.
One of the vulnerable assets held personally identifiable information which, the audit found, had been left exposed for years – a breach of Department policy, which requires critical vulnerabilities to be patched within 30 days of detection.
The report censured the two bureaus and the contractors responsible for implementing the Department’s security program for these shortcomings – the former for failing to effectively oversee the latter and ensure that vulnerabilities were discovered and mitigated in a timely manner.
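As an added illustration, not taken from the OIG report and not DOI or BigFix code, the following Python shows two checks of the kind the inventory and patching findings above turn on: reconciling devices discovered on the network against an agent-based hardware inventory (the 22 percent gap), and flagging critical findings still open past a 30-day remediation deadline. The hostnames, dates and findings are constructed sample data, and the function names are this example's own.

```python
"""Inventory-coverage and patch-deadline checks of the kind a CDM-style program runs.

Added example, not from the OIG report or the DOI. Every hostname, date and
finding below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as a scanner would report it."""
    host: str
    severity: str        # "critical", "high", "medium" or "low"
    unsupported: bool    # True if the vendor no longer ships fixes for the software
    first_seen: date     # date the scanner first reported the finding


def inventory_gap(discovered, inventoried):
    """Reconcile hosts seen on the network against the agent-based inventory.

    Returns (sorted list of hosts missing from the inventory, percent missing).
    Hostnames are compared case-insensitively so that formatting differences
    between the scanner and the inventory tool cannot hide a gap.
    """
    seen = {h.lower() for h in discovered}
    tracked = {h.lower() for h in inventoried}
    missing = sorted(seen - tracked)
    pct = round(100.0 * len(missing) / len(seen), 1) if seen else 0.0
    return missing, pct


def overdue_findings(findings, today, sla_days=30, severities=("critical",)):
    """Findings of the given severities still open longer than the remediation deadline."""
    cutoff = today - timedelta(days=sla_days)
    return [f for f in findings if f.severity in severities and f.first_seen < cutoff]


def prioritize(findings):
    """Order findings so the most significant are addressed first:
    higher severity first, then the oldest finding within each severity."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (rank.get(f.severity, 9), f.first_seen))


# Constructed sample data: ten devices found by a network scan, of which the
# three BIE devices never had the inventory agent installed. The inventory also
# lists one host the scan did not see, which the gap check ignores.
DISCOVERED = ["bia-ws-001", "bia-ws-002", "bia-ws-003", "bia-rtr-01", "bia-fw-01",
              "bia-srv-01", "bia-srv-02", "bie-ws-001", "bie-ws-002", "bie-rtr-01"]
INVENTORIED = ["BIA-WS-001", "bia-ws-002", "bia-ws-003", "bia-rtr-01", "bia-fw-01",
               "bia-srv-01", "bia-srv-02", "bia-ws-999"]

TODAY = date(2018, 6, 1)  # constructed "as of" date for the deadline check
FINDINGS = [
    Finding("bia-srv-01", "critical", False, date(2015, 3, 10)),  # open for years
    Finding("bia-srv-02", "critical", True, date(2018, 5, 20)),   # 12 days old, within deadline
    Finding("bia-ws-002", "high", False, date(2017, 1, 5)),       # high, not counted by default
    Finding("bie-ws-001", "critical", False, date(2018, 4, 1)),   # 61 days old, overdue
]


if __name__ == "__main__":
    missing, pct = inventory_gap(DISCOVERED, INVENTORIED)
    print(f"{len(missing)} of {len(DISCOVERED)} devices ({pct}%) missing from inventory: {missing}")
    for f in overdue_findings(FINDINGS, TODAY):
        print(f"OVERDUE: {f.host} {f.severity} open since {f.first_seen}")
    print("work order:", [f.host for f in prioritize(FINDINGS)])
```

Running the file prints the three BIE devices as a 30 percent inventory gap, the two critical findings older than 30 days, and a work order that puts the oldest critical finding first. Passing `severities=("critical", "high")` to `overdue_findings` widens the deadline check to high-risk findings as well.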
Additionally, the bureaus were reproached for failing to adequately prepare for the power outage in March 2016, which temporarily disrupted the mission operations of several Federal agencies.
The inspector general attributed the vulnerabilities to the following failures by the BIA: not equipping all computers with the DOI’s inventory management software; not identifying and removing unauthorized, unwanted and unsupported data from the bureaus’ systems; not monitoring its implementation contractor to ensure all security requirements for both bureaus were met; not checking whether computers were securely configured; and not meeting plan testing and annual contingency planning requirements.
While the report did not reveal whether the audit checked for any previous or ongoing attempts by unauthorized persons to exploit the vulnerabilities, the assessors found such laxity in so senior a department unjustifiable given its $1 billion annual budget and the sensitivity of the data in its systems.
More to the point, the 4,000 vulnerabilities that had remained unmitigated for years could have been patched with available software updates, without necessarily replacing or upgrading the software.
The Office of the Inspector General concluded that the CDM program in some of the DOI’s data centers was “immature and not fully effective” in supporting the IT systems at the BIE and BIA, and issued eight recommendations, which the Office of the Chief Information Officer accepted.