Security issues in DHS systems potentially exposes confidential data at risk

Despite DHS components have strengthened coordination in performing their cyber missions a recent audit made by the OIG has found several security issues.

Among the missions assigned to the DHS there is the coordination of activities related to the prevention, mitigation and recovery from cyber incidents, the Department also oversees the IT security of the US Government.

The DHS is supported in these critical activities by three agencies: the US Immigration and Customs Enforcement (ICE), the National Protection and Programs Directorate (NPPD), and United States Secret Service (USSS).

The intense collaboration between the agencies is crucial to ensure the Homeland Security.

After this premise, let me show you the results of a report released on Tuesday by the Department of Homeland Security’s Office of Inspector General (OIG). The audit , conducted  by the OIG, called for improved coordination between DHS agencies in order to meet cyber threats in order to avoid serious cyber incidents.

According to the report “DHS Can Strengthen Its Cyber Mission Coordination Efforts ” published by the OIG, DHS and above components have taken significant steps to improve the information sharing and respond to the cyber attacks in an effective way.

However, the OIG discovered several security related a lack of coordination with existing policies and the organization of a Department-wide Cyber Training Program.

Without developing the department-wide training program, internal staff is not able to perform correctly their assigned incident response duties or investigative responsibilities in the event of a cyber incident.

“Despite these positive steps, the Department can take additional actions to improve its cyber mission coordination. For example, CIR has not developed a cyber strategic implementation plan due to its recent establishment and limited staff. Without a strategic plan, DHS cannot effectively align the components’ cyber responsibilities and capabilities with DHS’ overall mission.” states the report.

“Further, DHS needs to establish a cyber training program to provide its analysts and investigators with the skills needed to effectively perform their duties at ICE, NPPD, and USSS. An automated cyber information sharing tool is needed to enhance coordination among the components. Moreover, deficiencies we identified in ICE and USSS’ implementation of DHS baseline configuration settings, vulnerability management, weakness remediation, and specialized security training as required may result in loss, misuse, modification, and unauthorized access of the Department’s information systems and data.”

The OIG also discovered a number of vulnerabilities affecting the internal websites of ICE and USSS. The flaws include cross-site scripting (XSS), cross-site request forgery (CSRF), information leakage, session fixation, and command injection flaws.

The ICE failed to implement configuration settings on Cyber Crimes Center (C3) servers and workstations exposing sensitive data to the risk of cyber attacks.

The OIG already reported the flaws to the internal agencies, some of the security issued discovered in the audit had been already resolved, but OIG is still not completely satisfied with the result obtained by the components and their IT staff.

Pierluigi Paganini

(Security Affairs – DHS, OIG audit)