DHS Information Security Program, Dozens secret databases vulnerable to hack

Evaluation of DHS Information Security Program for Fiscal Year 2015 revealed the existence of dozens of top-secret unpatched databases.

The story I’m about to tell you is staggering, the US Department of Homeland Security is running dozens of unpatched and vulnerable databases, a number of them contained information rated as “secret” and even “top secret.”

The discovery emerged from the “Evaluation of DHS’ Information Security Program for Fiscal Year 2015” conducted on the department’s IT infrastructure by the US Government.

The audit of the DHS Information Security found serious security issues in the Government systems, including 136 systems that had expired “authorities to operate,” a circumstance that implies the stop of maintenance activities. The principal problem discovered by the inspectors is that a number of systems, despite are still operative and under maintenance have no up-to-date security patches, leaving them open to cyber attacks.

Of the 136 systems, 17 were containing information classified as “secret” or “top secret.”

Giving a deep look at the report on the DHS Information Security Program, it is possible to note that the Coast Guard runs 26 vulnerable databases, followed by FEMA with 25, Customs and Border Protection with 14, and the DHS’ headquarters with 11.

Although Secret Services have only two vulnerable databases, they have failed other targets.
It implemented proper security checks just for 75 percent of its secret or top secret databases, and just 58 per cent of its non-secret databases. The DHS targets are 100 per cent and 75 per cent respectively. The experts discovered several security issues affecting the majority of assessed systems, including PCs, databases and also browsers.

The assessments conducted to evaluate the DHS Information Security Program, revealed several deficiencies in the systems analyzed, for example, Windows 8.1 and Windows 7 workstations which were missing security patches for the principal software.

“We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations,” the department’s inspector general noted in a 66-page report. “If exploited, these vulnerabilities could allow unauthorized access to DHS data.”

The inspectors have found many other security issues in the DHS Information Security Program, including weak passwords, websites susceptible to cross-site and/or cross-frame vulnerabilities and poor security settings.

The Government environments suffer bureaucratic obstacles in bug fixing and patch management, it could take more than a year to fix a leak from the moment it is reported.

The results of the evaluation confirm that improvements have been made but there are a lot of serious issues that have to be urgently addressed.

“While improvements have been made, the Department must ensure compliance with information security requirements in other areas. For example, DHS does not include its classified system information as part of its monthly information security scorecard or its FISMA submission to OMB. In addition, USCG is not reporting its PIV data to the Department, which is a contradiction to the Under Secretary for Management’s guidance that requires Components to submit this information to the Department.5 In addition, we identified deficiencies with DHS’ enterprise management systems, including inaccurate or incomplete data.”

The report also provides a set of recommendations to solve the security issued emerged after the assessment.

The DHS has 90 days to fix the issues, two of which have been already solved.

Pierluigi Paganini

(Security Affairs – DHS Information Security Program, vulnerable databases)