An audit of the Department of Homeland Securitys system controls for remote access has found an alarming absence of configuration guidelines and several unpatched software products that put the DHS at risk of malicious hacker attacks.
In a report made public this week, the Office of Inspector General in the DHS warned that the audit turned up weaknesses in the systems used to avoid unauthorized access.
“Due to these remote access exposures, there is an increased risk that unauthorized people could gain access to DHS networks and compromise the confidentiality, integrity, and availability of sensitive information systems and resources,” the report said.
The OIG also discovered that the DHS does not provide adequate or effective system security controls over remote access to its computer systems and data.
While the department has established policies and procedures to handle the granting, monitoring, and removing of user access, the audit found that the guidelines had “not been fully implemented by the components because they are still developing processes or they are waiting to obtain automated tools to assist them in performing these functions.”
The auditors found that remote access hosts do not provide strong protection against unauthorized access; systems were not appropriately patched; and modems that may be unauthorized were detected on DHS networks.
“Subsequent to the completion of our audit work, officials from each of the components said that they had taken or planned corrective action to address many of the vulnerabilities identified in our review. However, we did not verify that the problems had been resolved,” the report said.
During the audit conducted between April and August, the OIG used off-the-shelf cracking products to perform scans and proof-of-concept brute-force attacks on 53 remote hosts owned by the DNS.
The auditors analyzed password strength and account policy settings and performed modem discovery tests on 2,868 analog phone lines as part of its mission to determine whether the DHS had provided system security, integrity, and control over remote access to its computer systems and data.
“In assessing the effectiveness of remote access controls, we identified several problems related to remote access host configurations, system patching, and the control of modems. These control weaknesses could provide an attacker with the ability to gain inappropriate access to DHS information systems and resources,” the report warned.
In response, Steve Cooper, chief information officer of the DHS, said the auditors findings were somewhat overblown. While acknowledging that certain procedures needed to be clear and adhered to, Cooper said the DHS uses firewalls and intrusion detection systems and other alarms to flag potential problems.
On the findings that system patches were not applied, Cooper said that all of the patches identified in the audit were in testing to be implemented. “It is not good practice to deploy patches without testing the impact of our essential systems,” the CIO said in a memo released on the DHS Web site. “I support strong patch management and will continue to work to ensure effective implementation.”
Cooper said plans were in place to update the DHS Sensitive Systems Handbook early next year to provide minimum security requirements for remote access. The CIO also accepted recommendations to ensure all procedures are implemented and an effective patch management mechanism is used.