More than half of U.S. Department of Energy desktop systems tested by the DoE's inspector general failed to apply security patches for known vulnerabilities, although the software fixes were issued months earlier, a just-released audit reveals.
In a letter accompanying the audit, Energy Department Inspector General Gregory Friedman notes that vulnerabilities his office identified decreased to 38 from 56 in fiscal year 2011. "While this is a positive trend," he says, "our current evaluation found that the types and severity of weaknesses continued to persist and remained consistent with prior years."
Indeed, 16 of the 38 vulnerabilities identified existed in previous years, but were not fixed. The IG also discovered 22 new weaknesses during its 2012 audit. Friedman says the weakness involve problems with access controls, vulnerability management, integrity of web applications, planning for continuity of operations and change control management.
IG examiners, for instance, tested 1,952 desktop systems between February and November and discovered that 1,132 PCs, or 58 percent, ran operating systems and/or client applications without patches for known vulnerabilities, although the fixes been released more than three months before the audit, and in some cases, up to six months earlier.
The audit also reveals that at least 157 network systems ran operating systems and application support platforms without security patches and/or security configurations for known vulnerabilities that were released more than 30 days prior to the IG examination. In addition, the IG identified 41 network servers running operating system versions that were no longer supported by the vendor.
Examiners also identified vulnerabilities on servers supporting critical financial and non-financial applications and data. "The vulnerabilities could have resulted in a compromise of business information or unauthorized access to critical application functionality and data, as well as loss or disruptions of critical operations," the audit says.
At eight locations, the IG says, examiners found 28 web applications that accepted malicious input data that could be used to launch attacks against legitimate application users. That, the IG says, could have resulted in unauthorized access to the application. Such attacks, referred to as cross-site scripting attacks, could allow an attacker to compromise legitimate users' workstations and application login credentials, the IG says. In 2011, a security industry report indicated that attacks such as these were the most commonly exploited security vulnerabilities for web applications
"Web applications that do not adequately protect access control functions are at risk of malicious attacks that could result in unauthorized access to application functionality and sensitive data stored in the application," the audit report warns.
The IG also points out that DoE didn't fully implement policies and procedures, noting that many of the sites reviewed failed to follow program or site-level patch management processes to ensure security updates were consistently applied in a timely manner. Despite existing policies, the IG says sites had not consistently followed such policies for terminating or disabling user access. The IG cites one instance of an administrator's account not being removed despite more than eight months of inactivity, although policies required deletion or deactivation of any user account that had been inactive for three months.
Responding to the audit, Energy CIO Robert Brese and Undersecretary for Nuclear Security Thomas D'Agostino say the department will fix the problems the IG cites.