Infosec's Tediousness Can Cause Vulnerabilities
Manual Processes Fail Where Automated Ones Would Suffice

The inspector general report issued Wednesday generally credits the DHS's National Cybersecurity Division and its U.S.-CERT unit for implementing processes to secure IT systems, including the Einstein 1 network monitoring and Einstein 2 intrusion detection systems, but points out a series of deficiencies that keep the agencies' IT systems from being fully secured.
Frank Deffer, assistant inspector general for IT Audits, writes in the report that the division and the United States Computer Emergency Readiness Team - the DHS units responsible for helping to secure the IT systems of civilian agencies - need to make a significant effort to address existing security challenges so they can implement a robust program to enhance the cybersecurity posture of the federal government.
The division, Deffer writes, "needs to focus on deploying timely system security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation and ensuring adherence to departmental security policies and procedures."
DHS Undersecretary Randy Beers, in a written response to the IG report, generally concurs with the IG's findings and recommendations, saying the department has either addressed the problems or is in the process of remediating them.
One of the problems the division and U.S.-CERT face is a common one confronting many governmental agencies: relying on a manual rather than an automated process to manage patch updates. "Because of the difficulty in patching a large number of machines manually, patches are often not applied universally, to all computer systems on the network, in a timely fashion," Deffer writes.
Because patches were not being deployed in a timely way, auditors found a high number of application and operating system vulnerabilities that leave systems open to attack. "These vulnerabilities, if not addressed, could lead to arbitrary code execution, buffer overflow, escalation of privileges and denial-of-service attacks," Deffer says.
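The gap the IG describes, patches applied to some machines but not "universally ... in a timely fashion," is exactly what an automated compliance sweep exposes. The following is an added example, not code from the IG report or from DHS: it compares a constructed host inventory against a constructed patch baseline and reports, per host, which required patches are missing, how many days each system has been exposed since the patch was released, and which of those exceed a remediation SLA. The host names, package names, versions, dates and the 30-day SLA are all assumptions made up for the example; versions are assumed to be dotted or dashed numeric strings.

```python
"""Patch-compliance sweep over a host inventory (added example, constructed data)."""
from datetime import date

# Constructed baseline: package -> (minimum fixed version, date that fix was released).
# These are hypothetical packages, not real advisories.
PATCH_BASELINE = {
    "acme-agent": ("2.4.0", date(2010, 5, 1)),
    "libfoo": ("1.8.0", date(2010, 5, 20)),
    "webd": ("3.2.0", date(2010, 6, 1)),
}

# Constructed inventory: host -> {package: installed version}. A package absent
# from a host is simply not installed there and is not a finding.
INVENTORY = {
    "web-01": {"acme-agent": "2.4.1", "libfoo": "1.8.0", "webd": "3.2.0"},
    "web-02": {"acme-agent": "2.3.9", "libfoo": "1.8.0", "webd": "3.1.7"},
    "db-01": {"acme-agent": "2.4.1", "libfoo": "1.7.5"},
    "jump-01": {"acme-agent": "2.2.0", "libfoo": "1.7.5", "webd": "3.1.7"},
}

AS_OF = date(2010, 6, 15)   # assumed audit date
SLA_DAYS = 30               # assumed remediation window


def parse_version(version):
    """Turn '2.4-1' into (2, 4, 1) so versions compare numerically, not as strings
    (string comparison would rank '2.10' below '2.9')."""
    return tuple(int(part) for part in version.replace("-", ".").split("."))


def is_patched(installed, required):
    return parse_version(installed) >= parse_version(required)


def sweep(inventory, baseline, as_of, sla_days):
    """Return {host: [finding, ...]} for every host missing at least one patch.

    Each finding records the package, the installed and required versions, how
    many days the host has been exposed since the fix shipped, and whether that
    exposure has already blown through the SLA.
    """
    report = {}
    for host, packages in inventory.items():
        findings = []
        for package, (required, released) in baseline.items():
            installed = packages.get(package)
            if installed is None or is_patched(installed, required):
                continue
            exposed = (as_of - released).days
            findings.append({
                "package": package,
                "installed": installed,
                "required": required,
                "days_exposed": exposed,
                "overdue": exposed > sla_days,
            })
        if findings:
            report[host] = findings
    return report


def patch_coverage(inventory, baseline):
    """Fraction of hosts that have each package at or above the fixed version,
    counting only hosts where the package is installed. Anything below 1.0 is a
    patch that was not applied 'universally'."""
    coverage = {}
    for package, (required, _released) in baseline.items():
        hosts = [v for pkgs in inventory.values() if (v := pkgs.get(package)) is not None]
        patched = sum(1 for v in hosts if is_patched(v, required))
        coverage[package] = patched / len(hosts) if hosts else 1.0
    return coverage


def overdue_findings(report):
    """Flatten the report to (host, package) pairs that are past the SLA."""
    return [(host, f["package"]) for host, findings in report.items()
            for f in findings if f["overdue"]]


if __name__ == "__main__":
    report = sweep(INVENTORY, PATCH_BASELINE, AS_OF, SLA_DAYS)
    for host, findings in sorted(report.items()):
        for f in findings:
            flag = "OVERDUE" if f["overdue"] else "within SLA"
            print(f"{host}: {f['package']} {f['installed']} < {f['required']} "
                  f"({f['days_exposed']} days exposed, {flag})")
    for package, fraction in patch_coverage(INVENTORY, PATCH_BASELINE).items():
        print(f"coverage {package}: {fraction:.0%}")
```

The two numbers worth tracking over time are the coverage fraction per patch (is it at 100%?) and the count of overdue findings (is it trending to zero?); a manual process tends to leave both stuck, which is what the auditors observed.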
Because U.S.-CERT analysts gain access to Einstein data through these systems, the IG says, the vulnerabilities may put sensitive Einstein data at risk.
The inspector general also says the division failed to meet some requirements of the Federal Information Security Management Act, the law that governs federal IT security. Specifically, the division has not properly developed, or periodically updated, the status of known security weaknesses for its cybersecurity program systems in its plans of action and milestones. Nor has it established an information security training program to ensure that systems personnel and contractors receive adequate security awareness training and specialized role-based training commensurate with their specific responsibilities.
DHS also hasn't updated the remediation status of its vulnerabilities in its plans of action and milestones. "NCSD management has no way of knowing whether these weaknesses have been mitigated," Deffer says.