Sunday, November 27, 2011

Department of Homeland Security (DHS) Cyber Security Audit FAIL

The DHS US-CERT office is currently plagued by at least 600 vulnerabilities

A new report warns that the Department of Homeland Security (DHS) is falling short on some cybersecurity protocols.

The news of cybersecurity shortcomings at the agency is more than slightly concerning, as DHS has been tapped to lead information security efforts nationally for both the public and private sectors.

The report, titled DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems, indicates that the DHS has failed a security audit conducted by the agency's own Inspector General:

The objective of our audit was to determine whether adequate physical and logical access controls are in place to secure the cybersecurity program systems utilized by US-CERT and safeguard the data collected and disseminated by US-CERT. Specifically, we:
  • Determined what and how cybersecurity data is collected and maintained by US-CERT

  • Evaluated the adequacy of physical security controls implemented to protect NCSD’s cybersecurity program systems

  • Determined whether US-CERT has implemented effective system security controls to safeguard the confidentiality, integrity, and availability of cybersecurity data.

  • Determined whether the system documentation for DHS’ cybersecurity program systems has been completed in compliance with DHS and FISMA requirements

"Adequate security controls have not been implemented on the [Mission Operating Environment] to protect the data processed from unauthorized access, use, disclosure, disruption, modification, or destruction," the IG concluded.

The report indicates the DHS US-CERT is grappling with more than six hundred network vulnerabilities, with more than two hundred of them having been identified as critical.

"The results of our vulnerability assessments revealed that [National Cyber Security Division] is not applying timely security and software patches on the [Mission Operating Environment]," the report continued.

DHS indicated that the agency has implemented "a software management tool [to] automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities," according to a statement by DHS spokeswoman Amy Kudwa.
