DHS IT systems missing security patches for 'critical' vulnerabilities

A watchdog group found the US Department of Homeland Security lacking in key areas of cybersecurity readiness.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • The IT systems of the US Department of Homeland Security fall short in key areas of cybersecurity readiness. -- Office of Inspector General, 2018
  • The US Department of Homeland Security did not monitor software licenses for unclassified systems and lacked key patches for "critical" flaws. -- Office of Inspector General, 2018

Some IT systems of the US Department of Homeland Security (DHS) used unsupported operating systems and missed key security patches to protect against "critical" and "high-risk" vulnerabilities, according to a recent report from the department's Office of Inspector General (OIG).

Three systems used by DHS were still running Microsoft Windows Server 2003, which was no longer supported and hadn't been patched since July 2015, the report found. Some systems hadn't been patched since 2013, and many Windows 7 and Windows 8.1 workstations weren't even patched against WannaCry.

In its report, the OIG tested the DHS's ability to identify, protect, detect, respond to, and recover from cybersecurity issues. The issues of patching and unsupported operating systems fell under the protect category.


While the OIG did note that the DHS systems met the standards to identify security issues, it also found that "64 systems lacked valid authority to operate, and components did not remediate security weaknesses timely."

As reported by Zack Whittaker of our sister site ZDNet, more than a dozen of those 64 systems were national security systems that are used to store "highly sensitive classified information."

Detecting security issues was also a problem for the DHS IT systems, the report found. The systems didn't monitor software licenses for unclassified systems and relied on data calls, instead of proper enterprise management tools, to monitor national security systems for potential security issues.

The DHS met the OIG's standards to respond to security attacks, but not those to recover from them. According to the report, the DHS failed to test contingency plans for its IT systems or to develop proper procedures for handling sensitive data. It also never found an alternate data center to use in failover instances if there was a denial of service.

"Additional oversight is needed to address the identified deficiencies. Otherwise, DHS cannot ensure its systems adequately protect the sensitive data they store and process," the OIG report said.

The report comes after a cybersecurity executive order was signed by President Donald Trump in May 2017, requiring security audits of federal systems.
