The Interior Department must update the procedures and policies it uses for determining who gets what access to its various systems, auditors said.
In a report released this week, Interior’s inspector general found that eight of the nine systems it tested failed to meet the minimum logical access control benchmarks most recently set forth by the National Institute of Standards and Technology.
Meeting the NIST standards, the report says, would “ensure that general users do not have access to privileged functions and that audit trails are in place to monitor actions taken by privileged users to mitigate risk from insider threats.” It noted the Office of the Chief Information Officer expected to put the logical access controls in place by the end of the year — “more than two and a half years late.”
John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity research organization, said strong logical access controls matter because “quite often” organizations give staffers access to all systems to make things easier. But if a bad actor gets hold of a staffer’s credentials, that same broad access lets the intruder wreak havoc.
“You only want the people to get to the things they need to do their job — not give everybody access to everything,” he said.
Auditors also noted in the report that the department needs to ensure that its laptops and smartphones are encrypted and securely configured, an issue raised in a previous IG report. And the report found that Interior currently does not have the capability to analyze encrypted traffic, though the department plans to install a device that will help it inspect such traffic for “malicious content.”
The report comes as the result of the Cybersecurity Act of 2015, signed by the president late last year as part of a larger bill, which requires agency inspectors general to report to Congress on their security practices by Sunday. The law, which came after the recent breaches at the Office of Personnel Management, aims to take a close look at some of the most important cybersecurity indicators, Pescatore said.
Authors of the Interior report did give the department credit for its work to establish multifactor authentication — where users must verify their identity through another control, like a smart card, in addition to a username and password to access federal systems — across the agency. The agency reports 100 percent of its privileged users now use multifactor authentication, according to a Performance.gov progress update.
Multifactor authentication has long been a priority of agency CIO Sylvia Burns, but the agency ramped up efforts after the administration’s cyber sprint earlier this year. Indeed, Burns told congressional lawmakers that the importance of using two-factor authentication was one of the “lessons learned” from the OPM breach, where the personal information of millions of people was exposed. During the breach, a bad actor used an OPM privileged user’s username and password to access Interior’s systems.
“Many high-profile data breaches, including the 2015 U.S. Office of Personnel Management data breach, could have been prevented with multifactor authentication in place,” the report notes.