The report, edited for public distribution, said investigators uncovered 3,000 “critical and high-risk vulnerabilities in hundreds of publicly accessible computers” managed by three unnamed Interior bureaus, a finding highlighted during the Wednesday House oversight subcommittees’ hearing.
Much of the public report echoed comments that Mary Kendall, deputy inspector general at Interior, made during the hearing — that the vulnerabilities could allow bad actors to take charge of publicly accessible computers or render them unavailable.
Lawmakers received a draft of the Interior inspector general’s report following news of the breaches at the Office of Personnel Management that exposed the data of millions of federal employees. One of the breaches occurred in an Interior data center. The IG’s office would not say on the record how many systems it tested at the three bureaus, but cybersecurity experts told FedScoop when news of the report came out earlier this week that the volume of detected vulnerabilities was worrisome.
In the report, the authors take the department to task for not centralizing its cybersecurity policy, guidance and enforcement, and note that the department does not mandate how security measures should be deployed, tested or enforced. As a result, security practices are inconsistent throughout the department.
“The OCIO is unable to adequately measure or enforce security solutions protecting its data,” the report said.
During the hearing this week, Interior Chief Information Officer Sylvia Burns acknowledged that the department’s IT was disparate. Indeed, she said that she is personally responsible for only $200 million of the department’s $1 billion IT budget. She said, though, that this would change when the department carries out the Federal Information Technology Acquisition Reform Act.
Investigators issued six recommendations for Burns:
1. Require and enforce the secure development and management of all publicly available IT services — including an official approval process, cloud candidacy evaluation, testing requirements, architectural designs and data flow, minimum layered security controls, and standardized platforms and utilities.
2. Perform periodic discovery activities and reconcile results with approved inventory of bureau and department services, including all service site URLs, all public IP ranges, and identification of public systems housing sensitive or mission-critical data.
3. Expand existing external vulnerability scanning services to include advanced service exploit testing, advanced website (URL-based) exploit testing, oversight of various remediation activities, and trend analysis.
4. Require all publicly available systems to be hosted in an isolated infrastructure.
5. Perform periodic advanced testing to validate the effectiveness of controls in isolating public systems from internal systems.
6. Implement an intrusion-monitoring solution that can analyze and correlate internal traffic patterns and detect attack signatures across bureaus, including the capability for active traffic interception.
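Recommendation 2 amounts to a reconciliation step: whatever discovery finds on the public internet is compared against the approved inventory of service URLs and public IP ranges, and anything unapproved or holding sensitive data is surfaced for follow-up. The script below is an added illustration of that check, not code from the report or from Interior; the inventory, IP ranges and discovery records are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed approved inventory (hypothetical bureau data, not from the report).
APPROVED_RANGES = ["198.51.100.0/24", "203.0.113.0/25"]
APPROVED_SERVICES = {
    "https://maps.example.gov/": {"sensitive": False},
    "https://grants.example.gov/": {"sensitive": True},
}

# Constructed discovery output: one record per publicly reachable service found.
DISCOVERED = [
    {"ip": "198.51.100.17", "url": "https://maps.example.gov/"},
    {"ip": "203.0.113.200", "url": "https://legacy.example.gov/"},
    {"ip": "198.51.100.40", "url": "https://grants.example.gov/"},
    {"ip": "198.51.100.41", "url": "http://test.example.gov/"},
]


def reconcile(discovered, approved_ranges, approved_services):
    """Compare discovery results with the approved inventory.

    Returns a list of (ip, host, issue) tuples covering: hosts outside the
    approved public IP ranges, services with no inventory entry, approved
    services that hold sensitive data (flagged so they get priority testing),
    and services reachable without TLS.
    """
    nets = [ipaddress.ip_network(r) for r in approved_ranges]
    inventory = {urlsplit(u).hostname: meta for u, meta in approved_services.items()}
    findings = []
    for rec in discovered:
        addr = ipaddress.ip_address(rec["ip"])
        host = urlsplit(rec["url"]).hostname
        if not any(addr in net for net in nets):
            findings.append((rec["ip"], host, "ip outside approved public ranges"))
        if host not in inventory:
            findings.append((rec["ip"], host, "service not in approved inventory"))
        elif inventory[host]["sensitive"]:
            findings.append((rec["ip"], host, "approved service holds sensitive data"))
        if rec["url"].startswith("http://"):
            findings.append((rec["ip"], host, "service exposed without TLS"))
    return findings


if __name__ == "__main__":
    for ip, host, issue in reconcile(DISCOVERED, APPROVED_RANGES, APPROVED_SERVICES):
        print(f"{ip:<16} {host:<24} {issue}")
```

In practice the discovery records would come from the bureau's own scanning tooling and the inventory from the approval process in recommendation 1; the reconciliation logic is the same.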
Authors of the report included a response from Burns, who said vulnerabilities have been “corrected or are in the process of being addressed.”
“The OCIO will monitor the correction of any remaining vulnerabilities and require the impacted bureaus to resolve them within the next 30 days,” she wrote.