by Phil Leggiere
Monday, 25 October 2010
DHS OIG cites continuing lack of robust security controls.
The National Cyber Security Division (NCSD) needs to focus on deploying a
more timely system of security patches to mitigate risks to its
cybersecurity program systems, according to a report released by the
Department of Homeland Security Office of Inspector General.
The report, titled DHS Needs to Improve the Security Posture of Its
Cybersecurity Program Systems
(<http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-111_Aug10.pdf>), focused
on the security of the systems that US-CERT uses to accomplish its
cybersecurity mission.
Overall, the report found that, although NCSD has implemented adequate
physical security and logical access controls over the cybersecurity
program, a significant effort is needed to address existing security issues
in order to implement a robust program that will enhance the cybersecurity
posture of the federal government.
"We identified that the system security controls implemented on NCPS
Einstein, HISN/USCERT Portal, and NCPS Public Web adequately protect the
data collected, stored, and disseminated," the report said. "However,
adequate security controls have not been implemented on the Mission
Operating Environment (MOE) to protect the data processed from unauthorized
access, use, disclosure, disruption, modification, or destruction."
The report identified 1,085 instances of high-risk vulnerabilities on the
MOE; 202 were unique across the 174 MOE computers scanned. The majority of
the high-risk vulnerabilities involved application, operating system, and
security software patches that had not been deployed on MOE computer systems
located in Virginia.
"While NCSD performs vulnerability testing and has established a patch
management process," the report explained, "the process is ineffective
because the vulnerabilities identified are not being properly managed and
mitigated in a timely manner on the MOE."
According to NCSD, the report added, "MOE application patches are currently
being applied manually. Because of the difficulty in patching a large number
of machines manually, patches are often not applied universally, to all
computer systems on the network, in a timely fashion." Issues concerning
NCSD's MOE patching process, first identified during an April 2009 National
Security Agency review, have not yet been addressed.
The report makes numerous recommendations to the NCSD Director.
One recommendation calls upon the NCSD Director to "mitigate the
vulnerabilities identified during the audit to secure the operating systems
and applications deployed on the MOE network."
Another calls for implementation of "a software management solution that
will automatically deploy operating system and application security patches
and updates on all MOE computer systems to mitigate current and future
vulnerabilities."
The report also urges the establishment of "an information security training
process that includes developing a list of required and recommended courses
for NCSD systems personnel and contractors, monitoring training taken, and
maintaining course records. This should help to ensure that systems
personnel and contractors receive security awareness training and
specialized training commensurate with their roles and responsibilities."
Additionally, the report calls upon the NCSD to update the annual system
self-assessments for the division's cybersecurity systems to "include all
system information and complete the appendices according to DHS
requirements."
The National Cyber Security Division (NCSD) was established to serve as the
national focal point for addressing cybersecurity issues in the public and
private sectors.
The United States Computer Emergency Readiness Team (US-CERT), created under
NCSD, is responsible for compiling and analyzing information about
cybersecurity incidents and providing timely technical assistance to
operators of agency information systems regarding security incidents. The
team provides response support and defense against cyber attacks for the
federal civil executive branch (.gov); disseminates reasoned and actionable
cybersecurity information to the public; and facilitates information sharing
with state and local government, industry, and international partners.
http://www.hstoday.us/content/view/15180/149/