IG cites CBP for laptop security issues
The agency has failed to establish a standard laptop configuration that meets minimum security requirements and has lagged in devising effective patching procedures, a report states.
U.S. Customs and Border Protection needs to bolster its protection of laptop computers, according to a Homeland Security Department audit.In a December 2006 report, DHS’ Office of the Inspector General said CBP has failed to establish a standard laptop configuration that meets minimum security requirements and has also lagged in devising effective patching procedures. Additionally, CBP lacks sufficient inventory management controls, the report notes.“As a result, sensitive information stored and processed on CBP’s laptop computers may not be protected adequately,” according to the IG’s office.The report, citing DHS’ Computer Security Incident Response Center, said 12 security incidents involving stolen DHS laptops were reported in 2005. Those thefts included laptops from CBP, the Secret Service, Immigration and Customs Enforcement (ICE), and the Science and Technology Directorate.The report states that CBP developed a standard build for its laptops, based on DHS server configuration guidelines for Microsoft Windows 2000. The build, which includes antivirus capability, a personal firewall and a hard-drive encryption, is loaded onto a server as a software image and installed on new laptops.OIG tested a sample of 256 CBP laptops and found that the standard build was not consistently implemented. The audit discovered that 16 percent of the tested laptops were not running Windows 2000. Those laptops were running operating systems such as Linux and Windows 3.1, 95, 98, ME, NT and XP.OIG said the security features of CBP’s standard build, while enhancing data protection, lack “certain critical controls.” The redacted report, however, does not identify those controls.Further, the the IG’s report states that patches and updates were missing from laptops because most of the units included in the audit “are used as secondary or shared laptops.” Those laptops do not regularly connect to the CBP network, which distributes patches, according to the report.In addition, some Border Patrol locations link to the ICE network, rather than CBP.CBP is working toward laptop security improvement, according to OIG. “CBP officials stated that they have already taken or plan to take corrective action to address the weaknesses we identified,” the report states.