IG says computer systems connected to Homeland Security network are not secure
Sensitive information is at risk, watchdog reports.
The Homeland Security Department has failed to validate the security of computer systems that connect to the primary network, introducing vulnerabilities and putting sensitive information at risk, according to a report released by the inspector general on Tuesday.
DHS uses Active Directory, a technology included in Microsoft Windows, to centrally manage network processes and services across the department. According to a report from the IG, a number of the computer systems that rely on Active Directory for enterprise services have security weaknesses.
"A basic tenet of information security is to apply controls to systems that not only exist within a network, but to those that connect to it as well," the IG reported. "By accepting systems from other components without enforcing or confirming security controls, DHS exposes its network to vulnerabilities contained on those systems," including potential unauthorized access to data or interruption of critical services.
Specifically, the IG detected vulnerabilities in systems connecting to the main department network from Customs and Border Control; Immigration and Customs Enforcement; and the Science and Technology division, including missing security patches, weak passwords and a lack of access controls that prevent unauthorized users from opening sensitive applications.
The IG also reported that Homeland Security had no policy in place to verify the quality of security configurations on systems that connect to the primary computer network at DHS headquarters from networks at component agencies.
"Initially designed to support only headquarters, the current Active Directory structure is not optimized for supporting enterprisewide applications," the report said. "To secure the systems that are added, manual procedures and individual validations must be performed. These processes have not proved to be effective in maintaining the level of security required on DHS' network."
DHS Chief Information Officer Richard Spires has started to address the issues outlined in the report, including recommendations by the IG to verify that security controls are implemented and configuration settings are compliant with department policy on systems connected or added to Active Directory enterprise application domain; to address the current weaknesses on systems connected to Active Directory; and to provide guidance to ensure appropriate security measures are taken for all systems.
NEXT STORY: Zap -- Sit Up!