Audit reveals gaping security holes on DHS networks

The recently released results of a security audit performed on the various systems used by the US-CERT to accomplish its cybersecurity mission revealed an unpleasant reality: a total of 671 unique vulnerabilities – 202 of which were high-risk – have been detected on the Mission Operating Environment (MOE) system.

The other three main information systems – the National Cybersecurity Protection System (sometimes called Einstein), the NCPS Public Web (at www.us-cert.gov) and the Homeland Security Information Network/US-CERT Portal – have passed the audit with flying colors.

The systems were scanned with the Nessus vulnerability scanner, and “the majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on MOE computer systems located in Virginia.”

The great majority of the high-risk vulnerabilities involved Microsoft applications, Adobe Acrobat, and Sun Java. Those involving operating systems were related to Windows and Red Hat Linux.
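To make the audit's numbers concrete (671 unique vulnerabilities, 202 of them high-risk, most tied to missing patches), here is an added example, not code from the audit or the article, that does the triage a defender performs on a scan export before patching: it reads a report in the Nessus v2 `.nessus` XML layout, counts unique vulnerabilities by plugin ID rather than per host, separates the high-risk ones, and groups them by plugin family and by host. The XML sample, host addresses, plugin IDs and plugin names are all constructed for illustration, and treating Nessus severity 3 (high) and 4 (critical) together as "high-risk" is an assumption made here.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample in the layout of a Nessus v2 export (.nessus).
# Hosts, plugin IDs and plugin names are invented for illustration; none of
# these values come from the DHS audit.  Plugin 900001 appears on both hosts
# on purpose, to show that "unique vulnerabilities" is counted per plugin,
# not per host finding.
SAMPLE_NESSUS = """<?xml version="1.0" encoding="UTF-8"?>
<NessusClientData_v2>
  <Report name="constructed-moe-scan">
    <ReportHost name="10.0.0.11">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Example: Microsoft Office update missing"
                  pluginFamily="Windows : Microsoft Bulletins"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                  pluginID="900002" pluginName="Example: Adobe Acrobat out of date"
                  pluginFamily="Windows"/>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="1"
                  pluginID="900003" pluginName="Example: SMB signing not required"
                  pluginFamily="Misc."/>
    </ReportHost>
    <ReportHost name="10.0.0.12">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Example: Microsoft Office update missing"
                  pluginFamily="Windows : Microsoft Bulletins"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
                  pluginID="900004" pluginName="Example: Sun Java multiple vulnerabilities"
                  pluginFamily="Windows"/>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
                  pluginID="900005" pluginName="Example: RHSA kernel update missing"
                  pluginFamily="Red Hat Local Security Checks"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus "severity" attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}
HIGH_RISK = {3, 4}  # assumption: both high and critical count as "high-risk"


def parse_report(xml_text):
    """Return one (host, plugin_id, plugin_name, family, severity) tuple per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append((
                host.get("name"),
                item.get("pluginID"),
                item.get("pluginName"),
                item.get("pluginFamily"),
                int(item.get("severity", "0")),
            ))
    return findings


def summarize(findings):
    """Count unique vulnerabilities (by plugin ID), isolate the high-risk ones,
    and break those down by plugin family and by affected host."""
    unique = {}  # plugin ID -> (name, family, severity); duplicates across hosts collapse
    for _host, pid, name, family, sev in findings:
        unique[pid] = (name, family, sev)
    high = {pid: v for pid, v in unique.items() if v[2] in HIGH_RISK}

    # Which product areas need patching most (the audit's Microsoft/Adobe/Java picture).
    high_by_family = Counter(v[1] for v in high.values())

    # How many distinct high-risk plugins each host carries: the patch worklist.
    per_host = defaultdict(set)
    for host, pid, _name, _family, sev in findings:
        if sev in HIGH_RISK:
            per_host[host].add(pid)

    return {
        "unique_total": len(unique),
        "unique_high_risk": len(high),
        "high_by_family": dict(high_by_family),
        "high_per_host": {h: len(p) for h, p in per_host.items()},
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_NESSUS))
    print(f"unique vulnerabilities: {report['unique_total']}, "
          f"high-risk: {report['unique_high_risk']}")
    for family, n in sorted(report["high_by_family"].items()):
        print(f"  {family}: {n}")
    for host, n in sorted(report["high_per_host"].items()):
        print(f"  {host}: {n} high-risk plugins to remediate")
```

The per-host list is what an automated patch-management tool would consume; the per-family list is what tells you whether the problem is one vendor's update channel or, as the audit found, several of them at once.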

This is definitely bad news – this is the US-CERT we’re talking about here! They are the ones that help civil agencies when they are under attack, and the ones that are supposed to warn everybody about the latest discovered security holes and the patches available to fix them.

“The MOE is the backbone of US-CERT operations. It provides a basic computing environment that allows US-CERT personnel to exchange and access mission-critical security incident data and information system anomalies,” says the report, so the existence of vulnerabilities that could lead to a compromise of the system should be a big no-no.

The auditors recommended immediately patching the existing vulnerabilities and implementing a software management solution that will automatically deploy operating system and application security patches and updates. The National Cyber Security Division plugged the discovered holes and stated that it is currently testing a software management solution.

Among other things that the NCSD failed to implement successfully were specific FISMA requirements, such as a formal Information Security Training Program and a thorough Plan of Action and Milestones for known vulnerabilities.

The auditors also discovered that system and program documentation had not been reviewed or approved, and that the NCSD was found not to be fully complying with DHS policies regarding firewall testing, Secure Baseline Configuration Guides, and physical security of server rooms.