The U.S. Department of Energy’s (DoE) Office of Inspector General (OIG), Office of Audits and Inspections (OAI), released a report on October 29th, 2013 that details the unclassified cyber security program audit findings for Fiscal Year (FY) 2013. The findings were alarming yet, at the same time, not entirely unexpected. Perhaps the most glaring findings related to access control deficiencies in addition to deficiencies in the Department’s patch and configuration management programs.
During the FY 2013 review, the OIG/OAI identified 12 access control deficiencies at 8 locations. In particular, eight account management weaknesses were identified at six locations, including inadequately managed user access privileges and failure to perform periodic management reviews of user accounts. The report details that:
- Access privileges at six locations were not appropriately established, modified, reviewed, disabled and/or removed.
- All six locations failed to remove terminated or inactive user accounts in a timely manner.
- One site had not disabled all inactive users who had not logged into the system within the past 60 days despite the requirement to do so.
- At another site, user accounts with elevated privileges remained active even though users had not logged in for more than 3 years.
“Although one site had implemented tools necessary to ensure that remote access to its network and information systems was secure or properly protected,” the report details, “several remote access weaknesses were identified at the site.” The OIG/OAI also noted that its auditors found that multi-factor authentication for privileged users had not been implemented on systems – including some that could potentially contain sensitive data such as personally identifiable information. Furthermore, five remote access accounts belonging to terminated users had not been disabled in a timely manner.
Other findings documented in the report include:
- One site had 11 network server systems and devices that were configured with default or easily guessed login credentials or that required no authentication for access. These configuration vulnerabilities could have allowed an attacker to obtain unauthorized access to the affected devices and the data stored on them.
- Some of the vulnerabilities could have allowed malicious programs to attack other systems on the internal network.
- Although the site had updated policies and procedures designed to address the identified weakness, the implementation of those policies and procedures was not effective.
- One site maintained seven servers/systems running network services that were configured with open access settings that could have allowed remote systems to obtain access to data on the system without the use of login credentials.
- Sensitive financial data and personnel payroll information were accessible through one of those servers.
- Once the site became aware of the issue, management took corrective action to restrict access and remove sensitive data from servers that had open access settings.
The report notes that, although the Department had made improvements since the FY 2012 review, the OIG/OAI continued to identify issues related to patch management of desktop computers and network systems at six locations. “The weaknesses consisted of varying degrees of vulnerable applications and operating systems missing security updates and/or patches,” the report stated, “including 3 critical and more than 200 high-risk vulnerabilities.”
Site and management officials told the OIG/OAI that they had “accepted the risks associated with many of the vulnerabilities”; however, they could not always provide documentation to support a risk acceptance decision. The auditors also noted that in a number of cases, compensating controls were insufficient to address the observed vulnerabilities. During the course of the audit, more than 100 of the network systems tested were running operating systems and application support platforms without current security patches or security configurations for known vulnerabilities whose fixes had been released more than 30 days prior to testing. The OIG/OAI also identified 23 network server systems running operating system versions that were no longer supported by the vendor.
As noted in the report, the danger of unpatched systems was demonstrated in July 2013, when an “unpatched application provided the vector for attackers to breach a system at Headquarters containing significant amounts of sensitive information.” As a result, personally identifiable information for more than 100,000 current and former employees, employee dependents and contractors was exfiltrated. The OIG is actively conducting a criminal investigation into the matter and is in the process of performing a special inquiry into the circumstances that contributed to the event. Despite requirements established in FISMA implementing guidance, the Department did not report detailed security information for more than 450 systems operated by its contractors. Given that the majority of the vulnerabilities the auditors discovered during this review and in past years involved contractor-operated systems, such disclosures are both relevant and necessary.
The auditors also identified five weaknesses related to configuration management of information systems at three locations. The weaknesses involved inadequate implementation of configuration change control procedures, failure to develop standard baseline configurations for all systems and insufficient documentation of application change controls. Examples of findings include:
- At two sites, configuration change control procedures had not been implemented consistently even though procedures had been documented.
- The auditors identified 15 changes to a firewall configuration at one site that were not in accordance with configuration management plan procedures.
- Officials at a site had not documented, retained or reviewed information system changes.
- At the aforementioned site, the auditors were unable to obtain or review changes implemented in FY 2013. As such, the OIG/OAI could not determine whether changes were adequately documented, tested and approved prior to implementation.
- One site had not developed or documented an organizational configuration management policy and related procedures for managing hardware and software. Even though the site maintained standard baseline configurations for centrally managed operating systems and applications, the OIG/OAI found that a minimum security configuration policy and requirements for non-centrally managed systems had not been established or documented.
- Another site had weaknesses related to managing its application change control process. Although the site used an application to track and monitor configuration changes, the auditors found that change requests for the application had not been documented and maintained. Rather, all change requests had been made verbally to the developer, and no change control forms had been completed.
If you’ve ever worked in an organization the size of the DoE, you are likely not that surprised by the audit findings. We, as security professionals, tend to focus on the most recent and highly publicized threat vectors and attacker methodologies. We also tend to forget about securing the low-hanging fruit, such as ensuring default credentials have been changed, access is controlled, and detected vulnerabilities are elevated for deeper investigation. What could have been done, and what can still be done, to address the audit findings? Here are a few tips:
- Deploy centrally administered host-based firewalls to control access to the server and application ports that are too sensitive to leave exposed to attack.
- Employ two-factor authentication that allows you to define policy assignment by server group, with automatic updates as group members change.
- Identify events of interest (EoI) in application and operating system logs that could indicate a potential problem.
- Deploy effective file integrity monitoring and intrusion detection technology to ensure applications and operating systems do not deviate from the approved baseline – and generate an alert should they ever drift.
- Deploy system configuration security tools to monitor deviations in certified configuration standards.
- Centrally administer local user accounts to enforce password complexity, group membership, and account expiration timelines – and alert on deviations from the accepted standard.
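The last tip above, and the account management findings earlier on the page (inactive accounts past the 60-day limit, terminated users still enabled, privileged accounts idle for years), come down to a periodic account review that someone actually runs. The script below is an added example, not code from the report or the DoE; it applies those rules to a constructed account export. The 60-day limit is the requirement the report cites; the 30-day limit for privileged accounts and the field names are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# 60-day inactivity limit is the requirement cited in the report; the
# 30-day limit for privileged accounts is an assumption for this example.
INACTIVITY_LIMIT = timedelta(days=60)
PRIVILEGED_LIMIT = timedelta(days=30)

@dataclass
class Account:
    username: str
    enabled: bool
    privileged: bool
    terminated: bool             # HR record says the person has left
    last_login: Optional[date]   # None means the account has never logged in

def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that break a review rule."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                              # already disabled: nothing to flag
        if a.terminated:
            findings.append((a.username, "terminated-user-still-enabled"))
            continue
        if a.last_login is None:
            findings.append((a.username, "never-logged-in"))
            continue
        idle = today - a.last_login
        if idle > INACTIVITY_LIMIT:
            findings.append((a.username, "inactive-over-60-days"))
        if a.privileged and idle > PRIVILEGED_LIMIT:
            findings.append((a.username, "privileged-account-stale"))
    return findings

# Constructed sample export; the review date is the last day of FY 2013.
TODAY = date(2013, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, True, False, date(2013, 9, 15)),       # privileged, used 15 days ago: OK
    Account("svc_backup", True, True, False, date(2010, 5, 1)),  # privileged, idle over 3 years
    Account("old_user", True, False, False, date(2013, 6, 1)),   # idle 121 days, still enabled
    Account("left_user", True, False, True, date(2013, 8, 1)),   # terminated, never disabled
    Account("contractor", False, False, True, date(2013, 1, 1)), # terminated and disabled: OK
    Account("new_hire", True, False, False, None),               # enabled but never used
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
```

Feeding the output to a ticketing or alerting system, rather than a spreadsheet, is what turns this from an audit artifact into the deviation alert the tip describes.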