Thursday, September 9, 2010

DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY PROGRAMS NOT SO SECURE

by Mickey McCarter
Thursday, 09 September 2010

DHS cyber wing could boost its own security, IG says

The cybersecurity division of the Department of Homeland Security (DHS) could itself improve the security posture of its information systems, the DHS inspector general (IG) reported Wednesday.

While the National Cybersecurity Division (NCSD) has instituted adequate physical and logistical security measures over the computer systems it uses to monitor the security of civilian government systems and to disseminate security information, the division could take further steps to ensure its defenses are as robust as they should be, said the IG report, DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems.

"To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures," the IG report stated.

The IG office focused 10 specific recommendations on the systems used by the US Computer Emergency Readiness Team (US-CERT) to monitor the dot-gov Internet domain and to provide alerts to public and private users of the Internet.

US-CERT holds responsibility for compiling, analyzing, and distributing information on cybersecurity incidents. It also provides technical assistance to federal agencies that require help in defending against cyber attacks. US-CERT also facilitates information sharing between international, federal, state, and local authorities as well as the private sector.

But the very systems US-CERT relies upon at the NCSD to do its job are not as secure as they should be, the IG report warned.

To improve the security of NCSD systems, the IG Office provided its recommendations to the National Protection and Programs Directorate (NPPD), which houses the cybersecurity wing.

The recommendations advised NCSD to address vulnerabilities in the operating systems and applications deployed on its Mission Operating Environment (MOE) network. It should further implement a software management solution that will patch its operations systems and applications automatically to forestall future vulnerabilities.

The NCSD lacks a plan of action and identifiable milestones for addressing known security vulnerabilities, so it should produce them, the IG report suggested. Moreover, the division needs a training program to provide security awareness and specific guidance on roles to its systems personnel.

The IG report further indicated that NCSD should review and approve program and system documentation for its cybersecurity program and update self-assessments for its cybersecurity systems according to DHS requirements.

The division must further conduct and document firewall testing on a quarterly basis to ensure that cybersecurity program information is adequately protected from unauthorized users. The cybersecurity unit could also do more to implement the baseline configurations prescribed by DHS for protecting the routers, servers, and workstations used in its activities.

NCSD also must conduct inspections of the offices housing its equipment to verify their physical security as per DHS specifications, the report said. Finally, it should set policy and follow-on procedures for protecting its equipment from temperature or humidity fluctuations.

In a written response to the IG findings, NPPD Undersecretary Rand Beers agreed with all ten recommendations, noting that NCSD has taken proactive steps to fulfill quite a few of them even before the completion of the report.

For example, NCSD already had purchased a software management solution and deployed it on June 30. NCSD demonstrated the system to the IG Office to make certain it fulfilled the recommendation to deploy such a system for implementing patches.

In fulfillment of another recommendation, NCSD previously had stepped up its self-assessments as well to validate its security measures.

"As required, NCSD's annual assessments for all National Cybersecurity Protection System (NCPS) systems, which include the MOE, Einstein, the US-CERT, and the Homeland Security Information Network Portals, and US-CERT's public Web site, were approved and validated by the end of February 2010. NCSD however will update its system self-assessments to include missing system information and completed appendices," Beers wrote.

http://www.hstoday.us/content/view/14648/128/

6 comments:

  1. This brings to mind the phrase "the cobbler's children..." and is an interesting view into one of our government agencies.

    One important point I'd stress here is that this report is very similar to the one we read together on the Veteran's Administration. It was prepared by an inspector general doing an audit of an organization and, due to federal law, automatically became available to the public. It's likely that many private organizations received similar reports from their auditors today that we'll never see because they are not required to disclose them.

  2. I agree that the US-CERT system can be extremely effective assuming that the NCSD does its job to protect its security. I am however hesitant to believe that they will take the necessary steps to do so. Similar to what happened in the Veteran's Administration article, I am not convinced that the NCSD will actually take the necessary steps to secure the security of the US-CERT system as opposed to making an effort to merely appear as though they are doing so. The article mentions that they have already purchased and deployed a software management solution as well as stepping up their self-assessment to validate its security measures. This is a good start. However, this is only a start and I am hesitant to predict that the effort will continue.

  3. I agree that cyber security programs at DHS may not be so secure. Cyber security has to be a constant process. The hackers will always find ways to explore vulnerabilities. A proactive approach, which involves regular vulnerability assessment tests, regular threat assessment, employee awareness programs and constant upgrade of IT security assets, is required. The department can hire personnel trained in security certifications offered by organizations such as EC-Council and CompTIA to pre-empt vulnerabilities. The problem is that many organizations still view cyber security as a mere compliance issue. Therefore, we need a change in mindset.

  4. First of all, I think it is important that these audits are taking place because a problem like this one could pose potentially disastrous effects if the information fell into the wrong hands. However, I think there is a problem when all of these security problems are being discovered by outside sources such as the IG that prepared this report. I feel that the company should be taking the responsibility to be checking their measures on a regular basis to ensure that sensitive information remains confidential from those who do not need it, retains its integrity, and is available to those who do need it.

    Second, I agree with The Black Knight that these steps are merely that. The department may have stepped up and tried to move towards more secure practices but those steps are still a long way from the optimal amount of security. As we saw with the Veteran's Administration case, initial steps do not always imply a continuation of the improvement. This report worries me because DHS protects some very precious information, and the country needs the department to make every effort to be as protected as possible. Only the future will show whether the information remains secure.

  5. One assumption that seems to be made by both The Dark Knight and kmckiern is that all the changes recommended by auditors can be made. Having had the opportunity to work on an IT security audit team before, I testify that there are instances where an [internal] audit team will be required to make a certain recommendation because actual practices do not comply with company policy - but also knowing that the recommendation is unlikely to be heeded due to technical or budgetary limitations.

    This is of course not to say that we should not expect changes to be made. But we also need to accept the fact that change will be slow - people will drag their feet if they feel their position is being undermined by the changes or if they feel that it will make their jobs significantly more burdensome. In addition, it's important to keep in mind that even when new systems are purchased, there is still a lag time for configuring the system, testing it, and training users. Failing to properly test or train users for a new system could create security issues of its own.

  6. Hey, thanks for sharing this blog; it's very helpful to implement in our work.