Who's running dozens of top-secret unpatched databases? The Dept of Homeland Security

Irony alert

The US Department of Homeland Security is running dozens of unpatched databases, some of which are rated "secret" and even "top secret," according to an audit.

An inspection [PDF] of the department's IT infrastructure found huge security gaps, including the fact that 136 systems had expired "authorities to operate" – meaning that no one was in charge of keeping them updated. Of the 136, 17 were classified as "secret" or "top secret."

Unsurprisingly, with so many systems not undergoing active maintenance, the audit found that many did not have up-to-date security patches, leaving them open to hacking efforts. The problems extended from browsers to PCs to databases. It also found a large number of weak passwords.

"We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations," the department's inspector general noted in a 66-page report. "If exploited, these vulnerabilities could allow unauthorized access to DHS data."

The report details a year-long effort to get the DHS to address its security issues, and a seemingly bureaucratic effort to delay a report announcing the flaws in its systems.

The report notes that "improvements have been made," but highlights a series of worrying discrepancies. "For example, DHS does not include its classified system information as part of its monthly information security scorecard," says the report. In other words, it is lacking basic security reviews of its systems. The audit also found "inaccurate or incomplete data" in the DHS' management systems.


The report makes six recommendations, two of which have since been resolved. Homeland Security has 90 days to fix the remainder, which are: adding its classified systems to the monthly scorecard (a recommendation the DHS has actually formally disagreed with); running compliance programs the whole year "instead of peaking during the months leading up to annual reporting"; checking that the data inputted over security checks is actually accurate; and making the monthly scorecard accurate.

Overall, despite the dense, jargon-filled reporting, it is clear that the DHS' security is dire. Worse, however, is the fact that it doesn't know how bad its security is because its own security audits are lacking. In short, it is a disaster waiting to happen – if it hasn't happened already.

In case you are interested in the worst parts of the DHS in terms of unsecured databases, top of the list comes the Coast Guard with 26, followed by FEMA with 25, Customs and Border Protection with 14, and the DHS' headquarters with 11.

Best of bunch was the Secret Service with just two, but even it failed miserably to hit overall targets. It managed to put just 75 per cent of its secret or top secret databases through the proper security checks, and just 58 per cent of its non-secret databases. The DHS targets are 100 per cent and 75 per cent respectively. ®

Similar topics

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading

Biting the hand that feeds IT © 1998–2022