DoE Audit Reveals New Weaknesses, and Unpatched Older Flaws

An audit of the Department of Energy has shown that 29 new weaknesses emerged on the agency’s networks this year, in addition to 10 found in a 2012 audit that have yet to be remediated.

An audit of the Department of Energy has shown that 29 new weaknesses emerged on the agency’s networks this year, in addition to 10 existing weaknesses that the DoE failed to fix after a 2012 audit.

The audit, undertaken by the Office of Inspector General and the Office of Audits and Inspections, revealed weaknesses in security reporting, access controls, patch management, system integrity, configuration management, segregation of duties, and security management at 11 of the DoE’s 26 facilities. The audit report does not name specific locations or identify specific vulnerabilities.

It found 11 access control deficiencies distributed across eight facilities. The deficiencies at these locations included sub-par management of user access privileges, inappropriate granting of physical access to sensitive facilities, failure to implement multifactor authentication for remote access, and wide deployment of default or easily guessable log-in credentials on servers and network services.

At five locations, auditors discovered that systems administrators were doing a poor job of applying software, application, and operating system patches, leaving department machines exposed to scores of known vulnerabilities. The audit report notes that these are the sorts of weaknesses that gave attackers the ability to steal the personally identifiable information of more than 100,000 individuals stored in those systems earlier this summer.

Six locations housed machines with improperly implemented Web applications, some of which contained poorly conceived validation and user-authentication features in systems that support financial management and other sensitive functions.

Auditors identified five different configuration management weaknesses at three separate locations. IT teams at these locations failed to develop organizational configuration management policies, inconsistently implemented configuration change control procedures, and did not adequately manage application change control procedures.

At one location, the audit revealed that employee roles were neither clearly defined nor regularly followed.

The last weakness listed in the audit relates to security management: not all employees had completed the required security training. Staff also failed to report cyber security incidents, to maintain a system inventory of such events, and to regularly review the logs detailing those events.

Beyond these, the department also failed to report security information for the more than 450 contractor-operated systems, which, the report says, are the same systems that contained most of the vulnerabilities detailed in this and previous audits.

The Inspector General’s office is conducting a criminal investigation of the July 2013 attack that exposed the PII of hundreds of thousands of individuals. The results of that inquiry will be made public in a separate report at a later time.

The report issued the following recommendations to DoE staff: correct the weaknesses identified by implementing appropriate controls; ensure that policies and procedures are developed, as needed, and implemented in accordance with federal and department requirements to adequately secure systems and applications; ensure that effective performance monitoring practices are implemented to assess overall performance in protecting information technology resources; fully develop and use plans of action and milestones to prioritize and track remediation of all cyber security weaknesses requiring corrective action; and ensure that the department includes information for both federal and contractor systems when reporting the status of performance metrics annually to the Department of Homeland Security.

DoE management received the report, largely agreeing with its findings, and has committed to correcting the weaknesses identified therein.

You can read the full report here [PDF].
