Security Weaknesses Found in USPTO Systems

Published: April 12, 2017

Tags: Cybersecurity, Information Technology, PTO

A Commerce inspector general report found several vulnerabilities leading to the potential undermining of USPTO systems.

Released on March 24, 2017, an Inspector General (IG) report outlined several security risks in how the United States Patent and Trademark Office (USPTO) secured its vital systems.

The USPTO is the agency responsible for examining, approving and registering patents and trademarks for the innovative concepts of individuals and entities. Securing the agency's systems is therefore increasingly important. The IG report states that "USPTO relies on its 56 information systems, some of which use cloud computing services."

The report examined a handful of these systems and found the following agency faults:

  1. Failed to implement the required security controls for cloud-based subsystems
  2. Used non-Federal Risk and Authorization Management Program (FedRAMP) compliant cloud services without proper security assurance
  3. Deficiently implemented fundamental security controls, which increased the cybersecurity risk of USPTO systems

It is this last point on which I will focus most of my attention.

Infrastructure systems under the agency consist of servers and databases that support the application systems that process and store mission-critical information. USPTO uses virtualization technology to host those servers and databases which include Enterprise UNIX Servers (EUS) and Database Services (DBS). These servers and databases support the following application systems:

  1. PE2E – the Patent End-to-End next generation system for case and workflow management
  2. TMNG – the Trademark Next Generation system for processing trademark applications
  3. PSS-PS – the Patent Search System-Primary Search and Retrieval system, a legacy system for U.S. and foreign patent data queries
  4. PSS-SS – the Patent Search System-Specialized Search and Retrieval System, which provides access to highly specialized scientific or technology-based data
  5. TPS-ES – the Trademark Processing System External Systems, which provides support and allows users to complete and register domestic and international trademarks

In examining EUS, the IG found that 70 servers supporting legacy systems had operating systems that were no longer supported by the latest versions of software products, leaving room for serious security vulnerabilities. The agency was aware of these unsupported systems but repeatedly extended the upgrade deadline and accepted the risk within the servers because of other pressing business needs.

Moreover, 21 databases within DBS were found to be unsupported by updated software products; 16 of these were labeled "susceptible to critical vulnerabilities," and 7 had been unsupported for as long as 6-7 years. The delay in these upgrades was caused by ineffective coordination between the operations teams responsible for maintaining the databases.

To top it off, policy mandates that the agency scan all system components on a quarterly basis. The IG found that in FY 2015, 85% of hypervisors (critical system components that host the virtualization infrastructure) had not been scanned at all that year. Not scanning these critical components leaves security weaknesses undiscovered. Furthermore, the IG found that 66% of databases had not been scanned in Q4 FY 2016, likewise leaving unknown and unaddressed weaknesses in the data stored on those systems. These limited and inconsistent scanning practices, coupled with incomplete inventories of system components and scans run without proper credentials, left systems exposed and allowed potentially unknown weaknesses to persist. Again, the agency attributed the lapses to a lack of coordination between the cybersecurity and operations teams.
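As an added illustration of the gaps described above (unsupported operating systems and databases, components not scanned within the quarter, and scans run without credentials), here is a small Python audit over a constructed component inventory. This is example code written for this article, not the IG's or USPTO's tooling; every component name, platform label and date in it is made up, and the checks assume an inventory that records each component's vendor end-of-support date and last scan.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Component:
    name: str
    kind: str                        # "hypervisor", "server" or "database"
    platform: str                    # assumed OS/DBMS label (made up)
    end_of_support: Optional[date]   # vendor end-of-support date; None if still supported
    last_scan: Optional[date]        # date of the most recent vulnerability scan; None if never
    credentialed: bool               # whether that scan used credentials


# Constructed sample inventory; names, platforms and dates are fictitious.
SAMPLE_INVENTORY = [
    Component("hv-01", "hypervisor", "hypervisor-vX", None, date(2016, 11, 2), True),
    Component("hv-02", "hypervisor", "hypervisor-vX", None, None, False),
    Component("hv-03", "hypervisor", "hypervisor-vX", None, date(2016, 10, 15), True),
    Component("eus-legacy-01", "server", "unix-legacy", date(2012, 6, 30), date(2016, 12, 15), False),
    Component("eus-02", "server", "unix-current", None, date(2016, 12, 20), True),
    Component("dbs-03", "database", "dbms-v12", None, date(2016, 11, 10), True),
    Component("dbs-07", "database", "dbms-v9", date(2010, 1, 31), date(2016, 5, 1), True),
    Component("dbs-12", "database", "dbms-v12", None, date(2016, 12, 1), True),
]


def quarter_start(as_of: date) -> date:
    """First day of the calendar quarter containing as_of."""
    first_month = 3 * ((as_of.month - 1) // 3) + 1
    return date(as_of.year, first_month, 1)


def years_unsupported(component: Component, as_of: date) -> float:
    """Years elapsed since the component's end-of-support date (0.0 if supported)."""
    if component.end_of_support is None or component.end_of_support >= as_of:
        return 0.0
    return round((as_of - component.end_of_support).days / 365.25, 1)


def audit(inventory, as_of: date):
    """Return findings keyed by check name, each a sorted list of component names.

    - unsupported: platform is past its vendor end-of-support date
    - not_scanned_this_quarter: no scan since the start of the current quarter
    - uncredentialed_scan: scanned this quarter, but without credentials
    """
    start = quarter_start(as_of)
    findings = {"unsupported": [], "not_scanned_this_quarter": [], "uncredentialed_scan": []}
    for c in inventory:
        if years_unsupported(c, as_of) > 0:
            findings["unsupported"].append(c.name)
        if c.last_scan is None or c.last_scan < start:
            findings["not_scanned_this_quarter"].append(c.name)
        elif not c.credentialed:
            findings["uncredentialed_scan"].append(c.name)
    return {k: sorted(v) for k, v in findings.items()}


def coverage_by_kind(inventory, as_of: date):
    """Percentage of each component kind that had a credentialed scan this quarter."""
    start = quarter_start(as_of)
    totals, covered = {}, {}
    for c in inventory:
        totals[c.kind] = totals.get(c.kind, 0) + 1
        if c.last_scan is not None and c.last_scan >= start and c.credentialed:
            covered[c.kind] = covered.get(c.kind, 0) + 1
    return {kind: round(100.0 * covered.get(kind, 0) / n, 1) for kind, n in totals.items()}


if __name__ == "__main__":
    as_of = date(2016, 12, 31)
    for check, names in audit(SAMPLE_INVENTORY, as_of).items():
        print(f"{check}: {', '.join(names) or 'none'}")
    for c in SAMPLE_INVENTORY:
        if years_unsupported(c, as_of):
            print(f"{c.name} ({c.platform}) unsupported for {years_unsupported(c, as_of)} years")
    print("credentialed scan coverage this quarter:", coverage_by_kind(SAMPLE_INVENTORY, as_of))
```

The two reports map directly onto the IG's findings: the first lists the specific components behind each weakness, and the second gives the per-kind coverage figure (comparable to the 85% and 66% numbers above) that shows whether the quarterly scanning policy is actually being met. An uncredentialed scan is reported separately because it does count as a scan but sees far less than a credentialed one.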

The IG also discovered weak passwords used to log into these systems, as well as multiple unauthorized ports and running services on system components, all of which increased the security risk to these systems.

Among the 11 recommendations the IG made for USPTO to better protect its systems, it recommended that the agency develop and implement a plan to prioritize resources for component upgrades and replacements. Additionally, the IG suggested that accurate inventories of hardware and software products be established, and that effective coordination between the Cybersecurity Division and operations teams be instituted for credentialed scanning and scan reporting.

As reported, USPTO agreed to all recommendations and is working to remediate its multiple security issues.