IG Discovers Security Vulnerabilities at Additional Locations under Energy

Published: October 31, 2018

Cybersecurity, DOE, Information Technology

Energy’s IG identified similar security weaknesses in FY 2018 as it did the previous year, this time at additional locations around the agency.


Last year’s review of the Department of Energy’s information systems found security weaknesses in multifactor authentication, a lack of security controls at critical applications and incomplete requirements at network and remote access levels. Although many of these weaknesses were resolved, this year’s report by the IG found consistent vulnerabilities related to “configuration management, system integrity of Web applications, access controls, security awareness and privacy training, and security control testing.” The consistency in findings is largely due to the department’s failure to develop and implement security policies. Moreover, the recent report found problems at additional locations throughout the agency. Due to the sensitivity of the findings, however, the unclassified version of the report does not name the specific sites.

The issues, and some of the findings under each, include:

Vulnerability and Configuration Management

  • Despite having the necessary scanning tool in place, one specific location did not conduct necessary scans against all servers and workstations, particularly workstations running other types of operating systems.
  • Nine locations were found to be running applications no longer supported by the vendor, some of which had not been supported since July 2010, resulting in a lack of security patches for the system.
  • One site did conduct all required vulnerability scans, but the IG found that at least 934 identified critical and high-risk vulnerabilities were not ultimately remediated.
  • One location was found to have several weaknesses related to unsupported applications that were missing security updates on workstations and servers.

System Integrity of Web Applications

  • Two locations were found to have difficulties in the system integrity of web applications that specifically supported critical business functions, increasing the risk of unauthorized access to sensitive information.

Access Controls and Segregation of Duties

  • One location did not properly manage the authorization of several service accounts. As a result, the IG found eight service accounts with unauthorized access.
  • Web applications at one site were found to have inadequate access controls, leaving users able to authorize access to web pages that were strictly for privileged users.

Security and Privacy Training

  • The IG found that at four sites, proper security training requirements were not met or maintained, increasing the risk brought by uninformed system users.

Another area of concern the IG reported is the lack of testing of security controls, where continuous monitoring is required to ensure controls are implemented properly. The report states that the cyber weaknesses found can be categorized as a management challenge in the department and “without improvements to address the weaknesses identified during our evaluation, the Department’s information systems and data may be at a higher-than-necessary risk of compromise, loss, and/or modification.”