IG: Interior Has 3,000 Vulnerabilities
House Panels Explore Link Between Interior IT, OPM Breach. CEO Richard Blech Comments.
While the debate on Capitol Hill rages on publicly, the hacker is regrouping and preparing for the next successful attack, post-OPM. An immediate and aggressive response to the loss of millions of Americans' sensitive data is not as critical as protecting the data at the core. Using strong encryption and multi-factor authentication to provide access to said data would eliminate the conversation about spending more taxpayer money on assessing the situation and how to clean up the mess.
At a hearing on the role the Interior Department played in a recent breach at the Office of Personnel Management, the Interior deputy inspector general painted a picture of how a hacker might have breached the agency’s computer system.
Interior Deputy IG Mary Kendall, in remarks prepared for the July 15 House hearing, said an IG investigation of the OPM breach “found that a remote attacker could … use a compromised computer to attack the department’s internal or nonpublic computer networks.”
Kendall did not link the nearly 3,000 vulnerabilities the IG found in Interior’s IT systems to the OPM breach. However, the IG office characterized the vulnerabilities found in hundreds of publicly accessible computers operated by three of the agency’s bureaus as either “critical” or “high-risk.” “If exploited,” she said, “these vulnerabilities would allow a remote attacker to take control of publicly accessible computers or render them unavailable.”
The House Oversight and Governmental Reform Subcommittees on Information Technology and Interior held the joint hearing to explore the role the Department of Interior played in a recent OPM breach. Interior’s computers housed OPM personnel file databases in which the personally identifiable information of 4.2 million government employees and retirees was exposed. Another OPM breach, unrelated to the Interior Department, exposed the PII of 21.5 million individuals who had sought security clearances. Agents of the Chinese government are the leading suspects in the cyber-attacks, according to James Clapper, the director of national intelligence.
Loss of Sensitive Data Possible
Kendall, in her prepared remarks, said Interior’s internal networks host computer systems that support mission-critical operations and contain highly sensitive data, explaining that a successful cyber-attack against these internal computer networks could severely degrade or even cripple the department’s operations, potentially causing the loss of sensitive data.
“These deficiencies occurred because the department did not effectively monitor its publicly accessible systems to ensure they were free of vulnerabilities or isolate its publicly accessible systems from its internal computer networks to limit the potential adverse effects of a successful cyber-attack,” she said.
The IG has prepared a report documenting the vulnerabilities related to the OPM breach and made a series of recommendations to mitigate the identified cyberthreats. A draft of the IG report was made available to the committee and department, but has yet to be publicly published. According to the committee’s website, the IG identified as areas of high concern the lack of inventory of IT resources as well as the lack of network segmentation between public facing and internal websites.
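The two areas of high concern named above, a missing inventory of IT resources and no segmentation between public-facing and internal systems, are both things an audit team can check mechanically once the inventory and firewall policy exist as data. The following is an added example, not code from the article or from the Interior IG report: it takes a constructed asset inventory tagged by zone and a constructed first-match firewall rule list, reports every case where a public-facing host is permitted to reach an internal host on a sensitive port, and reports addresses seen in a (constructed) scan that no one recorded in the inventory. All hostnames, addresses, ports and rules are sample values.

```python
"""Segmentation and inventory check over constructed data.

Added example, not part of the original article or the IG report. It models the
two findings quoted above as data and checks them: (1) can any public-facing host
reach an internal host? (2) are there hosts on the wire that are not inventoried?
"""
import ipaddress

# Constructed inventory: every host the organisation knows about, with its zone.
INVENTORY = {
    "www1": {"ip": "203.0.113.10", "zone": "public"},
    "www2": {"ip": "203.0.113.11", "zone": "public"},
    "hrdb1": {"ip": "10.20.0.5", "zone": "internal"},
    "fileshare": {"ip": "10.20.0.9", "zone": "internal"},
}

# Constructed firewall policy: (src_cidr, dst_cidr, dst_port or None, action).
# Evaluated in order, first match wins; None matches any port.
RULES = [
    ("0.0.0.0/0", "203.0.113.0/24", 443, "allow"),          # Internet -> web tier
    ("203.0.113.0/24", "10.20.0.0/16", 1433, "allow"),      # weak rule: DMZ -> internal DB
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),               # default deny
]

# Hardened policy: the same rules with the DMZ -> internal rule removed, so the
# web tier can no longer open connections into the internal network.
HARDENED_RULES = [r for r in RULES if r != ("203.0.113.0/24", "10.20.0.0/16", 1433, "allow")]


def is_allowed(rules, src_ip, dst_ip, port):
    """Return True if the first matching rule allows src -> dst:port."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for src_cidr, dst_cidr, rule_port, action in rules:
        if (s in ipaddress.ip_network(src_cidr)
                and d in ipaddress.ip_network(dst_cidr)
                and (rule_port is None or rule_port == port)):
            return action == "allow"
    return False  # nothing matched: treat as deny


def public_to_internal_paths(inventory, rules, ports=(22, 445, 1433, 3389)):
    """List (src, dst, port) triples where a public host may reach an internal one."""
    findings = []
    for sname, s in inventory.items():
        if s["zone"] != "public":
            continue
        for dname, d in inventory.items():
            if d["zone"] != "internal":
                continue
            for port in ports:
                if is_allowed(rules, s["ip"], d["ip"], port):
                    findings.append((sname, dname, port))
    return findings


def unknown_hosts(inventory, observed_ips):
    """Addresses observed on the network that are absent from the inventory."""
    known = {h["ip"] for h in inventory.values()}
    return sorted(set(observed_ips) - known)


# Constructed scan result: one address that nobody recorded in the inventory.
OBSERVED = ["203.0.113.10", "203.0.113.11", "203.0.113.57", "10.20.0.5", "10.20.0.9"]

if __name__ == "__main__":
    for finding in public_to_internal_paths(INVENTORY, RULES):
        print("public host can reach internal host:", finding)
    print("after hardening:", public_to_internal_paths(INVENTORY, HARDENED_RULES))
    print("hosts not in inventory:", unknown_hosts(INVENTORY, OBSERVED))
```

With the weak rule in place the check reports every web-tier host reaching every internal host on port 1433, which is exactly the exposure the IG describes: a compromised public system becomes a foothold against internal networks. Removing that rule empties the finding list. The inventory check is deliberately simple; its value is that an address no one owns is surfaced before it is exploited rather than after.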
Interior CIO Sylvia Burns, in her prepared remarks, acknowledged the IG’s findings and recommendations, promising lawmakers that the department will incorporate the recommendations in its cybersecurity action plan. She said the vulnerabilities identified by the IG have been corrected by the three bureaus. Neither witness identified the three bureaus in their prepared testimonies.
Burns said the department “immediately and aggressively” responded to the breach that resulted in the loss of OPM data.
Need for More Examiners
Kendall, in her testimony, said the increased cyberthreat facing Interior means the IG office needs additional examiners.
She said Congress provided the funding for the IG to hire two IT audit staffers for the current fiscal year, which ends Sept. 30, but did not fund a request for fiscal year 2016, which begins Oct. 1, to hire a dedicated staffer for its insider threat program. She said the IG’s fiscal year 2017 budget request would seek funding for two IT staffers to conduct cybersecurity audits.
Article courtesy of Data Breach Today.