The Department of Homeland Security Severely Lacks In IT Security

The Department of Homeland Security Severely Lacks In IT Security

This post is also available in: heעברית (Hebrew)

You’d think that as an agency tasked with security, the Department of Homeland Security (DHS) would be for the challenge of maintaining its own security. Apparently, that couldn’t be further from the truth.

Turns out, the DHS is running hundreds of databases – many of them extremely sensitive and top-secret – without the proper security or authorization policies. A recent security audit by the Inspector General found that the agency is not always able to “protect sensitive information” from cyber attacks. The audit found multiple areas of weakness in the security programmes of the DHS.

The audit implicates 136 instances of the Department operating “sensitive but unclassified,” “Secret,” and “Top Secret” systems with “expired authorities to operate (ATOs).” The Inspector General said that “without ATOs, DHS cannot ensure that its systems are properly secured to protect sensitive information stored and processed in them.”

The US Coast Guard was found to be operating the highest number of unsecured databases, with 26 such instances. The Federal Emergency Management Agency follows in a close second with 25, and the Customs and Border Protection agency has 14. DHS’ headquarters alone were found to operate 11 unsecured databases, and the Transportation Security Administration has 10 sensitive or secret systems without up-to-date authorizations.

General IT best – or even minimal – practices are not followed by the agency, either. Security patches for operating systems, web browsers, servers, and databases are not regularly updated, leaving the agency’s networks highly vulnerable.

“Exploitation of these weaknesses could give unauthorized users access to sensitive government data,” the office of the Inspector General said.