Not a good steward: DHS with multiple vulnerabilities
The national government is entrusted with many aspects of our lives. The law enforcement departments are tasked with applying the laws to our daily lives and relationships. The Department of Defense (DoD) is responsible for defending the US. The Department of the Interior and other government agencies have their own duties as well. These functions are spread across many areas and departments in the national government. One such department is the Department of Homeland Security (DHS). This agency is responsible for a massive amount of confidential and sensitive information, which is allegedly safeguarded within its systems. One would expect these systems to run up-to-date InfoSec applications and state-of-the-art hardware to ensure unauthorized parties don’t access them.
In reality, the data and systems are not as secure as thought. The Office of Inspector General (OIG) examined the DHS InfoSec practices. The OIG noted many of the systems were running outdated operating systems (OS). A portion of these had not updated their security features in five (5) years, and the systems were no longer supported. This included three servers using Windows Server 2003. These servers had not received any patches since 2015, when they became end-of-life (EOL). In total, there were 64 vulnerable systems.
This is not how the DHS, or any government unit, is supposed to operate. This is not appropriate behavior, and it is potentially dangerous if these systems and servers were to be compromised, since a compromised server may give attackers a pivot point. This is not even remotely a prudent business practice. It left the DHS vulnerable to attacks, apparently even from very unskilled attackers, given the level and number of vulnerabilities noted.
Given the mission of the DHS, this is not acceptable, and it provides a lesson for the remainder of the industry. Sensitive data and systems should be protected and secured. It does not matter if these are at a small, medium, or large business; this needs to be done.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.