Homeland Security Running Hundreds of Sensitive, Top Secret Databases Vulnerable to Attacks

Systems running on expired authorizations

November 19, 2015

The Department of Homeland Security is running hundreds of sensitive and top secret databases without the proper authorization, leaving the agency unsure if it can "protect sensitive information" from cyber attacks.

An audit released publicly Thursday by the inspector general found multiple areas of weakness within the agency’s information security programs.

Specifically, the department is operating 136 "sensitive but unclassified," "Secret," and "Top Secret" systems with "expired authorities to operate."

"As of June 2015, DHS had 17 systems classified as ‘Secret’ or ‘Top Secret’ operating without [authorities to operate] ATOs," the inspector general said. "Without ATOs, DHS cannot ensure that its systems are properly secured to protect sensitive information stored and processed in them."

Leading the agencies operating unsecured databases was the Coast Guard with 26, followed by the Federal Emergency Management Agency with 25, and Customs and Border Protection with 14.

The Department of Homeland Security headquarters is operating 11, and the Transportation Security Administration is running 10 sensitive or secret systems with expired authorizations.

The audit also found that security patches were missing for computers, Internet browsers, and databases, and that weak passwords left the agency’s information security vulnerable.

"We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations," the inspector general said. "If exploited, these vulnerabilities could allow unauthorized access to DHS data."

The review, which was mandated by the Federal Information Security Modernization Act of 2014, found that internal websites were also susceptible to "clickjacking" attacks and "cross-site and cross-frame vulnerabilities."

"Cross-site and cross-frame scripting vulnerabilities allow attackers to inject malicious code into otherwise benign websites," the inspector general said. "A clickjacking attack deceives a victim into interacting with specific elements of a target website without user knowledge, executing privileged functionality on the victim’s behalf."

"Exploitation of these weaknesses could give unauthorized users access to sensitive government data," they said.

The report follows another review by the agency watchdog that found that the department is facing major management and performance challenges with border security, transportation security, and cybersecurity.

The inspector general said that the department has made some improvements to its information security but is not complying with all of its requirements.

"For example, DHS does not include its classified system information as part of its monthly information security scorecard or its [Federal Information Security Modernization Act] FISMA submission to [the Office of Management and Budget] OMB," the report said.

"Further, DHS Components are not maintaining their information security programs on a year-round, continuous basis," the inspector general said.

"Without addressing these deficiencies, the Department cannot ensure that its systems are properly secured to protect sensitive information stored and processed in them," they said.
