- Texas man arrested for powder-letter hoax
- Islamic State opens ‘marriage bureau’ for single jihadists
- Drone almost blocks California firefighting planes
- Tornado rips off roofs, downs trees near Boston
- GOP: Environmental rules keeping agents from accessing border
- John Kerry: Millions displaced by religious fighting in 2013
- Federal appeals court rules against Virginia’s gay marriage ban
- White House says Russia ‘losing’ war in Ukraine
- Hamas turns to North Korea for weapons deal, Iran for money
- Syrian casualties surge as jihadis consolidate
Audit finds lapses in federal cybersecurity
Readiness team not ready itself
Question of the Day
Taxpayers might expect that the U.S. agency charged with warning the public about computer viruses and other cyberthreats - and coordinating the federal government’s response to them - would keep its own information technology systems up-to-date with the latest security patches and software updates.
They would be wrong.
According to a new report by government auditors, systems at the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, were not maintained with updates and security patches in a timely fashion and as a result were riddled with vulnerabilities that hackers could exploit.
The report said the issue of inadequate and untimely patching had been raised by another review of the systems more than a year ago.
Homeland Security officials said the vulnerabilities have been fixed since the audit, and new procedures and equipment are in place to ensure the systems will be kept up to date.
The audit, conducted this year by the Homeland Security inspector general, scanned a number of different systems used by US-CERT with software designed to detect flaws or vulnerabilities. It found more than 670, of which 202 were classified as “high-risk” because of the severity of the damage an attacker could do to the system by exploiting them.
“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed,” states the auditors’ report, published Wednesday.
The report noted that patches were “being applied manually” to US-CERT systems and “Issues concerning [the] patching process, first identified during an April 2009 National Security Agency review,” had not been addressed at the time of the audit.
Patches are packages of software code that update or fix computer programs. Software makers distribute them regularly to address flaws they find in their products or that become apparent because computer viruses or other malicious software designed to exploit them begins to spread on the Internet.
Manual application means that individual users or sometimes software engineers have to download and install every patch, rather than the computer automatically doing so for itself.
Computer security specialists say ensuring that every computer in a large network, such as those operated by the government or a major corporation, is updated with every patch for every program it runs is a huge headache for information technology departments, even those that use automated systems.
“Patch management doesn’t work,” said one former Homeland Security official who asked not to be identified because of the sensitive subject matter. “These problems exist on every network. … Ask any IT department in any large enterprise. … There is no network that is 100 percent patched. Eighty-five percent [of machines on the network being patched] is a good number.”
The auditors’ report did not provide a figure for the percentage of machines patched on the US-CERT networks it examined.
The auditors said that of four computer systems used at US-CERT, three - including the ones used to maintain the organization’s public website and compile data about the security of government computer networks - suffered from no significant vulnerabilities.
US-CERT is part of the National Cyber Security Division at Homeland Security. Its mission, according to its website, is to provide “response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and … to disseminate reasoned and actionable cyber security information to the public.”
© Copyright 2014 The Washington Times, LLC. Click here for reprint permission.
TWT Video Picks
By Richard Rahn
Treaty would let tyrants peer into Americans' financial information
- D.C. seeks to stay judge's order allowing gun owners to carry in public
- Illegal immigrants demand representation in White House meetings
- Hillary Clinton: Forget Obama, George W. Bush made her 'proud to be an American'
- Iraqi Christians rally at White House: 'Obama, Obama, where are you?'
- Romney would win popular vote in rematch against Obama: CNN poll
- White House says Russia 'losing' war in Ukraine
- Babson College, BYU win top spots in Money magazine's college rankings
- Tennessee Gov. Haslam slams White House for secret dump of illegals in his state
- White House defends Kerry failure to broker Middle East cease-fire
- DeSean Jackson working on offensive cohesiveness with Redskins teammates
Obama's biggest White House 'fails'
Celebrities turned politicians
Athletes turned actors
20 gadgets that changed the world
Fighting in Iraq