The Washington Times - Thursday, September 9, 2010

Taxpayers might expect that the U.S. agency charged with warning the public about computer viruses and other cyberthreats - and coordinating the federal government’s response to them - would keep its own information technology systems up-to-date with the latest security patches and software updates.

They would be wrong.

According to a new report by government auditors, systems at the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, were not maintained with updates and security patches in a timely fashion and as a result were riddled with vulnerabilities that hackers could exploit.

The report said the issue of inadequate and untimely patching had been raised by another review of the systems more than a year ago.

Homeland Security officials said the vulnerabilities have been fixed since the audit, and new procedures and equipment are in place to ensure the systems will be kept up to date.

The audit, conducted this year by the Homeland Security inspector general, scanned a number of different systems used by US-CERT with software designed to detect flaws or vulnerabilities. It found more than 670, of which 202 were classified as “high-risk” because of the severity of the damage an attacker could do to the system by exploiting them.

“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed,” states the auditors’ report, published Wednesday.

The report noted that patches were “being applied manually” to US-CERT systems and “Issues concerning [the] patching process, first identified during an April 2009 National Security Agency review,” had not been addressed at the time of the audit.

Patches are packages of software code that update or fix computer programs. Software makers distribute them regularly to address flaws they find in their products, or flaws that become apparent when computer viruses or other malicious software designed to exploit them begin to spread on the Internet.

Manual application means that individual users or sometimes software engineers have to download and install every patch, rather than the computer automatically doing so for itself.

Computer security specialists say ensuring that every computer in a large network, such as those operated by the government or a major corporation, is updated with every patch for every program it runs is a huge headache for information technology departments, even those that use automated systems.

“Patch management doesn’t work,” said one former Homeland Security official who asked not to be identified because of the sensitive subject matter. “These problems exist on every network. … Ask any IT department in any large enterprise. … There is no network that is 100 percent patched. Eighty-five percent [of machines on the network being patched] is a good number.”

The auditors’ report did not provide a figure for the percentage of machines patched on the US-CERT networks it examined.

The auditors said that of four computer systems used at US-CERT, three - including the ones used to maintain the organization’s public website and compile data about the security of government computer networks - suffered from no significant vulnerabilities.

US-CERT is part of the National Cyber Security Division at Homeland Security. Its mission, according to its website, is to provide “response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and … to disseminate reasoned and actionable cyber security information to the public.”
