By Calvin Biesecker
The Department of Homeland Security (DHS) National Cyber Security Division (NCSD) has installed adequate physical and logical access security controls for most of its cybersecurity-related facilities and systems, but more security issues need to be addressed to bolster the cyber defense of the federal government, according to a new report by the department’s Inspector General (IG) office.
The report says that NCSD has provided adequate security measures in three of the four main information systems used by its US-CERT branch–which is responsible for coordinating the nation’s defense and response to cyber attacks–to accomplish its mission.
The three systems are the National Cybersecurity Protection System (NCPS), also known as Einstein, which includes sensors to gain situational awareness of cyber attacks; the Homeland Security Information Network (HSIN), which allows US-CERT to share security-related information; and the NCPS Public Web, which allows US-CERT to disseminate technical details of Internet threats to security practitioners, says the report, “DHS Needs to Improve the Security Posture of its Cybersecurity Program Systems” (OIG-10-111).
However, using vulnerability scanning software called Nessus at certain audit locations, the IG found that the Mission Operating Environment (MOE), which is the basic computing environment for US-CERT operations, had far more unique vulnerabilities than the other information systems, including over 200 categorized as high risk.
Overall, the report says it identified 540 unique vulnerabilities in the MOE, 89 for the NCPS, 31 for the NCPS Public Web, and 11 for the HSIN. Only the MOE had high-risk vulnerabilities. There were 106 medium-risk vulnerabilities and 363 low-risk vulnerabilities, the report says.
“Existing vulnerabilities can compromise the confidentiality, integrity, and availability of sensitive cybersecurity data,” the IG says. “Medium and low-risk vulnerabilities do not pose significant risks; therefore, our analysis of the scan results focused on the 202 unique high risk vulnerabilities identified on the MOE.”