Who's running dozens of top-secret unpatched databases? The Dept of Homeland Security

The US Department of Homeland Security is running dozens of unpatched databases, some of which are rated "secret" and even "top secret," according to an audit.

An inspection [PDF] of the department's IT infrastructure found huge security gaps, including the fact that 136 systems had expired "authorities to operate" – meaning that no one was in charge of keeping them updated. Of the 136, 17 were classified as "secret" or "top secret."

Unsurprisingly, with so many systems not undergoing active maintenance, the audit found that many did not have up-to-date security patches, leaving them open to hacking efforts. The problems extended from browsers to PCs to databases. It also found a large number of weak passwords.

"We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations," the department's inspector general noted in a 66-page report. "If exploited, these vulnerabilities could allow unauthorized access to DHS data."

The report details a year-long effort to get the DHS to address its security issues, and a seemingly bureaucratic effort to delay a report announcing the flaws in its systems.

The report notes that "improvements have been made," but highlights a series of worrying discrepancies. "For example, DHS does not include its classified system information as part of its monthly information security scorecard," says the report. In other words, it is lacking basic security reviews of its systems. The audit also found "inaccurate or incomplete data" in the DHS' management systems.

Recommendations

The report makes six recommendations, two of which have since been resolved. Homeland Security has 90 days to fix the remainder, which are: adding its classified systems to the monthly scorecard (a recommendation the DHS has actually formally disagreed with); running compliance programs the whole year "instead of peaking during the months leading up to annual reporting"; checking that the data inputted over security checks is actually accurate; and making the monthly scorecard accurate.

Overall, despite the dense, jargon-filled reporting, it is clear that the DHS' security is dire. Worse, however, is the fact that it doesn't know how bad its security is because its own security audits are lacking. In short, it is a disaster waiting to happen – if it hasn't happened already.

In case you are interested in the worst parts of the DHS in terms of unsecured databases, top of the list comes the Coast Guard with 26, followed by FEMA with 25, Customs and Border Protection with 14, and the DHS' headquarters with 11.

Best of bunch was the Secret Service with just two, but even it failed miserably to hit overall targets. It managed to put just 75 per cent of its secret or top secret databases through the proper security checks, and just 58 per cent of its non-secret databases. The DHS targets are 100 per cent and 75 per cent respectively. ®