Commerce’s Office of the Secretary used default passwords for endpoint detection

Early last year, all it would have taken for a bad actor to breach the Department of Commerce Office of the Secretary’s endpoint protection software was to search for commonly used default passwords for such tools on Google, and the first result would’ve gotten them in.

That’s according to a new report from a Commerce Office of the Inspector General audit, which found that the Office of the Secretary in March 2022 did not have properly configured tools to detect cyber incidents. On top of that, once notified of an incident, the office did not effectively respond to simulated attacks or manage its incident detection and response program in accordance with federal law.

But it all started with the default passwords, per the report.

“When testing OS endpoints, specifically its standard laptops, we observed that OS [security operations center] was using the vendor’s default password to protect access to the local administrator console of its endpoint protection tool,” the IG wrote.

It’s Commerce policy to change a default password once a new solution is installed, tested and configured.

“It is well known that security is only as strong as its weakest links, and default passwords are one of them,” the report says. “Changing a default password is a fundamental security practice and should be quickly prioritized to eliminate an easy path of compromise.”

Yet, with a quick Google search, the IG was able to quickly find a commonly used default password. With that, hypothetically, an intruder could access the administrator console for the office’s endpoint protection solution to disable it and move on laterally into the network.

“As illustrated here, any OS user could log in to the local administrator console by performing a simple web search to identify the default password. Specifically, searching Google for the product default password revealed the password as the first search result,” the report reads. “By using the easily found password to log in to the console, attackers could disable safeguards on the endpoint, such as malware protection and monitoring of web browsing, allowing them to circumvent the tool’s protections. With the tool effectively disabled, attackers could then perform lateral movement to reach more valuable targets within OS.”

Perhaps most egregious, it took 24 days after being notified by the IG of the problem for the office’s CIO to then change the passwords. The DOC Office of the Secretary has its own CIO to serve the needs of the office, separate from the Commerce’s departmentwide CIO

“During our fieldwork, we validated that the default password was changed; however, taking 24 days to make that change demonstrated that prompt action was not taken to fix a significant security weakness,” the report says.

To add additional fuel to the flames, the IG found the endpoint security tool wasn’t properly configured anyway and didn’t detect 98% of the IG’s simulated attacks.

Finally, when it came to responding to those attacks once they were discovered, the team once again dropped the ball, the IG reported.

“Altogether, we exfiltrated more than 100,000 records that contained fictious PII in formats such as spreadsheets and PDFs,” the report says. “We selected this number because CISA defines a loss of 100,000 records as the threshold for a major incident. Our exfiltration utilized multiple network protocols in both encrypted and plain-text formats. We conducted more than 30 successful exfiltration attempts of varying quantities of records that went undetected, including instances of 100,000 records each. Only one instance was automatically blocked and reported by [the office’s data loss prevention] tool. However, OS [local area network team] did not take any action in response to this single instance.”

In addition to the issues described already, the office also failed to use an adequate digital forensics process, communicate adequately with the larger Commerce enterprise security team or adhere to federal cybersecurity requirements to ensure systems have an authority to operate. The office itself didn’t have its own incident response plan.

As a result of the IG’s findings, the office has “taken meaningful steps” to correct the issues, per a response from Commerce’s departmentwide CIO Andre Mendes. That includes ensuring default passwords are no longer used, earning an ATO for all endpoint protection tools and replaced any outdated tools. The office also hired someone to serve as an information systems security officer for governance, risk and compliance, who is responsible the office’s cybersecurity policies and governance.