Education Department OIG uncovers IT vulnerabilities
Longstanding weaknesses in the Education Department’s information technology systems leave it vulnerable to attacks, according to a report this month from the agency’s inspector general.
“[T]he Department has not remediated outstanding issues from previous OIG audit reports and our work showed that 5 of the 11 reporting metrics contained repeat or modified repeat findings from reports issued from FY 2011 through 2013,” according to the report.
The department’s systems store large amounts of confidential data — from financial records to personally identifiable information on its employees and on students across the nation — which, if left vulnerable, could be accessed from outside the federal government, the IG said. It also warned that employees or contractors within the department could target and potentially exploit that data.
Along with the risk of some sort of data breach, unauthorized activities or excessive use of the resources in the department’s IT systems could make the systems unreliable and put data at risk.
The OIG declined to give FedScoop more detail on the extent of the vulnerabilities.
Penetration and vulnerability testing of a major system at the Federal Student Aid office exposed missing patches that resulted in the high-severity findings; however, the number of vulnerabilities was low, according to the report. The OIG declined to tell FedScoop which system was tested, saying that “to maintain the integrity of the department’s critical data, this information is not publicly shared.”
The vulnerabilities were discovered through the inspector general’s annual Federal Information Security Management Act of 2002 audit. The audit also exposed problems with incident response and with reporting requirements to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team.
According to the findings, the agency’s Office of the Chief Information Officer did not report 9 percent of the security incidents that hit its systems during fiscal year 2014. U.S. CERT guidelines, however, require that all computer-related malicious code incidents be reported within an hour if the code has spread widely across agency networks, or daily if the incident is isolated.
One of the eleven malicious code incidents the department encountered was never reported to U.S. CERT, the report said.
U.S. CERT guidelines also require agencies to report any instance of improper network usage or a violation of a security policy each week, and any unauthorized access attempt each month. According to the OIG, the department did not report two improper usage incidents and one attempted access event.
“Not reporting incidents to U.S. CERT as required could impede U.S. CERT’s ability to properly analyze the information to identify trends and precursors of attacks,” the OIG report said. “It is critical to notify U.S. CERT so it can effectively assist in coordinating communications with the other agencies in handling incident response and reporting.”
In addition to reporting to U.S. CERT, some agency guidelines require the department to report information security incidents to law enforcement; however, according to the OIG, 94 percent of the sampled incidents that should have been reported were not.
However, according to the department’s management team comments, a new system to aid in reporting these incidents should be in place by the end of June 2015.
The OIG also said the department’s system authorization procedure needed to be improved. According to the report, by March 2014 the department had 242 systems in its inventory, but 30 percent of those systems were operating on the department’s network with expired system authorization documentation.
“Our review identified many deficiencies in system security plans, authorization to operate documents, security assessment reports and expired system authorizations,” the report said. “We found that 72 systems have been operating on the department’s network on expired system authorization documentation to include security authorizations, self-assessment dates and contingency plans that were not timely tested.”
According to a somewhat redacted portion of the report, the CIO’s office also does not have an inventory of its encrypted USB storage drives, something required by a White House Office of Management and Budget policy. According to the report, at some point during the year, a user lost an unencrypted USB drive that contained department data.
“Failure to properly account for its USB drives could lead to data leakage or exposure of sensitive departmental information, especially for unencrypted USB drives,” the report said.
In addition to not having a USB drive inventory, the agency did not restrict some unauthorized devices from connecting to the department’s network. In one instance, an unauthorized device connection led to the introduction of a virus from a contractor that then connected to an unapproved system through an unrestricted port.
The OIG also reported that the Federal Student Aid office did not have a system in place to phase out using Social Security numbers as the primary identifiers for students accessing aid system networks, as required by an OMB memorandum.
“FSA explained that the use of SSNs for account management was necessary and required for a valid agency purpose,” the report said. “Our primary concern is that the continued use of SSNs as the primary identifier when authenticating via a public website could increase the risk of [personally identifiable information] exposure and ultimately identity theft.”
The CIO’s office also does not restrict employees from accessing agency networks via virtual private networks on their own nongovernmental devices. Under NIST guidelines, an agency that allows VPN access from a personal device should use a network access control procedure to ensure that such devices do not upload or download unauthorized files to and from the network. The OIG also reported that mobile devices with root access are allowed to connect to the network, which poses a security risk because the OCIO cannot detect which devices are rooted.
According to the OIG, the department mostly complied with standards required by OMB, DHS, and the National Institute of Standards and Technology, especially with continuous monitoring, security training and security capital planning metrics.
All told, the OIG issued 13 new recommendations as well as seven modified recommendations that were repeated from past reports because the department had not acted on them.
Among the recommendations were provisions requiring the agency to put two-factor authentication — required by DHS and OMB policies — in place. According to the OIG, the two-factor authentication was not established for the agency’s Web mail application. The OCIO intended to retire the single-factor authentication system by September of this year, but according to the report, the system remains in place.
The Education Department’s chief information officer’s office did not respond to FedScoop’s requests for comment on the OIG report.