Watchdog slams laptop security at Dept. of the Interior

Nearly 12,000 Interior Department laptops are inadequately protected against the theft of personally identifiable information due to poorly configured software.

In a management advisory obtained by FedScoop, the department’s Deputy Inspector General Mary Kendall wrote that a large number of laptops have their full-disk encryption software configured to run post-boot user authentication, which can be hacked relatively easily. Interior laptops were previously set to run pre-boot authentication, the software’s default setting and the one recommended by the National Institute of Standards and Technology.

Pre-boot authentication requires a number of steps — username and password or PIV card, plus a PIN — before users can load their laptop’s operating system and encryption key. Post-boot authentication only requires login after an OS and key have been loaded.

With post-boot authentication, laptops are vulnerable to a variety of attacks, including direct memory access hacks. The Dec. 21 memo warns that all a person needs to commit a direct memory access attack on a stolen or lost laptop is free software, a $30 network card and cable, and 15 minutes of spare time. Once the encryption key is extracted, everything stored on the laptop from employee Social Security numbers to login information for department networks is exposed.

The IG’s office discovered the security flaw while conducting an evaluation of the department’s cybersecurity measures which it published last July.

According to the memo, the configuration was changed by low-level officials without conducting a valid risk assessment. Since 2012, the department has documented 64 incidents in which laptop drives were lost or stolen without pre-boot authentication.

When a meeting was held in August 2015 to address the security flaw, the department reported that 14,426 of its 40,695 laptops were incorrectly configured. As of Nov. 16, the department reduced that figure to 11,593.

The department’s cybersecurity measures have come under fire since it was discovered that information stolen in last year’s Office of Personnel Management hack was taken from Interior Department servers.

Additionally, Interior CIO Sylvia Burns stated last March the department would be ramping up its use of two-factor authentication.

The memo recommends Burns mandate the use of pre-boot authentication on all laptops, as well as implement a monitoring and enforcement program that mitigates noncompliant systems.

When asked about the report, a spokeswoman said the Interior Department “takes this finding very seriously and we are currently working to resolve the misconfigurations, based upon the Inspector General’s recommendations.”

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.