The National Oceanic and Atmospheric Administration opened itself to cyberattacks by “inadequately” managing three active directories and failing to secure “prime targets” like user credentials, according to an audit published Thursday.
The Department of Commerce Office of Inspector General found the National Environmental Satellite, Data, and Information Service; National Weather Service; and National Marine Fisheries Service all had accounts with “excessive” privileges that were improperly managed, as well as “vulnerable” end-of-life systems running.
Some of the vulnerabilities OIG found were exploited in the Colonial Pipeline and DarkSide and REvil ransomware attacks, in which hackers gained unauthorized remote access to U.S. entities, and NOAA‘s mission to provide hazardous weather forecasts and warnings is life-or-death.
“NOAA active directories have a significantly increased risk of successful cyberattacks,” reads the OIG report. “This illustrates the need for periodic evaluations of all NOAA active directories to identify and quickly remediate weaknesses.”
OIG recommended NOAA’s chief information officer periodically ensure all active directory accounts adhere to the principle of least privilege, a National Institute of Standards and Technology guideline whereby access is limited to function areas required by users’ roles and responsibilities.
The audit found 58 accounts on 202 computers had unneeded local administration privileges enabling them to install malicious software or disable anti-virus software and granting them full data access. Another 12 users had remote access to computers or the ability to make unintended security settings changes, all of which the active directories have begun to address.
OIG further recommended NOAA’s CIO determine if line offices can use the specialized active directory security tools it used in its audit for periodic reviews, as well as occasionally ensure accounts comply with management requirements using those tools when possible. The CIO must require compensating controls for service accounts that can’t regularly change passwords, according to the audit.
That’s because OIG found 296 accounts were enabled but not used in the last 60 days, 48 account passwords were older than 90 days, 102 account passwords weren’t set to ever expire and 356 account passwords had never expired — highlighting NOAA’s lack of uniform password requirements.
“NOAA demonstrated explicit interest in the use of specialized security tools — utilized during the audit — to proactively identify similar active directory issues in other NOAA active directories,” reads the report. “Furthermore, NOAA plans to create guidance documentation and compensating controls, which will support preemptive measures related to the security weaknesses identified in this report.”
Lastly OIG recommended NOAA’s CIO establish plans for upgrading or decommissioning computers with end-of-life operating systems, having found 739 computers using vulnerable OSes. Currently NESDIS is drafting a decommissioning plan; NWS removed all three of its problematic systems; and NMFS is remediating 576 systems, addressing nine others and keeping three because of computers’ need for their scientific equipment.
OIG removed detailed information on specific systems from its report for security reasons at NOAA’s request. NOAA has until April 4 to submit an action plan to OIG on how the three active directories intend to finish implementing its recommendations.
NOAA concurred with those recommendations in a letter dated Jan. 19.
“We thank the OIG for highlighting areas for improvement and referencing specific tools to enhance our security posture,” reads the letter. “We are actively working to address the findings and are working on enterprise solutions that will help fully address findings and recommendations.”