The Department of Commerce’s Office of Inspector General has called on the Census Bureau to improve its cyber incident detection and alerting capabilities after a penetration test identified several key vulnerabilities.
In a heavily redacted report published Nov. 22, the watchdog recommended the agency’s chief information officer implement the periodic review of Active Directory permissions, implement advanced authentication security controls and develop alerts that align with common detection methods for known cyberattacks.
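Two of those recommendations, the periodic review of Active Directory permissions and alerts aligned with common detection methods, lend themselves to a concrete check. The following Python script is an added illustration and is not code from the OIG report, the red team or the Census Bureau: it compares a snapshot of privileged Active Directory group membership against an approved baseline (the periodic review) and raises an alert when a security event adds a member to one of those groups. The group names are the standard built-in privileged groups; the account names, the baseline, the snapshot and the sample events are constructed. Event IDs 4728, 4732 and 4756 are the real Windows Security event IDs for a member being added to a security-enabled global, local or universal group; how the snapshot is exported from a domain controller is left to the reader.

```python
"""Periodic review of privileged Active Directory group membership, plus an
alert rule for membership changes.  Added example; all names and events
below are constructed sample data, not data from the Census Bureau report."""
from dataclasses import dataclass

# Built-in AD groups whose members effectively hold domain-wide control.
PRIVILEGED_GROUPS = {
    "Domain Admins",
    "Enterprise Admins",
    "Schema Admins",
    "Administrators",
    "Account Operators",
    "Backup Operators",
}

# Windows Security event IDs: "A member was added to a security-enabled
# global (4728) / local (4732) / universal (4756) group".
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

# Approved baseline: who is supposed to be in each privileged group.
# Constructed for this example.
APPROVED_BASELINE = {
    "Domain Admins": {"da-alice", "da-bob"},
    "Enterprise Admins": {"ea-carol"},
    "Schema Admins": set(),
    "Administrators": {"da-alice"},
    "Account Operators": set(),
    "Backup Operators": {"svc-backup"},
}

# A fresh membership snapshot, as a periodic export would produce it.
# Constructed: one unexpected addition, one unexpected removal.
CURRENT_SNAPSHOT = {
    "Domain Admins": {"da-alice", "da-bob", "jdoe"},
    "Enterprise Admins": {"ea-carol"},
    "Schema Admins": set(),
    "Administrators": {"da-alice"},
    "Account Operators": set(),
    "Backup Operators": set(),
}


def review_membership(baseline, current):
    """Compare a membership snapshot against the approved baseline.

    Returns {group: {"added": set, "removed": set}} for every privileged
    group whose membership drifted; an empty dict means no drift."""
    findings = {}
    for group in PRIVILEGED_GROUPS:
        approved = baseline.get(group, set())
        actual = current.get(group, set())
        added = actual - approved      # in the directory but not approved
        removed = approved - actual    # approved but no longer present
        if added or removed:
            findings[group] = {"added": added, "removed": removed}
    return findings


@dataclass(frozen=True)
class SecurityEvent:
    """Minimal view of a group-membership security event (constructed)."""
    event_id: int
    subject: str   # account that performed the change
    member: str    # account that was added
    group: str     # target group


# Constructed sample events: one privileged add, one non-privileged add,
# one unrelated event (4720 = user account created).
SAMPLE_EVENTS = [
    SecurityEvent(4728, "helpdesk-01", "jdoe", "Domain Admins"),
    SecurityEvent(4728, "helpdesk-01", "jdoe", "Marketing"),
    SecurityEvent(4720, "helpdesk-01", "new-user", ""),
]


def alert_on_privileged_group_change(events):
    """Return one alert string per event that adds a member to a privileged group."""
    alerts = []
    for ev in events:
        if ev.event_id in GROUP_ADD_EVENT_IDS and ev.group in PRIVILEGED_GROUPS:
            alerts.append(
                f"ALERT: {ev.subject} added {ev.member} to {ev.group} "
                f"(event {ev.event_id})"
            )
    return alerts


if __name__ == "__main__":
    for group, drift in review_membership(APPROVED_BASELINE, CURRENT_SNAPSHOT).items():
        print(f"DRIFT in {group}: added={sorted(drift['added'])} "
              f"removed={sorted(drift['removed'])}")
    for line in alert_on_privileged_group_change(SAMPLE_EVENTS):
        print(line)
```

The review catches changes that slipped past logging, and the event rule catches them as they happen; running both closes the window in which an unauthorized domain administrator account, like the one the red team obtained, would go unnoticed.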
While the penetration testing team was unable to breach the agency’s external defenses, once Census allowed them into its networks to simulate a successful breach, they were able to move around with ease.
“Once the Bureau provided the red team with an internal foothold under an assumed breach scenario, we determined that the Bureau did not have an effective cybersecurity posture in place to prevent against a simulated real-world attack,” the IG said in its report.
“Specifically, we found that the red team was able to gain unauthorized and undetected access to a Bureau domain administrator account as well as personally identifiable information (PII) of Bureau employees,” it added.
Commerce’s OIG also outlined in its findings that the red team had succeeded in reducing the bureau’s defensive options and sending fake emails.
Census is in the process of rolling out a zero-trust architecture, which is intended to prevent bad actors from moving laterally within an agency’s networks, even after they have breached the perimeter, as was the case in this simulated attack.
Commenting on the findings, a Census spokesperson said: “The Census Bureau believes the best way to ensure a robust system is to thoroughly test it using real-world attack techniques. In that spirit, we agreed to go a step further [with the penetration testing] and grant the red team special internal access to assess any potential areas of improvement. The members of the red team were vetted in advance.”
“During this exercise, the security firm identified areas of improvement and we are already taking action to make our robust cyber network even stronger. Cybersecurity has long been a core priority for the Census Bureau given our role as the nation’s leading provider of quality data. Our deep commitment to protecting data will continue,” the spokesperson added. “The bottom line: the contracted security firm was unable to access our system until we gave the red team the necessary access to complete the assessment. We value OIG’s role and appreciate the audit which allowed for a strong cyber exercise and will help us further improve our already robust cyber framework.”