Continuous monitoring at State Dept. has weaknesses, says GAO
A custom-coded State Department continuous monitoring tool has limitations, says the Government Accountability Office.
In a report dated July 8--but not posted online until Aug. 8--GAO auditors say State has been at the forefront of federal efforts to develop and implement a continuous monitoring capability. The department has an application dubbed iPost that monitors its global unclassified network, OpenNet.
OpenNet has tens of thousands of hosts and about 5,000 routers and switches. But iPost is only capable of scanning Windows machines, the report says. Windows servers and workstations comprise a majority of devices on the network, but GAO auditors nonetheless note that mainframes, databases, non-Windows machines and other devices on the network fall outside of the continuous monitoring application's scope.
Even machines that fall within iPost's scope are not always monitored according to schedule, the report adds. According to State policy, each host should come under an iPost scan once a week, but a GAO review of scanning data for 15 sites during an 8-week period in summer 2010 showed that only 7 percent of weekly scans successfully checked all Windows hosts. A slight majority--54 percent--of scans captured between 80 and 99 percent of hosts.
A host might not be scanned because it is turned off, or its Internet protocol address isn't included in the scan's range, or iPost lacks permission, GAO says. iPost cannot scan tens of thousands of machines at once without significant network performance degradation, meaning the department must establish scanning schedules.
Even when successful, scans don't necessarily check each control setting as expected and sometimes produce false positives, the report also says. One scanning tool wasn't consistently updated with new data from the National Vulnerability Database because its vendor had not issued the updates, GAO auditors also say.
The iPost dashboard of at-risk sites can also be based on obsolete data, the report adds. The length of time it takes for scan results to be uploaded into iPost from the staging database is inconsistent. As a result, six of the 15 sites examined by the GAO had vulnerability scores based on data from two scans ago. "Consequently, iPost users may make risk management decisions based on inaccurate or incomplete data," the report says.
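As an added example, not code from the article or from iPost, the two data-quality checks the GAO auditors applied can be run over a weekly scan log: the share of scans that reached all, 80 to 99 percent, or fewer of a site's Windows hosts, and which sites' dashboard scores rest on data from two scans ago. The site names, host inventory and scan records below are constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Scan:
    site: str
    week: int           # week index; higher means newer
    hosts_scanned: int  # Windows hosts the scanner actually reached
    uploaded: bool      # results made it from staging into the dashboard

# Constructed inventory of in-scope Windows hosts per site (not real data).
INVENTORY = {"site-A": 100, "site-B": 250, "site-C": 40}

# Constructed weekly scan log, one scan per site per week (not real data).
SCANS = [
    Scan("site-A", 1, 100, True), Scan("site-A", 2, 92, True),
    Scan("site-A", 3, 100, False), Scan("site-A", 4, 100, False),
    Scan("site-B", 1, 200, True), Scan("site-B", 2, 240, True),
    Scan("site-B", 3, 238, False),
    Scan("site-C", 1, 30, True), Scan("site-C", 2, 40, True),
    Scan("site-C", 3, 40, True),
]

def coverage_bucket(scan, inventory):
    """'full' = every host checked, 'partial' = 80-99%, 'poor' = below 80%."""
    ratio = scan.hosts_scanned / inventory[scan.site]
    if ratio >= 1.0:
        return "full"
    return "partial" if ratio >= 0.8 else "poor"

def coverage_summary(scans, inventory):
    """Share of weekly scans in each bucket, the way the GAO review tallied them."""
    counts = Counter(coverage_bucket(s, inventory) for s in scans)
    return {k: counts[k] / len(scans) for k in ("full", "partial", "poor")}

def stale_dashboard_sites(scans, lag_threshold=2):
    """Sites whose dashboard score is at least lag_threshold scans behind.

    The dashboard reflects the newest uploaded scan; a lag of 2 means the
    score shown comes from two scans ago, the condition GAO found at 6 sites.
    """
    newest_done, newest_uploaded = {}, {}
    for s in scans:
        newest_done[s.site] = max(newest_done.get(s.site, 0), s.week)
        if s.uploaded:
            newest_uploaded[s.site] = max(newest_uploaded.get(s.site, 0), s.week)
    return {site: done - newest_uploaded.get(site, 0)
            for site, done in newest_done.items()
            if done - newest_uploaded.get(site, 0) >= lag_threshold}
```

Run `coverage_summary(SCANS, INVENTORY)` and `stale_dashboard_sites(SCANS)` against a real scan export to get the same two tables the auditors built; the lag threshold is adjustable for stricter freshness policies.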
iPost helps identify, monitor and prioritize the mitigation of vulnerabilities, "but it does not provide a complete view of the information security risks to the department," the report says.
For more:
- download the report, GAO-11-149 (.pdf)