Critical system vulnerabilities exist at Los Alamos
Critical and high-risk weaknesses exist in the national security systems and applications of Los Alamos National Laboratory says the Energy Department's office of inspector general.
In a Feb. 11 report (.pdf), auditors say they found five critical and 15 high-risk weaknesses on Los Alamos national security systems, "including vulnerabilities that were not remediated even though patches had been available since 2008."
Vulnerabilities found include operating systems and applications without up-to-date security patches, network servers and devices with default or no passwords, systems that were accessible to remote control and five applications that accepted malicious input data.
According to LANL policy, unaddressed critical vulnerabilities are supposed to result in a blockage to the system within 24 hours, and high-risk vulnerabilities are supposed to be blocked if not resolved within 5 days.
The lab also has not fully tested its security controls, including those related to authentication, incident response and information integrity, say the auditors. When control tests were performed, says the report, they were not always robust enough to determine that controls functioned as designed. This includes one control made to prevent users from introducing removable media into an information system which did not have this function addressed in its test results.
The report also notes that LANL still relies on some risk assessments determined to be ineffective. The lab still includes results from the Rapid Assessment Process to Outlook Risk tool which was found to only assess individual threats and not how threats can be used in combination.
Auditors recommend that LANL implement and test new control systems, ensure that its risk assessments meet federal cyber security requirements and modify internal procedures to cover scanning processes for vulnerabilities on national security and unclassified environments.
National Nuclear Security Administration management concurred with each recommendation. The administration says it will develop a formal plan of action and milestones that cover the recommendations. It estimates the new internal procedures for vulnerability scanning to be in place by March 30.
- download audit report, IG-0880 (.pdf)