Cybersecurity weaknesses persist in Energy unclassified systems
Cybersecurity weaknesses at the Energy Department's unclassified networks overall decreased in the last fiscal year compared to the previous, but the types and severity of known weaknesses "remained consistent with prior years," the departmental office of inspector general says.
In the public version of an annually required report (.pdf), auditors say they identified 38 different types of vulnerabilities in unclassified systems, a decrease from the 56 they found in fiscal 2011.
But, 16 of the extant vulnerabilities were carry-overs from previous years and occurred, in part, because DOE elements continue to lack a fully developed and implemented cybersecurity program, auditors say.
Plans of action and milestones--the mechanisms by which federal agencies are meant to track remediation of vulnerably--excluded 28 of the vulnerabilities auditors found in their fiscal 2011 review. Of the vulnerabilities that were captured by POA&M reports, 39 percent were unremediated past the due date for their resolution, including 74 that were at least 1 year past due, auditors say.
As for specific vulnerabilities, auditors found not atypical instances of unpatched operating systems or applications. Of the 1,952 desktops examined by auditors, 1,132 ran software with patches at least 3 months old missing. Auditors found "at least 157 network systems" running operating systems or application support platforms lacking patches or current configuration settings at least 30 days old.
They also say they found 28 web applications at eight locations vulnerable to cross-site scripting attacks and another six applications at three locations that had flaws that would allow an attacker to gain unauthorized access to a database.
Studies have shown that common security precautions would foil most network penetrations.
- download the report, DOE/IG-0877 (.pdf)
Cyber attacks on critical infrastructure could have been foiled with common precautions
Western Area Power Administration desktops have high risk vulnerabilities, say auditors
ICS-CERT issues search engine and exploit tool alert to critical infrastructure operators