The system used to read 2010 census paper forms contained security vulnerabilities, finds a just-released Commerce Department inspector general report dated Sept. 25.

Parts of the Decennial Response Integration System (DRIS), designed by Lockheed Martin (NYSE: LMT), were made up of Microsoft (NASDAQ: MSFT) workstations that were not configured to prevent removable devices such as USB thumb drives from automatically executing code, auditors say.

The report notes that the potential for a security breach was minimized by the system's seclusion from the Internet and that Lockheed Martin and the Census Bureau began mitigation of the security holes after an initial briefing.

But, putting DRIS through the certification and accreditation process almost two years before it went into operation without a rigorous continuous monitoring program opened the door for vulnerabilities to creep in, according to the report.

In addition to finding that some system components lacked the patch that disables automatic code execution from removable media, auditors also found that workstation audit settings weren't in compliance with the Federal Desktop Core Configuration.
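A read-only check for the AutoRun hardening the auditors found missing, written here as an added example rather than anything from the report or the DRIS build: it reads the two Microsoft-documented registry values (the NoDriveTypeAutoRun policy bitmask and the HonorAutorunSetting value that the AutoRun update adds) under the Explorer policy key, and the function name Get-AutoRunPosture is an assumption of this example.

```powershell
# Added example (not from the IG report): audit AutoRun posture on a Windows workstation.
# Read-only; run on the host being assessed. Interprets the documented values:
#   NoDriveTypeAutoRun  - bitmask of drive types with AutoRun disabled (0xFF = all)
#   HonorAutorunSetting - 1 once the AutoRun update is applied, so the mask is honored

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPosture {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    $mask  = $null
    $honor = $null
    if ($null -ne $props) {
        if ($null -ne $props.NoDriveTypeAutoRun)  { $mask  = [int]$props.NoDriveTypeAutoRun }
        if ($null -ne $props.HonorAutorunSetting) { $honor = [int]$props.HonorAutorunSetting }
    }

    $removableBit = 0x04   # DRIVE_REMOVABLE: USB thumb drives and similar media
    $findings = @()

    if ($null -eq $mask) {
        $findings += 'NoDriveTypeAutoRun not set: AutoRun allowed on every drive type'
    } elseif (($mask -band $removableBit) -eq 0) {
        $findings += ('NoDriveTypeAutoRun=0x{0:X2} still permits AutoRun on removable drives' -f $mask)
    }
    if ($honor -ne 1) {
        $findings += 'HonorAutorunSetting is not 1: AutoRun update (or its setting) not applied'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        NoDriveTypeAutoRun  = $mask
        HonorAutorunSetting = $honor
        Compliant           = ($findings.Count -eq 0)
        Findings            = $findings
    }
}

# Report the posture of this workstation; a compliant host shows an empty Findings list.
Get-AutoRunPosture | Format-List
```

The same function can be run across a fleet with Invoke-Command to spot the inconsistent configuration the report describes; a continuous monitoring program would schedule it rather than relying on a one-time accreditation check.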

Vulnerabilities in servers had "the potential to allow an attacker immediate access into a machine or allow highly-privileged access," the report states. Lockheed Martin officials at first told auditors that the server settings couldn't be changed because legacy applications wouldn't work otherwise, but later told auditors that the legacy software had been updated.

"Routers and switches were running insecure services as defined by an industry benchmark and DRIS's own network design document," the report adds.

In all, configuration settings weren't defined and documented per departmental policy, auditors conclude. Since the Census Bureau and Lockheed Martin took steps to remediate the vulnerabilities, the only recommendation the final report makes is that Census ensure that configuration settings be defined, documented and implemented.

Rebecca Blank, the Census under secretary for economic affairs, said in the bureau's official response that it will do so.

For more:
- download the report, OAE-19888 (.pdf)