'Significant deficiencies' in VA cybersecurity


Significant deficiencies in configuration management and identity management pervaded Veterans Affairs Department information technology during the last fiscal year, says an audit commissioned by the department's office of inspector general.

The audit, the latest edition of an annual review of security practices at the VA required under the Federal Information Security Management Act, also attaches the "significant deficiency" tag to access controls. In addition, it says incident response teams let a high number of known malware infections fester for more than 30 days. In March 2012, the VA launched a new effort dubbed the Continuous Readiness in Information Security Program--aka CRISP--meant to improve multiple areas of security management, and it has resulted in improvements, the audit says. Nonetheless, VA must "continue to address control deficiencies existing in other areas across all VA locations," the audit says.

Overall, many security weaknesses identified in the audit "can be attributed to VA's ineffective enforcement of its agency-wide information security risk management program and ineffective communication from senior management to the individual field offices," the audit says.

When it comes specifically to configuration management deficiencies, the auditors say assessments of web-based applications uncovered several instances of insecurely configured web services that could allow a malicious user unauthorized access to VA systems. Vulnerability assessments also found a "significant number" of insecure configuration settings on databases that would allow any user to gain unauthorized access to critical system information.

As for identity management and access control, the audit notes the continued presence of weak passwords and numerous instances of users granted unnecessary system privileges. It also notes that multifactor authentication for remote access via a virtual private network hadn't been uniformly implemented.

The audit makes 32 recommendations in all, although two were closed during fiscal 2012 because VA successfully remediated the underlying risk, and another was closed because it was superseded by a more current one.

For more:
- download the report, No. 12-01712-229 (PDF)

Related Articles:
State-sponsored groups infiltrated VA IT systems
IG: VA transmitting sensitive data over unencrypted carrier network
VA data exchange practices lack security