DHS websites vulnerable to exploits amid lacking cybersecurity training
The Office of Inspector General issued a report on the Department of Homeland Security's cybersecurity practices earlier this week.
The Department of Homeland Security (DHS) needs to better coordinate among its various offshoots, as well as address multiple other issues when it comes to the agency's cybersecurity, according to a new Office of Inspector General (OIG) report.
The performance audit included nine OIG recommendations that primarily concern the development of a department-wide cyber strategy and a security training program. Of the nine issued recommendations, only two remain unresolved.
Individuals with major security responsibilities haven't received “annual specialized security training,” for example.
“When the required specialized training is not provided, components cannot ensure that their personnel with significant security responsibilities have the appropriate skills and knowledge to properly administer and secure systems against potential attacks,” OIG wrote.
This finding didn't go unnoticed, however. DHS acknowledged the lack of training and said by November 30 it would “leverage any/all applicable Virtual University training opportunities related to information system security.”
The report also identified a variety of vulnerabilities on internal websites. Although the OIG didn't deem these bugs “critical,” it said they could allow “unauthorized individuals to gain access to sensitive data.”
Among the flaws were cross-frame scripting vulnerabilities, which could be used to mislead an authentic user into turning over sensitive information, and a structured query language (SQL) injection vulnerability that could lead to the modification of supporting infrastructure, including databases. U.S. Immigration and Customs Enforcement (ICE), which is part of DHS, confirmed it doesn't use a vulnerability assessment tool to scan its websites.
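The two weakness classes named above, shown beside the controls a defender would apply. This is an added example, not code from the OIG report, DHS or the article; the in-memory table, the names in it and the response headers are constructed for illustration.

```python
"""Added example: a concatenated SQL query (the injection pattern the OIG
flagged) next to its parameterized replacement, and a check for the
response headers that stop a page being embedded in a third-party frame
(the control against cross-frame scripting).  All data is constructed."""
import sqlite3


def demo_db():
    # Constructed in-memory table standing in for a "supporting database".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, clearance TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)",
                     [("Alice", "secret"), ("O'Brien", "public")])
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation makes the caller's text part of the SQL statement
    # itself, so characters in the input can change what the query does.
    sql = "SELECT clearance FROM staff WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Bound parameters keep data and code separate: the driver never parses
    # the value as SQL, so a quote in the input is just a character.
    sql = "SELECT clearance FROM staff WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def query_breaks(conn, name):
    # True if the concatenated query fails to parse for this input, the
    # tell-tale sign that input was interpreted as SQL rather than as data.
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def framing_protected(headers):
    """Return True if the response carries a header browsers honour to refuse
    embedding the page in a foreign frame: X-Frame-Options DENY/SAMEORIGIN,
    or a Content-Security-Policy with a frame-ancestors directive."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = h.get("content-security-policy", "")
    return "frame-ancestors" in csp.lower()


if __name__ == "__main__":
    conn = demo_db()
    print("parameterized O'Brien ->", lookup_parameterized(conn, "O'Brien"))
    print("concatenated query breaks on O'Brien ->", query_breaks(conn, "O'Brien"))
    print("DENY header protects ->", framing_protected({"X-Frame-Options": "DENY"}))
    print("no header protects ->", framing_protected({"Content-Type": "text/html"}))
```

A scanner of the kind ICE said it does not run checks for exactly these two conditions: whether quote characters in input reach the SQL parser, and whether every authenticated page answers with one of the framing headers above.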
While the OIG report didn't exactly paint a rosy picture of the department's cybersecurity practices, the group acknowledged that DHS had “strengthened coordination in performing their cyber missions.”