The U.S. Department of the Interior (DOI) must update its access controls to meet current standards, according to an inspector general report issued this week. Eight of the nine systems the inspector general's office tested did not meet the minimum logical access controls outlined in the National Institute of Standards and Technology (NIST) guidelines, the report stated.
The eight systems that didn't pass muster included seven DOI systems and two contractor systems. “These deficiencies occurred because DOI has not adopted NIST's current standards and instead is following outdated standards,” Deputy Inspector General Mary L. Kendall wrote in the report. “According to NIST, federal agencies have up to one year from the date of final publication to fully comply with new security standards. The Office of the Chief Information Officer (OCIO) stated that DOI will implement the current logical access controls by December 31, 2016, more than two and a half years late.”
The report said updating the Interior Department's access controls to meet NIST guidelines would “ensure that general users do not have access to privileged functions and that audit trails are in place to monitor actions taken by privileged users to mitigate risk from insider threats.”
Standards such as the NIST guidelines are a “double edged sword,” according to Nok Nok Labs CEO Phillip Dunkelberger. “As we continue to see large repositories hold encrypted data, those targets will continue to be exploited,” he wrote in an email to SCMagazine.com about the report. “Creating a standard implementation won't make for better security.”
The inspector general report also called on the department to encrypt and securely configure its laptops and mobile phones to prevent the risk of a data breach “when these devices are lost or stolen.” The audit also said the DOI “needs the ability to inspect encrypted traffic for malicious content to prevent the loss of sensitive data.”A DOI inspector general report last year identified nearly 3,000 critical and high-risk vulnerabilities were identified in three DOI bureaus. The vulnerabilities could allow a remote attacker to take control of publicly accessible computers or render them unavailable, the 2015 report said.