Eight HHS operating divisions were tested for web application and network security and found wanting, according to a recently released OIG report.
The HHS divisions came up short in configuration management, access control, data input controls, and software patching.
To identify the vulnerabilities, OIG contracted with Defense Point Security to conduct penetration testing during FY 2016 and FY 2017.
“Our objectives were to determine whether security controls were effective in preventing certain cyberattacks, the likely level of sophistication an attacker needs to compromise systems or data, and HHS OPDIVs’ [operating divisions] ability to detect attacks and respond appropriately,” explained OIG.
The agency auditor shared with senior-level HHS IT management personnel the results of the testing, information about HHS’s cybersecurity posture, and recommendations to plug the vulnerabilities. OIG did not publicly share the recommendations.
In addition, the office provided separate reports with detailed results and recommendations to each operating division.
HHS IT management agreed with the recommendations and described actions it has taken or plans to take to ensure they are implemented. It said it would follow up with the operating divisions to ensure vulnerabilities are addressed.
“Based on the findings of this audit, we have initiated a new series of audits looking for indicators of compromise on HHS and OPDIV systems to determine whether an active threat exists on HHS networks or whether there has been a past breach by threat actors,” OIG related.
Earlier, OIG carried out wireless networking penetration testing of CMS data centers and facilities. The tests simulated cyberattacks against the wireless networks using tools and techniques employed by attackers to gain network access and steal data.
OIG identified several wireless networking vulnerabilities due to improper configurations and failure to complete upgrades that CMS had previously said were underway.
“Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations. In addition, exploitation could have compromised the confidentiality, integrity, and availability of CMS’s data and systems,” said OIG in its report.
OIG made a number of undisclosed recommendations to address vulnerabilities in the CMS wireless networks. CMS agreed with OIG’s findings and agreed to implement the recommendations.
“CMS appreciates the OIG's suggestion of controls and processes that could be improved to further reduce or mitigate risk. CMS concurred with all of the OIG findings and has already addressed several of the findings and is in the process of addressing the remaining findings,” said then Acting CMS Administrator Andrew Slavitt in a letter to OIG.
Most of the letter detailed the measures CMS had taken to secure its wireless networks.
“To secure against any potential vulnerabilities, CMS vigilantly monitors, tests, and strengthens its systems against cyber-attacks. In addition, CMS has procedures and processes in place to quickly identify, mitigate, and remove threats, in accordance with the Federal Information Security Management Act (FISMA) requirements and guidelines issued by the United States Computer Emergency Readiness Team (US-CERT),” Slavitt related.
“CMS also uses security prevention technology to protect the CMS network and identify rogue wireless access points, which OIG reported worked effectively during their testing. In addition, CMS client devices, such as laptops, are denied connections to rogue access points, when used within CMS offsite facilities,” he noted.
“The CMS Employee Wireless network requires two-factor authentication; the internal network can then only be accessed through a virtual private network (VPN) over the wireless connection. The Guest Wireless Network, which provides only public Internet access at CMS buildings, is isolated from the internal network and the CMS Employee Wireless network,” Slavitt related.
“Both wireless networks are continuously monitored and automatically block threats using a security prevention technology,” he said.
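The letter above says CMS identifies rogue access points but not how. As an added illustration of what that kind of check involves (this is example code written for this article, not the OIG's test tooling or CMS's "security prevention technology"), the script below triages a Wi-Fi scan against an allowlist of managed radios. The scan format, the SSIDs, BSSIDs and the policy table are all hypothetical and constructed inline; a real deployment would pull the allowlist from the wireless controller and feed in output from a scanner or wireless IDS sensor. It flags the three rogue cases a pentester would set up against a wireless network: an evil twin (a managed SSID broadcast by a radio we do not own), a managed radio advertising the wrong security mode (for example an open copy of the employee SSID), and a lookalike SSID that differs from a managed name by a character or two.

```python
"""
Rogue access point triage over a constructed Wi-Fi scan.

Added example, not code from the OIG report or from CMS. The scan format,
SSIDs, BSSIDs, thresholds and policy table below are all hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BSS:
    bssid: str
    ssid: str
    security: str      # "WPA2-EAP", "WPA2-PSK" or "OPEN"
    channel: int
    signal_dbm: int


# Hypothetical allowlist, normally exported from the wireless controller:
# for each managed SSID, the security mode it must advertise and the set of
# BSSIDs (radio MACs) allowed to broadcast it.
AUTHORIZED = {
    "CorpEmployee": {"security": "WPA2-EAP", "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}},
    "CorpGuest":    {"security": "OPEN",     "bssids": {"aa:bb:cc:00:00:03"}},
}

# Signal at or above this (assumed value) is treated as "on our premises": a
# neighbour's unrelated AP is noise, a strong unknown one is worth a walk-by.
NEAR_DBM = -65


def parse_scan(text):
    """Parse the constructed scan dump: one BSS per non-blank line,
    whitespace-separated 'bssid ssid security channel signal_dbm'.
    This is not the output format of iw, airodump-ng or any real tool."""
    result = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, sec, chan, sig = line.split()
        result.append(BSS(bssid.lower(), ssid, sec.upper(), int(chan), int(sig)))
    return result


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike SSIDs such as CorpEmp1oyee."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(bss, authorized=AUTHORIZED):
    """Return (verdict, reason) for one observed BSS."""
    if bss.ssid in authorized:
        policy = authorized[bss.ssid]
        if bss.bssid not in policy["bssids"]:
            # Our SSID from a radio we do not own: the classic evil twin.
            return "evil_twin", f"{bss.ssid} broadcast by unmanaged BSSID {bss.bssid}"
        if bss.security != policy["security"]:
            # Our own radio, but advertising the wrong security mode.
            return "misconfigured", f"{bss.ssid} advertises {bss.security}, policy requires {policy['security']}"
        return "authorized", ""
    for name in authorized:
        if edit_distance(bss.ssid.lower(), name.lower()) <= 2:
            # Near-miss name aimed at users who auto-join by eye.
            return "lookalike", f"{bss.ssid!r} resembles managed SSID {name!r}"
    if bss.signal_dbm >= NEAR_DBM:
        return "unknown_nearby", f"unmanaged SSID {bss.ssid!r} at {bss.signal_dbm} dBm"
    return "unknown", ""


def triage(text, authorized=AUTHORIZED):
    """Classify every BSS in a scan. Returns {verdict: [(bssid, reason), ...]}
    with authorized radios and distant unknown networks dropped."""
    findings = {}
    for bss in parse_scan(text):
        verdict, reason = classify(bss, authorized)
        if verdict in ("authorized", "unknown"):
            continue
        findings.setdefault(verdict, []).append((bss.bssid, reason))
    return findings


# Constructed scan: two legitimate radios, an evil twin of the employee SSID,
# a lookalike name, an open copy on a managed radio, and a distant neighbour.
SAMPLE_SCAN = """
aa:bb:cc:00:00:01 CorpEmployee WPA2-EAP 36 -48
aa:bb:cc:00:00:03 CorpGuest    OPEN     1  -52
de:ad:be:ef:00:01 CorpEmployee WPA2-PSK 6  -41
de:ad:be:ef:00:02 CorpEmp1oyee WPA2-PSK 11 -45
aa:bb:cc:00:00:02 CorpEmployee OPEN     40 -50
12:34:56:78:9a:bc NeighbourNet WPA2-PSK 1  -81
"""

if __name__ == "__main__":
    for verdict, items in sorted(triage(SAMPLE_SCAN).items()):
        for bssid, reason in items:
            print(f"{verdict:14} {bssid}  {reason}")
```

The security-mode check is the one most often missing from homegrown detectors: an attacker who clones the employee SSID as open or PSK relies on clients that only match on name, which is why the letter's point about client devices being denied connections to rogue access points matters as much as the detection itself.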