Homeland Security Running Hundreds of Sensitive, Top Secret Databases Vulnerable to Attacks

TN Note: Reckless handling of data by the supposed “experts” has been exposed, but hardly remedied. Data leaks (i.e., hackers) are not the primary concern of technocrats, because no matter what small portion is leaked, they reason that they still have the entire original data, which can only be analyzed by themselves.

The Department of Homeland Security is running hundreds of sensitive and top secret databases without the proper authorization, leaving the agency unsure if it can “protect sensitive information” from cyber attacks.

An audit released publicly Thursday by the inspector general found multiple areas of weaknesses within the agency’s information security programs.

Specifically, the department is operating 136 “sensitive but unclassified,” “Secret,” and “Top Secret” systems with “expired authorities to operate.”

“As of June 2015, DHS had 17 systems classified as ‘Secret’ or ‘Top Secret’ operating without [authorities to operate] ATOs,” the inspector general said. “Without ATOs, DHS cannot ensure that its systems are properly secured to protect sensitive information stored and processed in them.”

Leading the agencies operating unsecured databases was the Coast Guard with 26, followed by the Federal Emergency Management Agency with 25, and Customs and Border Protection with 14.

The Department of Homeland Security headquarters is operating 11, and the Transportation Security Administration is running 10 sensitive or secret systems with expired authorizations.

The audit also found that security patches were missing for computers, Internet browsers, and databases, and weak passwords left the agency’s information security vulnerable.

“We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations,” the inspector general said. “If exploited, these vulnerabilities could allow unauthorized access to DHS data.”

The review, which was mandated by the Federal Information Security Modernization Act of 2014, found that internal websites were also susceptible to “clickjacking” attacks and “cross-site and cross-frame vulnerabilities.”

“Cross-site and cross-frame scripting vulnerabilities allow attackers to inject malicious code into otherwise benign websites,” the inspector general said. “A clickjacking attack deceives a victim into interacting with specific elements of a target website without user knowledge, executing privileged functionality on the victim’s behalf.”

Read full story here…
