The Department of Homeland Security is running well over a hundred sensitive and classified systems without current authorization to operate, leaving the agency unable to say whether it can “protect sensitive information” stored in them from cyber attacks.
An audit released publicly Thursday by the inspector general found multiple areas of weaknesses within the agency’s information security programs.
Specifically, the department is operating 136 “sensitive but unclassified,” “Secret,” and “Top Secret” systems with “expired authorities to operate.”
“As of June 2015, DHS had 17 systems classified as ‘Secret’ or ‘Top Secret’ operating without [authorities to operate, or ATOs],” the inspector general said. “Without ATOs, DHS cannot ensure that its systems are properly secured to protect sensitive information stored and processed in them.”
Leading the components operating systems with expired ATOs was the Coast Guard with 26, followed by the Federal Emergency Management Agency with 25, and Customs and Border Protection with 14.
The Department of Homeland Security headquarters is operating 11, and the Transportation Security Administration is running 10 sensitive or secret systems with expired authorizations.
The audit also found that security patches were missing from workstations, Internet browsers, and databases, and that weak password settings left the agency’s information vulnerable.
“We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations,” the inspector general said. “If exploited, these vulnerabilities could allow unauthorized access to DHS data.”
The review, which was mandated by the Federal Information Security Modernization Act of 2014, found that internal websites were also susceptible to “clickjacking” attacks and “cross-site and cross-frame vulnerabilities.” A clickjacking attack is only possible when a page can be loaded inside a frame on another site, so the standard check is whether the server sends an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive that forbids it.
“Cross-site and cross-frame scripting vulnerabilities allow attackers to inject malicious code into otherwise benign websites,” the inspector general said. “A clickjacking attack deceives a victim into interacting with specific elements of a target website without user knowledge, executing privileged functionality on the victim’s behalf.”
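The framing precondition for clickjacking can be checked from response headers alone. The following is an added example, not code from the inspector general’s report or from any DHS system: it parses the two headers that control framing, applies the precedence browsers use (a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options when both are present, and the obsolete ALLOW-FROM value is ignored by current browsers), and reports whether an arbitrary third-party origin could embed the page. The sample responses and host names are constructed for the example.

```javascript
// Added example (not from the OIG report): decide from response headers
// whether another origin could load a page in an iframe, which is the
// precondition for the clickjacking attack the report describes.

function normalizeHeaders(headers) {
  // Lower-case header names so lookups are case-insensitive.
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null when
  // the policy has no such directive (then X-Frame-Options still applies).
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'(.*)'$/, '$1').toLowerCase());
    }
  }
  return null;
}

function assessFraming(rawHeaders) {
  // Returns { framable, reason }; framable is true when an arbitrary
  // third-party origin can embed the page.
  const h = normalizeHeaders(rawHeaders);
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    // CSP frame-ancestors takes precedence over X-Frame-Options.
    if (ancestors.length === 0 || ancestors.includes('none')) {
      return { framable: false, reason: "CSP frame-ancestors 'none'" };
    }
    // A bare wildcard or a scheme-only source such as "https:" lets any site frame the page.
    const open = ancestors.some((a) => a === '*' || /^[a-z][a-z0-9+.-]*:$/.test(a));
    return open
      ? { framable: true, reason: 'CSP frame-ancestors allows any origin' }
      : { framable: false, reason: 'CSP frame-ancestors restricted to ' + ancestors.join(' ') };
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, reason: 'X-Frame-Options ' + xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { framable: true, reason: 'X-Frame-Options ALLOW-FROM is ignored by current browsers' };
  }
  return { framable: true, reason: 'no X-Frame-Options or CSP frame-ancestors header' };
}

// Constructed sample responses (hypothetical; not captured from any DHS site).
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoSameOrigin: { 'Content-Type': 'text/html', 'X-Frame-Options': 'sameorigin' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspSelfAndPartner: { 'Content-Security-Policy': "frame-ancestors 'self' https://portal.example.gov" },
  cspWildcardOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  obsoleteAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://intranet.example.gov' },
};

// Header set to add to any internal page that must never be framed; the
// X-Frame-Options line covers browsers that predate CSP frame-ancestors.
const HARDENED_HEADERS = {
  'Content-Security-Policy': "frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};

function auditSamples() {
  // Map each sample name to its verdict so a scanner can report the weak ones.
  const verdicts = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    verdicts[name] = assessFraming(headers);
  }
  return verdicts;
}

for (const [name, v] of Object.entries(auditSamples())) {
  console.log(`${name}: ${v.framable ? 'FRAMABLE' : 'protected'} (${v.reason})`);
}
```

The cspWildcardOverridesXfo sample is the case worth remembering: a page that sends X-Frame-Options: DENY is still framable if a later-added Content-Security-Policy header carries a permissive frame-ancestors directive, because browsers ignore X-Frame-Options once that directive is present.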