Major ‘Security Weaknesses’ Still Plague Veterans Affairs Computers

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://freebeacon.com/issues/report-major-security-weaknesses-still-plague-veterans-affairs-computers/

Systemic “security weaknesses” continue to plague the Department of
Veterans Affairs (VA) two years after a major security breach and could
lead to the unauthorized access and disclosure of even more personal
information, according to a government oversight report.

The VA has failed to address “underlying” security vulnerabilities in its
systems that have led to multiple high-profile breaches that exposed the
personal information of thousands of veterans, according to a recent
Government Accountability Office (GAO) report, which warns that security
breaches are likely to continue until the VA fixes these issues.

“Until VA fully addresses previously identified security weaknesses, its
information is at heightened risk of unauthorized access, modification, and
disclosure, and its systems at risk of disruption,” the report warns.

New warnings of major security gaps at the VA come less than a year after
similar cyber security issues led to the exposure of information belonging
to thousands of veterans.

The government watchdog is now warning that these types of security
breaches will persist unless the VA fully corrects “an underlying
vulnerability” that led to the initial disclosures.

The “VA has not addressed an underlying vulnerability that allowed the
incident to occur,” according to the GAO.

“Specifically, the department has taken some steps to limit access to the
affected system, but, at the time of GAO’s review, VA had not fully
implemented a solution for correcting the associated weakness,” the report
warns. “Without fully addressing the weakness or applying compensating
controls, increased risk exists that such an incident could recur.

Although the VA has implemented some corrective measures, “these actions
were not fully effective,” according to the report.

The VA also could not provide investigators with logs detailing how a 2012
breach occurred and is not properly retaining information about its
networks, the report states.

“VA could not produce a report of its forensic analysis of the incident or
the digital evidence collected during this analysis to show that the
response had been effective,” it says. “VA’s procedures do not require all
evidence related to security incidents to be kept for at least 3 years, as
called for by federal guidance.”

“As a result, VA cannot demonstrate the effectiveness of its incident
response and may be hindered in assisting in related law enforcement
activities,” the report states.

VA officials also did not provide proper access to the National Security
Operations Center (NSOC), which sought to investigate and help correct the
breach, according to the GAO report.

“VA’s policies did not provide the NSOC with sufficient authority to access
activity logs on VA’s networks, hindering its ability to determine if
incidents have been adequately addressed,” the report says. “In an April
2014 report, GAO recommended that VA revise its incident response policies
to ensure the incident response team had adequate authority, and VA
concurred.”

The VA’s efforts to fix vulnerabilities identified in “two key web
applications were insufficient” as well.

“The NSOC identified vulnerabilities in these applications through testing
conducted as part of the system authorization process, but VA did not
develop plans of action and milestones for correcting the vulnerabilities,
resulting in less assurance that these weaknesses would be corrected in a
timely and effective manner,” according to the GAO.

These are not the only security failures taking place at the VA.

Security weaknesses were found in VA’s workstation, which include laptop
computers. These issues “had not been corrected” at the time of the GAO’s
investigation, despite solutions being available in some cases.

“Specifically, 10 critical software patches had been available for periods
ranging from 4 to 31 months without being applied to workstations, even
though VA policy requires critical patches to be applied within 30 days,”
according to the GAO.

“There were multiple occurrences of each missing patch, ranging from about
9,200 to 286,700, and each patch was to address an average of 30 security
vulnerabilities,” the report found. “VA decided not to apply 3 of the 10
patches until it could test their impact on its applications; however, it
did not document compensating controls or plans to migrate to systems that
support up-to-date security features.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!