A new agency watchdog report has found fundamental cybersecurity deficiencies at the Department of Commerce’s (DoC) Office of the Secretary (OS) that increase the risk of cyberattacks.
In response, the agency said it is taking steps to correct those deficiencies.
DoC’s Inspector General (IG) found that the OS’s Security Operations Center (SOC) “had not properly configured its security tools to detect” simulated attacks conducted by the IG. And once it finally became aware of the simulated attack, the OS SOC struggled to respond to the incident effectively and in the manner Federal law requires.
According to the report, the defects begin with default passwords.
“When testing OS endpoints, specifically its standard laptops, we observed that OS was using the vendor’s default password to protect access to the local administrator console of its endpoint protection tool,” the IG wrote, adding that this goes against DoC policy to change a default password once a new solution is installed, tested, and configured.
In performing its simulated attack, the IG conducted a quick Google search and found a commonly used default password, illustrating that any OS user “could log in to the local administrator console by performing a simple web search to identify the default password,” the report reads.
“By using the easily found password to log in to the console, attackers could disable safeguards on the endpoint, such as malware protection and monitoring of web browsing, allowing them to circumvent the tool’s protections. With the tool effectively disabled, attackers could then perform lateral movements to reach more valuable targets within OS,” the report states.
In addition, the report explains that even after the IG alerted OS leadership to this issue on March 22, 2022, and issued a formal management alert on April 20, 2022, it still took 24 days for the office’s chief information officer (CIO) to change the default password.
“During our fieldwork, we validated that the default password was changed; however, taking 24 days to make that change demonstrated that prompt action was not taken to fix a significant security weakness,” the report states.
The IG also found that the endpoint security tool wasn’t properly configured and failed to detect 98 percent of the IG’s simulated attacks. And once again, the DoC OS failed to respond promptly to those attacks once they were discovered, the IG reported.
“Before an organization can respond to a cybersecurity incident, it must have an effective method to detect it. OS SOC utilized a combination of hardware and software tools, including an endpoint protection tool, which can provide malware detection and prevention. However, we found during our testing that these tools were misconfigured and ineffective,” the report states.
The OS also lacked an adequate digital forensics process, did not communicate effectively with the larger DoC enterprise security team, and did not adhere to Federal cybersecurity requirements to ensure its systems have an authority to operate. Additionally, the office did not have an incident response plan, the report states.
As a result of its findings, the IG provided 14 recommendations to the office’s CIO, including:
- review all software tools used within OS to ensure that default passwords are not used;
- ensure that OS CIO holds its contractors accountable for implementing department policy on default passwords;
- establish a process to regularly review OS SOC tools and ensure they are configured correctly and operating as intended;
- establish processes and procedures to periodically review OS office of the CIO (OCIO) firewall configurations and rulesets;
- update OS OCIO’s cybersecurity incident response plan to include procedures for carrying out digital forensics; and
- establish tracking and reporting processes to ensure OS OCIO cybersecurity policies and procedures are developed, up to date, and in compliance with Federal requirements.
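One concrete way to act on the recommendation to "regularly review OS SOC tools and ensure they are configured correctly and operating as intended" is a scheduled probe that checks whether endpoint protection actually reacts on a live machine. The script below is an added example written for this page; it is not from the IG report and does not reflect the OS SOC's tools. It writes the industry-standard EICAR test file (assembled from two halves so the script itself is not flagged) and watches whether on-access scanning removes or blocks it within a time window. The file name, the probe directory and the timeout are assumptions chosen for illustration.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Optional

# The 68-byte EICAR test string, split in two so this source file is not itself
# quarantined by an on-access scanner. Raw strings keep the backslash literal.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}"
         r"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


@dataclass
class ProbeResult:
    path: str
    detected: bool    # True if the scanner removed, altered or blocked the file
    seconds: float    # time until detection, or the full window if not detected
    note: str


def eicar_probe(directory: Optional[str] = None,
                timeout: float = 10.0,
                poll: float = 0.5) -> ProbeResult:
    """Drop the EICAR file and report whether on-access scanning reacts to it.

    A result with detected=False means no scanner touched the file inside the
    window: either no endpoint protection is running here or its real-time
    scanning is disabled or misconfigured. That is the condition a SOC review
    process wants to surface before an auditor or an attacker does.
    """
    directory = directory or tempfile.gettempdir()
    # Hypothetical file name; the .com extension is one the EICAR convention allows.
    path = os.path.join(directory, f"eicar-probe-{os.getpid()}-{int(time.time())}.com")
    try:
        with open(path, "w", encoding="ascii", newline="") as fh:
            fh.write(EICAR)
    except PermissionError as exc:
        # Some products refuse the write itself; that counts as a detection.
        return ProbeResult(path, True, 0.0, f"write blocked: {exc}")

    start = time.monotonic()
    while time.monotonic() - start < timeout:
        elapsed = time.monotonic() - start
        if not os.path.exists(path):
            return ProbeResult(path, True, elapsed, "file removed by scanner")
        try:
            with open(path, "rb") as fh:
                if fh.read() != EICAR.encode("ascii"):
                    return ProbeResult(path, True, elapsed, "file contents altered")
        except OSError as exc:
            # Access denied while the product quarantines the file is common.
            return ProbeResult(path, True, elapsed, f"open failed: {exc}")
        time.sleep(poll)

    # Nothing reacted: remove the test file ourselves so the probe leaves no residue.
    try:
        os.remove(path)
    except OSError:
        pass
    return ProbeResult(path, False, timeout, "file survived the detection window")


if __name__ == "__main__":
    result = eicar_probe()
    status = "PASS" if result.detected else "FAIL"
    print(f"[{status}] {result.note} ({result.seconds:.1f}s) {result.path}")
```

Run it from a scheduled job on a sample of endpoints and feed the PASS/FAIL into the SOC's tool-review tracker. The caveat a practitioner should keep in mind: a quarantined EICAR file only proves that real-time scanning is switched on and reachable on that host. It says nothing about whether the tool would catch the kind of simulated attacks the report says were missed 98 percent of the time, which requires exercising the actual behaviours the product is expected to block, nor about whether the tool's administrator console is still protected by a vendor default password.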
In its response to the IG report, the office explained it has “taken meaningful steps” to correct the issues. That includes ensuring default passwords are no longer used and replacing any outdated tools. The office also hired someone to serve as an information systems security officer to manage the office’s cybersecurity policies and governance.