U.S. Immigration and Customs Enforcement (ICE) has failed to consistently implement effective controls to restrict access to its network and information technology (IT) systems, according to a Department of Homeland Security (DHS) inspector general (IG) report from last week.
The July 19 watchdog audit notes that ICE’s deficiencies expose its network and IT systems to risks of compromise by potential attackers.
The DHS IG found that 84 percent of the accounts for separated personnel remained activated after they served their last day at ICE or switched positions. Additionally, the agency did not monitor and configure privileged user access, service accounts, and access to sensitive security functions as required.
“These deficiencies stemmed from insufficient internal controls and oversight of user account management and compliance to ensure access controls were administered appropriately and effectively to prevent unauthorized access,” the report says.
“Until these deficiencies are addressed ICE’s network and IT systems remain at risk,” the IG wrote. “These deficiencies could have limited the Department’s overall ability to reduce the risk of unauthorized access to its network, which may disrupt mission operations.”
Of the 190 separated personnel the watchdog reviewed, 159 still had access to ICE systems and information after their last day on the job. Of those, 25 accounts still had access at least 45 days later.
The process for removing personnel who leave or are transferred depends on supervisors submitting requests for those accounts to be disabled. When a supervisor does not submit a request, a script is supposed to identify accounts that haven’t logged into an ICE system in over 45 days and disable them.
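The two controls described above can be checked against each other. The following is an added example, not code from the IG report or from ICE: it reconciles a constructed separation roster with account state and shows which accounts a 45-day inactivity fallback would disable and which separated accounts it would not reach because they are still logging in. The record layout and every account name are assumptions.

```python
from datetime import date

MAX_IDLE_DAYS = 45  # inactivity threshold described in the article

# Constructed sample data (hypothetical names and dates):
# (account, separation date or None, enabled, last logon)
ACCOUNTS = [
    ("a.active",   None,             True,  date(2023, 7, 10)),
    ("b.offboard", date(2023, 5, 1), False, date(2023, 4, 28)),
    ("c.idle",     date(2023, 5, 1), True,  date(2023, 4, 30)),
    ("d.in_use",   date(2023, 5, 1), True,  date(2023, 7, 12)),
    ("e.dormant",  None,             True,  date(2023, 3, 1)),
]

def review(accounts, today, max_idle_days=MAX_IDLE_DAYS):
    """Classify enabled accounts by which control, if any, would catch them."""
    report = {"lingering": [], "idle_disable": [], "missed_by_idle_script": []}
    for name, separated_on, enabled, last_logon in accounts:
        if not enabled:
            continue  # already disabled, nothing left to review
        idle_days = (today - last_logon).days
        is_separated = separated_on is not None and separated_on <= today
        if is_separated:
            # Enabled past the separation date: the supervisor request was missed.
            report["lingering"].append((name, (today - separated_on).days))
        if idle_days > max_idle_days:
            # The inactivity fallback would disable this account.
            report["idle_disable"].append(name)
        elif is_separated:
            # Separated but recently active: inactivity alone never triggers.
            report["missed_by_idle_script"].append(name)
    return report

if __name__ == "__main__":
    for category, hits in review(ACCOUNTS, date(2023, 7, 19)).items():
        print(category, hits)
```

Accounts in `missed_by_idle_script` are the ones that only a roster-driven check, keyed on the separation date rather than on logon activity, will surface.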
The report points to the 2020 SolarWinds hack as a potential danger posed by such access control problems, noting that “the Department of Homeland Security’s critical mission of protecting the homeland makes its systems and networks high visibility targets for attackers who aim to disrupt essential operations or gain access to sensitive information.”
The IG issued seven recommendations, including developing a process to ensure separated employees’ access is severed and implementing automation to help address vulnerabilities. The agency concurred with all of them.
“ICE currently uses multi-factor authentication, authorizes access to resources and recertifies accounts,” Max Aguilar, acting chief financial officer and senior component accountable official for ICE, wrote in comments included at the end of the report.
Aguilar also noted that the agency is currently working on new automation capabilities as part of the push to zero trust architecture, including tech to track access rights and inactive accounts. ICE is also working on new standards for enterprise account and vulnerability management.
The inspector general report also notes that it found “similar” problems with access controls at two other DHS agencies: U.S. Citizenship and Immigration Services and the Federal Emergency Management Agency.