
Report: The Department of Homeland Security could try harder on web security

14 October 2009

The Department of Homeland Security is putting its websites at risk by failing to patch software and conduct regular security assessments, according to a report from the inspector general, Richard Skinner.

The Office of the Inspector General assessed nine websites operated by the Department of Homeland Security, which has over 125 publicly accessible websites in total. It found that, while operating system configuration followed best practices, few of them have the tools or experience to assess web applications in the same way.

This discovery reflects a recent report from the SANS Institute, which said that organisations were too heavily focused on securing operating systems, when web applications represented the biggest security vulnerability.

"These vulnerabilities could put DHS data at risk", said the report. "In addition, DHS can make improvements in managing its system inventory and providing technical oversight and guidance in order to evaluate the security threats to its public facing websites."

Website inventory was still poor, according to the report, which said that the Customs and Border Patrol website was not certified or accredited. Neither was it inventoried under a general support system or major application. And the main public website for the United States Secret Service is still hosted by the Treasury Department, with no official agreement to ensure its protection.

Large sections of the report detailing exact vulnerability assessments were redacted. However, the recommendations to the Department of Homeland Security were left public. It should require periodic security vulnerability assessments, apply security patches promptly, clarify its vulnerability assessment policy and guidelines, and inventory the public-facing website elements of major applications, the report said.

It should also direct the Customs and Border Patrol to certify and accredit its public-facing website. The United States Secret Service should also move its website under the Department of Homeland Security's security program.

The websites operated by other agencies such as the Federal Emergency Management Agency, National Protection and Programs Directorate, and United States Coast Guard contained no critical or high security vulnerabilities, according to the report, which said that they set the example of an effective defense-in-depth approach to security.
