Highlights of a new GAO study also addressing VA infosecurity:
What GAO Found
The Department of Veterans Affairs (VA) has taken actions to mitigate previously identified vulnerabilities, but it has not fully addressed these weaknesses:
Incident response: VA took actions to contain and eradicate the effects of a network intrusion detected in 2012, but it could not show that these actions were fully effective. Specifically, the department’s Network and Security Operations Center (NSOC) analyzed the incident and documented actions taken in response, but the department could not provide forensics analysis or digital evidence associated with its efforts. Thus, the effectiveness of its incident response could not be demonstrated. VA policy does not require evidence related to security incidents to be kept for at least 3 years, as recommended by federal guidance. This hinders the department’s ability to show its efforts have been effective. Further, VA did not fully address the vulnerability that led to the original incident, increasing the risk that such an incident may recur. In addition, VA policy does not provide the NSOC with sufficient authority to monitor activity on the department’s networks, limiting its ability to detect and respond to security incidents.
Vulnerabilities in web applications: VA’s NSOC identified nine significant vulnerabilities in two key applications that process veterans’ personal information, and validated that the department had corrected six of them. However, corrective actions for the remaining three vulnerabilities had not been validated, and the department had not developed action plans to ensure they were addressed in a timely manner. VA also did not fully implement a type of testing that can identify root causes of security vulnerabilities in application source code.
Weaknesses on network devices: VA periodically scans the devices (e.g., laptop computers) connected to its network for security vulnerabilities and summarizes the most critical vulnerabilities. For May 2014, the 10 most critical vulnerabilities were related to security patches that had not been applied to VA’s network devices. These missing patches had been available for periods ranging from 4 to 31 months, even though department policy requires critical patches to be applied within 30 days. While the department documented decisions not to apply 3 of the patches, pending tests of the effect they could have on functionality, it did not document controls to compensate for not applying up-to-date security features. Further, the department did not document any reasons for not applying the other 7 patches. The department has established an organization tasked with remediating security vulnerabilities, but it has not developed specific actions, priorities, and milestones for this organization to carry out its responsibilities.
Until VA fully addresses identified security weaknesses, its systems and the information they contain—including veterans’ personal information—will be at an increased risk of unauthorized access, modification, disclosure, or loss.
GAO-15-220T (full report, pdf)
Related: INFORMATION SECURITY: VA Needs to Address Identified Vulnerabilities – GAO (GAO-15-117)