IG Identifies VA's IT Security Deficiencies
Inconsistent Enforcement of Security Programs Behind Failings
An inspector general's audit of the Department of Veterans Affairs, to be released later this month, will highlight control deficiencies in four key areas: configuration management controls, access controls, security management and contingency planning.
Linda Halliday, VA assistant inspector general for audits and evaluations, offered a preview of the results of a fiscal year 2012 security audit at a June 4 hearing of the House Veterans Affairs Subcommittee on Oversight and Investigation.
Also at the hearing, the committee chairman revealed that VA computers have been attacked by hackers from at least eight nations, including China and likely Russia [see VA Systems Hacked from Abroad]. The nearly 3-hour hearing uncovered significant cybersecurity problems the VA is trying to address.
Lackadaisical Approach to Security
Mac McMillan, CEO of the IT security consultancy CynergisTek, says the vulnerabilities found in the VA's systems are likely the norm for non-classified government IT.
"What all this really speaks to is a lackadaisical approach to security on the part of the VA and sloppiness by the VA information services organization," he says. "These are very basic things that they are not doing. ... These are mandated requirements. ... Every other healthcare provider has to do [these things] and most do better than this."
The Veterans Health Administration, a VA unit, is the nation's largest integrated healthcare system.
The security problems facing the VA aren't much different from those other large federal government departments or many private-sector enterprises face, says Patricia Titus, former chief information security officer at IT security provider Symantec and the Department of Homeland Security's Transportation Security Agency. "Unfortunately, getting control of these complex environments requires proper planning, and many government agencies are not properly educated on how to merge infrastructures together," she says.
4 Major Control Deficiencies
The VA's inspector general, according to Halliday's testimony, found problems with:
- Access Controls: Password standards were not consistently implemented and enforced across multiple VA systems. Multi-factor authentication for remote access had not been implemented. Inconsistent reviews of networks and application user access resulted in numerous generic, system and inactive user accounts that were not deactivated. Allan Friedman, research director of the Brookings Institute's Center for Technology Innovation, says access control systems weren't designed to be modular but built as part of legacy systems. "A proper implementation would be built such that each component could be upgraded, swapped out or supplemented," he says. "This is an enormous undertaking that has been recognized as a truly 'wicked problem' by both the public and private sector."
- Security Management: Documentation, including risk assessments and system security plans, was outdated and did not accurately reflect the current system environment or federal standards. Background re-investigations were not performed in a timely manner or tracked effectively. In addition, personnel were not receiving the level of investigation appropriate to the sensitivity of their positions.
- Contingency Planning Controls: Documentation had not been updated to reflect lessons learned from the contingency and disaster recovery tests, and detailed recovery procedures for all system priority components had not been documented and/or did not reflect current operating conditions. Backup tapes were not encrypted before being sent to offsite storage at selected facilities and data centers.
- Configuration Management Controls: Systems were not patched in a timely way or securely configured to mitigate information security vulnerabilities. Baseline configurations were not consistently implemented to mitigate significant system security risks and vulnerabilities across the facilities. Change control procedures for authorizing, testing and approval of system changes were inconsistently implemented.
"Security configuration management can be daunting because organizations often don't know where to begin and don't understand how to embed scalable security configuration management practices into their daily processes and culture," says Dwayne Melancon, chief technology officer at Tripwire, a provider of risk-based security and compliance management solutions. "So they end up kicking the can down the road. This phenomenon is one of the key reasons organizations like the VA have insecure configurations, unpatched systems and inadequate security control. This is not an impossible problem, but organizational structure and politics can make it a frustrating one."
The IG is continuing to identify significant weaknesses in databases, servers and network devices that support transmitting sensitive information among VA's medical centers, data centers and headquarters. "Many of these weaknesses are due to inconsistent enforcement of an agencywide information security program across the enterprise and ineffective communication between VA management and the individual field offices," Halliday said.
Still, the VA isn't in as bad shape today as it was two years ago, when the IG identified nearly 15,000 outstanding vulnerabilities that had not been addressed in plans of action. That figure has since plunged to about 4,000. "That's still 4,000 security weaknesses and vulnerabilities that haven't been addressed; it's too many," Halliday said.
Helping to close that gap, based on preliminary testing, is the year-old Continuous Readiness in Information Security Program, known as CRISP, which takes an integrated approach to protecting sensitive information from inappropriate exposure or loss.
The VA has made progress in defining policies and procedures supporting its departmentwide information security program, including positive steps to safeguard personal and proprietary information that VA employees and contractors use.
For example, the VA implemented cybersecurity and privacy awareness training to ensure that VA employees and contractors were familiar with applicable laws, regulations and policies. In addition, the VA strengthened its policies for identifying and reporting incidents involving information management and security violations, which ensures that incidents are promptly and thoroughly investigated. The agency also has a clear chain of command and accountability structure for information security.
But there's much to do, and the IG's Michael Bowman estimates it could take 18 months or longer for the VA to adequately address 32 recommendations for fixing information security vulnerabilities that the inspector general will make in its audit.
"VA plans to implement a fully developed continuous monitoring program in the next six to eight months. Using that, they should have a better visibility of the security posture of their IT systems," Bowman, the IG's information technology and security audits director, told the House panel. "If we could convene a year from now, VA may be able to communicate significant progress in its IT security program."