Audit Finds a Lack of Security Controls for USBs, Printers and More
Some units within the U.S. Energy Department lack adequate security controls and practices to mitigate risks posed by peripheral devices, such as USBs, printers, scanners and external hard drives, according to an inspector general report.
In an evaluation of removable devices at four Office of Science locations within the Energy Department, the inspector general found weaknesses in the access controls and configuration settings meant to protect against employees copying sensitive data to one of the devices, or against a device spreading malware to the wider network. The four locations were not named in the report.
“Without adequate controls, connected devices could be used to introduce viruses or malware to the network, inadvertently expose sensitive information, be subject to loss or theft, or allow unauthorized access to networks or data,” according to the IG report.
The Department of Energy did not immediately respond to Information Security Media Group’s request for comment.
Securing Peripheral Devices
The report found that peripheral devices are often connected to department-sanctioned devices and networks and used to store, process or transfer data, including sensitive information. Where those devices are not properly secured, the IG report says, Energy Department data can be exposed.
The IG’s investigation found that the security standards on removable media and devices issued by the Energy Department’s Office of the CIO in May 2018 had not been fully implemented in any of the locations it surveyed.
The Office of the CIO guidelines, which call for the use of government-furnished devices, require mass storage devices to provide encryption and anti-virus protections. The inspector general’s team, however, found that two of the locations had devices that had not been securely configured to protect against unauthorized access, according to the report.
“The issues identified occurred, in part, because sites had not fully documented or implemented procedures to ensure that peripheral devices were appropriately secured prior to connection to the internal network environment,” according to the report.
The inspector general’s report also notes that other security shortcomings had been identified in the department earlier.
An annual audit conducted by the inspector general in 2019 found that the Energy Department routinely failed to secure unclassified IT systems in the nation’s critical infrastructure, including nuclear facilities, leaving them open to outside attacks and hacking. That audit stated that the agency continued to make the same mistakes and security errors year after year (see: Watchdog Finds DOE Falling Short on Cybersecurity).
Standards Not Feasible?
Officials at the locations surveyed reported that some of the DOE security standards for portable devices were either not technically feasible or were difficult to implement, according to the IG report. Other employees argued that implementing the standards would be too costly, given the potential risks involved.
Some DOE officials said they had chosen to implement alternative controls because the security standards could hamper collaboration. The inspector general’s office, however, found vulnerabilities during testing that could affect the confidentiality, integrity and availability of the systems and data, according to the report.
Without proper execution of the access controls, vulnerabilities could allow attackers to access sensitive information and make changes to the peripheral devices, according to the report.
Portable Device Security
Organizations inside and outside the government need complete visibility and control for peripheral devices connected to a network, Yossi Appleboum, CEO of security firm Sepio, tells ISMG.
“Most of these attack tools look innocent to plain sight. A mouse, a keyboard, printers and many other peripheral devices are considered non-weaponized or non-harmful, but foreign adversaries are using these tools to attack the U.S. all the time,” Appleboum says.