The inspector general at the EPA has recommended that the agency strengthen controls for detecting and removing unapproved software on EPA networks, following an audit that found 7,000 “nonbase” programs on them.
The report cited an internal review by the EPA that identified “foreign software and malware programs that gather user information, allow remote control and viewing of the EPA user’s computer via virtual network computing, and have a history of targeted attacks.” The IG looked more closely at 10 instances of software on the networks of one program office and four regional offices and found that in no case had the software been approved.
“Unauthorized software puts the agency’s network, including systems and data, at risk of being compromised from exploited vulnerabilities associated with unapproved software on EPA network,” it said.
The report did not examine how such software got onto the systems, but the potential for employees inadvertently allowing such software in—by responding to phishing and similar attacks—is a common theme of data security programs across government.
The report said the agency agreed with its recommendations to better document procedures for detecting and removing unapproved software and to provide targeted training on those procedures.