A security assessment at AmeriCorps found “an exploitable vulnerability that could result in a complete system compromise” of its headquarters IT network while 9 out of 85 employees who were sent test phishing emails interacted with them.
The review included tests of the system that supports the agency headquarters and employees’ vulnerability to phishing attacks. The former found 746 vulnerabilities “with known exploits” that had the potential to “allow unauthorized access to the target system, and there were no effective controls in place to identify malicious activities once on the system. If an exploitable system were compromised, the malicious attacker could operate for an extended time without detection,” the report said.
In a test of one vulnerability, auditors “were able to execute the exploit and gain unauthorized, privileged access to the system” and extract the password file, although the passwords themselves were adequately protected, it said.
In the phishing test, the audit found that the controls for automated detection of phishing “were not effective in prohibiting the emails from arriving in the user’s inbox” in the first place. Employees fell for common phishing ruses, including clicking on links to review documents or undelivered emails. “Had the attack been malicious, AmeriCorps’ systems and data would have been compromised,” it said.
It said that management concurred with its recommendations, including for stronger training of employees, and provided plans and target dates for carrying them out.