Investigators with the Department of Transportation’s inspector general broke into the department’s core operating environment (COE) using common intrusion tools and spent almost a week poking around before they were detected, according to an audit heavily critical of IT security practices at DoT.
The COE is a primary network of centralized IT services used throughout the department, providing email management, computer infrastructure, Internet access and more to more than 10,000 users in DoT’s operating administrations, and according to the IG, it is not secure from compromise.
The COE’s incident handling process did not detect the intrusion, and the IG continued to have full access for over a week before the COE’s management discovered and terminated its presence on the network, the IG said, citing ineffective security controls: thirty of 205 servers with Internet-accessible websites contained critical vulnerabilities.
Further, OCIO does not maintain an accurate inventory of computer devices on the COE, thwarting the identification of unauthorized systems, the IG said.
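The inventory finding above is, in practice, a reconciliation problem: devices observed on the network that are not in the authorized inventory are candidates for unauthorized systems, and inventory entries that are never observed are stale records. The following is an added illustration of that reconciliation, not code from the audit or from DoT; the inventory table, the DHCP-style lease lines and the hostnames are all constructed sample data.

```python
"""Reconcile an authorized device inventory against hosts observed on the network.

Added example with constructed data: neither the inventory nor the lease
records come from the audit. Real inputs would be a CMDB export and DHCP
or switch-port logs.
"""
from dataclasses import dataclass

# Constructed authorized inventory: MAC address -> (hostname, owning office)
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:01": ("coe-mail-01", "OCIO"),
    "00:11:22:33:44:02": ("coe-web-07", "OCIO"),
    "00:11:22:33:44:03": ("coe-fs-02", "OCIO"),
}

# Constructed DHCP lease lines in an "ip mac hostname" layout; "-" means
# the client supplied no hostname.
OBSERVED_LEASES = """\
10.20.1.15 00:11:22:33:44:01 coe-mail-01
10.20.1.16 00:11:22:33:44:02 coe-web-07
10.20.1.77 DE:AD:BE:EF:00:01 laptop-unknown
10.20.1.78 de:ad:be:ef:00:02 -
"""


@dataclass(frozen=True)
class ObservedHost:
    ip: str
    mac: str
    hostname: str


def parse_leases(text):
    """Parse 'ip mac [hostname]' lines; MACs are normalised to lowercase."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or malformed line
        ip, mac = parts[0], parts[1].lower()
        hostname = parts[2] if len(parts) > 2 and parts[2] != "-" else ""
        hosts.append(ObservedHost(ip, mac, hostname))
    return hosts


def reconcile(inventory, observed):
    """Return (unauthorized hosts seen on the wire, inventory MACs never seen)."""
    seen = {h.mac for h in observed}
    unauthorized = [h for h in observed if h.mac not in inventory]
    stale = sorted(mac for mac in inventory if mac not in seen)
    return unauthorized, stale


def report(inventory=AUTHORIZED_INVENTORY, leases=OBSERVED_LEASES):
    unauthorized, stale = reconcile(inventory, parse_leases(leases))
    for h in unauthorized:
        print(f"UNAUTHORIZED {h.ip} {h.mac} {h.hostname or '(no hostname)'}")
    for mac in stale:
        print(f"STALE-INVENTORY {mac} {inventory[mac][0]}")
    return unauthorized, stale


if __name__ == "__main__":
    report()
```

Keying on MAC rather than hostname matters because a hostname is whatever the client claims; the two unknown devices above would be flagged whatever name they present, and the stale entry is the kind of record that makes an inventory unreliable for spotting them.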
It said the COE also has weak user identity authentication controls because OCIO has not fully implemented multifactor authentication. In addition, OCIO does not perform the required security testing on the COE to identify and remediate the common vulnerabilities typically used by network attackers, and it does not effectively document vulnerabilities for resource allocation and remediation.