Despite much work done since last year, the Dept. of Homeland Security still has not corrected numerous security holes, many of which were previously identified. eWeek reports:
According to a July audit letter from KPMG LLP released last week, the DHS did not correct vulnerabilities in access controls and systems software that had been identified previously, limiting its ability to ensure that data is maintained with confidentiality, integrity and availability. The audit focused on the agency's financial reporting, and the weaknesses found had a negative impact on the financial internal controls, in particular.
One of the most significant problems was found with access control inside the department's firewalls. Reminiscent of the weak "yellow sticky note" password system found all too frequently in the private sector, users at the DHS were sometimes able to use sensitive testing and development devices with a group password or system default password.
Personnel "inside the organization who best understand the organization's systems, applications and business processes are able to make unauthorized access to some systems and applications," KPMG warned. "As a result, test and development devices could be a target of hackers/crackers to obtain information (i.e., user password listings) that can be used to attempt further access into DHS' IT environment."
KPMG also found that many user accounts were not configured for automatic log-off or lockout and that some workstations and servers were configured without necessary security patches.