Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/1/2010
09:46 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

FEMA Cybersecurity Fix Could Take Years

Auditors find dozens of security problems with the Federal Emergency Management Agency's financial systems.

The Federal Emergency Management Agency has serious security problems with its financial management systems that will likely take several years to fix, according to an audit by accounting firm KPMG done on behalf of Department of Homeland Security's inspector general.

KPMG's audit uncovered dozens of problems -- 58 in all -- that it says "collectively limit FEMA's ability to ensure critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability."

KPMG did note that FEMA took steps during fiscal 2009 to correct weaknesses found a year earlier, such as backing up its financial system, improving user account management for its financial systems, and improving documentation around the National Flood Insurance Program, which provides insurance assistance to citizens living in flood zones.

However, 22 of the problems KPMG found were holdovers from the previous year, and some of them seem to show a disregard for federal cybersecurity requirements.

For example, two of FEMA's financial systems, the Grants and Training Integrated Financial Management Information System and the Payment and Reporting System, were not certified and accredited before moving into production and were operating without authorization. They had no cybersecurity pros assigned to them, and weren't included in FEMA's systems inventory.

More broadly, KPMG found that systems were developed without proper oversight and direction to contractors; development and approval of some required project documentation; or continual involvement of FEMA's CIO. "Many of these deficiencies originate from policy and system development activities that did not incorporate strong security controls from the outset," the report says.

In addition, vulnerabilities found and corrective actions taken regarding the National Emergency Information System weren't reported and tracked, the certification and accreditation for FEMA's networks didn't include the LAN on which FEMA's primary financial apps reside, and the certification and accreditation for parts of a flood insurance system was expired.

FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out. Strong passwords weren't enforced on several systems, including access to FEMA's LAN.

"The deficiencies identified in FEMA's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities or that a separated individual could use the account to alter the data contained within the application or database without being detected," the report says.

Though she was singled out by the report, FEMA CIO Jean Etzel concurred with all of KPMG's recommendations. "The CIO is resolute in directing these audit recommendations to be effectively implemented in a timely manner," she wrote, noting that a governance board would hold weekly status meetings to review progress toward that goal.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...