IG: Interior Dept. computer infected with malware after employee surfed porn sites

Three years after hackers stole sensitive personal information on more than 22 million current and former federal employees in the Office of Personnel Management data breach, the Interior Department, whose compromised systems gave the hackers access to OPM’s databases, still has gaps in its cyber defenses, according to its inspector general.

In a report sent to Interior Department Chief Information Officer Sylvia Burns, Deputy IG Mary Kendall determined that the CIO’s office lacked an enterprise-wide plan to detect and respond to cyber incidents.

“OCIO’s incident response program was not capable of detecting some of the most basic threats from inside the enterprise network. Without detecting these threats, the OCIO could not contain them in a timely manner, which left compromised systems on the network for months at a time,” the March 12 IG report stated.

During its investigation, the Office of Inspector General found that a U.S. Geological Survey (USGS) employee had been watching pornography on an agency workstation and saving videos onto an external hard drive.


The computer, the OIG found, was infected with Russian malware.

“During our technical testing at a USGS facility, we discovered suspicious traffic originating from a user workstation. Our device, which was monitoring USGS network traffic, identified a USGS workstation attempting to communicate with IP addresses of known malware command and control websites in Russia. After we alerted the bureau team of the anomalous traffic, they discovered that the machine in question had been compromised,” the report said.
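The check the OIG describes, a network sensor flagging a workstation that keeps reaching out to known command-and-control addresses, can be illustrated in a few dozen lines. The following is an added example written for this article, not code from the report, the OIG or Interior; it assumes a simple whitespace-separated flow log (timestamp, source, destination, destination port), uses constructed log lines, and uses documentation-range addresses (RFC 5737) as placeholder C2 indicators. It goes one step beyond a plain indicator match by counting repeated contacts per host and estimating the interval between them, which is the kind of context an analyst wants before deciding whether an alert is real.

```python
"""Added example (not from the IG report): match outbound flow records against
known command-and-control (C2) indicators and rank hosts by how persistently
they contacted them."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed indicator set: placeholder addresses from the RFC 5737
# documentation ranges, standing in for known C2 IPs.
KNOWN_C2_IPS = {"203.0.113.7", "198.51.100.42"}

# Constructed flow log lines: timestamp, source IP, destination IP, dest port.
# 10.20.4.15 reaches the same C2 address roughly every five minutes;
# 10.20.4.22 touches a different indicator once.
SAMPLE_FLOWS = """\
2018-03-01T09:00:05 10.20.4.15 203.0.113.7 443
2018-03-01T09:05:04 10.20.4.15 203.0.113.7 443
2018-03-01T09:10:06 10.20.4.15 203.0.113.7 443
2018-03-01T09:11:30 10.20.4.15 192.0.2.10 443
2018-03-01T09:12:01 10.20.4.22 198.51.100.42 8080
2018-03-01T09:15:05 10.20.4.15 203.0.113.7 443
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse the assumed four-column flow format, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def match_c2(flows, indicators):
    """Group flows whose destination is a known indicator by source host."""
    hits = defaultdict(list)
    for f in flows:
        if f.dst in indicators:
            hits[f.src].append(f)
    return dict(hits)


def beacon_summary(hits, min_contacts=3):
    """Per host: number of C2 contacts, distinct destinations, and the median
    gap between contacts. A single contact may be a stale indicator or a
    false positive; repeated, evenly spaced contact is much harder to
    explain away, so such hosts are marked high priority."""
    summary = {}
    for host, flows in hits.items():
        flows = sorted(flows, key=lambda f: f.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(flows, flows[1:])]
        median_gap = sorted(gaps)[len(gaps) // 2] if gaps else None
        summary[host] = {
            "contacts": len(flows),
            "destinations": sorted({f.dst for f in flows}),
            "median_gap_s": median_gap,
            "priority": "high" if len(flows) >= min_contacts else "review",
        }
    return summary


if __name__ == "__main__":
    hits = match_c2(parse_flows(SAMPLE_FLOWS), KNOWN_C2_IPS)
    for host, info in beacon_summary(hits).items():
        print(host, info)
```

Run against the constructed lines, the script reports 10.20.4.15 as high priority (four contacts, roughly 299 seconds apart) and 10.20.4.22 as needing review (one contact). The point of the summary step is the one the report makes about automated alerting: an indicator match alone is only a lead, and the surrounding context is what lets a person decide what to isolate and examine.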

The inspector general’s office also found that the OCIO didn’t have active threat-hunting operations looking for enterprise-wide cyber threats, and instead relied on automated cyber alert systems.

The IG report determined that automated systems have a tendency to produce a lot of false positives or negatives if they’re not given enough input data.

“The department was missing the human interaction when analyzing alerts, events and active processes across the environment necessary to find well-hidden intruders and tune systems to capture the most relevant event data,” the report said.

The OCIO, the report said, didn’t have an enterprise-wide view of cyber incidents on its network, nor did it have insight into cyber incidents at its bureaus and individual offices.

Part of the problem, the IG reported, was the agency’s practice of patching malware-infected computers and putting them right back into use, as opposed to pulling them off the network and conducting a cyber threat analysis.

The report also found that the OCIO hadn’t fully implemented the recommendations outlined in the National Institute of Standards and Technology’s (NIST) Special Publication 800-61 Revision 2, guidance released in August 2012 aimed at helping agencies set up incident response programs.

With nine technical bureaus and more than 2,400 operating locations, the Interior Department is a regular target for cyber attacks because of the breadth of its computer networks.

In October 2014, hackers breached OPM’s computer networks through a trusted connection from the Interior Department’s data center. The intrusion wasn’t noticed until April 2015.

“In today’s cyber threat landscape, security incidents that result in the loss of sensitive data and disruption of business operations occur on a daily basis. As such, the department must be able to detect and respond to security incidents to protect sensitive data and maintain business operations,” the report stated.

Interior Department officials concurred with all of the IG’s 23 recommendations, and gave the watchdog office deadlines to implement the recommendations.

Five of the recommendations will take more than five years to carry out, according to the IG’s office, and four recommendations will take at least three years to put into place.

Until those improvements are made, the OIG recommends that the agency seek out temporary, stopgap cyber solutions.

“We understand that some of these recommendations may require significant investment in cyber security infrastructure as well as the recruitment of additional staff, but the intended time frame to implement these recommendations remains a concern,” the report stated.

The Interior Department didn’t immediately return comment for this story.