Information Security:

VA Needs to Address Identified Vulnerabilities

GAO-15-117: Published: Nov 13, 2014. Publicly Released: Nov 17, 2014.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov


Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

While the Department of Veterans Affairs (VA) has taken actions to mitigate previously identified vulnerabilities, it has not fully addressed these weaknesses. For example, VA took actions to contain and eradicate a significant incident detected in 2012 involving a network intrusion, but these actions were not fully effective:

The department's Network and Security Operations Center (NSOC) analyzed the incident and documented actions taken in response. However, VA could not produce a report of its forensic analysis of the incident or the digital evidence collected during this analysis to show that the response had been effective. VA's procedures do not require all evidence related to security incidents to be kept for at least 3 years, as called for by federal guidance. As a result, VA cannot demonstrate the effectiveness of its incident response and may be hindered in assisting in related law enforcement activities.

VA has not addressed an underlying vulnerability that allowed the incident to occur. Specifically, the department has taken some steps to limit access to the affected system, but, at the time of GAO's review, VA had not fully implemented a solution for correcting the associated weakness. Without fully addressing the weakness or applying compensating controls, increased risk exists that such an incident could recur.

Further, VA's policies did not provide the NSOC with sufficient authority to access activity logs on VA's networks, hindering its ability to determine if incidents have been adequately addressed. In an April 2014 report, GAO recommended that VA revise its incident response policies to ensure the incident response team had adequate authority, and VA concurred.

In addition, VA's actions to address vulnerabilities identified in two key web applications were insufficient. The NSOC identified vulnerabilities in these applications through testing conducted as part of the system authorization process, but VA did not develop plans of action and milestones for correcting the vulnerabilities, resulting in less assurance that these weaknesses would be corrected in a timely and effective manner.

Finally, vulnerabilities identified in VA's workstations (e.g., laptop computers) had not been corrected. Specifically, 10 critical software patches had been available for periods ranging from 4 to 31 months without being applied to workstations, even though VA policy requires critical patches to be applied within 30 days. There were multiple occurrences of each missing patch, ranging from about 9,200 to 286,700, and each patch was to address an average of 30 security vulnerabilities. VA decided not to apply 3 of the 10 patches until it could test their impact on its applications; however, it did not document compensating controls or plans to migrate to systems that support up-to-date security features. While the department has established an organization to improve its vulnerability remediation, it has yet to identify specific actions and milestones for carrying out related responsibilities. Until VA fully addresses previously identified security weaknesses, its information is at heightened risk of unauthorized access, modification, and disclosure and its systems at risk of disruption.
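The patch-management finding above amounts to three checks a defender can automate: is a critical patch older than the 30-day policy window still missing on any workstation, how many missing instances and fixed vulnerabilities does that represent, and where a patch was deliberately deferred for application testing, are compensating controls or a migration plan documented. The following script is an added example written for this summary; it is not code from GAO or VA, and the patch identifiers, release dates, host counts and the `AS_OF` date are constructed values, not figures from the report. Only the 30-day policy window is taken from the text.

```python
from dataclasses import dataclass
from datetime import date

# Policy window taken from the report: critical patches must be applied within 30 days.
CRITICAL_PATCH_SLA_DAYS = 30

# Constructed "as of" date for the evaluation; not a date from the report.
AS_OF = date(2014, 6, 30)


@dataclass
class PatchRecord:
    patch_id: str                                 # hypothetical identifier
    released: date                                # vendor release date
    vulnerabilities_fixed: int                    # CVEs the patch addresses
    missing_on_hosts: int                         # workstations still lacking the patch
    deferred_for_testing: bool = False            # deliberately held back for app testing
    compensating_controls_documented: bool = False
    migration_plan_documented: bool = False


@dataclass
class Finding:
    patch_id: str
    days_overdue: int
    missing_on_hosts: int
    vulnerabilities_fixed: int
    issue: str


# Constructed sample inventory; every value here is made up for the example.
SAMPLE_INVENTORY = [
    PatchRecord("KB-EXAMPLE-1", date(2014, 1, 10), 28, 12_000),
    PatchRecord("KB-EXAMPLE-2", date(2014, 6, 20), 5, 500),        # still inside the window
    PatchRecord("KB-EXAMPLE-3", date(2013, 11, 1), 40, 250_000,
                deferred_for_testing=True),                         # deferred, nothing documented
    PatchRecord("KB-EXAMPLE-4", date(2014, 3, 1), 12, 3_000,
                deferred_for_testing=True, migration_plan_documented=True),
    PatchRecord("KB-EXAMPLE-5", date(2013, 9, 1), 20, 0),          # fully applied
]


def evaluate_patch_compliance(records, as_of, sla_days=CRITICAL_PATCH_SLA_DAYS):
    """Return findings for every patch that is past the SLA and still missing somewhere.

    A deferred patch is not exempt: it is reported either as mitigated (controls or a
    migration plan are documented) or as an undocumented deferral, which is the gap
    the audit finding describes.
    """
    findings = []
    for r in records:
        age_days = (as_of - r.released).days
        if r.missing_on_hosts == 0 or age_days <= sla_days:
            continue  # fully applied, or still within the policy window
        overdue = age_days - sla_days
        if r.deferred_for_testing:
            if r.compensating_controls_documented or r.migration_plan_documented:
                issue = "deferred with documented mitigation"
            else:
                issue = "deferred without documented compensating controls or migration plan"
        else:
            issue = "critical patch past SLA"
        findings.append(Finding(r.patch_id, overdue, r.missing_on_hosts,
                                r.vulnerabilities_fixed, issue))
    # Worst exposure first: longest overdue at the top.
    return sorted(findings, key=lambda f: f.days_overdue, reverse=True)


def summarize(findings):
    """Aggregate the findings into the figures an auditor would report."""
    return {
        "patches_past_sla": len(findings),
        "total_missing_instances": sum(f.missing_on_hosts for f in findings),
        "total_vulnerabilities_exposed": sum(f.vulnerabilities_fixed for f in findings),
        "undocumented_deferrals": sum(1 for f in findings
                                      if f.issue.startswith("deferred without")),
    }


if __name__ == "__main__":
    results = evaluate_patch_compliance(SAMPLE_INVENTORY, AS_OF)
    for f in results:
        print(f"{f.patch_id}: {f.days_overdue} days overdue, missing on "
              f"{f.missing_on_hosts:,} hosts, {f.vulnerabilities_fixed} vulns: {f.issue}")
    print(summarize(results))
```

The script treats "deferred for testing" as a status that still needs a documented mitigation rather than as an exemption, which is exactly the distinction the finding draws: VA's decision to hold back 3 of 10 patches was not itself the problem, the missing documentation of compensating controls and migration plans was. Feeding the same logic an export from a real patch-management or vulnerability scanner (Nessus is named later in this page) would give the 30-day compliance figure directly.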

Why GAO Did This Study

In carrying out its mission to ensure the health, welfare, and dignity of the nation's veterans, VA relies extensively on information technology systems that collect, process, and store veterans' sensitive information. Without adequate safeguards, these systems and information are vulnerable to a wide array of cyber-based threats. Moreover, VA has faced long-standing challenges in adequately securing its systems and information, and reports of recent incidents have highlighted the serious impact of inadequate information security on the confidentiality, integrity, and availability of veterans' personal information.

GAO was asked to review VA's efforts to address information security vulnerabilities. The objective for this work was to determine the extent to which selected, previously identified vulnerabilities continued to exist on VA computer systems. To do this, GAO reviewed VA actions taken to address previously identified vulnerabilities, including a significant network intrusion, vulnerabilities in two key web-based applications, and security weaknesses on devices connected to VA's network. GAO also reviewed the results of VA security testing; interviewed relevant officials and staff; and reviewed policies, procedures, and other documentation.

What GAO Recommends

GAO is making eight recommendations to VA to address identified weaknesses in incident response, web applications, and patch management. In commenting on a draft of this report, VA stated that it concurred with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: VA de-commissioned the VPN that led to the 2012 intrusion.

    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should fully implement the solution to address the weaknesses that led to the 2012 intrusion incident.

    Agency Affected: Department of Veterans Affairs

  2. Status: Closed - Implemented

    Comments: In 2015 we verified that VA, in response to our recommendation, established time frames for completing planned initiatives to improve incident response capabilities.

    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should establish time frames for completing planned initiatives to improve incident response capabilities.

    Agency Affected: Department of Veterans Affairs

  3. Status: Closed - Implemented

    Comments: In 2015 we verified that VA, in response to our recommendation, developed plans of action and milestones for critical and high-risk vulnerabilities affecting two key web applications.

    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should develop plans of action and milestones for critical and high-risk vulnerabilities affecting two key web applications.

    Agency Affected: Department of Veterans Affairs

  4. Status: Closed - Implemented

    Comments: In 2015 we verified that VA, in response to our recommendation, finalized and implemented a policy memorandum specifically requiring all developers to conduct security-focused code reviews of VA enterprise applications using the Static Application Security Testing (SAST) Tool.

    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should finalize and implement the policy requiring developers to conduct source code scans on key web applications.

    Agency Affected: Department of Veterans Affairs

  5. Status: Closed - Implemented

    Comments: In 2015 we verified that VA, in response to our recommendation, applied missing critical security patches within established time frames.

    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should apply missing critical security patches within established time frames, or in cases where security patches cannot be applied, document compensating controls or, as appropriate, longer-term plans to migrate to newer platforms, hardware, and/or technologies where security patches can be applied and new security features enabled.

    Agency Affected: Department of Veterans Affairs

  6. Status: Open

    Comments: Subsequent to the agency indicating it has acted on this recommendation, we will review the supporting evidence.

    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should scan non-Windows network devices in authenticated mode.

    Agency Affected: Department of Veterans Affairs

  7. Status: Closed - Implemented

    Comments: In 2015 we verified that VA, in response to our recommendation, created a database, the Nessus Enterprise Web Tool, to track remediation and patch implementation tasks. Additionally, VA's Security Flaw Remediation Management Process identifies specific actions, priorities, and milestones for the remediation of vulnerabilities.

    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should identify specific actions, priorities, and milestones for accomplishing tasks to facilitate vulnerability remediation.

    Agency Affected: Department of Veterans Affairs

  8. Status: Closed - Implemented

    Comments: In 2015 we verified that VA, in response to our recommendation, updated the department's standard operating procedure to require evidence associated with security incidents to be maintained for at least 3 years.

    Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should update the department's standard operating procedure to require evidence associated with security incidents to be maintained for at least 3 years, consistent with National Archives and Records Administration guidance.

    Agency Affected: Department of Veterans Affairs
