BelchSpeak


US-CERT Still a Big Fat Failure

Two years ago I wrote about how US-CERT was criticized because its Einstein program didn’t allow analysts to see payloads in their analytical stream. They probably still don’t, which is why so many Federal agencies still don’t fully participate in the program. There is little value in the system. Now an Inspector General has found that US-CERT and the National Cyber Security Division still don’t have a way to automatically patch the systems they use at the office. That is laughable, because one of the failed programs US-CERT once considered taking on was national validation of security patches. Fail, fail, and fail again.

From GCN here:

A scan of IT systems at US-CERT, the Homeland Security Department’s primary operational cybersecurity agency, found hundreds of vulnerabilities that could allow someone to compromise data, according to a recent inspector general’s report.

Although DHS has policies in place to mitigate and correct problems, the lack of an automated system for patching vulnerabilities has left a large number of unpatched and possibly serious flaws in the agency’s Mission Operating Environment.

“These vulnerabilities, if not addressed, could lead to arbitrary code execution, buffer overflow, escalation of privileges, and denial-of-service attacks,” the IG concluded in the report.

The report also identified failures to adequately track and manage security risks found in Einstein itself, inadequacies in the National Cyber Security Division’s information security training, a lack of documentation for IT systems, and a number of other problems with system testing and physical security.

Hey US-CERT, get a freakin’ WSUS server.
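Since the whole complaint is the lack of automated patching, here is what the check looks like from the client side. This is an added example, not code from the BelchSpeak post or from DHS: it reads the standard Windows Update policy registry values to confirm a host is pointed at a WSUS server with automatic installation enabled, then asks the Windows Update Agent COM API how many software updates are still missing. The WSUS hostname in the comments is a placeholder; the registry paths, value names and COM interfaces are the standard Windows ones.

```powershell
# Added example (not from the original post): audit a Windows host's update posture.
# Part 1: is the host configured to pull patches from a WSUS server automatically?
# Policy keys below are the standard Windows Update GPO locations; a real WSUS
# server would appear in WUServer as e.g. http://wsus.example.local:8530 (placeholder).

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent: no policy set
}

$report = [ordered]@{
    WUServer       = Get-RegValue $policy 'WUServer'        # WSUS URL clients download from
    WUStatusServer = Get-RegValue $policy 'WUStatusServer'  # WSUS URL clients report status to
    UseWUServer    = Get-RegValue $au 'UseWUServer'         # 1 = use the WSUS server above
    NoAutoUpdate   = Get-RegValue $au 'NoAutoUpdate'        # 1 = automatic updates disabled
    AUOptions      = Get-RegValue $au 'AUOptions'           # 4 = auto download and scheduled install
}
[pscustomobject]$report | Format-List

$findings = @()
if (-not $report.WUServer -or $report.UseWUServer -ne 1) {
    $findings += 'Host is not configured to use a WSUS server'
}
if ($report.NoAutoUpdate -eq 1) {
    $findings += 'Automatic updates are disabled by policy'
}
if ($report.AUOptions -ne 4) {
    $findings += 'Updates are not set to download and install automatically (AUOptions should be 4)'
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'Windows Update policy: WSUS configured with automatic installation.' }

# Part 2: how far behind is the host right now? This uses the Windows Update Agent
# COM API and needs network access to whatever update source the policy points at.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")
"Missing software updates: $($result.Updates.Count)"
$result.Updates | ForEach-Object { "  {0}" -f $_.Title }
```

Run it in an elevated PowerShell session on a domain-joined workstation. The registry part answers the IG's structural question (is there an automated patch path at all?); the COM part gives the number an auditor actually wants, the count of known-applicable updates that are still not installed. Pushing the policy values through Group Policy rather than setting them by hand is what makes the "automated" part hold across a fleet.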

Dr. Jones

Do not talk about fight club. Oops.
