Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Sensitive FDA Systems at Risk of Cyberattacks: Audit

A report made available this week by the U.S. Government Accountability Office (GAO) shows that the Food and Drug Administration (FDA) needs to address some serious cybersecurity weaknesses that expose industry and public health data.

A report made available this week by the U.S. Government Accountability Office (GAO) shows that the Food and Drug Administration (FDA) needs to address some serious cybersecurity weaknesses that expose industry and public health data.

An audit conducted by the GAO between February 2015 and August 2016 revealed several problems that put the confidentiality, integrity, and availability of the FDA’s systems at risk.

The GAO’s analysis targeted seven of the FDA’s 80 systems. The machines covered by the audit receive and process sensitive drug information and are essential to the agency’s mission. Since they have a Federal Information Processing Standard of moderate or high impact, if the systems or their information is compromised, it could have a serious or catastrophic impact on the organization.

A total of 87 weaknesses have been identified by GAO, including failure to protect network boundaries, identify and authenticate users, restrict user permissions, encrypt sensitive data, monitor system activity, and conduct physical security reviews.

For instance, the FDA’s internal network was not isolated from the network of the contractor in charge of the agency’s public website. The internal network was also accessible from one of the organization’s untrusted networks.

Another example refers to the FDA’s failure to implement strong password controls, including passwords that remained unchanged for several years, weak credentials and default settings.

As for authorization-related concerns, the GAO discovered that hundreds and even thousands of user accounts had unnecessary or uncontrolled access to file shares. The audit also revealed that sensitive data, including passwords, were not properly encrypted.

The FDA did not properly audit and monitor its systems, which could allow malicious actors to remain undetected for extended periods of time. The GAO pointed out that the agency did not always retain audit logs, and it failed to preserve evidence related to a 2013 security breach that resulted in an external attacker gaining access to sensitive user account information.

Advertisement. Scroll to continue reading.

“FDA has taken steps to safeguard its systems that receive, process, and maintain sensitive data by, for example, implementing policies and procedures for controlling access to and securely configuring those systems. However, a significant number of weaknesses remain in technical controls — including access controls, change controls, and patch management — that jeopardize the confidentiality, integrity, and availability of its systems,” the GAO said in its report.

One of the causes of weak security controls, according to the GAO, is the lack of a properly implemented agency-wide information security program as required by federal laws. These laws require government organizations to implement risk assessments, incident response procedures, regular testing of security controls, reviews and updates for security policies and procedures, vulnerability patching mechanisms, and security training.

The GAO has made over a dozen recommendations for the implementation of an agency-wide information security program and 166 recommendations on addressing specific problems.

Related: Huge US Facial Recognition Database Flawed

Related: DHS’s Einstein Security System Has Limited Capabilities

Related: Internet Connectivity Could Expose Aircraft Systems to Cyberattacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Cisco's enterprise-facing Webex video conferencing and messaging utility monitors the microphone at all times, even when the user's microphone is muted in the software,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Audits

The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...

Application Security

Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that...