The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.

The United States Computer Emergency Readiness Team, or US-CERT, monitors the Einstein intrusion-detection sensors on nonmilitary government networks, and helps other civil agencies respond to hack attacks. It also issues alerts on the latest software security holes, so that everyone from the White House to the FAA can react quickly to install workarounds and patches.

But in a case of "physician, heal thyself," the agency – which forms the operational arm of DHS's National Cyber Security Division, or NCSD – failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes (.pdf).

"The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on … computer systems located in Virginia," reads the report from assistant inspector general Frank Deffer.

Einstein, the government's intrusion-detection system, passed the security scan with flying colors, as did US-CERT's private portal and public website. But the systems on which US-CERT analysts send e-mail and access data collected from Einstein were filled with the kinds of holes one might find in a large corporate network: unpatched installs of Adobe Acrobat, Sun's Java and some Microsoft applications.

In addition to the 202 high-risk holes, another 106 medium- and 363 low-risk vulnerabilities were found at US-CERT.

"To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system-security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures," the report concludes.

In an appendix to the report, which is dated Aug. 18, the division wrote that it has patched its systems since the audit was conducted.

DHS spokeswoman Amy Kudwa said in a statement Wednesday that DHS has implemented "a software management tool that will automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities."

See Also: