Cybersecurity audit of the US Secret Service found unacceptable vulnerabilities - expert comment
October 2016 by Stephen Gates, chief research intelligence analyst at NSFOCUS
A cybersecurity audit of the US Secret Service found unacceptable vulnerabilities that leave the possibility of insider-threat activity and privacy violations.
According to this article, the Office of the Inspector General performed a cybersecurity audit after the Secret Service improperly accessed and disclosed information about Rep. Jason Chaffetz (R-Utah), chairman of the House Committee on Oversight and Government Reform, which monitors U.S. Secret Service (USSS) operations. A number of weaknesses were found, including inadequate system security plans (SSP), systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections and over-retention of records.
Commenting on this, Stephen Gates, chief research intelligence analyst at NSFOCUS, said "Mandated by Congress, the role of United States Secret Service (USSS) is to protect our leaders, visiting dignitaries, and designated sites and events in the U.S. In addition, they’re tasked with safeguarding the nation’s critical financial infrastructure and payment systems. In other words, they’re responsible for protecting the “stability” of our nation.
Secrecy is in their name; however, that secrecy may be at risk due to the poor state of information security within their organisation that was recently exposed. According to reports, their latest cybersecurity audit points to numerous flaws in their approach to securing themselves, and our national interests. This situation highlights a serious lack of leadership and overall responsibility.
Being tasked with protecting our nation’s critical financial infrastructure and payment systems, how can we expect the nation’s financial organisations to clean up their own acts and harden their cyber defences when the agency who has oversight does not do the same. The USSS is also designated to protect our leaders and visiting dignitaries. Hackers and miscreants gaining inside information about USSS protection plans put out leaders and dignitaries at series risk as well.
Being unsure what it’s going to take to clean up their internal operations, the first step they need to take is shoring up their cyber-defensive posture. Hackers gaining access to “secret” information within their organisation makes us all more vulnerable. An intelligent hybrid security strategy combined with global cyber-threat intelligence, cloud defences, and on-premises defence will reduce their risk; while they take steps to implement good policies and procedures to defend themselves and our national interests."