You Won't Believe Where Homeland Security Fails on Cybersecurity

I'm not sure if the headline on this story is accurate because, after the Equifax megabreach, you might possibly believe where the U.S. Department of Homeland Security fails on cybersecurity.

Patching its systems.

I just finished reading the latest cybersecurity audit of Homeland Security by the Office of the Inspector General (OIG). I had to read the part about inadequate patching, twice, just to make sure I was understanding it correctly.  

Are these patching failures really happening at DHS in 2018, in our post-Equifax world?!

From the Inspector General's report:

• Several Windows 8.1 and Windows 7 workstations were missing key security patches, including those to protect against WannaCry ransomware that infected tens of thousands of computers in over 150 countries in May 2017. Other examples of missing patches include those associated with internet browsers such as Mozilla and Firefox, and media players such as Flash player and Adobe Shockwave.
• Windows 2008 and 2012 operating systems were missing security patches for Oracle Java, an unsupported version of Internet Explorer, and a vulnerable version of Microsoft’s Sidebar and Gadgets applications. Some of the missing security patches dated back to July 2013. We also found that DHS components had not applied some critical patches announced in July 2016 Microsoft security bulletins for these operating systems.
• One Headquarters system still used an unsupported version of the Microsoft Windows 2003 server; Microsoft had stopped providing security updates and technical support for the server in July 2015. (Note: Windows 2003 server was found running at DHS headquarters, the U.S. Coast Guard, and the U.S, Secret Service. Although the Secret Service says it has restricted access now to internal users only.)

The OIG's report on Homeland Security cybersecurity also noted that if something disrupts the work of Homeland Security, there is a risk of serious impact, saying DHS "Did not test all system contingency plans, develop procedures for handling sensitive information, or identify alternate facilities to recover processing in the event of service disruptions."

You can read the Homeland Security cybersecurity audit for yourself if you have the time.

DHS has agreed with all of the Inspector General's findings and has promised to fix things.

Patching the WannaCry vulnerability may be a good place to start.

Lastly, a question for you; please let us know what you think. Is it understandable that DHS could fail to implement patches like these? Or is this something an InfoSec team should have nailed?