FDA Network Susceptible to Cyberattacks, OIG Audit Finds
October 22, 2014 in News
Details of Report
OIG performed the audit to determine whether FDA’s network and external Web applications were susceptible to cyberattacks (Slabodkin, Health Data Management, 10/21). The audit focused on the FDA network and websites that were active between Oct. 21, 2013, and Nov. 10, 2013.
For the audit, OIG attempted to exploit vulnerabilities via external penetration tests and gathered information on FDA’s:
- Applications running on exposed hosts;
- Application and supporting server structure;
- Domain name server records;
- Host names;
- Hosts exposed to the Internet;
- Network address ranges; and
- Operating system and application version information.
While the audit assessed most of FDA’s security controls and information systems, seven external systems were excluded because the agency “considered these systems to be mission critical and did not want to accept the risk of having them go offline.”
OIG also asked to review reports from any third-party testing of the seven external systems, but only one such review had been performed (OIG audit, October 2014).
The external penetration test did not result in unauthorized access to FDA’s systems, but the audit found several vulnerabilities that could have led to:
- FDA’s mission-critical systems being made unavailable; or
- Unauthorized disclosure or modification of data (Health Data Management, 10/21).
Such vulnerabilities included:
- Inadequate Web page input validation that hackers could use to install malicious programs, redirect users to malicious Web pages or hijack a user’s Web browser;
- External systems that did not enforce procedures for account lockouts after repeated failed log-in attempts, which could give hackers unlimited attempts to gain access;
- Error messages that revealed sensitive information, such as application code, which could be used to exploit programs’ vulnerabilities; and
- Demonstration programs that revealed sensitive information, which could be used to perform targeted cyberattacks.
OIG made several recommendations to protect against data breaches.
Specifically, OIG suggested FDA fix the vulnerabilities found in the audit and perform periodic security assessments of its Internet-facing systems. More detailed recommendations were provided directly to FDA.
In written comments to the report, FDA said that it has taken steps to repair its systems. OIG could not verify the actions, as they happened after the period of the audit (OIG audit, October 2014).