Won’t patch systems? Never run malware scans? Welcome to the US State Department!

A branch of the US State Department charged with detecting visa fraud was found to be ignoring basic information security practices.

As pointed out by NextGov, a recent audit conducted by the Office of the Inspector General for the State Department found that its Bureau of Consular Affairs Office of Fraud Prevention was neglecting to perform basic tasks on its systems such as checking for updates and running malware scans.

Created in 1986, the Bureau of Consular Affairs Fraud Prevention Program (CA/FPP) is tasked with “overseeing and coordinating the integrity of U.S. visa and citizenship processes” by stopping fraud in the visa and passport system.

Unfortunately, however, it seems the CA/FPP’s infosecurity programs are woefully inadequate, and in some cases lacked even basic access controls.

Among the problems found by the OIG were outdated and poorly monitored machines. One of those systems was the bureau’s data analytics test network, a standalone network that analyzes data from the DHS Arrival and Departure Information system and the CA’s own internal SAP HANA database.

“OIG found deficiencies that included shared passwords and lack of access control lists or visitor logs,” the report reads.

“In addition, CA/CST’s information systems security officer did not perform regular patch management or anti-virus scanning on the network or regular audit and accountability reviews to identify data loss or potential intruder activities.”

Who watches the watch server? No-one

Additionally, the CA/FPP’s case management system, a SharePoint site the bureau set live in 2008 in order to keep records on “possible consular malfeasance”, had never even been checked to establish what its security categorization should be.

“CA/FPP and CA/CST management were unaware that the system had never undergone an assessment to determine whether it contained information that exceeded SharePoint’s security categorization,” the report read.

“An evaluation of the case management system would enable CA/FPP and CA/CST to determine whether the current SharePoint platform or a different application would provide the most appropriate protection for the information. Without applying appropriate controls, the case management system and its information are vulnerable to unauthorized access or compromise.”

The OIG’s recommendations for the issues were fairly straight forward: Fix it.

The report suggested the unpatched machines be subjected to “security oversight procedures” including access controls and regular patches and scans. The Bureau says it will have that policy in place by November.

The report also suggests the case management system undergo an assessment to first set its security categorization and then set up the needed security controls. Consular Affairs says that will be worked out by February of 2019. ®