Department of the Treasury
Oct. 17, 2013
INFORMATION TECHNOLOGY: OCC's (Office of the Comptroller of the Currency) Network and Systems Security Controls Were Deficient
PDF available at: http://www.treasury.gov/about/organizational-structure/ig/Audit%20Reports%20and%20Testimonies/OIG-14-001.pdf
... To accomplish our objective, we performed a series of internal and external vulnerability assessments and penetration tests on OCC’s workstations, servers, network-attached peripherals (such as cameras and printers), infrastructure devices, and Internet websites.
... We determined that OCC’s security measures were not sufficient to fully prevent and detect unauthorized access into its network and systems by internal threats, or external threats that gained an internal foothold. Also, OCC’s security measures were not adequate to fully protect personally identifiable information (PII) from Internet-based threats.
We found that default factory-preset administrative usernames and passwords were present in OCC’s systems. In one test we conducted, we discovered a default username and password of an internal service account on an OCC server which had local administrator privileges. We used those privileges and deployed our penetration test tool’s agents to the host server. That server contained password hashes for local and domain administrator accounts. Using these hashes, we obtained a domain administrator’s password, which we then used to log on to the network domain controller. With full access given to a typical domain administrative account, we created a domain administrator account and thereby had full control of OCC’s network.
... In accordance with our Rules of Engagement, we did not attempt to perform actions that would disrupt OCC’s operations, such as deleting data, powering off servers or other resources, locking out accounts, and similar activities, any of which could have resulted in interruption or shutdown of devices or services. However, malicious attackers would have no such restrictions against performing these actions.
... Because systems and devices connected to OCC’s internal network could freely communicate between one another, with very little internal partitioning, we successfully attacked multiple OCC systems in a very short amount of time from a single workstation.
I offer no additional comments other than, if Treasury's IT security is this lax, just imagine how secure your health information is, sitting on servers at Podunk Hollow General Hospital.
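The chain the auditors describe (a default service-account password, local admin on one host, hashes dumped from that host, a domain administrator's credential reused across a flat network, a new domain admin created on the DC) leaves a recognisable trail in Windows Security logs. The script below is an added example, not part of the OIG report or of this post, showing two detections a defender could run over those events: NTLM network logons from one source fanning out to many hosts in a short window (hash reuse across an unsegmented network), and a 4720 account-creation event followed shortly by a 4728 addition of the same account to Domain Admins. The event records, host names, account names, IP addresses and the thresholds (10-minute window, three hosts, one hour between creation and group change) are all constructed assumptions for the example; the field names are a simplified subset of the real 4624/4720/4728 event fields.

```python
"""Hunt for a pass-the-hash / new-domain-admin chain in Windows Security events.
Added example for illustration; the events below are constructed, not OCC data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names follow the Windows Security log
# (EventID 4624 = logon, 4720 = user created, 4728 = member added to global group)
# but every value here is made up for the example.
EVENTS = [
    {"time": "2013-06-03T10:00:05", "EventID": 4624, "LogonType": 3, "AuthPkg": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.1.20.15", "Computer": "FS01"},
    {"time": "2013-06-03T10:00:40", "EventID": 4624, "LogonType": 3, "AuthPkg": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.1.20.15", "Computer": "FS02"},
    {"time": "2013-06-03T10:01:10", "EventID": 4624, "LogonType": 3, "AuthPkg": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.1.20.15", "Computer": "APP03"},
    {"time": "2013-06-03T10:01:55", "EventID": 4624, "LogonType": 3, "AuthPkg": "NTLM",
     "TargetUserName": "da_jsmith", "IpAddress": "10.1.20.15", "Computer": "DC01"},
    {"time": "2013-06-03T10:03:00", "EventID": 4720, "TargetUserName": "svc_updates",
     "SubjectUserName": "da_jsmith", "Computer": "DC01"},
    {"time": "2013-06-03T10:03:20", "EventID": 4728,
     "MemberName": "CN=svc_updates,OU=Service,DC=example,DC=test",
     "TargetUserName": "Domain Admins", "SubjectUserName": "da_jsmith", "Computer": "DC01"},
    # Benign noise: a Kerberos logon and an unrelated group change.
    {"time": "2013-06-03T10:04:00", "EventID": 4624, "LogonType": 3, "AuthPkg": "Kerberos",
     "TargetUserName": "bob", "IpAddress": "10.1.30.7", "Computer": "FS01"},
    {"time": "2013-06-03T10:05:00", "EventID": 4728,
     "MemberName": "CN=bob,OU=Staff,DC=example,DC=test",
     "TargetUserName": "Printer Users", "SubjectUserName": "helpdesk1", "Computer": "DC01"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {source_ip: [hosts]} for sources whose NTLM network logons
    (4624, logon type 3) reach at least `min_hosts` distinct hosts within `window`.
    Hash reuse from one workstation across a flat network looks exactly like this."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3 and e["AuthPkg"] == "NTLM":
            by_src[e["IpAddress"]].append((parse(e["time"]), e["Computer"]))
    hits = {}
    for src, logons in by_src.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


def new_domain_admins(events, window=timedelta(hours=1)):
    """Pair a 4720 (account created) with a 4728 that adds the same account to
    Domain Admins within `window`; this is the last step of the audit's chain."""
    created = {e["TargetUserName"]: parse(e["time"]) for e in events if e["EventID"] == 4720}
    findings = []
    for e in events:
        if e["EventID"] != 4728 or e["TargetUserName"] != "Domain Admins":
            continue
        rdn = e["MemberName"].split(",")[0]           # "CN=svc_updates"
        member = rdn[3:] if rdn.startswith("CN=") else rdn
        t_created = created.get(member)
        if t_created is not None and timedelta(0) <= parse(e["time"]) - t_created <= window:
            findings.append({"account": member, "by": e["SubjectUserName"]})
    return findings


if __name__ == "__main__":
    for src, hosts in ntlm_fanout(EVENTS).items():
        print(f"NTLM fan-out from {src}: {', '.join(hosts)}")
    for f in new_domain_admins(EVENTS):
        print(f"New Domain Admin '{f['account']}' created and promoted by {f['by']}")
```

Both checks are cheap enough to run against a day's worth of exported events; in a real deployment the 4720/4728 pairing should be keyed on the account SID rather than the display name, and the fan-out threshold tuned so that legitimate management hosts (backup servers, scanners) are allow-listed rather than alerted on.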