FDA Network, Systems Vulnerable to Data Breaches
While an external penetration test of the Food and Drug Administration's computer network and information systems by the Department of Health and Human Services Office of Inspector General did not result in unauthorized access, an IG audit did identify a number of cybersecurity vulnerabilities that could put FDA data at risk.
The purpose of the audit was to determine whether the FDA's network and external web applications were vulnerable to compromise through cyberattacks. What auditors found were vulnerabilities that could lead to unauthorized disclosure or modification of FDA data, or FDA mission-critical systems being made unavailable.
"We identified FDA web pages that did not perform adequate input validation on data entered by the user. Exploitation of this vulnerability could result in malicious input being sent from an attacker to FDA web pages to hijack a user's web browser application, install malicious programs, or redirect users to malicious web pages," states the IG report.
Though auditors were allowed to test the majority of FDA's external web applications, they did not perform penetration testing on seven external systems because the FDA considered these systems to be mission critical and did not want to accept the risk of having them go offline. As a result, the IG could not verify whether security vulnerabilities existed within these systems and whether the vulnerabilities could be exploited to gain unauthorized access to FDA systems and data.
However, the potential dangers are not hypothetical. Last October, before the IG conducted its fieldwork, a wide-scale cybersecurity breach involving an FDA system occurred that exposed sensitive information in 14,000 user accounts.
To prevent these kinds of breaches, the IG recommends that the FDA implement corrective actions to address such vulnerabilities as: inadequate web page input validation; external systems that do not enforce account lockout procedures; a lack of security assessments performed on all external servers; as well as error messages and demonstration programs that reveal sensitive information.
When it comes to error messages, the IG warns that an attacker could use information obtained from the messages, such as software version information, to launch specific attacks against FDA systems, and that these messages can also help attackers pinpoint vulnerabilities on which to focus their attacks.
"In general, we recommended that FDA fix the web vulnerabilities identified, implement more effective procedures to protect its computer systems from cyberattacks, and periodically assess the security of all of its Internet-facing systems," concludes the report. "In written comments to our draft report, FDA indicated that our findings have been addressed by the system owner(s) and remediation actions have been appropriately applied. We have not verified these actions because they took place after our audit period."