For our evaluation of the Bureau of Industry and Security’s (BIS's) detection of and response to cyber incidents, our objective was to assess the adequacy of actions taken by BIS when detecting and responding to cyber incidents in accordance with federal and departmental requirements. We found that (1) BIS lacked effective detection and response capabilities to handle our simulated malicious activities; (2) BIS misconfigured critical security controls for its export control networks; and (3) BIS mishandled classified and other privileged credentials.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to implement an EDR on Network A.
2 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to adopt the threat hunting security control and use existing BIS SOC tools to proactively hunt threats and mitigate malicious or unauthorized network activity.
3 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to establish and implement detailed incident response procedures to detect, contain, eradicate, and recover from threats.
4 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to implement a method to identify and prevent the exfiltration of PII, BII, and other sensitive data from BIS networks.
5 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to properly configure network security devices to prevent unauthorized connections from outside BIS networks.
6 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to properly restrict BIS networks to prevent unauthorized lateral movement between BIS networks.
7 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to implement a security control to allow only approved software on Network B and consider implementing this control for all BIS networks.
8 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to review all BIS user access, for networks and applications, to ensure each user is assigned the correct levels of access according to the principle of least privilege.
9 | Yes | $0 | $0 | We recommend the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to immediately search BIS networks for classified credentials and establish a procedure to regularly search for plain-text credentials.
10 | Yes | $0 | $0 | We recommend that the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to ensure passwords are disabled for all user accounts as soon as operationally possible.
11 | Yes | $0 | $0 | We recommend that the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to establish and implement BIS helpdesk procedures for user access issues, including a user verification process.
12 | Yes | $0 | $0 | We recommend that the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to implement an automated solution to change local administrator credentials after sharing them with BIS users and use different local administrator passwords for each system.
13 | Yes | $0 | $0 | We recommend that the Undersecretary of Commerce for Industry and Security direct BIS’s Chief Information Officer to implement a technical control to generate unique, strong passwords for each account created.
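Recommendation 9 calls for a recurring search of BIS networks for plain-text credentials. The following Python scanner is an added illustration of what such a procedure can look like; it is not from the OIG report and does not describe any BIS tool. The file names, file contents, and detection patterns are all constructed for the example. It reports where a credential-like value sits (file, line, pattern type) while redacting the value itself, so the scan output does not become a second copy of the secret, and it skips environment-variable references and documented placeholders so the report stays actionable.

```python
"""Search text files for plain-text credentials and report redacted findings.

Added example for a recurring credential-search procedure; patterns and
sample files are constructed and are not from any real environment.
"""
import re
from dataclasses import dataclass

# Common ways credentials end up in plain text. The named group "secret"
# is the part that is redacted before reporting.
PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?(?P<secret>[^\s'\"#;]+)"),
    "credential_in_url": re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s/]+)@"),
    "basic_auth_header": re.compile(
        r"(?i)authorization:\s*basic\s+(?P<secret>[A-Za-z0-9+/=]{8,})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Values that are clearly not live secrets: documented placeholders, or
# references to environment variables and templates.
PLACEHOLDERS = {"changeme", "password", "<password>", "xxxxxxxx", "redacted"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never the raw secret


def is_placeholder(value: str) -> bool:
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith(("$", "%", "{{", "<"))


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it; never echo it whole."""
    return secret[:2] + "***" if len(secret) > 4 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.groupdict().get("secret")
                if secret is None:  # pattern has no value to redact (key block)
                    findings.append(Finding(path, line_no, kind, "[private key material]"))
                elif not is_placeholder(secret):
                    findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (stand-in for walking a share)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per pattern type for a management-level summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample files standing in for a file share; not real data.
SAMPLE_FILES = {
    "app/config.ini": "[database]\nhost = db.internal\nuser = svc_export\npassword = Sup3rSecret!\n",
    "deploy/run.sh": "#!/bin/sh\nexport DB_URL=postgres://admin:hunter2@db.internal:5432/export\nPASSWORD=$DB_PASSWORD\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "notes/readme.txt": "Set the password via the PASSWORD env var; default placeholder is changeme.\npassword: changeme\n",
    "ops/curl.log": "GET /api HTTP/1.1\nAuthorization: Basic c3ZjOnBhc3N3b3Jk\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} {f.kind} value={f.redacted}")
    print("summary:", summarize(results))
```

On the constructed sample set the scanner reports four findings (the INI password, the credential embedded in the database URL, the private key block, and the Basic authorization header) and correctly ignores the `$DB_PASSWORD` reference and the documented `changeme` placeholder. In a real procedure the `SAMPLE_FILES` mapping would be replaced by a walk over the shares and hosts in scope, and the findings would feed a ticket for the owning team to remove or rotate the credential.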