Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Labor
Management Advisory Comments Identified in an Audit of the Consolidated Financial Statements, For the Year Ended September 30, 2023
We have completed our fiscal year (FY) 2023 Federal Information Security Modernization Act of 2014 (FISMA) penetration test and vulnerability assessment. The objective of this evaluation was to test and verify the technical implementation of a limited set of security controls on judgmentally selected U.S. Department of Housing and Urban Development (HUD) information systems and applications.
HUD demonstrated successes in securely configuring networks and systems. The local area network (LAN) configurations in the Regional Office we tested ensured that our security testing tools could not operate properly, which prevents unauthorized use of security tools on network-connected devices. We also found that HUD improved its ability to detect active threats. HUD’s security information and event management solution detected one of our simulated malicious activities. Lastly, HUD made progress at addressing known vulnerabilities, as they mitigated a structured query language injection vulnerability on one of the web applications we tested.
Our testing did identify potential security weaknesses within one of the tested systems. We exploited an authentication bypass vulnerability, reducing the effectiveness of HUD's least privilege, non-repudiation, and session auditing controls. Using a nonprivileged account, we discovered a plain text password file from 2003. This password file was not current, but a lack of encryption allowed us to learn password trends of users. We accessed privileged information on a HUD system without a privileged account. We discovered that a select number of HUD usernames can be associated with an employee’s identity, leading to a higher risk of additional attacks.
We discovered some systems used unsupported or end-of-life operating systems. While we discovered strengths in some of HUD’s security posture, this evaluation revealed security weaknesses in one of the systems we tested which HUD should continue to improve.
This report issues recommendations that address the specific weaknesses we discovered. We also offer opportunities for improvement, which will not be formally tracked as recommendations, to help guide HUD in technical system improvements. Continued collaboration between OCIO and program offices will help address weaknesses and improve HUD’s overall security posture. The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
RECOMMENDATION / STATUS / DATE ISSUED / SUMMARY
2023-OE-0001a-01 / Open / December 20, 2023 / The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-02 / Open / December 20, 2023 / The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-03 / Open / December 20, 2023 / The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-04 / Open / December 20, 2023 / The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-05 / Open / December 20, 2023 / The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-06 / Open / December 20, 2023 / The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
Closeout Financial Audit of Feed the Future Guatemala, Coffee Value Chains Project, Managed by Federación de Cooperativas Agrícolas de Productores de Café de Guatemala, Cooperative Agreement 72052018CA00001, January 1, 2022 to February 15, 2023
Investigative Summary: Findings of Misconduct by a then Drug Enforcement Administration Assistant Special Agent in Charge for Having an Inappropriate, Intimate Relationship with a Subordinate, Obstruction, Lack of Candor, and Related Misconduct
This report presents the results of our verification inspection of the U.S. Small Business Administration’s (SBA) corrective actions for the five recommendations from the Office of Inspector General (OIG) evaluation report SBA’s Handling of Identity Theft in the COVID-19 Economic Injury Disaster Loan Program (Report 21-15).
We initiated this verification inspection to determine whether the closed recommendations were fully implemented or if further corrective actions were needed. Accordingly, our objective was to determine the effectiveness of the corrective actions SBA implemented to 1) resolve credit-related issues for Coronavirus Disease 2019 Economic Injury Disaster Loan identity theft victims, 2) charge-off fraudulent loans and remove Uniform Commercial Code filing fees for loans associated with identity theft, and 3) review over 150,000 returned billing statements and resolve any involving identity theft.
We determined OIG Report 21-15 recommendations 1, 2, 3, and 4 to be fully implemented; however, SBA management has not fully implemented recommendation 5. We will track management’s execution by reopening the recommendation and will work with SBA to establish a target date for enacting corrective actions through the audit follow-up process.