The Office of Inspector General (OIG) has found deficiencies in U.S. Immigration and Customs Enforcement’s (ICE) information technology access controls, exposing the agency’s network and IT systems to risks of compromise by potential attackers.
Access controls ensure that only authorized users have job-related access to an organization’s networks, systems, and computer accounts. The Cybersecurity and Infrastructure Security Agency revealed that external attackers had gained access to a Federal agency’s network in February 2022 by exploiting a vulnerability that had been well known since December 2020. Hackers moved throughout the agency’s network, compromised credentials, and then maintained access to the agency to mine cryptocurrency on a U.S. government network. In addition, the 2020 SolarWinds attackers breached cyber defenses to gain access to Federal government networks. Once inside the networks, the attackers successfully set up permissions for themselves to access other programs and applications while remaining undetected. Threats can also come from within an organization, from employees or contractors who use their authorized access to do harm.
OIG said ICE did not consistently implement effective access controls to restrict access to its network and IT systems. The watchdog found that while ICE took a multi-layered approach to managing access for personnel who change positions or leave the component altogether, the agency did not consistently manage or remove access when personnel separated or changed positions. For example, 84 percent of the accounts for separated personnel OIG examined remained active beyond the individual’s last workday. OIG said these 159 accounts for separated personnel remained active because ICE supervisors and system administrators did not correctly follow procedures for disabling the access as required. Additionally, the audit determined that ICE did not monitor and configure privileged user access, service accounts, and access to sensitive security functions as required. According to OIG, these deficiencies stemmed from insufficient internal controls and oversight of user account management and compliance to ensure access controls were administered appropriately and effectively to prevent unauthorized access.
During the course of the audit, officials told OIG that ICE accepted the risk of not implementing all security settings for its IT systems and workstations because it was concerned that these settings negatively impacted system operations. After obtaining OIG’s results, ICE created a Plan of Action and Milestones to address the noncompliance by July 28, 2023.
To strengthen access security controls, OIG is making seven recommendations to ICE:
- Develop and implement processes to remove separated employees’ access to all ICE systems, networks, and applications in accordance with Department of Homeland Security (DHS) policy.
- Develop and implement a process to identify all transferred employees and ensure their user group access is reviewed and verified immediately at the end of their prior position in accordance with DHS policy.
- Develop and implement a repeatable process to conduct and monitor privileged user and service account reviews in accordance with DHS policy.
- Remove the unnecessary privileges that allow additional users to access a sensitive security account.
- Submit requests for waivers or risk acceptance to the DHS Chief Information Security Officer to forgo implementing DHS’ required encryption setting on affected ICE service accounts.
- Develop and implement measures to ensure service account passwords are updated as required.
- Evaluate the vulnerability management program to identify and implement automated tools to help address known vulnerabilities within required timeframes.
ICE agreed with the recommendations and intends to complete work to meet them by July 2024. Some action will be undertaken before then, such as reviewing service accounts to identify those that do not align with DHS policy requirements, and implementing corrective action where necessary.
OIG acknowledged that ICE is taking steps to enhance its access control processes, but warned that until the deficiencies identified in the audit are addressed, ICE’s network and IT systems remain at risk.