Account Privileges ‘Inadequately’ Managed by NOAA on 3 Active Directories
Written by Dave Nyczepir
The National Oceanic and Atmospheric Administration has opened itself up to cyberattacks by “inadequately” managing three active directories and failing to secure “primary targets” like user credentials, according to an audit released Thursday.
The Department of Commerce’s Office of Inspector General found that the National Environmental Satellite, Data and Information Service; the National Weather Service; and the National Marine Fisheries Service all had mismanaged, “excessive” privileged accounts, as well as “vulnerable” end-of-life systems still running.
Some of the vulnerabilities OIG discovered were exploited in the Colonial Pipeline, DarkSide and REvil ransomware attacks, in which hackers gained unauthorized remote access to U.S. entities, and NOAA’s mission to provide forecasts and dangerous-weather warnings is a matter of life or death.
“NOAA’s active directories pose a significantly increased risk of successful cyberattacks,” reads the OIG report. “This illustrates the need for periodic assessments of all NOAA active directories to identify and quickly correct weaknesses.”
The OIG recommended that NOAA’s Chief Information Officer periodically ensure that all Active Directory accounts follow the principle of least privilege, a National Institute of Standards and Technology directive that limits access to the functions required by a user’s roles and responsibilities.
The audit found that 58 accounts on 202 computers had unnecessary local administrative privileges, allowing them to install malware or disable anti-virus software and granting them full access to data. Another 12 users had remote access to computers or the ability to make unintended changes to security settings, issues the Active Directories have begun to resolve.
The OIG further recommended that NOAA’s CIO determine whether operational offices can use the specialized Active Directory security tools it used in its audit for periodic reviews, as well as occasionally ensuring that accounts comply with management requirements by using these tools where possible. The CIO should require compensating controls for service accounts that cannot regularly change passwords, according to the audit.
Indeed, OIG discovered that 296 accounts were enabled but had not been used in the last 60 days, 48 account passwords were older than 90 days, 102 account passwords were not set to expire, and 356 account passwords had never expired, underscoring the lack of uniform NOAA password requirements.
“NOAA has expressed an explicit interest in using specialized security tools – used during the audit – to proactively identify similar Active Directory issues in other NOAA Active Directories,” the report continues. “In addition, NOAA plans to create guidance documentation and compensating controls, which will support preventative measures related to the security weaknesses identified in this report.”
Finally, the OIG recommended that NOAA’s CIO establish plans to upgrade or decommission computers with end-of-life operating systems, after finding 739 computers running vulnerable operating systems. Currently, NESDIS is developing a decommissioning plan; NWS removed its three problematic systems; and NMFS has fixed 576 systems, is processing nine more, and is retaining three because its scientific equipment requires them.
At NOAA’s request, the OIG removed detailed information about specific systems from its report for security reasons. NOAA has until April 4 to submit an action plan to the OIG describing how the three Active Directories intend to complete implementation of the recommendations.
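The account and system categories the audit counted (enabled accounts unused for 60 days, passwords older than 90 days, passwords set never to expire, and computers on end-of-life operating systems) can be reproduced against any domain with the Active Directory PowerShell module. The script below is an added example for readers, not the OIG’s audit tooling or anything NOAA runs; it assumes the RSAT ActiveDirectory module and read access to the domain, uses the audit’s own 60- and 90-day thresholds, and the list of end-of-life operating-system name patterns is an assumption that a practitioner would maintain locally.

```powershell
# Added example (not OIG or NOAA code): Active Directory hygiene checks that
# mirror the audit's findings categories. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read user and computer objects.
Import-Module ActiveDirectory

$InactiveDays       = 60   # threshold used in the audit for unused accounts
$MaxPasswordAgeDays = 90   # threshold used in the audit for old passwords
# Assumption: OS name patterns treated as end-of-life; maintain this list locally.
$EolOsPatterns = @('Windows XP*', 'Windows 7*', 'Windows Server 2008*')

$now = Get-Date

# Enabled user accounts with the attributes needed for the password checks.
$users = @(Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires)

# Enabled but not used within the last 60 days (never-logged-on counts as unused).
$inactive = @($users | Where-Object {
    (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $now.AddDays(-$InactiveDays))
})

# Password last changed more than 90 days ago.
$oldPasswords = @($users | Where-Object {
    $_.PasswordLastSet -and ($_.PasswordLastSet -lt $now.AddDays(-$MaxPasswordAgeDays))
})

# Password flagged never to expire (also caught by Search-ADAccount -PasswordNeverExpires).
$neverExpires = @($users | Where-Object { $_.PasswordNeverExpires })

# Enabled computers whose reported operating system matches an end-of-life pattern.
$computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem)
$eolComputers = @(foreach ($c in $computers) {
    foreach ($pattern in $EolOsPatterns) {
        if ($c.OperatingSystem -like $pattern) { $c; break }
    }
})

# Summary in the same shape as the audit's counts.
[pscustomobject]@{
    EnabledUsers             = $users.Count
    InactiveOver60Days       = $inactive.Count
    PasswordOlderThan90Days  = $oldPasswords.Count
    PasswordNeverExpires     = $neverExpires.Count
    EnabledComputers         = $computers.Count
    EndOfLifeOperatingSystem = $eolComputers.Count
}

# Detail lists for the remediation owners; paths are placeholders.
$inactive     | Select-Object SamAccountName, LastLogonDate      | Export-Csv .\inactive-users.csv -NoTypeInformation
$oldPasswords | Select-Object SamAccountName, PasswordLastSet    | Export-Csv .\old-passwords.csv -NoTypeInformation
$neverExpires | Select-Object SamAccountName                     | Export-Csv .\never-expires.csv -NoTypeInformation
$eolComputers | Select-Object Name, OperatingSystem              | Export-Csv .\eol-computers.csv -NoTypeInformation
```

Run it from a workstation with the RSAT tools under a read-only account; the summary object gives the counts the audit reported per directory, and the CSVs give the per-object lists that the recommended periodic reviews need. Service accounts that legitimately cannot rotate passwords will appear in the old-password and never-expires lists, which is the point at which the compensating controls the audit calls for should be documented against each one.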
NOAA endorsed these recommendations in a letter dated January 19.
“We thank the OIG for highlighting areas for improvement and benchmarking specific tools to improve our security posture,” the letter read. “We are actively working to respond to the findings and are working on business solutions that will help fully address the findings and recommendations.”