The United States Patent and Trademark Office (USPTO) did not properly manage its Active Directory, leaving multiple vulnerabilities and showing little improvement from previous audits of the agency’s cybersecurity posture, according to a Department of Commerce Office of Inspector General (IG) report released June 13.
The inspector general’s report found that Active Directory was poorly configured: users were granted excessive permissions, there was no review process in place to remove permissions that were no longer needed, and users were not separated based on their job functions. Additionally, around 200 of the 30,000 account passwords were stored with weak encryption, including some privileged accounts. The inspector general’s office was able to gain access to all of them within 50 minutes, the report noted.
While cracking the encryption, the inspector general’s office also found that 97 percent of passwords did not comply with department policy. While USPTO has a password policy enforcement tool for newer systems, it remains incompatible with legacy systems, leaving them “very susceptible to cyberattack.”
In addition to the directory’s configuration, the domain controllers that support Active Directory also suffered from cyber vulnerabilities. Vulnerability scans were often skipped or performed with outdated tools that couldn’t detect new attacks, and hypervisors were scanned rarely, leaving virtual machines at risk.
“These deficient scanning practices are the result of two shortcomings: (1) USPTO did not have a formal, documented standard operating procedure for performing and managing scans, and (2) there was a lack of government contractor oversight,” the report finds.
Patching also emerged as a weakness at USPTO, with critical and high vulnerabilities being left unfixed due to “a cumbersome process for testing patches prior to deploying them to production.” Ports were also not well managed, as every documented port was authorized to be open and 14 unneeded ports were open on domain controllers – “characteristic of malicious activity” – the report stated.
USPTO’s cyber issues are not new to the agency either.
“We found recurring security practice weaknesses noted previously in our March 2017 audit report. In that earlier report, we specifically pointed out the security weaknesses relating to vulnerability scanning and port management, and made recommendations for USPTO to take corrective actions. However, we have now observed that the same inadequate security practices still exist,” the inspector general noted.
The report makes eight recommendations to USPTO’s CIO, including removing unneeded privileges, ensuring all passwords meet department policy, finalizing the vulnerability scanning standard operating procedure, and streamlining the patch management review policies. USPTO agreed with all the recommendations.