The Department of Commerce (DOC) Office of Inspector General (OIG) reported that the Census Bureau was hacked in early 2020 via a publicly available exploit. But the attack was only partially successful in that the attackers’ attempts to maintain access to the system by creating a backdoor in the affected servers were unsuccessful.
According to the OIG, the attack on the servers began Jan. 11, 2020, and targeted servers that “provide the Bureau with remote-access capabilities for its enterprise staff to access the production, development, and lab networks.”
Once the servers had been exploited, the Bureau didn’t discover and report the incident in a timely manner, the OIG said. In addition, the Bureau did not maintain sufficient system logs, which hurt the incident investigation.
“Following the incident, the Bureau did not conduct a lessons-learned session to identify improvement opportunities,” the OIG wrote. “We also found that the Bureau was operating servers that were no longer supported by the vendor.”
The OIG made recommendations for the Director of the Census Bureau and the Bureau’s CIO, including:
- Implementing procedures to notify relevant system personnel when critical vulnerabilities are publicly released;
- Reviewing and updating vulnerability scanning lists to ensure all network-addressable IT assets are identified for vulnerability scanning, and document all exceptions as part of the process;
- Ensuring all network-addressable IT assets are scanned using credentials when feasible;
- Reviewing automated alert capabilities of the Bureau’s security information and event management tool to ensure similar attacks can be identified in the future;
- Ensuring incident responders comply with departmental and Bureau requirements to report confirmed computer security incidents to the Enterprise Security Operations Center (ESOC) within one hour;
- Incorporating periodic reviews of the Bureau’s system log aggregation configurations to ensure all network-addressable IT assets are correctly configured;
- Updating Bureau incident response policies to include a timeframe prescribing when to conduct a review of lessons learned; and
- Establishing a plan with milestones that will prioritize decommissioning of end-of-life products.
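Two of the recommendations above are coverage checks: every network-addressable asset should appear in the vulnerability scanner's target list (scanned with credentials where feasible, with any exception documented) and should forward logs to the aggregation tier, so that a gap like the one that hampered this investigation is caught before an incident rather than after. The script below is an added example, not the article's or the OIG's material; the asset inventory, scanner configuration, exception list and log-source list are constructed sample data with hypothetical hostnames, standing in for what a CMDB, scanner API and SIEM source list would supply.

```python
"""Added example: reconcile an asset inventory against vulnerability-scan
scope and log-forwarding configuration, reporting every gap a reviewer
would need to close or document. All inputs are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed inventory: hostname -> role (hostnames are hypothetical).
INVENTORY: Dict[str, str] = {
    "vpn-gw-01": "remote-access",
    "vpn-gw-02": "remote-access",
    "lab-build-07": "lab",
    "dev-web-03": "development",
    "prod-db-01": "production",
}

# Constructed scanner target list: hostname -> credentialed scanning enabled?
SCAN_TARGETS: Dict[str, bool] = {
    "vpn-gw-01": True,
    "lab-build-07": False,
    "dev-web-03": True,
    "prod-db-01": True,
}

# Constructed documented exceptions: hostname -> justification (ticket id is a placeholder).
SCAN_EXCEPTIONS: Dict[str, str] = {
    "lab-build-07": "uncredentialed by design; see EXCEPTION-TICKET-PLACEHOLDER",
}

# Constructed set of hosts currently forwarding logs to the aggregation tier.
LOG_SOURCES: Set[str] = {"vpn-gw-01", "dev-web-03", "prod-db-01"}


@dataclass
class CoverageReport:
    """Gaps found by the reconciliation, each as a sorted list of hostnames."""
    unscanned: List[str] = field(default_factory=list)
    uncredentialed_without_exception: List[str] = field(default_factory=list)
    not_forwarding_logs: List[str] = field(default_factory=list)
    stale_exceptions: List[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.unscanned or self.uncredentialed_without_exception
                    or self.not_forwarding_logs or self.stale_exceptions)


def reconcile(inventory: Dict[str, str], scan_targets: Dict[str, bool],
              scan_exceptions: Dict[str, str], log_sources: Set[str]) -> CoverageReport:
    """Compare the inventory against scanner scope and log sources.

    An asset is flagged if it is missing from the scan list, if it is scanned
    without credentials and no documented exception covers it, or if it does
    not forward logs. Exceptions are flagged as stale when they reference an
    asset that is no longer in inventory or that is now credentialed-scanned,
    so the exception list itself stays reviewable.
    """
    report = CoverageReport()
    for host in sorted(inventory):
        if host not in scan_targets:
            report.unscanned.append(host)
        elif not scan_targets[host] and host not in scan_exceptions:
            report.uncredentialed_without_exception.append(host)
        if host not in log_sources:
            report.not_forwarding_logs.append(host)
    for host in sorted(scan_exceptions):
        if host not in inventory or scan_targets.get(host):
            report.stale_exceptions.append(host)
    return report


if __name__ == "__main__":
    result = reconcile(INVENTORY, SCAN_TARGETS, SCAN_EXCEPTIONS, LOG_SOURCES)
    for label, hosts in (
        ("not in scan scope", result.unscanned),
        ("uncredentialed, no documented exception", result.uncredentialed_without_exception),
        ("not forwarding logs", result.not_forwarding_logs),
        ("stale exceptions", result.stale_exceptions),
    ):
        for host in hosts:
            # Remote-access hosts are the class of server compromised in this incident.
            flag = " [remote-access]" if INVENTORY.get(host) == "remote-access" else ""
            print(f"{label}: {host}{flag}")
    print("coverage clean" if result.is_clean() else "coverage gaps found")
```

With the sample data the second remote-access gateway is reported as both unscanned and not forwarding logs, while the lab host's uncredentialed scan is accepted because an exception documents it. Running this against real inventory and configuration exports on a schedule is one way to operationalise the "periodic reviews" the OIG asked for.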
OIG also recommended that the Deputy Secretary of Commerce ensure that Commerce’s CIO develops ESOC procedures for handling alerts from outside entities, so that such information is conveyed to department operating units in a timely manner.
“On July 12, 2021, and July 19, 2021, we received the Bureau’s and Department’s responses, respectively, to the draft report’s findings and recommendations,” OIG wrote. “In response to our draft report, the Bureau and Department concurred with all nine recommendations and described both completed and planned actions to address each recommendation.”