
Middle Georgia State University Information Technical Graduate School

Department of Homeland Security Information Assurance and Cybersecurity potential flaws
A survey based on Evaluation of DHS’ Information Security Program for FY 2017

Zachary Standridge
Findings
After reviewing this article and report, I have decided that the most important aspects which need to be addressed are the maintenance of the network/hardware and the lack of a proper leadership matrix. There are other aspects included within the official report which are a high priority as well, but with proper changes they would be immediately alleviated after my proposed changes take effect.

When looking at maintenance issues, having machines that fall outside the company/agency standard still working within the network is an absolutely impossible legacy means of doing things if proper security is to be ensured for the country. This issue includes out-of-standard machines and software working within the network, a complete lack of security patches after being notified that they have been found lacking, the use of Microsoft server products whose security updates from the company have been discontinued, and last but definitely not least, a companywide dependency upon the Program Managers for checking on software licensing compliance every period, who may not complete the check within the time period due to a new agency policy of swapping personnel from one department to another and massive understaffing.

The second issue which was found to be very large and looming is a lack of sound and steady leadership/employee workplace standards. The current political climate has brought a swapping of leadership: the Head of DHS, John Kelly, was in office for 190 days, Mrs. Duke 128 days, Mrs. Nielsen a year and a half, with a new head being appointed on the 12th of this month. The Chief Information Officer of Homeland Security, Mr. Staropoli, resigned after just 3 months, at the same time that Jeff Eisensmith, the chief technical officer, retired. This would not be an issue except that the department has a policy that each leader is responsible for making sure that policies are followed; since they are not in office long enough for the calendar time span to come around, the clock is reset, leading to a shortcoming in upkeep of the security policies. Adding onto the issue of a revolving-door leadership, some protocols from the former DHS CIO have created issues. Mr. Eisensmith installed a system called Information Security Continuous Monitoring (ISCM), which is a bottom-to-top informational flow system with approval for updates coming from the higher leadership. In discovery, it was found that the main Security Operations Center is currently being staffed by a contracted company which runs the center in the name of DHS, not by Homeland Security staff themselves. The contractors are responsible for all security decisions. In 2008, this contract was awarded to Verizon Telecommunications. The third aspect of leadership which was discovered to be lacking is that before he left, Staropoli made some department-wide decisions which have not been rolled back or changed, according to the information available at this time. He wanted to streamline the department-wide IT staff by moving them all onto one floor of one building, a “trader floor” mentality. This short staffing, along with abrupt additions to each person’s workload while training them on new responsibilities, is a hole which could allow security holes that would otherwise be seen by a trained employee. On top of making some serious organizational errors, Staropoli also created his own potential flaws within the department by not taking the time to properly vet applications for cloud safety before sending them out to employees, on the belief that it was a waste of time to ensure their safety.

What can happen


With a lack of set-in-stone maintenance routines and a serious disregard for keeping the network or machines within proper department-wide standards, there are a couple of things that an attacker would do. If I were the attacker and found an out-of-standard server, I would try to gain access to a UCCP account. Most of the time these accounts are generalized for access across different regions. If I could get the password, I would then create my own account with system admin rights, edit the password file so that no one else could use it, go on LinkedIn and find someone who works for DHS in the IT department and name the account after them using the naming scheme, so that just by looking through the user accounts it would blend in, then start monitoring traffic and selling it to the highest bidder. Having access to the department network with admin rights could be useful for sending out my own data to the clients. I would send out falsified credential emails with information that could lead to an actual physical-world penetration, with the attacker being welcomed in by security; from within the network I could also use the exploited server as a home base to launch attacks on other servers. Since there are documented unpatched servers and, more importantly, servers which are no longer being serviced by Microsoft, this would/should bring in more attacks. “If” I were to take one over, the very first thing after creating my own account, deleting the logs, and covering my tracks would be to fix the hole that I came in through in the first place, if possible. Having someone else in the system making noise, since this is such an important department, could lead to my own exploits being seen.

Having a revolving door when it comes to executive leadership, together with an exploited server with access to personnel files, could be used to create a physical security breach. Everyone is constantly seeing new management coming and going, so seeing a new face would not be out of the ordinary. In politics, being associated with cybersecurity is the new hot addition to the resume while not actually bringing anything to the table. This has its own problems, because these people make the decisions which are going to lead to problems, such as Staropoli rushing new cloud-based applications before proper testing for security. Having a commercial entity contracted to run the hub of our nation’s cybersecurity operations center can lead to problems. When a company accepts a contract, they are allowed to make changes to procedures, have access to past data, and have control over database policies. Verizon has been shown not to update their hardware as expected. This was shown to be not just what could happen but what will happen, since in 2019 they did not update a FIOS server controlling login credentials. When servers such as these lose integrity, they can open up a wide variety of issues. Once within a company’s firewall, installing backdoors on various machines would be easily done.

Recommendations

When dealing with governmental agencies, redundancy should be the word which everyone knows and subscribes to. My proposal for fixing all of the non-leadership issues would be utilizing the Information Security Oversight Office (ISOO) as a means of monitoring the policies which should be enforced but aren’t. The ISOO is already responsible for the government classification system. The report noted many times that there are many security holes from systems not being kept within standards, due to a wide range of reasons. Having the ISOO monitor the departments which work within CONUS would allow for a check on the employees who may or may not even be there in the future due to more cutbacks. Since contractors are an accepted method of staffing the control center, I propose a yearly red team audit of cybersecurity within the DHS. This would bring in new ideas and methodologies for future security policies to be molded after. While having contractors working on a site is not necessarily a bad business process, it can and has led to some rather unpleasant outcomes. My proposal for this issue is that instead of using civilians, use the already vetted and ambitious members of the military as support staff. There is a huge surplus of underworked IT staff from each branch of the military that can take up the slack in the control center under DHS civilian management. This wouldn’t be a joint venture but would act as a training easement from military life into a governmental service job.
