The National Oceanic and Atmospheric Administration (NOAA) inadequately managed three active directories, increasing the risk of cyberattacks and jeopardizing NOAA’s ability to accomplish its mission.
The U.S. Department of Commerce’s Office of Inspector General (OIG) found that these active directories had inadequate account management and ran vulnerable end-of-life (EOL) operating systems. Active directories are critical components of NOAA’s IT infrastructure, and by the nature of their role they hold sensitive information, such as users’ credentials and network topologies, which makes them prime targets for cyberattacks. Auditors examined the directories of the National Environmental Satellite, Data, and Information Service, the National Weather Service, and the National Marine Fisheries Service.
The audit noted that all three active directories had improper account management, including account passwords that were not set to expire and no uniform password requirements for service accounts.
“Account management is a critical facet of an organization’s security posture because a single account can potentially act as a gateway to IT resources and increase the risk for cyberattacks,” the audit noted.
Additionally, on all three directories, OIG found accounts with excessive privileges. One of the primary roles of an active directory is managing access privileges; according to the National Institute of Standards and Technology, the privileges granted must be limited to what users’ roles and responsibilities require.
The audit also found 739 computers running vulnerable EOL operating systems. EOL operating systems no longer receive security updates and often have critical security flaws, so the Commerce Department requires bureaus to manage and fund replacements for EOL hardware and software.
The audit laid out five recommendations for NOAA to address these vulnerabilities within their directories:
- Establish processes and procedures to periodically review all active directory accounts to ensure consistent adherence to the principle of least privilege per Department policy.
- Determine the feasibility of requiring all NOAA line offices to use specialized active directory security tool(s) to conduct periodic reviews.
- Establish procedures to periodically review active directories and ensure compliance with account management requirements as stated in the Department’s policy and following industry best practices. If feasible, utilize specialized active directory security tool(s) to conduct periodic reviews.
- Establish policies or procedures to require compensating controls for service accounts that cannot have regular password changes.
- Establish decommission plans with milestones to prioritize and expedite upgrading or retiring computers with EOL operating systems.
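As an added, defender-side illustration of the periodic review these recommendations call for (this script is not from the OIG report or from NOAA), the following PowerShell script uses the RSAT ActiveDirectory module to produce a review file covering the three finding areas: enabled accounts whose passwords never expire (with likely service accounts tagged separately so a compensating control can be confirmed for each), users who are members of privileged groups, and computers whose operating system matches an end-of-life pattern list. The privileged group names, the `svc-*` naming convention used to spot service accounts, the 90-day age threshold, and the EOL pattern list are assumptions to be adapted to the domain and to the vendor's current lifecycle dates.

```powershell
#Requires -Modules ActiveDirectory
# Added illustration, not NOAA's or the OIG's tooling: a read-only periodic Active Directory
# review covering the audit's three finding areas. Run from a workstation with RSAT and
# read access to the domain; the output is a CSV plus an on-screen summary.
param(
    [int]$MaxPasswordAgeDays = 90,                 # assumption: threshold for a "stale" non-expiring password
    [string]$ServiceAccountPattern = 'svc-*',      # assumption: local naming convention for service accounts
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                    'Administrators', 'Account Operators'),
    # assumption: replace with the vendor's current end-of-life list for this environment
    [string[]]$EolOsPatterns = @('Windows Server 2008*', 'Windows Server 2012*',
                                 'Windows XP*', 'Windows 7*'),
    [string]$ReportPath = ".\ad-review-$(Get-Date -Format 'yyyyMMdd').csv"
)

Import-Module ActiveDirectory
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Category, [string]$Object, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Object = $Object; Detail = $Detail })
}

# 1. Account management: enabled accounts whose passwords never expire.
#    Likely service accounts (SPN present or name matches the pattern) are tagged separately
#    so the reviewer can confirm a compensating control (gMSA, vaulting, restricted logon).
$neverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordLastSet, ServicePrincipalName, LastLogonDate
foreach ($u in $neverExpires) {
    $ageDays = if ($u.PasswordLastSet) { [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays } else { -1 }
    $isService = ($u.ServicePrincipalName.Count -gt 0) -or ($u.SamAccountName -like $ServiceAccountPattern)
    $category = if ($isService) { 'ServiceAccountNoExpiry' } else { 'UserPasswordNeverExpires' }
    $flag = if ($ageDays -lt 0 -or $ageDays -gt $MaxPasswordAgeDays) { 'STALE' } else { 'ok' }
    Add-Finding $category $u.SamAccountName "password age ${ageDays}d ($flag); last logon $($u.LastLogonDate)"
}

# 2. Least privilege: every user that is, directly or through group nesting, a member of a
#    high-privilege group. Each entry is reviewed against the person's actual role.
foreach ($group in $PrivilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $acct = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, PasswordNeverExpires
            Add-Finding 'PrivilegedGroupMember' $acct.SamAccountName `
                "member of '$group'; last logon $($acct.LastLogonDate); PasswordNeverExpires=$($acct.PasswordNeverExpires)"
        }
    } catch {
        Add-Finding 'ReviewError' $group $_.Exception.Message   # e.g. the group does not exist in this domain
    }
}

# 3. End-of-life operating systems: enabled computer objects whose OS string matches the
#    EOL list. LastLogonDate helps separate live hosts from forgotten objects.
$computers = Get-ADComputer -Filter { Enabled -eq $true } -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate
foreach ($c in $computers) {
    foreach ($pattern in $EolOsPatterns) {
        if ($c.OperatingSystem -like $pattern) {
            Add-Finding 'EndOfLifeOS' $c.Name "$($c.OperatingSystem) ($($c.OperatingSystemVersion)); last logon $($c.LastLogonDate)"
            break
        }
    }
}

# Write the evidence file and print a per-category count for the review record.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$findings | Group-Object Category | Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize
Write-Host "Wrote $($findings.Count) findings to $ReportPath"
```

The script only reads the directory, so it can be scheduled as the recurring review the recommendations describe; the CSV it writes is the artifact a reviewer signs off on, and the `ServiceAccountNoExpiry` rows are the ones that need a documented compensating control rather than a password change.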
NOAA concurred with all five recommendations and submitted the actions it has taken, or will take, to address them.