Failure To Adequately Protect Sensitive Data on Thousands of U.S. Department of the Interior Laptop Computers

Report Information

Date Issued
Report Number
ISD-IN-MOA-0004-2014-H
Report Type
Management Advisory
External Entity
Departmentwide
Description
As part of our “Evaluation of the Cyber Security of the Department of the Interior’s Mission-Critical Information Technology Systems” (No. ISD-IN-MOA-0004-2014), we evaluated selected information technology (IT) security controls to determine whether the controls were implemented correctly, operating as intended, and producing the desired outcome of protecting U.S. Department of the Interior (Department) computer systems and data. We found that nearly 15,000 encrypted laptop computers did not use pre-boot authentication, potentially exposing any sensitive data stored on them to unauthorized access through direct memory access attacks if the laptops were lost or stolen. 
 
Moreover, the extent of the potential IT security breach is not limited to sensitive data on a lost or stolen laptop. For example, a cyber attacker in control of one of the thousands of laptops could potentially use data stored on it, such as cached usernames and passwords, to gain unauthorized access to the Department’s computer networks and systems. Once inside the Department’s computer network, the cyber attacker could potentially disrupt bureau operations and steal sensitive data. Thus, the Department’s ineffective implementation of full-disk encryption could not only result in the loss of sensitive data on a compromised laptop but could also enable a breach of bureau networks and systems, potentially resulting in severe adverse effects on Department IT assets, operations, and individuals. This control deficiency occurred because bureau officials changed the default setting on the Department’s encryption software from pre-boot to post-boot authentication without conducting a valid risk assessment.
 
In August 2015, we provided a briefing to the Department’s Office of the Chief Information Officer and the Bureau Assistant Directors of Information Resources to introduce this finding and request additional information regarding its extent and possible impact. The briefing included detailed information regarding the processes and tools we used to successfully decrypt sample hardware provided by the Department. The Department reported that 14,426 of 40,695 laptops (35 percent) across all bureaus and offices were not configured to require pre-boot authentication. Over the last 3 years, the Department has documented 64 incidents in which laptop drives that did not enforce pre-boot authentication were lost or stolen. As of November 16, 2015, the Department has reduced the number of misconfigured laptops to 11,593.
 
We recommended that the Department’s Chief Information Officer mandate the use of pre-boot authentication on all laptops and implement a monitoring and enforcement program that mitigates noncompliant systems. 
Joint Report
No
Agency Wide
Yes