Insider hacking and the Coast Guard

Is the United States Coast Guard, a key San Diego player in the battle against drug smuggling and human trafficking from Mexico, setting itself up for computer attacks mounted by its own most trusted employees?

So concludes a March 27 audit of the service's gaping information system vulnerabilities by the Inspector General's office of the Department of Homeland Security.

With billions of dollars tied up in illicit border traffic, it is well known among the feds that substantial bribes can be had from major smugglers for politicos and law-enforcement types with the ability to penetrate data networks.

"Trusted insiders could be given elevated access to mission-critical assets, including personnel, facilities, information, equipment, networks, or systems. Potential threats can include damage to the United States through espionage, terrorism, and unauthorized disclosure of national security information," says the audit document.

"Trusted insiders may also be aware of weaknesses in organizational policies and procedures, as well as physical and technical vulnerabilities in computer networks and information systems."

According to the audit, "In the wrong hands, insiders use this knowledge to facilitate malicious attacks on their own or collude with external attackers to carry out such attacks."

The situation has grown worrisome enough, the report says, that a formal charter was signed in February 2012 to set up the "Coast Guard Insider Threat Working Group to serve as a focal point for addressing insider threat issues."

As a result, some security holes, discovered during a review at Coast Guard headquarters in Washington DC and the air station at Ronald Reagan National Airport, have been plugged, but serious problems remain, the investigation found.

"Our technical testing demonstrated that unauthorized removable media devices can be connected to [Coast Guard computer] assets and used to remove simulated sensitive information," the auditors said. "Using login accounts supplied by USCG, we were able to transfer simulated sensitive information to and from [computer] assets using unauthorized removable media devices at multiple [Coast Guard] locations."

In addition, the audit showed "that simulated sensitive information could be sent from a USCG issued email account to an external personal email account. The failure to prevent the unauthorized removal or transfer of sensitive information through email provides a malicious insider the opportunity to carry out such an attack, making it difficult for an organization to protect itself."

The auditors added that they had "found external hard drives that were unattended and not properly locked and secured."

"When external hard drives are not properly secured, the risk of unauthorized access or theft from insiders increases." Besides that, wireless routers and laptops were found to be lying loose around the offices, according to the report.

Detection of possible on-staff miscreants has also been neglected, the document says, with a serious time lag in conducting "insider threat based security awareness training."

The Coast Guard's Counterintelligence Service is taking until September 30 of this year to finish the job, the audit notes.

"Until such training is fully implemented, USCG employees may not be aware of or have the knowledge to recognize insider threat behavior, or the appropriate process to report potential insider threats or actual attacks."