OIG audit shows consumer applications are insufficiently protected
Dan Gunderman (dangun127)
July 23, 2021
U.S. Customs and Border Protection has not always adequately protected its Mobile Passport Control applications, leaving travelers' personally identifiable information vulnerable to exploitation, according to a new report from the Department of Homeland Security Office of the Inspector General.
CBP, which is responsible for protecting traveler data from cybersecurity threats, oversees six MPC applications designed to speed up the primary inspection process for millions of travelers. The OIG audit, conducted from March 2020 to April 2021, produced eight recommendations for improving the program's security hygiene.
CBP did not scan 91% of the app updates released between 2016 and 2019 for vulnerabilities, as required, the OIG found. Instead, CBP relied on the app developers' own update process, but the agency was not always made aware that updates had been released, according to the report.
In addition, CBP did not complete seven security and privacy compliance reviews of the applications, as required by the MPC Privacy Impact Assessment, because it did not obtain the necessary information, "had competing priorities and failed to ensure application developers create a process required to perform mandatory internal audits," the OIG says.
The OIG also found that CBP did not apply the specific hardware and software configuration settings to MPC servers that DHS policy requires in order to protect them from known vulnerabilities. CBP "mistakenly believed it could phase in the parameters," the report said.
"Unless CBP addresses these cybersecurity vulnerabilities, MPC applications and servers will remain vulnerable, putting travelers' PII at risk of exploitation," the OIG concludes.
More than 10 million travelers used the apps between July 2017 and December 2019, according to the report.
The OIG recommended that CBP take eight steps to improve its cyber resilience:
- Scan all applications before they are released, and scan updated versions as well;
- Codify the scanning process and define the roles and responsibilities needed to carry it out, and have specialists from the CBP Office of Information and Technology review all application scan results;
- Perform the required security and privacy compliance reviews, track the reviews and store the documentation centrally;
- Ensure that the responsible offices receive all the information they need from the developers to complete the "requirements traceability matrix" questionnaire;
- Develop the capability to review access logs, define a periodic review schedule and perform the required reviews;
- Have the Executive Director of the Office of Privacy and Diversity complete the required privacy assessment review;
- Develop a process for conducting internal audits;
- Adhere to DHS policy and fully implement the control categories of the Defense Information Systems Agency Security Technical Implementation Guides on the servers supporting the MPC program.
CBP agreed with all eight recommendations.
CBP forms an oversight team
In a June memorandum to the OIG, a senior CBP official said: "In support of our mission, CBP has engaged with non-government entities in the development of commercial, market-based mobile passport control applications to expedite travelers through the primary inspection process.
"Third-party developers have created, maintained and operated the MPC applications, which transmit personally identifiable information about travelers prior to their arrival at participating ports of entry. While the security of these applications is ultimately the responsibility of the vendors, CBP recognizes the need for dedicated oversight efforts to continue operations and ensure compliance with security policy and regulations."
CBP says it will form an oversight team in fiscal year 2022 to monitor the MPC applications and help keep travelers' personal information safe.
DOD and DHS collaboration
The MPC findings come a week after the release of another report suggesting that greater cooperation is needed between the Department of Defense and the Department of Homeland Security to ensure that critical U.S. infrastructure is protected against cyber threats (see: DOD and DHS Need More Collaboration on Cybersecurity Issues).
That report recommends that DOD and DHS fulfill the obligations outlined in an earlier memorandum, including detailing how they would respond to a variety of cyber threats affecting critical infrastructure.