This is a computer translation of the original webpage. It is provided for general information only and should not be regarded as complete nor accurate. Close Disclaimer
Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

Https

The site is secure.
The https:// that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Summary Report for Fiscal Year 2016 OIG Penetration Testing of Four HHS Operating Division Networks

12-07-2017 | Audit (A-18-17-08500) | Complete Report | | Report in Brief

We conducted a series of OIG audits at four HHS Operating Divisions (OPDIVs) using network and web application penetration testing to determine how well HHS systems are protected when subject to cyberattacks.

Our objectives were to determine whether security controls are effective in preventing certain cyberattacks, the likely level of sophistication an attacker needs to compromise systems or data, and HHS OPDIVs' ability to detect attacks and respond appropriately.

During fiscal year 2016, we conducted tests at four HHS OPDIVs. We contracted with Defense Point Security (DPS) to provide knowledgeable subject matter experts to conduct the penetration testing on behalf of OIG. We closely oversaw the work performed by DPS, and testing was performed in accordance with agreed-upon Rules of Engagement between OIG and the OPDIVs.

On the basis of the systems we tested, we determined that security controls across the four HHS OPDIVs needed improvement to more effectively detect and prevent certain cyberattacks. End of
Translation Click to Translate text after this point During testing, we identified configuration management and access control vulnerabilities.

We shared with senior-level information technology personnel the common root causes for the vulnerabilities we identified across the OPDIVs we tested. We provided actionable information regarding HHS's cybersecurity posture, information on common vulnerabilities across OPDIVs, recommendations and strategies to mitigate exploited weaknesses, key indicators to better identify signs of attack or compromise, and lessons learned during testing.

We would like to thank HHS and its OPDIVs for the cooperation we received throughout the penetration testing.

We provided to HHS a restricted rollup report of the four OPDIVs. The report included six observations, and HHS was asked to respond with proposed corrective actions.

In written comments on our draft summary report, HHS in general concurred with all six of our observations in the draft report. The four HHS OPDIVs that were part of the penetration testing generally concurred with our summary findings and conveyed that the vulnerabilities identified were corrected or were in the process of being corrected. We did not validate the OPDIVs' corrective actions.

Filed under: General Departmental