We have completed our fiscal year (FY) 2023 Federal Information Security Modernization Act of 2014 (FISMA) penetration test and vulnerability assessment. The objective of this evaluation was to test and verify the technical implementation of a limited set of security controls on judgmentally selected U.S. Department of Housing and Urban Development (HUD) information systems and applications.
HUD demonstrated successes in securely configuring networks and systems. The local area network (LAN) configuration in the Regional Office we tested prevented our security testing tools from operating properly, which also prevents unauthorized use of such tools on network-connected devices. We also found that HUD improved its ability to detect active threats: HUD’s security information and event management (SIEM) solution detected one of our simulated malicious activities. Lastly, HUD made progress in addressing known vulnerabilities, mitigating a structured query language (SQL) injection vulnerability on one of the web applications we tested.
Our testing did identify potential security weaknesses within one of the tested systems.
- We exploited an authentication bypass vulnerability, reducing the effectiveness of HUD's least privilege, non-repudiation, and session auditing controls.
- Using a nonprivileged account, we discovered a plain text password file from 2003. This password file was not current, but a lack of encryption allowed us to learn password trends of users.
- We accessed privileged information on a HUD system without a privileged account.
- We discovered that a select number of HUD usernames can be associated with an employee’s identity, leading to a higher risk of additional attacks.
- We discovered some systems used unsupported or end-of-life operating systems.
While we found strengths in parts of HUD’s security posture, this evaluation revealed security weaknesses in one of the systems we tested that HUD should continue to address. This report issues recommendations that address the specific weaknesses we discovered. We also offer opportunities for improvement, which will not be formally tracked as recommendations, to help guide HUD in technical system improvements. Continued collaboration between the Office of the Chief Information Officer (OCIO) and program offices will help address these weaknesses and improve HUD’s overall security posture.
The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
Recommendations
Chief Information Officer
- 2023-OE-0001a-01 (Sensitive)
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2023-OE-0001a-02 (Sensitive)
- 2023-OE-0001a-03 (Sensitive)
- 2023-OE-0001a-05 (Sensitive)
- 2023-OE-0001a-06 (Sensitive)
Policy Development & Research
- 2023-OE-0001a-04 (Sensitive)