The U.S. Department of Housing and Urban Development (HUD) Office of Inspector General (OIG) conducted penetration testing concurrently with our fiscal year 2024 Federal Information Security Modernization Act of 2014 (FISMA) evaluation. The objective of the penetration testing evaluation was to test the technical implementation of a limited set of security controls for a selection of HUD information systems and applications: the Office of Housing’s Federal Housing Administration Catalyst system, the Office of the Chief Financial Officer’s Line of Credit Control System (LOCCS), the Office of Community Planning and Development’s Disaster Recovery Grant Reporting (DRGR) system, and the Office of Public and Indian Housing’s National Standards for the Physical Inspection of Real Estate (NSPIRE) system.
Our assessment identified nine significant weaknesses related to data protection and website security, underscoring the need to strengthen technical security controls. To address these findings, we provide 13 new recommendations, which will be formally tracked by our office, and 7 opportunities for improvement. These recommendations are designed to enhance HUD’s IT security posture by preventing unauthorized data access, ensuring the integrity and confidentiality of sensitive information, and protecting against web-based threats.
OIG has determined that this report contains sensitive information and is therefore not appropriate for public disclosure.
Recommendations
Chief Information Officer
- 2024-OE-0002a-01: HUD OCIO should block access to commonly used cloud storage URLs that are not associated with a verified business need.
- 2024-OE-0002a-02: HUD OCIO should mitigate the risk of data exfiltration and block the use of external storage devices, such as optical drives, cell phones, and tablets, that have not been formally approved for use based on a verified business need.
- 2024-OE-0002a-03: HUD OCIO should enhance data loss prevention configurations and continue efforts to implement user and entity behavior analytics solutions. Both solutions should be appropriately configured to effectively identify and prevent the exfiltration of sensitive data, including PII, while addressing the limitations of pattern-based detection methods.
- 2024-OE-0002a-04: HUD OCIO should conduct an assessment, including tests of existing controls, to identify gaps in network traffic monitoring coverage and develop plans to address these gaps.
- 2024-OE-0002a-05: HUD OCIO should conduct an assessment to evaluate the potential for data exfiltration from non-GFE devices and implement appropriate controls to address the identified risks. Such controls could include blocking the use of non-GFE devices, limiting data access for sensitive fields during remote access, prohibiting the download of sensitive data to non-GFE devices, requiring the use of virtual desktop infrastructure with non-GFE devices, and implementing network access control to validate the security posture of non-GFE devices.
- 2024-OE-0002a-06: HUD OCIO, in coordination with CPD, should implement and enforce a whitelist of trusted sites for resource sharing in DRGR.
- 2024-OE-0002a-07: HUD OCIO, in coordination with the Office of Housing, CPD, and OCFO, should configure FHA Catalyst, DRGR, and LOCCS web servers to ensure that all HTTP request headers are properly validated and processed to address the risk of CSD.
- 2024-OE-0002a-08: HUD OCIO, in coordination with CPD, OCFO, and PIH, should configure DRGR, LOCCS, and NSPIRE content security policies to ensure that only necessary web server resources are accessible by clients.
- 2024-OE-0002a-09: HUD OCIO, in coordination with OCFO, should update the LOCCS web server software to a newer version of ColdFusion or to a similar web application hosting platform that receives regular updates and security patches.
- 2024-OE-0002a-10: HUD OCIO, in coordination with OCFO, should ensure that the LOCCS testing and production environments appropriately limit access to client bank account information, ensuring that individual users have only the minimum level of access necessary to perform their duties. This measure should include masking all or part of bank account numbers when appropriate.
- 2024-OE-0002a-11: HUD OCIO, in coordination with the Office of Housing, should ensure that sensitive information in the Parameter Store is stored securely with encryption; for example, by using the “SecureString” format, which encrypts the data using the AWS Key Management Service. Additionally, authenticators in the Parameter Store should be rotated in accordance with Federal requirements and applicable HUD policy.
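As an added illustration of the Parameter Store checks in the preceding recommendation (example code, not from the report or HUD), the following Python audit flags parameters that appear to hold authenticators but are not stored as SecureString, or that have not been modified within an assumed rotation window. The parameter names, the sample listing, the secret-name hints and the 90-day window are constructed assumptions; the live listing would come from the SSM DescribeParameters API.

```python
"""Audit an SSM Parameter Store listing for two weaknesses: authenticators
stored as plain String/StringList (unencrypted) rather than SecureString, and
authenticators not rotated within the allowed window.
Added example; names, sample data and the 90-day window are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape returned by SSM DescribeParameters.
NOW = datetime(2024, 9, 30, tzinfo=timezone.utc)
SAMPLE_PARAMETERS = [
    {"Name": "/app/db/password", "Type": "String",
     "LastModifiedDate": NOW - timedelta(days=10)},
    {"Name": "/app/api/token", "Type": "SecureString",
     "KeyId": "alias/aws/ssm", "LastModifiedDate": NOW - timedelta(days=200)},
    {"Name": "/app/service/key", "Type": "SecureString",
     "KeyId": "alias/app-cmk", "LastModifiedDate": NOW - timedelta(days=30)},
    {"Name": "/app/feature/flag", "Type": "StringList",
     "LastModifiedDate": NOW - timedelta(days=400)},
]

# Name fragments treated as authenticators (assumption; tune per environment).
SECRET_HINTS = ("password", "secret", "token", "key", "credential")

def looks_like_secret(name):
    return any(hint in name.lower() for hint in SECRET_HINTS)

def audit_parameters(params, now, max_age_days=90):
    """Return (name, issue) findings; non-secret parameters are skipped."""
    findings = []
    for p in params:
        if not looks_like_secret(p["Name"]):
            continue
        if p["Type"] != "SecureString":
            findings.append((p["Name"], "not SecureString (stored unencrypted)"))
        age = now - p["LastModifiedDate"]
        if age > timedelta(days=max_age_days):
            findings.append((p["Name"], f"not rotated in {age.days} days"))
    return findings

def fetch_parameters(region="us-east-1"):
    """Pull the live listing with boto3 (needs AWS credentials; not run offline)."""
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    pages = ssm.get_paginator("describe_parameters").paginate()
    return [p for page in pages for p in page["Parameters"]]

if __name__ == "__main__":
    for name, issue in audit_parameters(SAMPLE_PARAMETERS, NOW):
        print(f"{name}: {issue}")
```

The name-hint heuristic is deliberately conservative; in practice a tag on each parameter marking it as an authenticator is a more reliable selector than its path.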
- 2024-OE-0002a-12: HUD OCIO, in coordination with the Office of Housing, should ensure that private keys are appropriately stored and managed; for example, by using the Amazon Web Services Key Management Service, configured for compliance with FIPS 140-2.
- 2024-OE-0002a-13: HUD OCIO, in coordination with the Office of Housing, should ensure that only necessary and current FHA Catalyst pages are accessible to users.