Audit Reports


The Maritime Administration’s Information Technology Infrastructure Is at Risk for Compromise

Self-Initiated
Project ID: FI2019057
What We Looked At
The Maritime Administration’s (MARAD) programs promote waterborne transportation and integration with other transportation modes and the viability of the U.S. Merchant Marine. MARAD works in many areas, including ship building and shipping, vessel and port operations, national security, and transportation safety. The Agency has 12 information systems and 1 local area network. MARAD also uses a number of web applications, some of which contain sensitive data and personally identifiable information (PII). We conducted this audit because of the importance of MARAD’s programs to the Nation’s transportation system and the sensitive nature of some of the Agency’s information. Accordingly, our objective for this self-initiated audit was to determine whether MARAD’s IT infrastructure contains security weaknesses that could compromise the Agency’s systems and data.
 
What We Found
We gained unauthorized access to MARAD’s network, but MARAD did not detect our access or our placement of hacking tools on the network, in part because it had not configured an alert system to do so, as the National Institute of Standards and Technology (NIST) recommends. We also gained access to records containing PII. While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted. Had malicious attackers obtained these records, they could have used them to steal citizens’ identities, and MARAD could have lost $103 million in credit monitoring fees. Furthermore, inadequate security awareness training may contribute to some Agency personnel’s susceptibility to social engineering. These weaknesses, individually and together, put MARAD’s network and data at risk for unauthorized access and compromise.
 
Recommendations
We made several recommendations to help MARAD improve the security of its information technology infrastructure.
 
Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY. 

Recommendations


No. 1 to MARAD

Change the password for the compromised server management device account to a strong password that meets DOT's Cybersecurity Compendium requirements and NIST guidelines.

No. 2 to MARAD

Configure alerts on server management devices to notify staff of unusual activity and when the system reboots.

No. 3 to MARAD

Change the password for the compromised MARAD service account.

No. 4 to MARAD

In coordination with the DOT CIO, develop and implement a training program for administrators on adequately protecting passwords, including the DOT policy requirement not to record passwords in electronic form.

No. 5 to MARAD

Encrypt PII data on personal and network drives in accordance with DOT Chief Information Officer Departmental Privacy Risk Management Policy.

Sensitive
No. 6 to MARAD

Sensitive information redacted

No. 7 to MARAD

Develop a plan and address identified high and medium vulnerabilities on any remaining legacy websites and verify that new websites are being assessed for vulnerabilities.

No. 8 to MARAD

In coordination with the DOT CIO, develop and implement a security awareness training program, with a focus on phishing attacks, for the MARAD personnel who provided credentials during the phishing test.

No. 9 to OST

Update the departmental annual security awareness training to include information on encryption using approved technological methods.

No. 10 to OST

Change the passwords for OST's compromised social media accounts.

No. 11 to OST

Change the passwords for MARAD's compromised social media accounts managed by OST.

No. 12 to OST

Change the temporary passwords for the executives and staff that joined the Department during the change in the Presidential Administration.

No. 13 to OST

Encrypt PII data on personal and network drives in accordance with DOT Chief Information Officer Departmental Privacy Risk Management Policy.

No. 14 to OST

Examine service account permissions and remove unnecessary rights, following the principle of least privilege, so that service accounts have access only to their intended resources.

No. 15 to OST

Develop a plan and address identified critical and high vulnerabilities on MARAD workstations managed by OST that are older than June 19, 2017 (1 year prior to the ending of our scanning period).

No. 16 to OST

Update fiscal year 2019 Department of Transportation Security Awareness Training to include spear phishing and phishing examples and scenarios.

Sensitive
No. 17 to OST

Sensitive information redacted

Sensitive
No. 18 to OST

Sensitive information redacted

Sensitive
No. 19 to OST

Sensitive information redacted