
We have completed our fiscal year (FY) 2023 Federal Information Security Modernization Act of 2014 (FISMA) penetration test and vulnerability assessment.  The objective of this evaluation was to test and verify the technical implementation of a limited set of security controls on judgmentally selected U.S. Department of Housing and Urban Development (HUD) information systems and applications.

HUD demonstrated successes in securely configuring networks and systems. The local area network (LAN) configuration in the Regional Office we tested prevented our security testing tools from operating properly, which shows that the network blocks unauthorized use of such tools on connected devices. We also found that HUD improved its ability to detect active threats: HUD's security information and event management (SIEM) solution detected one of our simulated malicious activities. Lastly, HUD made progress in addressing known vulnerabilities, having mitigated a structured query language (SQL) injection vulnerability on one of the web applications we tested.

Our testing did identify potential security weaknesses within one of the tested systems. 

  • We exploited an authentication bypass vulnerability, which reduced the effectiveness of HUD's least privilege, non-repudiation, and session auditing controls.
  • Using a nonprivileged account, we discovered a plaintext password file from 2003. The passwords were no longer current, but because the file was not encrypted we were able to learn users' password patterns.
  • We accessed privileged information on a HUD system without a privileged account.
  • We discovered that a select number of HUD usernames can be associated with an employee's identity, increasing the risk of further attacks.
  • We discovered that some systems used unsupported or end-of-life operating systems.

While we found strengths in parts of HUD's security posture, this evaluation revealed security weaknesses in one of the systems we tested that HUD should continue to address. This report issues recommendations that address the specific weaknesses we discovered. We also offer opportunities for improvement, which will not be formally tracked as recommendations, to help guide HUD in technical system improvements. Continued collaboration between the Office of the Chief Information Officer (OCIO) and program offices will help address weaknesses and improve HUD's overall security posture.

The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Recommendation     Status   Date Issued         Summary
2023-OE-0001a-01   Open     December 20, 2023   The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-02   Open     December 20, 2023   The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-03   Open     December 20, 2023   The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-04   Open     December 20, 2023   The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-05   Open     December 20, 2023   The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-06   Open     December 20, 2023   The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.