10-21-2014 Penetration Test of the Food and Drug Administration's Computer Network

Summary

We conducted an external penetration test of the Food and Drug Administration's (FDA) network and information systems. Although we did not obtain unauthorized access to the FDA network, we identified the following issues: Web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not performed on all external servers, error messages revealed sensitive system information, and demonstration programs revealed sensitive information. These could have led to (1) the unauthorized disclosure or modification of FDA data or (2) FDA mission critical systems being made unavailable. We recommended that FDA implement necessary corrective actions to address the specific cybersecurity vulnerabilities that we identified during this audit.