Some units within the U.S. Energy Department lack adequate security controls and practices to mitigate risks posed by peripheral devices, such as USBs, printers, scanners and external hard drives, according to an inspector general report.
In an evaluation of removable devices at four Office of Science locations within the Energy Department, the inspector general found security weaknesses in access controls and configuration settings to protect against employees copying sensitive data to one of the devices or a device spreading malware to the wider network. The four locations were not named in the report.
“Without adequate controls, connected devices could be used to introduce viruses or malware to the network, inadvertently expose sensitive information, be subject to loss or theft, or allow unauthorized access to networks or data,” according to the IG report.
The Department of Energy did not immediately respond to Information Security Media Group’s request for comment.