Government audit shames EINSTEIN, DHS's nationwide firewall

Feb 1, 2016 16:35 GMT
The DHS National Cybersecurity and Communications Integration Center, responsible for running EINSTEIN

An audit carried out by the US Government Accountability Office (GAO) shows that EINSTEIN, a nationwide firewall run by the US Department of Homeland Security (DHS), only detects 6% of today's most common security vulnerabilities.

The report claims that, in a series of tests from last year, EINSTEIN, which is officially known as the National Cybersecurity Protection System (NCPS), only detected 29 out of 489 vulnerabilities revealed via CVE reports published in 2014 (page 20 of the report).

The vulnerabilities affected five applications commonly found on US government computers: Adobe Flash, Adobe Acrobat, Oracle Java, Microsoft Office, and Internet Explorer.

"One reason that the signatures did not cover all identified vulnerabilities is that the current tool DHS uses to manage and track the status of intrusion detection signatures deployed within NCPS does not have the ability to capture CVE information," the GAO audit explains.

The problem stems from the fact that EINSTEIN was not designed with an automated mechanism that continuously syncs newly reported CVEs from the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD).

Outdated signatures database puts US government network at risk

EINSTEIN, which works by providing intrusion detection signatures to 228 intrusion detection sensors placed in strategic locations across the US government network, runs on a severely outdated signature database.

What this means is that cyber-espionage groups have a high chance of penetrating US government systems when using recently discovered zero-days.

DHS officials say that EINSTEIN works on a database of 9,000 intrusion detection signatures, but that only around 2,300 are currently deployed to its nodes.

The audit recommends that US-CERT (United States Computer Emergency Readiness Team), an organization within the DHS’ National Protection and Programs Directorate, should update the tool used to manage EINSTEIN's vulnerability database to include publicly available, open-source information provided by NIST's NVD.

Furthermore, US-CERT should also consider using vulnerability information available via the DHS Continuous Diagnostics and Mitigation program, to bolster its real-time intrusion detection system. This is important because, currently, EINSTEIN can only monitor email traffic, but not Web traffic.

Additionally, the Office of Cybersecurity and Communications will be required to develop metrics that clearly measure the effectiveness of NCPS' efforts, so that situations like this one, in which EINSTEIN's signature database has fallen out of date, can be detected and prevented.
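The two findings above (a signature-tracking tool that cannot record which CVE each signature covers, and the lack of a metric that would have exposed the stale database) come down to one defender-side calculation: join the signature inventory against the vulnerability feed and report what fraction of in-scope CVEs has a deployed signature. The following script is an added illustration of that metric; it is not code from the GAO report, DHS or NCPS. The feed and inventory records are constructed sample data with fabricated placeholder IDs in the CVE-2014-9xxxx range, and the field names (`id`, `product`, `published`, `sid`, `cve`, `deployed`) are an assumed flat schema, not the real NVD JSON layout.

```python
"""Signature-coverage metric for an IDS signature inventory.

Added illustration, not DHS/GAO code. Compares the CVEs that deployed
signatures claim to detect against the CVEs published for a set of tracked
products in a given year, and reports coverage overall and per product.
"""
from __future__ import annotations

import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed stand-in for an NVD feed (assumed flat schema). The IDs are
# fabricated placeholders and do not refer to real vulnerabilities.
NVD_FEED = [
    {"id": "CVE-2014-90001", "product": "Adobe Flash", "published": "2014"},
    {"id": "CVE-2014-90002", "product": "Adobe Flash", "published": "2014"},
    {"id": "CVE-2014-90003", "product": "Adobe Acrobat", "published": "2014"},
    {"id": "CVE-2014-90004", "product": "Oracle Java", "published": "2014"},
    {"id": "CVE-2014-90005", "product": "Microsoft Office", "published": "2014"},
    {"id": "CVE-2014-90006", "product": "Internet Explorer", "published": "2014"},
    {"id": "CVE-2014-90007", "product": "Internet Explorer", "published": "2014"},
    {"id": "CVE-2014-90008", "product": "Untracked Product", "published": "2014"},
    {"id": "CVE-2015-90009", "product": "Adobe Flash", "published": "2015"},
]

# Constructed signature inventory. Each rule records the CVE it was written
# against, which is exactly the field the audit says the tracking tool lacked.
SIGNATURE_INVENTORY = [
    {"sid": 1000001, "cve": "CVE-2014-90001", "deployed": True},
    {"sid": 1000002, "cve": "CVE-2014-90004", "deployed": False},
    {"sid": 1000003, "cve": "cve-2014-90006", "deployed": True},  # lower-case id
    {"sid": 1000004, "cve": "CVE-2015-90009", "deployed": True},  # outside the year
]

# The five applications named in the article.
TRACKED_PRODUCTS = {
    "Adobe Flash", "Adobe Acrobat", "Oracle Java", "Microsoft Office", "Internet Explorer",
}


def normalize_cve(cve: str) -> str:
    """Canonicalise a CVE id so feed and inventory entries join reliably."""
    cve = cve.strip().upper()
    if not CVE_RE.match(cve):
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return cve


def coverage_report(feed, inventory, year: str, products, deployed_only: bool = True) -> dict:
    """Return overall and per-product signature coverage for one year's CVEs.

    deployed_only=True counts a CVE as covered only when a signature for it is
    actually pushed to sensors; a signature that merely exists in the database
    does not protect anything.
    """
    in_scope = {
        normalize_cve(e["id"]): e["product"]
        for e in feed
        if e["published"] == year and e["product"] in products
    }
    covered_cves = {
        normalize_cve(s["cve"]) for s in inventory if s["deployed"] or not deployed_only
    }
    covered = set(in_scope) & covered_cves

    by_product = defaultdict(lambda: {"total": 0, "covered": 0, "uncovered": []})
    for cve, product in sorted(in_scope.items()):
        entry = by_product[product]
        entry["total"] += 1
        if cve in covered:
            entry["covered"] += 1
        else:
            entry["uncovered"].append(cve)

    total = len(in_scope)
    pct = round(100.0 * len(covered) / total, 1) if total else 0.0
    return {"total": total, "covered": len(covered), "coverage_pct": pct,
            "by_product": dict(by_product)}


if __name__ == "__main__":
    report = coverage_report(NVD_FEED, SIGNATURE_INVENTORY, "2014", TRACKED_PRODUCTS)
    print(f"{report['covered']}/{report['total']} in-scope CVEs covered ({report['coverage_pct']}%)")
    for product, stats in sorted(report["by_product"].items()):
        print(f"  {product}: {stats['covered']}/{stats['total']} covered; missing {stats['uncovered']}")
```

Run periodically against a fresh feed, the `coverage_pct` figure is the kind of metric the audit asks for: on the report's own numbers (29 signatures covering 489 CVEs) it would read 5.9%, and the per-product `uncovered` lists give the signature team a work queue rather than a headline. The `deployed_only` switch matters because of the 9,000-versus-2,300 gap noted above: counting undeployed signatures as coverage would overstate protection.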

According to US tech news site NextGov, DHS invested around $6 billion in building and running EINSTEIN.