Audit: USPTO’s mismanagement of active directory poses ‘significant’ cyber risk
The U.S. Patent and Trademark Office “inadequately managed” its active directory and “poorly protected” critical IT assets hosting it — putting its mission at “significant” cyber risk, according to a recent audit.
USPTO’s active directory maintains a domain from which to manage all network resources: users, workstations, servers, printers, databases, and system configuration. As a result, the directory holds sensitive information like credentials and network topographies “making it a prime target for cyberattacks,” reads the audit conducted by the Department of Commerce Office of Inspector General.
A breach could lead to intellectual property theft, jeopardizing USPTO’s mission of examining patent and trademark applications in a timely fashion to foster innovation and economic competitiveness.
DOC found an “inadequate” configuration of USPTO’s active directory allowed “excessive” access permissions, credentials were not securely stored, weak passwords were used, and multi-factor authentication was not enforced.
Additionally, vulnerability scanning practices failed to identify and remediate some vulnerabilities, authorized ports and services lacked a baseline, and critical vulnerabilities were not patched fast enough, per the audit.
“USPTO immediately began to take action during our audit to remediate some of these security deficiencies,” reads the audit. “However, we remain concerned with USPTO’s commitment to prioritizing improvement of its security posture.”
That’s because DOC flagged the same security deficiencies with critical IT assets two years ago.
The audit recommends the undersecretary of commerce for intellectual property and the director of USPTO have the chief information officer reevaluate the active directory’s configuration and reorganize user groups based on job functions — removing unneeded privileges.
Other recommendations include eliminating weak credential encryption, strengthening passwords, ensuring personal identity verification cards are compatible with future systems, verifying vulnerability scanners are regularly updated, and establishing an authorized open port baseline.
USPTO concurred with the audit’s recommendations, but an action plan is required of the agency within 60 days of the report’s publishing.
In its response, the agency said it reduced a sizable container of administrator accounts by more than 55 percent with a new vetting process introduced in January.
Legacy USPTO applications are incapable of supporting strong encryption, so the agency established a watch list for such accounts. USPTO has also updated its cyber scanning process.
