Pursuit's Take
OIG determined that BEP did not establish sufficient protection for its network and systems and should enhance its security controls to protect against threats posed by malicious insiders. Specifically, during our social engineering exercise, we successfully persuaded 23 BEP users (100 percent of those attempted) to give us access to their computers using their own accounts. While impersonating BEP contractors with unescorted access to the facility, every user whom we approached gave us full access to their computer without challenge.
OIG also identified significant deficiencies in BEP’s network and systems related to its patch management processes and system configurations. By taking advantage of these vulnerabilities, OIG gained full access to the desktop, where it was able to create, edit, delete, and move files. OIG was also able to access files and databases on the server.