CIO.gov Running Outdated and Insecure Version of WordPress

In the recent past we have mentioned that the websites of the White House, Department of Homeland Security, and FEMA are failing to take the basic security step of keeping the software powering their websites up to date. It then should not come as too much surprise to see this:

CIO.gov is Running WordPress 3.4.2

CIO.gov is the website of the U.S. Chief Information Officer and the Federal CIO Council and on the website it is described as “serving as a central resource for information on Federal IT”and “identifying best practices”.

Since the website is running WordPress 3.4.2 they failed to update WordPress for seven months and more importantly they failed to update when a security release was put out back in January.

With the US government’s and CIO Council’s claimed focus on cybersecurity it is troubling that they are failing to do something so basic. It also begs the questions about one of the CIO Council’s areas of cybersecurity focus, “Continuous Monitoring“:

Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status.

In today’s environment of widespread cyber-intrusions, advanced persistent threats, and insider threats, it is essential for agencies to have real-time accurate knowledge of their enterprise IT overall security posture. Agencies need to constantly know and remain aware of their enterprise security status so that responses to external and internal threats can be made swiftly.

If continuous monitoring is being used for their own website it isn’t working. If it isn’t being used, you have wonder why it is one of their focuses when they haven’t even started using it themselves.