Cover
Audit Report
Report Number IT-AR-15-001
Capital District Vulnerability Assessment
December 12, 2014
Highlights
Background
The U.S. Postal Service Office of Inspector General’s
Information Technology Security Risk Model identified the
Capital District as being among the five most at-risk districts
for multiple quarters during fiscal years (FY) 2013 and 2014.
Security events during those periods included instances of
malicious software, which can affect the confidentiality, integrity,
and availability of sensitive data and potentially compromise
critical mail processing applications.
During FY 2013, the Capital District processed about 2 billion
mailpieces and generated about $470.9 million in revenue.
The district had about 6,600 employees working in 260 facilities
during that time.
Our objective was to review system security controls in the
Capital District to determine whether proper security exists to
protect U.S. Postal Service infrastructure and data.
What The OIG Found
Security controls in the Capital District did not adequately
protect Postal Service infrastructure and data from unauthorized
access or corruption. Of the 1,254 systems active on the
network, we tested 33 and detected a combined total of
417 vulnerabilities, such as missing security updates or
system configuration deficiencies. Of the 417 vulnerabilities,
79 were considered critical and high-risk and had patches
available for at least 1 year. We further identified four
active ,
and two shared user accounts. These vulnerabilities expose
the infrastructure to unauthorized remote access by potential
attackers who may discover network weaknesses, retrieve
information, corrupt data, and reconfigure settings.
The Capital District also permits access to devices using
unsecure communications, which further threatens
network security. Finally, we identified weaknesses in
asset management and accountability that could allow an
unauthorized device to remain on the network undetected.
These vulnerabilities occurred because administrators
improperly congured systems, did not install the latest patch
updates, and did not employ uniform processes to manage
information system assets.
What The OIG Recommended
We recommended management evaluate, test, and
install critical patches and correct configuration settings on
the identified databases and operating systems. We also
recommended management disallow software that permits
unsecure communications, discontinue the use of shared
user accounts, and uniformly manage assets. Additionally,
we recommended management remove the
from databases.
Capital District Vulnerability Assessment
Report Number IT-AR-15-001
Transmittal Letter
December 12, 2014
MEMORANDUM FOR:
JAMES P. COCHRANE
CHIEF INFORMATION OFFICER AND EXECUTIVE
VICE PRESIDENT
MICHAEL J. AMATO
VICE PRESIDENT, ENGINEERING SYSTEMS
JOHN T. EDGAR
VICE PRESIDENT, INFORMATION TECHNOLOGY
KRISTIN A. SEAVER
VICE PRESIDENT AREA OPERATIONS,
CAPITAL METRO AREA
FROM: Kimberly F. Benoit
Deputy Assistant Inspector General
for Technology, Investment and Cost
SUBJECT: Audit Report - Capital District Vulnerability Assessment
(Report Number IT-AR-15-001)
This report presents the results of our audit of the U.S. Postal Service’s Capital District
Vulnerability Assessment (Project Number 13WG012IT000).
We appreciate the cooperation and courtesies provided by your staff. If you have any
questions or need additional information, please contact Aron Alexander, director,
Information Technology, or me at 703-248-2100.
Attachment
cc: Corporate Audit and Response Management
E-Signed by Kimberly Benoit
Table of Contents
Cover
Highlights ...................................................................................................... 1
Background ................................................................................................1
What The OIG Found .................................................................................1
What The OIG Recommended ..................................................................1
Transmittal Letter .......................................................................................... 3
Findings ........................................................................................................5
Introduction ................................................................................................5
Conclusion .................................................................................................5
Conguration Management ........................................................................6
Patch Management ....................................................................................7
Remote Access ..........................................................................................9
Asset Management and Accountability ....................................................10
Recommendations......................................................................................11
Management’s Comments ......................................................................12
Evaluation of Management’s Comments .................................................13
Appendices ................................................................................................. 14
Appendix A: Additional Information ..........................................................15
Background ...........................................................................................15
Objective, Scope, and Methodology ......................................................15
Prior Audit Coverage .............................................................................16
Appendix B: Configuration Management Vulnerabilities ..........................17
Appendix C: Patch Management Vulnerabilities ......................................19
Appendix D: Management’s Comments ..................................................20
Contact Information ....................................................................................27
Findings

Introduction
This report presents the results of our self-initiated audit of the U.S. Postal Service’s Capital District Vulnerability Assessment
(Project Number 13WG012IT000). Our objective was to review system security controls in the Capital District to determine
whether proper security exists to protect Postal Service infrastructure and data. See Appendix A for additional information about
this audit.
The U.S. Postal Service Ofce of Inspector General (OIG) prepares a quarterly Information Technology (IT) Security Risk Model
to provide stakeholders with an overview of security in their respective areas of responsibility. The model is an evaluation of
data retrieved from the
1
identifying instances of security events
2
on information
systems at the district level. These security events could expose Postal Service information, data, programs, and equipment to
multiple exploits that could disrupt the operation of critical mail processing equipment (MPE).
The combined IT Security Risk Model, which included the scal year (FY) 2012, Quarter (Q) 4 and FY 2013 Q1 through Q3,
presented the Capital District as the most at-risk district with regard to the number of security events. Trend data from additional
quarters (FY 2013, Q4 and FY 2014, Q1) show the Capital District remained among the ve highest risk districts.
The Capital District processed about 2 billion pieces of mail and generated about $470.9 million in revenue during FY 2013.
The Capital District had about 6,600 employees in 260 facilities during that time.
Conclusion
Security controls surrounding the Capital District did not adequately protect Postal Service infrastructure and data against potential
unauthorized access or corruption. During enumeration, [3] we discovered 1,254 Internet Protocol (IP) addresses representing active
systems on the network in the Capital District. We evaluated 33 of the systems for patch vulnerabilities. Of these 33 systems,
29 were also evaluated for configuration management. [4] Using network security analyzers, [5] we scanned the systems and
identified an aggregate of 417 critical and high-risk vulnerabilities on the 33 [6], [7] and [8] systems tested. In
addition, we determined management allowed , [9] which is not secure. Finally, we identified
weaknesses in asset management and accountability.
[1] The obtains security event data from antivirus solutions residing on computers at Postal Service district facilities. The data is used to prepare the risk models.
[2] security events include adware, spyware, Trojans, viruses, and worms.
[3] The method used to discover systems on a network.
[4] We selected 35 systems for review based on our enumeration scan results and the IT Security Risk Model. Two systems were not scanned for patch vulnerabilities
because management could not identify the administrator or manager to grant access. The remaining 33 systems were tested with at least one of the security analyzers.
Scan results for configuration compliance were retrieved for only 29 of the systems because management would have had to alter system registry configurations in order
to provide us the access necessary to complete the full scans.
[5] Tools used to scan the network for security vulnerabilities. We used the following tools for this audit: .
[6] The Postal Service uses to simplify, standardize, and efficiently manage its IT environment. information systems are centrally managed and supported and only
approved standardized software packages are authorized.
[7] systems are information systems that communicate with MPE, such as:
[8]
[9]
These vulnerabilities occurred because administrators did not install the latest patch updates, did not employ a uniform process
for managing information system assets, and improperly configured , and . The vulnerabilities
detected place the data, programs, and equipment used in the Capital District to process the mail at risk of discovery, alteration,
and corruption. Additionally, they could potentially lead to disruption of mail processing.
Configuration Management
We identified configuration vulnerabilities in 26 of the 29 and Linux and Windows systems we scanned.
These vulnerabilities included areas of non-compliance related to operating systems, intrusion protection, accounts, passwords,
and logging. Tables 1 and 2 summarize the results by compliance area. See Appendix B for compliance detail.
Table 1. Linux Compliance
Linux Systems Scanned: 3

Compliance Area    Compliant    Non-Compliant
(redacted)             0              3
(redacted)             0              3
(redacted)             0              3
(redacted)             0              3

Source: OIG and scanning tool results.
Table 2. Windows Compliance
Windows Systems Scanned: (redacted) 11 | (redacted) 13 | (redacted) 2

Compliance Area    Compliant  Non-Compliant  |  Compliant  Non-Compliant  |  Compliant  Non-Compliant
(redacted)            11            0        |      5            8        |      0            2
(redacted)            11            0        |      4            9        |      0            2
(redacted)             3            8        |      0           13        |      0            2

Source: OIG and scanning tool results.
In addition, we identied databases on two Biohazard Detection Systems (BDS) that contained
. Further, three district information systems staff shared an account and password to administer the systems.
These vulnerabilities occurred in the systems because management uses automated procedures during the logon process
that do not congure the correct audit logging settings. Management stated they are working to convert from the logon process
to a group policy object
10
that will contain the proper settings with a target completion date of October 1, 2015.
The conguration vulnerabilities occurred because the systems were duplicated from preset images that contained
inappropriate settings. Management is working on a solution that will update groups of systems to consistently comply with policy.
Management also stated the outdated systems would not run effectively with the software, and
In addition, contractors left the in the BDS databases, although the
accounts were not part of the requirements. After becoming aware of this vulnerability, management directed the contractor to
resolve it.
For the systems, the district Information Systems manager stated the were in place
when his temporary assignment began, and he was unaware of the conguration vulnerabilities.
Conguration vulnerabilities can allow unauthorized users to gain access to data, services, and sensitive information.
Unauthorized user access could result in loss of critical data, services, and user accountability, which could also impact the
operation of critical MPE. The absence of logs prevents the capture of historical information needed to investigate events related
to failed logon attempts, unauthorized conguration changes, and other system related events.
Patch Management
Administrators did not install the latest patch updates on 11 , 20 , and two systems. Specically, we identied
an aggregate of 417 critical and high-risk vulnerabilities on the systems we reviewed. We identied 241 patch updates that, if
correctly applied, would resolve these vulnerabilities.
10 An infrastructure that allows administrators to implement specic congurations for users and computers.
Table 3 summarizes the critical and high-risk vulnerabilities for which some missing patches [11] were available for more than
90 days. The oldest missing patch dated back to 2004.
Table 3. Missing Linux and Windows Patch Updates

Organization       Critical and High-Risk    Number of Missing    Number of Patch Updates
                   Patch Vulnerabilities     Patch Updates        Available for More Than 90 Days
(redacted) [12]            106                    80                      54
(redacted) [13]            247                   131                      50
(redacted) [14]             64                    30                       4
Totals [15]                417                   241                     108

Source: OIG and scanning tool results.
See Appendix C for detailed scan results.
We also identied two databases used for the that were deployed on
, with no critical patch updates. Further
, two databases on the BDS systems were
exposed to 184 high-risk vulnerabilities for which 22 patches were missing but available for more than 90 days, with some
available since 2011.
11 Some vulnerabilities may exist in multiple system types.
12 patch updates were available since 2006.
13 patch updates were available since 2004.
14 patch updates were available since 2004.
15 Some patch updates will resolve multiple vulnerabilities.
16 The continuously collects data from all MPE in a facility allowing managers to balance equipment and stafng to workloads improving productivity.
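The Table 3 metrics (critical and high-risk vulnerabilities per organization, distinct missing patches, patches available for more than 90 days, and the oldest missing patch) can be derived mechanically from scanner output, applying the report's counting rules: a vulnerability present on several systems counts once per system, while one patch that resolves several vulnerabilities counts once. The Python below is an added example written for this page, not OIG code or the output of any scanning tool; the organizations, hosts, patch identifiers, release dates and the "as of" cutoff date in it are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List

# Constructed values, not taken from the audit: an assumed cutoff date for
# computing patch age, and the report's 90-day threshold.
AS_OF = date(2014, 7, 31)
STALE_DAYS = 90


@dataclass(frozen=True)
class Finding:
    """One scanner result: a vulnerability on a host and the patch that fixes it."""
    host: str
    organization: str   # group that administers the host (the row grouping in Table 3)
    vuln_id: str
    severity: str       # "critical", "high", "medium" or "low"
    patch_id: str
    patch_released: date


def summarize(findings: Iterable[Finding], as_of: date = AS_OF,
              stale_days: int = STALE_DAYS) -> Dict[str, dict]:
    """Build one Table 3 row per organization from raw findings.

    Only critical and high-risk findings are counted. Vulnerabilities are
    counted per (host, vulnerability) pair, missing patches once per patch id,
    and a patch is 'stale' when it was released more than stale_days before as_of.
    """
    rows: Dict[str, dict] = {}
    for f in findings:
        if f.severity not in ("critical", "high"):
            continue
        row = rows.setdefault(f.organization, {"vulns": set(), "patches": {}})
        row["vulns"].add((f.host, f.vuln_id))
        # Keep the earliest release date seen for a patch id.
        prev = row["patches"].get(f.patch_id)
        if prev is None or f.patch_released < prev:
            row["patches"][f.patch_id] = f.patch_released

    table: Dict[str, dict] = {}
    for org, row in rows.items():
        stale = [p for p, released in row["patches"].items()
                 if (as_of - released).days > stale_days]
        table[org] = {
            "vulnerabilities": len(row["vulns"]),
            "missing_patches": len(row["patches"]),
            "stale_patches": len(stale),
            "oldest_patch": min(row["patches"].values()),
        }
    return table


def totals(table: Dict[str, dict]) -> dict:
    """Totals row: counts are summed across organizations; oldest patch is the earliest date."""
    return {
        "vulnerabilities": sum(r["vulnerabilities"] for r in table.values()),
        "missing_patches": sum(r["missing_patches"] for r in table.values()),
        "stale_patches": sum(r["stale_patches"] for r in table.values()),
        "oldest_patch": min(r["oldest_patch"] for r in table.values()),
    }


# Constructed sample findings for two hypothetical organizations.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("srv-01", "Org A", "V-1", "critical", "P-100", date(2013, 1, 1)),
    Finding("srv-01", "Org A", "V-2", "high",     "P-100", date(2013, 1, 1)),   # one patch fixes V-1 and V-2
    Finding("srv-02", "Org A", "V-1", "critical", "P-100", date(2013, 1, 1)),   # same vuln on a second host
    Finding("srv-01", "Org A", "V-3", "high",     "P-101", date(2014, 6, 20)),  # recent, not stale
    Finding("srv-01", "Org A", "V-4", "medium",   "P-102", date(2010, 5, 5)),   # excluded: not critical/high
    Finding("ws-07",  "Org B", "V-5", "critical", "P-200", date(2004, 3, 1)),   # oldest missing patch
    Finding("ws-07",  "Org B", "V-6", "high",     "P-201", date(2014, 7, 1)),
]


def print_table(table: Dict[str, dict]) -> None:
    """Render the rows in the layout of Table 3."""
    fmt = "{:<8} {:>16} {:>16} {:>12} {:>12}"
    print(fmt.format("Org", "Crit/High vulns", "Missing patches", "Stale >90d", "Oldest"))
    for org, r in list(table.items()) + [("Totals", totals(table))]:
        print(fmt.format(org, r["vulnerabilities"], r["missing_patches"],
                         r["stale_patches"], r["oldest_patch"].isoformat()))


if __name__ == "__main__":
    print_table(summarize(SAMPLE_FINDINGS))
```

With the sample data, Org A reports 4 vulnerabilities resolved by 2 missing patches (1 stale), Org B 2 vulnerabilities and 2 patches (1 stale), and the totals row carries the 2004 release date as the oldest missing patch.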
For systems, management stated the vulnerabilities occurred because some patches had not been approved for
deployment, [17] and some missing patches were an oversight due to the unsupported Windows XP operating systems. During our
audit, IT management scanned the systems and recommended re-imaging of the 10 workstations and patch updates for the
server. The workstations were deactivated in Active Directory (AD) [18] until they are replaced or re-imaged.
These vulnerabilities occurred for the systems because database administrators believed the release
included the latest patches available. For the systems, the District Information Systems manager stated the
were in place when his temporary assignment began, and he did not know he was responsible for patching
these systems.
Systems without up-to-date patches remain exposed to known vulnerabilities and leave the Postal Service at risk of potential
unauthorized access or data corruption that could lead to unavailable resources or disruption of mail processing operations.
Remote Access
Management allowed remote access to network devices [19] using unsecure communications that weaken network security.
For example:
Three systems were configured to allow a user to remotely connect to a resource using the service.
In addition, two firewalls were configured to allow [20] traffic to pass from one network to another network.
Two systems equipped with were inappropriately connected to the network, and were not documented in the
Asset Inventory Management System (AIMS) [21] or AD. These allow outsiders to perform unauthorized scans and
exploit security vulnerabilities.
Engineering management stated they occasionally need service for remote administration of network devices.
Management stated the vulnerabilities occurred because management was not aware of their responsibility for securing the
systems. During our audit, management disconnected the systems from the network and disconnected the .
Remote access configuration vulnerabilities may allow unauthorized users to bypass access controls, and could allow attackers to
gain network access to retrieve information, corrupt data, install malware, and change configuration settings. An unauthenticated
attacker could remotely execute code, [22] cause a denial of service, [23] gain unauthorized access to files or systems, modify critical
data, or delete backup information.
[17] As of July 8, 2014.
[18] AD enables centralized, secure management of an entire network, which might span a building, a city, or multiple locations throughout the world.
[19] Network devices are workstations, servers, databases, routers, switches, and other systems communicating on the network.
[20] allows a user to remotely connect to a resource using the protocol but transmits .
[21] AIMS automates the collection of most IT assets like workstations, laptops, and servers. It allows users to interactively query the asset database using a variety of search
results to review, analyze, and maintain Postal Service networked and non-networked asset inventory.
[22] Remote code execution is the ability an attacker has to access someone else’s computing device and make changes, no matter where the device is geographically
located. An attacker can use vulnerabilities to execute malicious code and take complete control of an affected system with the privileges of the user running
the application.
[23] Loss of network or computer services due to resource limitations or resource exhaustion, performance problems, or hardware/software failures.
Asset Management and Accountability
Management did not adequately protect the network infrastructure with a uniform asset management process. During our audit,
we asked the Postal Service IT and Engineering audit response coordinators (ARCs) for the names of system administrators and
managers who could give us appropriate access to network devices. We determined:
Management could not always correctly identify the administrators and managers assigned to network devices. In some
instances, the IT ARC contacted multiple employees before identifying the correct administrator. In addition, the Engineering
ARC provided three primary contacts from the IP Address Management (IPAM) [24] database; one of the three contacts was
retired and one was no longer the system administrator.
Management could not physically locate two systems identified during our scans. Seven days after our scans, management
was able to locate one system identified as an idle server, and it was subsequently removed from the network. However, the
other system was not physically located for more than 80 days. [25]
These issues occurred because management did not employ uniform processes for associating administrators with specic
network devices and for physically locating systems on the network. When management cannot quickly locate network devices
and identify administrators, an attacker has more time to install malware, steal information, corrupt data, and disrupt operations.
Additionally, management may encounter problems resolving issues and recovering operations.
24 IPAM automatically discovers IP address infrastructure servers on the network and enables administrators to manage them from a central interface.
25 As of July 31, 2014.
Recommendations
We recommend the vice president, Information Technology, direct the manager, Enterprise Access Infrastructure, to:
1. Evaluate, test, and install critical patches for the .
2. Configure servers and workstations to comply with information security policy for audit logs.
3. Disallow for the firewalls.
4. Remove or rename the from the databases on the Biohazard Detection Systems and change the
.
We recommend the vice president, Engineering Systems, direct the manager, Engineering Software Management, to:
5. Evaluate, test, and install critical patches for the database systems, Windows operating systems, and Linux operating
systems.
6. Configure systems connected to the intranet to comply with information security policy and configuration
standards, including intrusion prevention software, antivirus protection, password complexity, and audit logging requirements.
7. Disable on systems that are on the Postal Service intranet.
We recommend the vice president, area operations for Capital Metro Area, direct the district manager, Capital District, to:
8. Discontinue sharing credentials used to access the .
9. Configure and patch the in accordance with Postal Service policy on an ongoing basis.
We recommend the Chief Information Officer and executive vice president direct the vice president, Information Technology, to
coordinate with the vice president, Engineering Systems, to:
10. Develop a uniform process for information systems management to identify the location of all systems physically connected to
the network, and the administrators associated with each system.
Management’s Comments
Management agreed with recommendations 1, 2, and 4 through 10, and partially agreed with recommendation 3.
Regarding recommendation 1, management created the patches to bring the systems into compliance. Solutions
Development and Support and Business Relationship Management will evaluate their applications and install the patches
by September 30, 2015.
Regarding recommendation 2, management stated these vulnerabilities occurred in the systems because an automated
procedure used during the logon process does not configure the audit logging settings. Management is working to convert to a
group policy object that will contain the proper settings. Management’s target implementation date is October 1, 2015.
Regarding recommendation 3, management agreed to review the Network Connectivity Review Board request to determine if the
access was approved and still appropriate, and will adjust firewall rules as needed. Management’s target implementation
date is March 31, 2015.
Regarding recommendation 4, management stated they removed the from the databases on the BDS and
changed the as of November 19, 2014. Management requested closure of this recommendation with the issuance of
the report.
Regarding recommendation 5, management will continue to evaluate, test and install the available critical patches where
applicable. An hardware upgrade is planned for FY 2015 that will enable the installation of the latest version and
patches. Management’s target implementation date for the hardware upgrade is September 30, 2015.
Regarding recommendation 6, management stated they will continue to evaluate information system configurations and
ensure the units remain configured according to the appropriate security standards. Management stated their evaluations are
continuously ongoing.
Regarding recommendation 7, management will evaluate the removal of on a case-by-case basis to ensure that systems
security is not put at risk and to confirm any removal does not adversely impact system maintenance or support efforts needed to
ensure availability. Management’s target implementation date is April 2015.
Regarding recommendations 8 and 9, management stated it has disconnected both systems from the routed network and
prohibited them from being attached in the future. The IT manager will visually ensure on a continuing basis that the equipment
remains disconnected. Management stated they disconnected the systems on July 24, 2014.
Regarding recommendation 10, the manager for IT will coordinate with Systems to develop a uniform process to
identify the location of all systems physically connected to the network, and the administrators associated with each system.
Management’s target implementation date is September 30, 2015.
See Appendix D for management’s comments, in their entirety.
Evaluation of Management’s Comments
The OIG considers management’s comments responsive to recommendations 1 through 5, 7, and 10, and corrective actions
should resolve the issues identified in the report.
Regarding recommendation 6, management stated Handbook AS-805-G, Information Security for Mail Processing/Mail Handling
Equipment (March 2004), should be used for computer systems and networks that manage, monitor, and control mail processing
functions. We disagree with this interpretation for the systems we reviewed. We used Handbook AS-805, Information Security
(May 2014), because it applies to all information resources, organizations, and personnel. Specifically, Section 11-2.2 states that
all equipment connected to the network must meet current Postal Service security hardening standards. Handbook AS-805-G,
which is a supplement to Handbook AS-805, addresses policies and requirements that apply to the mail processing/mail handling
equipment (MHE) private network environment that are not addressed in Handbook AS-805. [26] The systems and databases we
reviewed for this audit were connected to the Postal Service routable network. Therefore, Handbook AS-805 applies to these
connected systems.
Regarding recommendations 8 and 9, we disagree that removing the system from the network will resolve the issues identified
in the report. Handbook AS-805, Section 1-2, states that Information Security applies to all information resources, organizations,
and personnel. Therefore, removal of the systems from the network is not sufficient. The use of shared credentials should be
discontinued and the systems should be configured and patched in accordance with policy.
Management requested recommendation 4 be closed with the issuance of this report. However, management will need to
provide the OIG with documentation showing the have been removed from the databases on the
BDS and the have been changed before the recommendation can be closed.
The OIG considers recommendations 3, 4, 7, and 9 significant, and therefore requires OIG concurrence before closure.
Consequently, the OIG requests written confirmation when corrective actions are completed. These recommendations should not
be closed in the Postal Service’s follow-up tracking system until the OIG provides written confirmation that the recommendations
can be closed.
[26] Section 1-2.1.
Appendices
Appendix A: Additional Information
Background
The Postal Service is organized in seven geographical areas that consist of 67 districts. The Capital District, within the
Capital Metro Area, delivers mail to more than 4 million residences, businesses, and Post Office boxes. During FY 2013, the
Capital District processed about 2 billion pieces of mail and reported $470.9 million in revenue. The Capital District had about
6,600 employees supported by four district information systems staff. As of the date of this report, the Capital District operated
260 facilities.
The IT infrastructure is segmented as a routable network [27] and a non-routable network. [28] The workstations are on the intranet
and used for administrative business, including browsing the Internet. Centralized management and control of systems
is conducted at the IT service center in . The non-routable network supports the MPE/MHE and is not intended for
Internet connections. District Information Systems managers provide local support for the systems and administer the
systems. Local support for MPE/MHE is the responsibility of Maintenance managers.
Objective, Scope, and Methodology
Our objective was to review security controls in the Postal Service's Capital District to determine whether the infrastructure adequately protects Postal Service data. To accomplish our objective, we performed enumeration to evaluate the environment residing within the Curseen-Morris Processing and Distribution Center (P&DC), Southern Maryland P&DC, Suburban Maryland P&DC, and Capital Metro Area Office.
We performed vulnerability scans between April and August of 2014, using:
Our scans were performed on the routable network only . The scan results are presented in detail in Appendix B and Appendix C.
We performed analysis of the systems and reported them by system type: .
Table 4 identifies the 35 systems we judgmentally selected for testing, listed by operating system. Of those 35, only 33 were scanned for patch management because Postal Service management experienced difficulties identifying the appropriate administrators of the systems. In addition, only 29 systems were scanned for configuration compliance because management would have had to change the system registry configurations in order to provide us access, which would have significantly weakened system security.
27 The Postal Service operates and maintains an intranet to conduct Postal Service business. An intranet is a network based on Internet technologies located within an organization's network perimeter.
28 Non-routable MPE and mail processing infrastructure devices are only connected to MPE local area networks. Systems can only communicate within the network.
Appendix A: Additional Information
Table 4. In Scope Systems
Operating System                              HVAC [32]   Grand Total
                           0      3      0      0           3
                           1      0      0      0           1
                           0     13      0      0          13
                           0      2      2      0           4
                           7      0      0      0           7
                           2      2      0      0           4
                           1      1      0      1           3
Grand Total               11     21      2      1          35
Percentage             31.4%  60.0%   5.7%   2.9%      100.0%
Source: OIG and scanning tool results.
The OIG provided management with the raw data from the scans and a list of 354 patch vulnerabilities with 208 missing patches.
We conducted this performance audit from August 2013 through December 2014. However, we suspended the project from September 2013 to April 2014 due to higher priority audit work and to provide management time to correct issues identified during our South Florida District Vulnerability Assessment issued in October 2013.
The audit was performed in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our objective.
We assessed the reliability of operating system and database configuration data by performing electronic testing of the systems, reviewing resultant data for false positives and other anomalies, and interviewing agency officials knowledgeable about the data. We determined that the data were sufficiently reliable for the purposes of this report.
Prior Audit Coverage
Report Title                                      Report Number   Final Report Date   Monetary Impact
South Florida District Vulnerability Assessment   IT-AR-14-001    10/22/2013          None
Patch Management Processes                        IT-AR-12-002    1/9/2012            None
32 Heating Ventilation Air Conditioning monitoring system.
Table 5 summarizes the compliance areas the OIG reviewed to determine if Windows systems were compliant with Postal Service configuration standards.
Table 5. Configuration Compliance – Windows
Windows Systems Scanned
Compliance Check [33]   Compliant  Non-Compliant  Compliant  Non-Compliant  Compliant  Non-Compliant
                           11          0             2           0            13           0
                           11          0             0           2            12           1
                           11          0             0           2             5           8
                           11          0             1           1            12           0
                           11          0             0           2            10           3
                           11          0             0           2             6           7
                           11          0             2           0            13           0
                            9          0             0           2            12           0
                           11          0             2           0            13           0
                            5          6             0           2            10           3
                            4          7             0           2             6           7
                            3          8             0           2             4           9
                           11          0             2           0            13           0
                            3          8             0           2             2          11
                            3          8             0           2            10           3
                            3          8             0           2            11           2
                            3          8             0           2             2          11
                            3          8             0           2            11           2
Source: OIG scanning tool results.
33 Security Hardening Standards for
Appendix B: Configuration Management Vulnerabilities
Table 6 summarizes the compliance areas that the OIG reviewed to determine if servers running the Linux operating system were compliant with Postal Service configuration standards.
Table 6. Configuration Compliance – Linux
Linux Systems Scanned
Compliance Check [34]   Compliant  Non-Compliant
                            0          3
                            0          3
                            0          3
                            0          3
                            0          3
                            0          3
                            3          0
                            0          3
                            0          3
                            0          3
                            0          3
                            0          3
                            0          3
                            3          0
                            3          0
                            0          3
                            3          0
                            3          0
Source: OIG and scanning tool results.
34 Server Hardening Standards for
Table 7 summarizes the Windows and Linux operating systems critical and high-risk vulnerabilities we identified. We associated the patch vulnerabilities by product [35] and impact categories [36]. All vulnerabilities had a missing patch that was available for more than 90 days [37].
Table 7. Impact of Vulnerabilities Grouped by Product
Impact Category and Product                        Grand Total
Elevation of Privilege       20     2     0           22
                             10     0     0           10
                             10     2     0           12
Remote Code Execution        11     7     0           18
                              0     1     0            1
                             11     6     0           17
Undefined [38]               23    41     4           68
                              0     3     0            3
                             17    10     2           29
                              0     2     2            4
                              2     6     0            8
                              4     4     0            8
                              0    16     0           16
Grand Total                  54    50     4          108
Source: OIG scanning tool results.
35 Product is the software suite or operating system identified in scan results from . The numbers associated with the product represent the missing patches that have been released by the vendor within 90 days, as of June 15, 2014.
36 Impact categories group vulnerabilities based on the type of threat. The categories are from .
37 As of June 15, 2014.
38 The vulnerabilities categorized as "Undefined" by may fit into multiple categories of impact.
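As an added illustration of the roll-up behind Table 7 (example code written for this edit, not from the OIG or its scanning tool), the following Python groups constructed scan findings by impact category and product, keeping only critical and high-risk findings whose missing patch had been available for more than 90 days as of June 15, 2014. The Finding field names, hostnames, product names and patch dates are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

AS_OF = date(2014, 6, 15)          # cut-off date used for Table 7 (footnote 37)
MAX_PATCH_AGE_DAYS = 90            # patches available longer than this count as overdue
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    # One scanner result; the field names are an assumption for this example.
    host: str
    product: str          # software suite or OS named in the scan result
    impact: str           # e.g. "Elevation of Privilege"; "Undefined" if none given
    severity: str         # scanner severity, lower-case
    patch_released: date  # date the vendor released the missing patch


def is_overdue(f: Finding, as_of: date = AS_OF) -> bool:
    """True when the finding is critical/high and its patch has been
    available for more than MAX_PATCH_AGE_DAYS as of the cut-off date."""
    age_days = (as_of - f.patch_released).days
    return f.severity in IN_SCOPE_SEVERITIES and age_days > MAX_PATCH_AGE_DAYS


def rollup(findings):
    """Count overdue findings per impact category and product, with a
    per-category 'Grand Total' column and an overall total, as in Table 7."""
    table = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if is_overdue(f):
            table[f.impact][f.product] += 1
            table[f.impact]["Grand Total"] += 1
    grand_total = sum(row["Grand Total"] for row in table.values())
    return {k: dict(v) for k, v in table.items()}, grand_total


# Constructed sample scan output: hosts, products and dates are invented.
SAMPLE = [
    Finding("ws-01", "Windows OS", "Elevation of Privilege", "critical", date(2013, 11, 12)),
    Finding("ws-02", "Windows OS", "Elevation of Privilege", "high", date(2014, 1, 14)),
    Finding("ws-02", "Office Suite", "Remote Code Execution", "high", date(2014, 2, 11)),
    Finding("srv-01", "Linux OS", "Undefined", "critical", date(2013, 9, 3)),
    Finding("srv-01", "Linux OS", "Undefined", "high", date(2014, 5, 13)),   # only 33 days old: excluded
    Finding("ws-03", "Windows OS", "Remote Code Execution", "medium", date(2013, 6, 11)),  # not critical/high
]

if __name__ == "__main__":
    by_impact, total = rollup(SAMPLE)
    for impact, row in by_impact.items():
        print(f"{impact}: {row}")
    print("Grand Total:", total)   # prints 4 for the sample above
```

Running the block against real scanner exports would only require mapping each export row onto a Finding; the 90-day and severity filters are what make a finding count toward the report's totals.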
Appendix C: Patch Management Vulnerabilities
Appendix D: Management's Comments
Contact Information
Contact us via our Hotline and FOIA forms, follow us on social networks, or call our Hotline at 1-888-877-7644 to report fraud, waste or abuse. Stay informed.
1735 North Lynn Street
Arlington, VA 22209-2020
(703) 248-2100