The U.S. Postal Service Office of Inspector General’s
Information Technology Security Risk Model identified the
Capital District as being among the five most at-risk districts
for multiple quarters during fiscal years (FY) 2013 and 2014.
Security events during those periods included instances of
malicious software which can affect the confidentiality, integrity,
and availability of sensitive data and potentially compromise
critical mail processing applications.
During FY 2013, the Capital District processed about 2 billion
mailpieces and generated about $470.9 million in revenue.
The district had about 6,600 employees working in 260 facilities
during that time.
Our objective was to review system security controls in the
Capital District to determine whether proper security exists to
protect U.S. Postal Service infrastructure and data.
What The OIG Found
Security controls in the Capital District did not adequately
protect Postal Service infrastructure and data from unauthorized
access or corruption. Of the 1,254 systems active on the
network, we tested 33 and detected a combined total of
417 vulnerabilities, such as missing security updates or
system configuration deficiencies. Of the 417 vulnerabilities,
79 were considered critical and high-risk for which patches
were available for at least 1 year. We further identified four
and two shared user accounts. These vulnerabilities expose
the infrastructure to unauthorized remote access by potential
attackers who may discover network weaknesses, retrieve
information, corrupt data, and reconfigure settings.
The Capital District also permits access to devices using
unsecure communications, which further threatens
network security. Finally, we identified weaknesses in
asset management and accountability that could allow an
unauthorized device to remain on the network undetected.
These vulnerabilities occurred because administrators
improperly configured systems, did not install the latest patch
updates, and did not employ uniform processes to manage
information system assets.
What The OIG Recommended
We recommended management evaluate, test, and
install critical patches and correct configuration settings on
the identified databases and operating systems. We also
recommended management disallow software that permits
unsecure communications, discontinue the use of shared
user accounts, and uniformly manage assets. Additionally,
we recommended management remove the
Capital District Vulnerability Assessment
Report Number IT-AR-15-001