Select Computer Security Controls of the
Office of Community Oriented Policing Services
Network Computer System
Report No. 00-26
Office of the Inspector General
Presidential Directive Decision 63, "Critical Infrastructure Protection," dated May 22, 1998, sets a goal of reliable, interconnected, and secure information system infrastructures by the year 2003 and requires the Federal Government to serve as a model to the rest of the country for attaining infrastructure protection. For Fiscal Year (FY) 1998, the Attorney General reported computer security to the President as a material weakness for various Department components, and in June 1999 declared computer security a top priority for the Department of Justice.
In order to test and report on the extent of computer security vulnerabilities at Department components, the Office of the Inspector General is performing a series of computer security reviews. This report focuses on the Office of Community Oriented Policing Services (COPS). The primary activity of the COPS Office is awarding grants directly to law enforcement agencies across the United States and its territories. The COPS Office uses a network computer system to manage the approval and administration of grant requests.
Our objective was to determine whether adequate computer security controls were in place to protect the COPS network from unauthorized use, loss, or modification. For our review of the COPS network, we used commercial-off-the-shelf software to conduct security tests on the primary domain controller server, the computer that authenticates logon requests for the COPS network. We reviewed all 404 user accounts that existed at the time of our fieldwork. We reviewed the areas of password management, logon management, account integrity management, system auditing management, and remote access service management. We identified both favorable and unfavorable outcomes in the areas reviewed.
We identified favorable security control outcomes such as the use of unique passwords and the use of the "Account Lockout" option, denying access to users or intruders after three unsuccessful logon attempts. We identified unfavorable security control outcomes as detailed below. Our review of the COPS network disclosed that computer security controls were not adequate to protect the COPS network operating system from unauthorized use, loss, or modification. Specifically, our review disclosed the following security vulnerabilities:
The above vulnerabilities as well as the non-vulnerable areas found are detailed in the Findings and Recommendations section of the report. Our objective, scope, and methodology are contained in Appendix I. We provided our test results to the COPS Network Administration Division immediately at the conclusion of our on-site test work in order for management to plan and take corrective actions.