Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The Office of Justice Programs' Enterprise Network System

Report No. 03-01
October 2002
Office of the Inspector General


FINDINGS

Our review disclosed that security controls need improvement to fully protect the ENS from unauthorized use, loss, or modification. Specifically, vulnerabilities were identified in the following areas: life cycle controls; system security planning; personnel security; security awareness, training, and education; contingency planning; identification and authentication; and logical access controls. These vulnerabilities occurred because the OJP management did not enforce or formalize agency-wide and Department-level policies and procedures to fully secure the system.

  A. Management Controls. Management controls are techniques and concerns that are normally addressed by management in the organization's computer security program. In general, they focus on the management of the computer security program and the risk within the organization.

     Management Controls                                       Vulnerabilities Noted
     Risk Management
     Review of Security Controls
     Life Cycle                                                X
     Authorize Processing (Certification and Accreditation)
     System Security Plan                                      X

Our testing confirmed that management controls were adequate in the areas of risk management, review of security controls, and authorize processing. However, we found vulnerabilities in the following management control areas:

  1. Life Cycle. Security is an important part of the system life cycle, and security is best managed if planned for the entire system life cycle. There are many models for the system life cycle, but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.

Issue: Service Request

Condition:

We found that the only service request (SR) change submitted during the FY was moved into production without appropriate approval from the Configuration Management manager. In addition, the OJP staff does not follow the OJP's configuration management policies on approval signatures.

Cause:

The OJP staff does not consider this signature a priority and does not enforce the requirement because other signatures (such as a requester's supervisor's signature and completion signature) are required and obtained before changes are moved into production.

Criteria:

The "OJP System Configuration Management Guide," dated November 12, 1999, requires the Configuration Management manager's approval for software changes.

Risk:

Without the appropriate approval signatures, code may enter the production environment without proper management review. This increases the risk that code may malfunction or cause damage to the OJP systems or information in the production environment.

  2. System Security Plan. A system security plan provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. The plan delineates responsibilities and expected behavior of all individuals who access the system.

Issue: Outdated Documentation

Condition:

The ENS system security plan, operating procedure guides, the organizational chart, and system configuration management guides have not been updated since December 15, 2000, to reflect current conditions at the OJP for FY 2002. The OJP policies, procedures, and guides refer to the Information Resource Management Division (IRMD) rather than the newly formed Office of the Chief Information Officer.

Cause:

The re-organizational change from the IRMD to the Office of the Chief Information Officer has not been incorporated in the OJP's official documents.

Criteria:

NIST Special Publication (SP) 800-18, "Guide for Developing Security Plans for Information Technology Systems," Section 3.2.2 - Responsible Organization, requires that the OJP "list the federal organizational sub-component responsible for the system."

NIST SP 800-18, Section 3.2.4 - Assignment of Security Responsibility, states: "an individual must be assigned responsibility in writing to ensure that the application or general support system has adequate security."

Risk:

Outdated documentation could lead to confusion as to the current status and responsibilities of key individuals at the OJP.

  B. Operational Controls. Operational controls address security controls that are implemented and executed by people. These controls are put in place to improve the security of a particular system. They often require technical or specialized expertise and rely upon management activities as well as technical controls.

     Operational Controls                                      Vulnerabilities Noted
     Personnel Security                                        X
     Physical and Environmental Protection
     Production, Input/Output Controls
     Contingency Planning                                      X
     Hardware and Systems Software Maintenance
     Data Integrity
     Documentation
     Security Awareness, Training, and Education               X
     Incident Response Capability
Incident Response Capability  

Our testing confirmed that operational controls were adequate within the areas of physical and environmental protection; production, input/output controls; hardware and systems software maintenance; data integrity; documentation; and incident response capability. However, our testing identified vulnerabilities within other critical areas of operational controls. The specific details of the identified vulnerabilities are listed below.

  1. Personnel Security. Personnel security involves the use of computer systems by human users, designers, implementers, and managers. A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs.

Issue: Policy and Procedures

Condition:

Documentation to support compliance with the OJP remote user authorization policies and procedures does not exist. Specifically, we noted the following weaknesses:

Cause:

The policies and procedures within the OJP Security Operating Procedures Guide (SOPG) have not been enforced. Specifically, methods unrelated to policy are used by the OJP management to expedite their user authentication. For example, e-mail or verbal confirmation have been used rather than methods compliant with the policies set forth by the OJP SOPG.

Criteria:

"Office of Justice Programs, Security Operating Procedures Guide (SOPG)," Section 3.1.1 - User Account Authorization, requires the following:

Risk:

Without effective enforcement of user authentication policies and procedures, the authorization process may be circumvented, resulting in an individual obtaining remote access without proper authorization or justification.

  2. Contingency Planning. Contingency planning ensures continued operations by minimizing the risk of events that could disrupt normal operations and having an approach in place to respond to those events should they occur.

Issue: Backup and Service Continuity

Condition:

The following weaknesses were identified to the OJP's backup and service continuity procedures:

Cause:

The Oracle contractors are not following the OJP procedure to ship backup tapes to the off-site facility either weekly or bi-weekly. The Office of the Chief Information Officer has not recognized the need to provide server availability goals for the contractors responsible for maintaining server availability. In addition, the contractors do not monitor server availability on a long-term basis, since they do not have formal guidelines from the OJP on the acceptable level of downtime.

Criteria:

OJP's Automated Information System Security Plan for the Enterprise Network System, dated December 15, 2000, Section 4.4 - Contingency Planning, requires that at the end of the week, all incremental tapes and the full (weekly) backup tape be stored off-site.

Risk:

Backup tapes of critical Oracle data may be lost in the event that a disaster occurs at the OJP facility. In the event that the OJP loses its on-site data from the Oracle servers, the OJP would not be able to replace valuable information.

Because server availability is not monitored adequately, the contractors and the OJP staff might not recognize a long-term degradation in server performance levels in time to effectively address the problem.
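The finding above faults the absence of a stated downtime goal and of long-term availability tracking. The script below, an added example that is not part of the OIG report, shows what the missing control looks like in practice: it aggregates hourly probe results per server and month, compares each month against an availability goal, and flags a multi-month decline. The probe log, the server names (oraprod, webpub) and the 99.5% goal are constructed assumptions; a real deployment would feed in the output of its own uptime checks.

```python
"""Track server availability against a stated downtime goal over several months.

Added example, not from the OIG report. Servers, probe data and the 99.5% goal are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AVAILABILITY_GOAL = 99.5   # assumed goal, in percent of hourly probes answered UP


def make_month(server, year, month, down_hours):
    """Build 30 days of hourly probe lines; the first `down_hours` probes report DOWN.
    Used only to construct sample data for this example."""
    start = datetime(year, month, 1)
    lines = []
    for h in range(30 * 24):
        stamp = start + timedelta(hours=h)
        status = "DOWN" if h < down_hours else "UP"
        lines.append(f"{stamp:%Y-%m-%d %H:%M} {server} {status}")
    return lines


# Constructed probe log: "YYYY-MM-DD HH:MM server STATUS", one line per hourly check.
PROBE_LOG = "\n".join(
    make_month("oraprod", 2002, 7, 1)      # 1 hour down
    + make_month("oraprod", 2002, 8, 5)    # 5 hours down
    + make_month("oraprod", 2002, 9, 12)   # 12 hours down
    + make_month("webpub", 2002, 9, 0)     # no outage
)


def monthly_availability(log_text):
    """Return {(server, 'YYYY-MM'): percent_up} from probe lines."""
    totals = defaultdict(lambda: [0, 0])   # key -> [up_count, probe_count]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, _time, server, status = line.split()
        key = (server, day[:7])
        totals[key][1] += 1
        if status == "UP":
            totals[key][0] += 1
    return {k: round(100.0 * up / total, 2) for k, (up, total) in totals.items()}


def assess(availability, goal=AVAILABILITY_GOAL):
    """Findings: months below the goal, and any server whose availability has fallen
    for three consecutive months (the long-term degradation the report warns about)."""
    findings = []
    by_server = defaultdict(list)
    for (server, month), pct in sorted(availability.items()):
        by_server[server].append((month, pct))
        if pct < goal:
            findings.append((server, month, f"{pct}% is below goal of {goal}%"))
    for server, series in by_server.items():
        pcts = [p for _, p in series]
        run = 1
        for earlier, later in zip(pcts, pcts[1:]):
            run = run + 1 if later < earlier else 1
            if run >= 3:
                findings.append((server, series[-1][0],
                                 "availability declined for 3 consecutive months"))
                break
    return findings


if __name__ == "__main__":
    for finding in assess(monthly_availability(PROBE_LOG)):
        print(*finding)
```

With a stated goal in hand, the contractor and the OJP can agree on what "acceptable downtime" means and review the monthly figures rather than reacting only to individual outages.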

Issue: Contingency Plan

Condition:

Cause:

According to OJP management, the Office of the Chief Information Officer has not had the resources (staff and budget) to update the contingency plan since FY 2000. The Office of the Chief Information Officer does not see the benefit in distributing the existing plan due to its length. Thus, staff were not trained on the current contingency plan. Additionally, the contingency plan does not establish specific timelines because the developers of the plan wanted to keep the plan vague. Finally, the Office of the Chief Information Officer believes that occasional accidents, such as server outages or inclement weather problems, serve as the test of the contingency plan. The Office of the Chief Information Officer does not perform additional tests of the contingency plan.

Criteria:

OMB Circular A-130, Appendix III, Security of Federal Automated Information Systems, states: "Agency plans should assure that there is an ability to recover and provide service sufficient to meet the minimal needs of users of the system."

NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, Section 3.6.5 - Test and Revise Plan, requires that an organization test and revise the contingency plan. Additionally, NIST requires that the organization update the plan since it will become outdated as time passes and as the resources used to support critical functions change.

DOJ Order 2640.2D, Information Technology Security, Chapter 1, Section 9, Contingency Planning/Business Resumption Planning, requires that components test contingency/business resumption plans annually or as soon as possible after a significant change to the environment that would alter the in-place assessed risk.

NIST SP 800-12, Section 11 - Preparing for Contingencies and Disasters states: "Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization."

NIST SP 800-14, Section 3.6.2 - Identify Resources, states: "Time Frame Needed. In addition, an organization should identify the time frames in which each resource is used and the effect on the mission or business of the continued unavailability of the resource."

Risk:

During an extended outage and/or disaster, information system processing functions and vital business operations may be damaged and unable to function. Without a comprehensive business continuity plan, the OJP could face potentially critical financial data losses in the event of a disaster. Testing is one of the most important functions in maintaining a viable disaster recovery plan. It is through testing that weaknesses in the plan are uncovered and can be corrected. Testing should be performed to ensure that critical information for continued operations is not lost due to a failure to fully identify information technology recovery needs during a disaster.

  3. Security Awareness, Training, and Education. People are a crucial factor in ensuring the security of computer systems and valuable information resources. Security awareness, training, and education enhance security by improving awareness of the need to protect system resources. Additionally, training develops skills and knowledge so computer users can perform their jobs more securely.

Issue: Emergency Procedures

Condition:

From interviews with the OJP management and staff regarding the OJP's emergency procedures, we noted the following:

Cause:

The Office of Administration considers the bi-annual fire drills adequate training on emergency procedures. Key individuals are trained monitors for each floor and are responsible for ensuring that everyone is evacuated in the event of an emergency. According to the OJP management, the Emergency Operations and Occupation Plan is not distributed because the document is too large.

Criteria:

OMB Circular A-130, states that management should plan for how they will perform their mission and/or recover from the loss of existing application support, whether the loss is due to the inability of the application to function or a general support system failure.

NIST SP 800-12, Section 11 - Preparing for Contingencies and Disasters states: "Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization."

Risk:

Without proper training employees may not be adequately prepared to respond appropriately in the event of an emergency.

  C. Technical Controls. Technical controls focus on security controls that the computer system executes and depend upon the proper functioning of the system to be effective. Technical controls require significant operational considerations and should be consistent with the management of security within the organization.

     Technical Controls                                        Vulnerabilities Noted
     Identification and Authentication                         X*
     Logical Access Controls                                   X*
     Audit Trails

     X* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined as one where extremely grave circumstances can occur by allowing a remote or local attacker to violate the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.

During our review of the ENS, KPMG was performing an audit of the ENS security controls in support of the FY 2002 financial statement audit. KPMG assessed the technical controls using commercial-off-the-shelf and proprietary software to conduct network scanning on the ENS. The technical vulnerabilities reported in this report are KPMG's results, which PwC relied upon.

As a result of testing ENS's technical controls, we confirmed that controls were adequate in the area of audit trails. Test results identified high-risk vulnerabilities within critical areas of ENS's technical controls, as listed below.

  1. Identification and Authentication. Identification and authentication are technical measures that prevent unauthorized people or processes from entering an IT system. Identification, most commonly used for access control, is the means by which users claim their identities to a system. Authentication is the verification that a person's claimed identity is valid and is usually implemented through the use of passwords.

A password is a unique string of characters that must be provided before a logon or access is authorized to a computer system. Passwords are security measures used to restrict logons to user accounts and access to computer systems and resources. The OJP password controls tested via network security penetration testing were found to be inadequate.

Issue: Authentication Controls

Condition:

User authentication controls are not in compliance with policies and procedures set forth by the OJP password management guidelines. Specifically, we noted the following instances of weak or non-existent passwords in place on key business database servers, operating system accounts, and network devices:

Cause:

Ineffective communication of the OJP policies and procedures to administrative staff has created a situation where password security controls are not enforced. Specifically, we noted numerous instances where administrators were not aware of the password guidance provided by the OJP Computer Security Program.

Criteria:

Department of Justice - Office of Justice Programs: Computer System Password Policy, Section 3, requires that passwords will be used on all automated information systems to protect systems and system level accounts, individual accounts, and sensitive information processed or stored by the systems.

DOJ Order 2640.2D, "Information Technology Security" Chapter 2, Section 18, requires that Department IT systems that use passwords as the means for authentication shall implement at least the following minimum features:

Furthermore, DOJ Order 2640.2D, Chapter 2, Section 18, states Department IT systems shall: "disable system default passwords as soon as possible after system installation and before the system becomes operational."

Risk:

Poor password security parameters subject critical ENS information to potential unauthorized access and prevent the ENS system administrators from detecting unauthorized access on a system. Easily guessed passwords obtained during a brute force attack may compromise the identification and authentication integrity of the ENS servers.
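The finding above concerns weak or non-existent passwords on operating system accounts and the requirement to disable default passwords before a system goes into operation. As an added example, not part of the OIG report or of any OJP procedure, the script below shows the kind of check an administrator can run against shadow(5)-style account records to surface exactly those conditions: accounts with no password, legacy or weak hash formats, and passwords that never expire or are older than a policy maximum. The sample records, the 90-day maximum age and the audit date are constructed assumptions; the minimum password features required by DOJ Order 2640.2D are not reproduced here, so a real check should be parameterized from that order.

```python
"""Flag password weaknesses in /etc/shadow-style records.

Added example, not from the OIG report. Sample records, the 90-day maximum
and the audit date are constructed assumptions.
"""
from datetime import date

EPOCH = date(1970, 1, 1)
MAX_AGE_DAYS = 90                  # assumed policy value, not from the report
AUDIT_DATE = date(2002, 10, 1)     # assumed date of the check

# Constructed sample in shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:
# The hash fields are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$c0nstructed$placeholderhash:11900:0:90:7:::
oracle::11700:0:99999:7:::
appadmin:$1$c0nstr$placeholderhash:11500:0:99999:7:::
backup:XXplaceholder:11600:0:90:7:::
svc_batch:!:11600:0:90:7:::
webmaster:*:11600:0:90:7:::
"""


def is_locked(pw_field):
    """shadow(5): '!' or '*' (or a leading '!') means password login is disabled."""
    return pw_field in ("!", "*") or pw_field.startswith("!")


def audit_shadow(text, today, max_age_days=MAX_AGE_DAYS):
    """Return (account, finding) pairs for every weakness detected."""
    findings = []
    today_days = (today - EPOCH).days          # lastchg is stored as days since epoch
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw, lastchg, maxdays = fields[0], fields[1], fields[2], fields[4]
        if is_locked(pw):
            continue                           # cannot be logged into with a password
        if pw == "":
            findings.append((name, "no password set"))
            continue
        if not pw.startswith("$"):
            # Traditional DES crypt: no algorithm prefix, only the first 8 characters count
            findings.append((name, "legacy DES crypt hash (weak, 8-character limit)"))
        elif pw.startswith("$1$"):
            findings.append((name, "MD5 crypt hash (weak)"))
        if maxdays == "" or int(maxdays) >= 99999:
            findings.append((name, "password never expires"))
        if lastchg:
            age = today_days - int(lastchg)
            if age > max_age_days:
                findings.append((name, f"password is {age} days old (policy max {max_age_days})"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_shadow(SAMPLE_SHADOW, AUDIT_DATE):
        print(f"{account}: {finding}")
```

Run against the sample, the check reports the empty oracle password, the weak hashes on appadmin and backup, and the stale or non-expiring passwords, while leaving the locked service accounts alone. Database and network-device accounts need the equivalent review through their own administrative interfaces, since they do not appear in the host's shadow file.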

  2. Logical Access Controls. Logical access controls are the system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.

Issue: Network Devices

Condition:

The OJP did not enforce technical controls to achieve optimal workstation security resulting in the use of unauthorized network devices within the OJP facility. Specifically, we found:

Cause:

Controls to enforce workstation security, as specified in the OJP SOPG, have not been effectively communicated to OJP system users. For example, the Dynamic Host Configuration Protocol (DHCP) server responds to DHCP client requests; however, an unattended workstation with an active drop can be used by any user and computer recognized by the network servers.

Criteria:

"Department of Justice - Office of Justice Programs: Enterprise Security Network Security Operating Procedures Guide (SOPG)," Section 4.7.4 - Workstation Area Security, requires the following:

DOJ Order 2640.2D, "Information Technology Security," Chapter 2, Section 20 - Warning Banner, requires "all Department IT systems implement a system banner that provides warnings: to employees that accessing the system constitutes consent to system monitoring for law enforcement and other purposes; and to unauthorized users that their use of the system may subject them to criminal prosecution and/or criminal or civil penalties."

Risk:

Inadequate workstation area security may allow an unauthorized user to gain access to network resources through an unattended workstation, or to view sensitive data that was not properly secured using a screen saver. In addition, unauthorized full network access may be gained by connecting a computer directly to an active network drop.

Issue: Denial of Service

Condition:

We used an automated vulnerability scanner, NESSUS, to detect possible exploitable weaknesses associated with the OJP's public web servers. We noted that one web server is vulnerable to a possible "denial-of-service" (DOS) attack, and one web server discloses various parts of its directory structure. A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include attempts to "flood" a network, thereby preventing legitimate network traffic, and attempts to disrupt connections between two machines, thereby preventing access to a service.

Cause:

The identified web servers have not been updated to address the latest vulnerabilities.

Criteria:

OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," states: "in every general support system, a number of technical, operational, and management controls are used to prevent and detect harm. Such controls include individual accountability, "least privilege," and separation of duties.

Individual accountability consists of holding someone responsible for his/her actions. In a general support system, accountability is normally accomplished by identifying and authenticating users of the system and subsequently tracing actions on the system to the user who initiated them. Least privilege is the practice of restricting a user's access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, delete) to the minimum necessary to perform his job."

Risk:

The current vulnerabilities allow an attacker to perform DOS attacks that could potentially shut down the ENS web server. Additionally, by requesting the "robots.txt" file, the attacker can ascertain the directory structure on the web server and modify information.
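The directory-structure disclosure above comes from a file the web server publishes on purpose. robots.txt only asks well-behaved crawlers to stay out of the listed paths; it cannot restrict access, so every Disallow line tells any reader part of the site layout. The script below is an added example, not part of the OIG report or the OJP's own tooling, that a web administrator can run over their own robots.txt to list what it discloses and to flag entries whose names suggest the directory should be protected by access controls rather than merely left out of search indexes. The sample file, the hostname in its comment, and the keyword list are constructed assumptions.

```python
"""Review a web server's own robots.txt for paths it should not be advertising.

Added example, not from the OIG report. The sample file and keyword list are
constructed assumptions.
"""

# Constructed sample of a robots.txt as it might be published on a public web server
SAMPLE_ROBOTS = """\
# robots.txt for www.example.gov (constructed sample)
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/          # internal console
Disallow: /backup/db_dumps/
Allow: /public/

User-agent: Googlebot
Disallow: /tmp/
Disallow:
"""

# Path fragments suggesting content that needs access control, not just hiding from crawlers
SENSITIVE_MARKERS = ("admin", "backup", "dump", "private", "internal", "config")


def disclosed_paths(robots_text):
    """Return every non-empty Disallow path, in file order, without duplicates."""
    paths = []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        # An empty Disallow means "nothing is disallowed" and discloses no path
        if field.lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths


def flag_sensitive(paths, markers=SENSITIVE_MARKERS):
    """Paths whose name suggests they hold something robots.txt cannot protect."""
    return [p for p in paths if any(m in p.lower() for m in markers)]


def review(robots_text):
    """Summarize what the file discloses and which entries need a real access control."""
    paths = disclosed_paths(robots_text)
    return {"disclosed": paths, "needs_access_control": flag_sensitive(paths)}


if __name__ == "__main__":
    result = review(SAMPLE_ROBOTS)
    print("Disclosed paths:", result["disclosed"])
    print("Protect with access controls, not robots.txt:", result["needs_access_control"])
```

The remedy the flagged entries point to is the one the criteria above describe: enforce least privilege on the directories themselves (authentication, file permissions, or removal from the document root), then the robots.txt entry becomes unnecessary and the disclosure goes away.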