Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002
The United States Marshals Service's Warrant Information Network
Report No. 03-03
November 2002
Office of the Inspector General
Our review disclosed that security controls need improvement to fully protect WIN and MNET from unauthorized use, loss, or modification. We found security vulnerabilities in all but one critical control area. Specifically, vulnerabilities were identified in the following areas: review of security controls; life cycle; authorize processing; system security plan; personnel security; physical and environmental protection; production and input/output controls; contingency planning; hardware and software maintenance; data integrity; documentation; security awareness, training and education; incident response capability; identification and authentication; logical access controls; and audit trails. The vulnerabilities identified in this report occurred because USMS management did not fully develop, enforce, or formalize agency-wide policy in accordance with current Department policies and procedures. Additionally, the Department did not enforce its security policies and procedures to ensure that WIN and MNET had been fully secured through its certification and accreditation process.
Management Controls | Vulnerabilities Noted
---|---
Risk Management |
Review of Security Controls | X*
Life Cycle | X*
Authorize Processing (Certification and Accreditation) | X*
System Security Plan | X*

X* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined as one where extremely grave circumstances can occur when a remote or local attacker violates the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.
As a result of testing management controls, we confirmed that controls were adequate for WIN and MNET risk management. However, significant vulnerabilities were identified within the following management control areas:
Issue: Inappropriate Security Controls
Condition:
Independent reviews are only conducted once every three years. USMS does not conduct independent reviews when significant system changes or upgrades are implemented and completed. Additionally, weaknesses identified in prior reports, such as the "Independent Auditor's Report on Internal Control, Security Test & Evaluation Report" and the "PricewaterhouseCoopers Penetration Testing Report," were still present at the time of our audit.
Cause:
USMS has ineffective procedures for identifying, tracking, and correcting weaknesses. Additionally, we found that USMS has an inadequate number of trained IT security personnel on its team to identify and correct weaknesses in a timely manner.
Criteria:
DOJ Order 2640.2D Chapter 1 Section 11(b), Configuration Management, states: "Components shall…Document and test all changes before modifying the accredited system and/or application so that new vulnerabilities are not introduced into the operational environment."
DOJ Order 2640.2D Chapter 1 Part 2, Section 7(e), Certification and Accreditation, states:
"The DAA shall:
Risk:
Without prompt management action to identify and correct weaknesses, WIN and MNET systems remain vulnerable.
Recommendation:
Issue: Inadequate Systems Development
Condition:
The USMS currently does not have a documented and approved system development life cycle (SDLC) for WIN and MNET systems.
Cause:
USMS management is not committed to providing adequate resources to establish a formal documented methodology that describes how USMS personnel should develop, implement, and maintain systems.
Criteria:
DOJ Order 2640.2D Chapter 1, Part 6, Information Technology Security Life Cycle, states: "Components shall develop and implement a risk-based security process to provide security throughout the life cycle of all systems supporting their operations and assets."
Risk:
The absence of a documented and approved SDLC can lead to numerous complications in the development process that can cause system failures, system vulnerabilities and increases in project cost. In addition, inadequate software testing and planning can allow the system to enter production with major system flaws while also causing the project to go over budget.
Recommendation:
Issue: Inadequate Documentation to Support Certification and Accreditation
Condition:
Several significant documents that support the certification and accreditation (C&A) of WIN and MNET systems are not complete. These documents include the systems' contingency plan, security test and evaluation (ST&E), and security plan. Therefore, the C&A requirements are not adequately fulfilled.
Cause:
According to USMS, there is an inadequate level of USMS resources (e.g., financial, human) to create these documents. As a result, the USMS individuals responsible for system accreditation are willing to accept high levels of risk.
Criteria:
DOJ Order 2640.2D Chapter 1 Section 7, Certification and Accreditation, states: "Components shall ensure the certification and accreditation of all systems under their operational control.
(1) Ensure a system security plan is prepared and maintained throughout the system life cycle.
(2) Ensure a risk analysis is performed to identify security risks, determine their magnitude, and identify areas needing safeguards.
(3) Ensure a system test and evaluation is conducted and the results of such tests are documented.
(4) Ensure Rules of Behavior and security procedures/guides are developed.
(5) Ensure a contingency plan is prepared and tested.
(6) Prepare the summary of compliance with the security requirements and the statement of residual risk.
(7) Prepare a security evaluation report on the status of the certification and recommend to the Designated Approving Authority (DAA) whether or not to accredit the system based on documented residual risks.
(8) Prepare the accreditation grant for the DAA's signature.
(9) Submit the certification and accreditation package for classified systems to the Security and Emergency Planning Staff, JMD, and for SBU systems to the Information Management and Security Office (IMSO), JMD, for independent verification and validation."
Risk:
Allowing the system to be certified and accredited without adequate documentation of the risks of the system, system contingency plan, and security controls and with vulnerabilities present within the system increases the likelihood that the true security state of the system will be misconstrued and misrepresented.
Recommendation:
Issue: Inadequate System Security Plan
Condition:
We found the security plan for WIN and MNET systems to be inadequate. The previously approved security plan for MNET does not include the security plan for WIN. Additionally, the MNET security plan is outdated because the system's interim authority has expired and the security plan no longer meets the requirements set forth in that authority. Furthermore, USMS has no current strategic plan or similar document that discusses security plans at the component level.
Cause:
We found that USMS management is not committed to providing adequate resources to establish a formal security position that focuses on USMS security and is accountable for security plans. Additionally, the USMS security team has an inadequate number of trained security personnel to address corrective actions in a timely manner.
Criteria:
NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, requires that all security plans for major systems or general support systems contain a section describing "Planning for Security in the Life Cycle."
Further, the system is governed by a condition in the MNET Accreditation Statement that states: "Based on my authority and judgment, and weighing the residual risks against operational requirements, I [the Designated Approving Authority (USMS's CIO)] authorize the interim operation of the USMS MNET Headquarters for six months to provide an opportunity for satisfactory resolution of the issues delineated in the SSAA [System Security Authorization Agreement] Appendix H. When these issues have been satisfactorily resolved, the USMS MNET Headquarters will be granted a full accreditation."
Risk:
Failing to mitigate risks identified during a C&A process that resulted in "an interim approval to operate" could potentially require the system to be taken out of production.
Recommendation:
Operational Controls | Vulnerabilities Noted
---|---
Personnel Security | X*
Physical and Environmental Protection | X*
Production, Input/Output Controls | X*
Contingency Planning | X*
Hardware and Systems Software Maintenance | X*
Data Integrity | X*
Documentation | X*
Security Awareness, Training, and Education | X*
Incident Response Capability | X*

X* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined as one where extremely grave circumstances can occur by allowing a remote or local attacker to violate the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.
Our testing identified vulnerabilities within all nine critical areas of operational controls. The specific details of the identified vulnerabilities are listed below.
Issue: Inadequate Separation of Duties
Condition:
WIN system security administration responsibilities are not adequately separated to ensure least privilege and individual accountability. The same individual is responsible for WIN application development, system administration, and system security.
Cause:
According to the USMS, there is an inadequate number of trained IT security personnel on the USMS security team to assume IT security administration responsibilities.
Criteria:
DOJ Order 2640.2D Chapter 2, Section 18 (l)(a) and (c), states: "Department IT systems shall have assignment and segregation of system responsibilities defined and documented…At a minimum, there shall be a clearly defined role for a security administrator and a system administrator." Additionally, "Controls [compliant with Department access control policies] shall be in place to ensure that the user [and administrators] has access to only the resources required to accomplish their duties and no more."
Risk:
Assigning the same individual to be responsible for development, system administration, and security administration grants a single individual the ability to change critical resources without authorization or detection. Additionally, this condition could permit practices inconsistent with management intentions, requirements, and acceptable security standards, and could allow segregation of duties to be compromised, creating unnecessary risk.
Recommendation:
Issue: Inadequate Physical and Environmental Controls
Condition:
We found that physical and environmental controls surrounding the USMS computer room and building are inadequate. Backup tape rotation procedures, emergency exit and re-entry procedures, and fire and flood related controls are also inadequate. In addition, visitor access is not documented.
Cause:
This occurred because USMS management was not enforcing proper physical security.
Criteria:
DOJ Order 2640.2D, states: "Department IT systems shall be physically protected commensurate with the highest classification or sensitivity of the information. Department IT systems shall be environmentally protected, and the means for providing this protection shall be documented. Facilities supporting large scale IT operations, such as enterprise servers and telecommunication facilities, require consideration of additional environmental and physical controls as determined by a risk analysis."
Risk:
Insufficient physical and environmental controls can lead directly to major security incidents, such as theft and/or destruction, or to damage from accidental, natural or terrorist causes.
Recommendation:
Issue: World-Writeable Files
Condition:
We found two UNIX servers had 45,136 world-writeable files and directories, including two files that are critical to system operation. Files and directories that are world-writeable allow any user on the system to modify or delete their contents.
Cause:
Many of the world-writeable files and directories appeared to exist due to improper configuration of WIN on the part of USMS management.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states: "Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more."
Risk:
Improper configuration of home directories and their files could potentially allow a user to obtain the level of access of another identity on the server. If the compromise is business-critical, then this vulnerability is high-risk and could be exploited to gain privileged access on the server.
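As an added example, not drawn from the OIG report, the following POSIX shell helper performs the check behind this finding: it lists world-writeable files and directories under a root, skips sticky-bit directories such as /tmp that are world-writeable by design, and strips the offending bit only when explicitly told to. The scan root and the APPLY switch are assumptions of this example, not USMS configuration.

```shell
# Print every world-writeable regular file and every world-writeable directory
# that does not carry the sticky bit, under the root given in $1 (default /).
# Constructed audit helper; not code from the USMS systems or the OIG report.
audit_world_writeable() {
    root="${1:-/}"
    # -H resolves a symlinked root; -xdev stays on one filesystem;
    # -perm -0002 selects objects whose "other" write bit is set.
    find -H "$root" -xdev -type f -perm -0002 2>/dev/null
    # Sticky directories (mode 1xxx, e.g. /tmp) are excluded: anyone may create
    # files there, but only the owner may remove or rename them.
    find -H "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Number of world-writeable objects under $1, the figure an audit reports.
count_world_writeable() {
    audit_world_writeable "$1" | wc -l | tr -d ' '
}

# Remove the "other" write bit from each object found. Prints the intended
# change for every path and applies it only when APPLY=1 (assumed switch),
# so the list can be reviewed before anything is changed.
fix_world_writeable() {
    audit_world_writeable "$1" | while IFS= read -r path; do
        printf 'chmod o-w %s\n' "$path"
        if [ "${APPLY:-0}" = "1" ]; then
            chmod o-w "$path"
        fi
    done
}

# Stand-alone use: WW_ROOT=/ sh this_script.sh
if [ -n "${WW_ROOT:-}" ]; then
    count_world_writeable "$WW_ROOT"
fi
```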
Recommendation:
Issue: User Parameter Settings
Condition:
We found 16 files on 2 UNIX servers that contained improperly set "umask" values and 27 files on 2 UNIX servers that had insecure "path" variables. The "umask" variable is used for default file-creation permissions. Unsafe "umask" settings give users other than the owner of a file read and/or write permission to it. This increases the risk that unauthorized users view, delete, or modify sensitive or proprietary information.
Cause:
These conditions appear to exist due to the USMS's improper configuration of the "path" variables and "umask" values.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16 (a) and (f), Access Control, states that the system must: "Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more …Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."
Risk:
Insecure PATH variables increase the risk that users will be deceived by bogus versions of common system commands, such as the list-files command, that are executed instead of the genuine system command. For example, an unauthorized user could write a program that performs certain functions and give it the name of the list-files command. When an authorized user invokes that command, the bogus program would be executed instead.
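The following shell helpers, added here and not part of the OIG report, implement the two checks this finding calls for: whether a umask value (or each umask line in a shell start-up file) clears the group and other write bits, and whether a PATH contains an empty or "." entry, a relative entry, or a world-writeable directory. The 022 threshold for a safe umask and the sample start-up file are assumptions of this example.

```shell
# Return 0 when the octal umask in $1 clears both the group-write and the
# other-write bit (022 or stricter), 1 otherwise. The leading 0 forces octal
# parsing, the same convention the umask command uses.
umask_is_safe() {
    mask=$(( 0$1 ))
    [ $(( mask & 022 )) -eq $(( 022 )) ]
}

# Print each unsafe "umask NNN" setting found in the start-up file named in $1.
audit_umask_file() {
    grep -E '^[[:space:]]*umask[[:space:]]+[0-7]+' "$1" 2>/dev/null |
    while read -r cmd value trailing; do
        umask_is_safe "$value" || printf 'unsafe umask %s in %s\n' "$value" "$1"
    done
}

# Print one "reason:entry" line per insecure entry in the PATH string $1:
#   cwd             - empty entry or ".", so the current directory is searched
#   relative        - does not start with "/", so it resolves differently per cwd
#   world-writeable - a directory any user could place a program in
audit_path() {
    rest="$1:"                      # trailing ":" so the last field is consumed
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            ""|.)
                printf 'cwd:%s\n' "$entry" ;;
            /*)
                # -H resolves a symlinked entry; -prune examines only the entry
                # itself; sticky directories are not counted as writeable.
                if [ -d "$entry" ] && \
                   [ -n "$(find -H "$entry" -prune -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
                    printf 'world-writeable:%s\n' "$entry"
                fi ;;
            *)
                printf 'relative:%s\n' "$entry" ;;
        esac
    done
}

# Stand-alone use: audits the calling shell's own PATH.
if [ "${AUDIT_OWN_PATH:-0}" = "1" ]; then
    audit_path "$PATH"
fi
```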
Recommendation:
Issue: Help Desk Policies and Procedures Do Not Exist
Condition:
A system help desk is designed to offer advice and respond to system security incidents in a timely manner, and to assist users with the operation of the system and applications (including the re-setting of user passwords). At the time of our audit, USMS had not implemented adequate security controls pertaining to its help desk operation. Specifically, we noted that USMS does not have documented procedures for help desk personnel to follow when assisting WIN and MNET users. Additionally, no controls exist to ensure that users' account passwords are properly reset when accounts are locked or when users forget their passwords.
Cause:
According to USMS personnel, the shortage of personnel on the USMS IT security team has resulted in an inability to handle the associated responsibilities and daily tasks required to maintain a secure computing environment and help desk operations that are compliant with Department policy.
Criteria:
NIST SP 800-18, Section 5.MA.3, states: "...provide a synopsis of the procedures in place that support the operations of the application such as using questions like, 'Is there a help desk or group that offers advice and can respond to security incidents in a timely manner? Are there procedures in place documenting how to recognize, handle, and report incidents and/or problems...'"
Risk:
Without documented help desk policies and procedures, unauthorized individuals could potentially exploit the help desk by fraudulently presenting themselves as an authorized user, which could allow them to change passwords and obtain unauthorized access. Unauthorized individuals could potentially gain access to sensitive USMS data, allowing them to make personal gains based on the type of data.
Recommendation:
Issue: Media Controls
Condition:
No documented process has been established to ensure only authorized individuals can pick up, receive, or deliver input/output information and media. In addition, no formal process has been established to ensure adequate audit trails are maintained for inventory management of such media.
Cause:
According to USMS personnel there are inadequate numbers of trained security personnel on the USMS security team to handle the associated responsibilities.
Criteria:
USMS Manual Section 9.2-2, Limited Official Use Information, states: "Limited Official Use (LOU) information used by USMS must be maintained, distributed, secured and disposed of in a manner that will protect the information against unauthorized disclosure. This section sets forth the requirements for safeguarding unclassified but sensitive information."
DOJ Order 2640.2D Section 19, Accountability and Audit Trails, states: "…Maintain an audit trail of activity sufficient to reconstruct security relevant events."
Risk:
Without documented procedures for media security controls, unauthorized individuals could potentially obtain access to sensitive USMS data. This condition could potentially allow practices inconsistent with management intentions, requirements, and acceptable security standards.
Recommendation:
Issue: No Documented Contingency Plan Exists
Condition:
Contingency plans were not documented or tested for the MNET and WIN systems.
Cause:
According to USMS, there is a shortage of trained security personnel on the USMS security team resulting in the inability to develop a contingency plan.
Criteria:
Section 9.4-10 Contingency Planning, of the USMS Manual states, "Contingency planning is required to ensure continuity of ADP operations to the greatest degree possible of data processed or stored by the ADP systems. Contingency plans will be generated for each ADP facility and will be submitted to the Computer Systems Program Manager for review and approval upon generation. Approved contingency plans will be tested by personnel from each ADP facility at least once annually to ensure adequacy of scope and operation. Any deficiencies noted by the test will result in a revision to the contingency plan and resubmission to the Computer Systems Program Manager."
Risk:
Without a comprehensive, tested contingency plan, USMS management cannot be assured of the ability to restore critical systems in a timely fashion following a disaster or significant service interruption.
Recommendation:
Issue: Cisco Router Fault Tolerance is Inadequate
Condition:
We found fault tolerance controls are inadequate on the Cisco router. Backup configuration files are stored inadequately and the Cisco router does not take advantage of backup capabilities.
Cause:
According to USMS personnel, these conditions are due to lack of additional hardware for fault tolerance purposes.
Criteria:
DOJ Order 2640.2D Chapter 2, Security Program Management Contingency Planning/Business Resumption Planning, states: "Components shall plan for how they will perform their missions in the event their IT systems are unavailable and how they will recover these IT systems in the event of loss or failure."
Risk:
If the running configuration becomes corrupt, the router will boot with the startup configuration stored in its memory. It is essential that this stored configuration be kept up to date.
Recommendation:
Issue: System Software
Condition:
The winsrv server contains a compiler, which does not support a business need.
Cause:
This condition appears to exist due to USMS not knowing the software was on the system.
Criteria:
USMS Security Policy and Procedures Manual - Volume IX Section 9.4-19, System Software, states: "Software which is not used for official USMS operations shall not be loaded onto USMS ADP systems and any such software already present on ADP systems upon receipt from a vendor or manufacturer shall be purged from the system upon receipt."
Risk:
Inappropriate use of software on the server might lead to potential risks including, but not limited to, service disruption and legal issues.
Recommendation:
Issue: Inadequate Data Integrity, Validation Controls, and Virus Detection Controls
Condition:
Although virus detection software is installed on MNET workstations, virus detection and elimination software is not installed on the application servers. Additionally, workstation virus detection software is not updated in a timely manner.
Cause:
A shortage of trained security personnel on the USMS security team resulted in the USMS not being able to install and update virus detection software for all of its systems.
Criteria:
DOJ Order 2640.2D, Chapter 3 Section 35, states: "All Department IT systems shall employ virus protection software. Anti-virus software shall:
Risk:
The lack of virus detection software leaves the system vulnerable to common types of virus and possibly corruption or disruption of system services.
Recommendation:
Issue: Warning Banner
Condition:
The winsrv server does not display a system-warning banner when users log onto the server.
Cause:
We concluded that USMS personnel were not aware that there was a requirement for a system-warning banner.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 18, Password Management, states: "All Department IT systems shall implement a system banner that provides warnings: to employees that accessing the system constitutes consent to system monitoring for law enforcement and other purposes; and to unauthorized users that their use of the system may subject them to criminal prosecution and/or criminal or civil penalties."
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, Section 3.3.1, states: "The many different components of risk should be examined. This examination normally includes gathering data about the threatened area and synthesizing and analyzing the information to make it useful. The types of areas are...Vulnerability Analysis. A vulnerability is a condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat."
Risk:
The winsrv server provides information to users before they are authenticated to the server. It is important to inform users of the sensitive nature of the resources they are using. An unauthorized user attempting to compromise the server could make use of this information. The USMS's ability to prosecute criminals may be undercut by its inability to prove that they abused systems knowing the systems were to be used only for official purposes. It is also a good practice to proactively inform users that they are subject to audit.
Recommendation:
Issue: Cisco Router Policies
Condition:
We found no documented policies for securing existing Cisco routers and implementing future routers.
Cause:
We concluded that USMS management has not placed a high priority on documenting router policies.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states: "Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."
Risk:
Proper security policies and operating procedures for routers and supporting devices are essential for maintaining the networking environment.
Recommendation:
Issue: No "Rules of Behavior" Document Has Been Approved
Condition:
No Rules of Behavior document has been approved by USMS to provide guidance on how to use USMS systems. In addition, users have not been given adequate training and education regarding rules of behavior.
Cause:
USMS developed a Rules of Behavior document that contains relevant information for users to follow while using USMS systems. However, USMS requires the General Counsel approval before distribution to users. Unfortunately, the General Counsel has failed to return or validate the proposed Rules of Behavior in a timely manner, preventing the distribution of this document.
Criteria:
DOJ Order 2640.2D, Chapter 1 Section 7, states: "For each classified and SBU system the Certification Official shall...Ensure Rules of Behavior and security procedures/guides are developed."
Risk:
The lack of a Rules of Behavior document could potentially have several negative effects. For example, users could choose an action that violates the Department's requirements inadvertently or out of ignorance. Also, USMS could potentially be unable to hold certain users accountable for their actions given the lack of express instructions describing appropriate activities.
Recommendation:
Issue: Formal Incident Response Procedures Have Not Been Established
Condition:
We found that USMS has no written incident response procedures.
Cause:
According to USMS personnel, there is a shortage of trained IT security personnel on the USMS security team, preventing USMS from establishing written incident response policies and procedures.
Criteria:
DOJ Order 2640.2D, Chapter 1 Section 5, states: "For SBU systems, security incidents that meet the criteria established by the Department of Justice Computer Emergency Response Team (DOJCERT) shall be reported by the component to DOJCERT within time frames established by DOJCERT."
Risk:
Without a clear definition of responsibilities for incident response, the likelihood that an incident will not be handled properly and in accordance with USMS and Department procedures is increased, which could increase the harm to the system or decrease the effectiveness of a response.
Recommendation:
We assessed the effectiveness of operational and technical controls on WIN and MNET systems by using commercial off-the-shelf and proprietary software to conduct penetration testing on the system. A penetration test is a security test in which evaluators attempt to access sensitive information on the system to determine whether appropriate security controls are in place.
Technical Controls | Vulnerabilities Noted
---|---
Identification and Authentication | X*
Logical Access Controls | X*
Audit Trails | X*

X* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined as one where extremely grave circumstances can occur by allowing a remote or local attacker to violate the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.
As a result of testing USMS technical controls, we confirmed that controls were not adequate.
Issue: User Account Management Is Improperly Configured
Condition:
Cause:
No formal process has been established by USMS to describe authorized users and their associated access privileges because USMS currently does not assign the responsibility of security (and/or user management) to a specific individual who has the resources and experience to properly secure this environment.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states that the system must: "Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more."
DOJ Order 2640.2D, Identification And Authentication, states: "No later than February, 2003, secure privileged accounts by using authentication technology stronger than that which is based only on a UserID and password."
USMS Security Policy and Procedures Manual - Volume IX Section 9, ADP System User Access Authentication, states: "Each user will have a unique user identification and password."
Risk:
Providing access on the server to users without a business need significantly increases security risks. Additionally, duplicate user identifications increase the risk that unauthorized users will modify or delete files created by another user, and jeopardize accountability. Furthermore, duplicate root-equivalent accounts increase the risk that users have system access privileges that are not required for their job functions. In addition, unauthorized users who target root-equivalent accounts have multiple opportunities to gain root access.
Allowing users to log into the system directly as root from any host on the network increases the risk that an unauthorized user will gain privileged access to the system. If shared accounts are logged into directly, then accountability is lost. Allowing inactive accounts to remain on the system could potentially give unauthorized users a vehicle or target for gaining unauthorized access to sensitive system resources.
Recommendation:
Issue: Password Controls Are Inadequate
Condition:
In the USMS's "PwC Penetration Testing Vulnerability Report," dated June 19, 2000, it was disclosed that USMS's UNIX and Novell servers had weak passwords (UNIX Finding 1, UNIX Finding 5 and Novell Finding 1). At the time of our audit, we identified the following related weaknesses:
Cause:
Criteria:
DOJ Order 2640.2D, Chapter 2 Section 18(b)(1), Password Management, states: "Department IT systems that use passwords as the means for authentication shall implement…An eight-character password composed of at least three of the following: English uppercase, English lower case, numerics, special characters."
USMS Security Policy and Procedures Manual - Volume IX Section 9, ADP System User Access Authentication, states: "... each user will have a unique user identification and password." DOJ Order 2640.2D, Chapter 2 Section 18(b)(3) and (4), Password Management, states: "Limit password lifetime to a maximum of 90 days," and "Prevent the display of a clear text password."
Risk:
Inconsistent policies can lead to security weaknesses. In this case, the USMS policy permits weaker passwords than the Department's policy allows.
Easy-to-guess passwords increase the chances that an intruder can gain access to the system or represent him or herself as a valid user. This was proven by our ability to gain root access on one UNIX server using the default password of a UNIX account. Furthermore, having the same password for multiple accounts increases the chance that users can log in with a different account and thus conceal their true identity.
Account passwords that are not changed with a scheduled frequency increase the possibility of compromise and unauthorized use of the account by an intruder representing him or herself as a valid user.
The existence of reference files or scripts with unencrypted passwords increases the risk that unauthorized users will gain access to user accounts on the system.
Users without passwords increase the risk that unauthorized users will gain access to systems and access data and system configuration files.
Recommendation:
Issue: Accounts and Privileged Groups
Condition:
On the hq001 server, 2 out of 177 accounts are inappropriately assigned to privileged groups. Users listed in privileged groups have access to group files and directories owned by the privileged group. This increases the risk that sensitive system configuration files could be changed or deleted.
Cause:
This condition exists due to a misconfiguration on the part of USMS.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states: "Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more."
Risk:
Users listed in privileged groups have access to group files and directories owned by the privileged group. This increases the risk that sensitive system configuration files could be changed or deleted.
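Added as an illustration for the three technical-control findings above (user account management, password controls, and privileged groups) and not part of the OIG report, these POSIX shell and awk checks run over passwd, shadow and group files: root-equivalent and duplicate UIDs, empty password fields, passwords older than the 90-day DOJ limit, and the members of privileged groups. The sample files are constructed for the example, and the group names wheel and sys are an assumed set of privileged groups.

```shell
# Root and any root-equivalent duplicate (UID 0) accounts in a passwd file.
root_equivalent_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# UIDs shared by more than one account; a shared UID destroys individual
# accountability because the kernel cannot tell the two users apart.
duplicate_uids() {
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' \
        "${1:-/etc/passwd}" | sort -n
}

# Accounts whose shadow entry has an empty password field: login needs no password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Accounts whose password last changed more than $3 days (default 90, the DOJ
# limit) before day $2. Days are counted since the epoch, as the shadow file
# does. Locked or disabled hashes ("!" or "*") are skipped.
stale_password_accounts() {
    awk -F: -v today="$2" -v max="${3:-90}" \
        '$2 != "" && $2 !~ /^[!*]/ && $3 != "" && today - $3 > max { print $1 }' \
        "${1:-/etc/shadow}"
}

# "group:member" for each member of the privileged groups named after the group
# file ($1), for review against the list of people authorised to hold them.
privileged_group_members() {
    file=$1; shift
    for g in "$@"; do
        awk -F: -v g="$g" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print g ":" m[i]
        }' "$file"
    done
}

# Today as days since the epoch (date +%s is not POSIX but widely available).
today_in_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Constructed sample files (not real USMS data) written into directory $1:
# toor duplicates UID 0 with no password, bob and carol share UID 1002,
# alice's password is 200 days old on day 12000, bob's account is locked.
write_constructed_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'toor:x:0:0:duplicate root:/root:/bin/sh' \
        'alice:x:1001:1001:Alice:/home/alice:/bin/sh' \
        'bob:x:1002:1002:Bob:/home/bob:/bin/sh' \
        'carol:x:1002:1002:Carol:/home/carol:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:$6$salt$hash:11950:0:90:7:::' \
        'toor::11000:0:90:7:::' \
        'alice:$6$salt$hash:11800:0:90:7:::' \
        'bob:!locked:10000:0:90:7:::' \
        'carol:$6$salt$hash:11990:0:90:7:::' > "$1/shadow"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,bob' 'sys:x:3:' 'adm:x:4:carol' \
        > "$1/group"
}

# Run every check over the passwd, shadow and group files in directory $1 as of
# day $2 (default: today), one labelled line per finding.
account_audit() {
    dir=$1; today=${2:-$(today_in_days)}
    root_equivalent_accounts "$dir/passwd" | sed 's/^/uid0: /'
    duplicate_uids "$dir/passwd" | sed 's/^/duplicate-uid: /'
    empty_password_accounts "$dir/shadow" | sed 's/^/no-password: /'
    stale_password_accounts "$dir/shadow" "$today" 90 | sed 's/^/stale-password: /'
    privileged_group_members "$dir/group" wheel sys | sed 's/^/privileged: /'
}

# Stand-alone demo over the constructed files: AUDIT_DEMO=1 sh this_script.sh
if [ "${AUDIT_DEMO:-0}" = "1" ]; then
    d=$(mktemp -d); write_constructed_samples "$d"; account_audit "$d" 12000
fi
```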
Recommendation:
Issue: Logical Access Controls
Condition:
The following risky services are found to be running on WIN and MNET systems:
The following Windows NT server configurations were set improperly in all Windows NT Primary Domain Controllers (PDC) servers accessed:
Similar conditions relating to rusers, telnet, Berkley r-services, vrfy and expn, finger, and other services were also noted in the following prior-year findings (USMS PwC Penetration Testing Vulnerability Report, dated June 2000, Finding numbers: 2, 4, 6, 7, 10, 12, 14, and 15.)
Cause:
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states: "Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."
Risk:
Recommendation:
Issue: Data Encryption
Condition: Encryption is not being used to protect WIN data that is sent across MNET.
Cause:
USMS does not require WIN data to be encrypted before transmission.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states: "Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."
Federal Information Processing Standards Publication (FIPS PUB) 46-3, states: "Data that is considered sensitive by the responsible authority, data that has a high value, or data that represents high value should be cryptographically protected if it is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage."
Risk:
Sensitive information may be the target of sniffing attacks by unauthorized users. If transactions containing highly confidential information are not encrypted, they are vulnerable to sniffing. Hash algorithms help mitigate a loss of data integrity should the data be manipulated in transit.
Recommendation:
Issue: Cisco Router Access Controls Are Inadequate
Condition:
The following router access controls are inadequate on the Cisco router:
Cause:
We found that these conditions exist due to misconfiguration of the setting by USMS.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states: "Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure," and "Disable inactive sessions so that authentication is required to re-establish the session after 20 minutes or less of inactivity. Screen saver or workstation lockouts that require users to re-enter their passwords, such as those available in Windows, are acceptable."
DOJ Order 2640.2D Chapter 2 Section 18, Password Management, states: "All Department IT systems shall implement a system banner that provides warnings: to employees that accessing the system constitutes consent to system monitoring for law enforcement and other purposes; and to unauthorized users that their use of the system may subject them to criminal prosecution and/or criminal or civil penalties."
Risk:
Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router.
Timeout sessions provide additional security against consoles that are left unattended. If a user can gain access to a console left unattended, they can modify the router's configuration.
Recommendation:
Issue: Cisco Router Traffic Filtering
Condition:
Traffic filtering controls are inadequate on the Cisco router. The router does not have transmission control protocol (TCP) intercept mode activated, which is used to watch the activity of incoming connection requests to aid in the prevention of a denial of service attack. Additionally, activity not explicitly allowed is not being logged to an access list. The information obtained from the access list can be used to examine unwarranted attempts to access the network.
Cause:
These conditions exist because of USMS's misconfiguration of the TCP intercept mode.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states: "Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."
USMS Security Policy and Procedures Manual - Volume IX Section 9, ADP System User Access Authentication, states: "Audit trails are required on all ADP systems processing Limited Official Use or classified information which may be accessed by more than one user and must be reviewed by the Computer Systems Security Officer or Assistant Computer Systems Security Officer at least on a weekly basis."
Risk:
If TCP intercept mode is not activated, WIN becomes susceptible to denial of service attacks, which can shut down the network.
If access lists are not used to monitor activity, unauthorized users may be able to gain access to the router.
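The two Cisco router findings above (an unrestricted login prompt, missing or excessive idle timeouts, no warning banner, TCP intercept not enabled, and access lists that do not log denied traffic) can be checked mechanically against the router's saved configuration. The following is an added example, not code from the report or from USMS: it parses two constructed IOS-style configurations, one weak and one hardened, and returns the findings. The hostnames, access-list numbers, addresses and banner text are placeholders, and the parser is a simplified line-oriented reader rather than a full IOS grammar.

```python
"""Added example: audit constructed Cisco IOS-style configurations for the
router access-control and traffic-filtering weaknesses described in this report."""

MAX_IDLE_MINUTES = 20  # DOJ Order 2640.2D: re-authenticate after 20 minutes or less

# Constructed configuration exhibiting the report's findings.
WEAK_CONFIG = """
hostname win-rtr
!
access-list 101 permit tcp any any eq 22
access-list 101 deny ip any any
!
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 30 0
 login local
!
"""

# Constructed configuration with each finding corrected.
HARDENED_CONFIG = """
hostname win-rtr
!
ip tcp intercept list 120
!
access-list 120 permit tcp any 10.0.0.0 0.255.255.255
access-list 120 deny ip any any log
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 22
access-list 101 deny ip any any log
!
banner login ^C Authorized use only. Use constitutes consent to monitoring. ^C
!
line con 0
 exec-timeout 10 0
line vty 0 4
 access-class 101 in
 exec-timeout 10 0
 login local
!
"""

def parse_ios_config(text):
    """Split a config into global statements, numbered access-list entries and
    per-'line' sub-statements. Indented statements belong to the preceding
    'line ...' block; '!' separators are ignored."""
    cfg = {"global": [], "lines": {}, "acls": {}}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            cfg["lines"][current].append(raw.strip())
            continue
        current = None
        stmt = raw.strip()
        if stmt.startswith("line "):
            current = stmt[5:]
            cfg["lines"].setdefault(current, [])
        elif stmt.startswith("access-list "):
            parts = stmt.split()
            cfg["acls"].setdefault(parts[1], []).append(" ".join(parts[2:]))
        else:
            cfg["global"].append(stmt)
    return cfg

def audit_config(text):
    """Return a list of finding strings; an empty list means every check passed."""
    cfg = parse_ios_config(text)
    findings = []
    if not any(s.startswith("ip tcp intercept list") for s in cfg["global"]):
        findings.append("global: ip tcp intercept not enabled (no SYN-flood protection)")
    if not any(s.startswith(("banner login", "banner motd")) for s in cfg["global"]):
        findings.append("global: no login/motd warning banner")
    for number, entries in cfg["acls"].items():
        if not any(e.startswith("deny") and e.endswith(" log") for e in entries):
            findings.append(f"access-list {number}: denied traffic is not logged")
    for name, stmts in cfg["lines"].items():
        if name.startswith("vty") and not any(s.startswith("access-class") for s in stmts):
            findings.append(f"line {name}: no access-class, login prompt reachable from any host")
        timeout = next((s for s in stmts if s.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"line {name}: no exec-timeout configured")
            continue
        fields = timeout.split()
        minutes = int(fields[1])
        seconds = int(fields[2]) if len(fields) > 2 else 0
        if minutes == 0 and seconds == 0:
            findings.append(f"line {name}: exec-timeout 0 0 disables the idle timeout")
        elif minutes > MAX_IDLE_MINUTES:
            findings.append(f"line {name}: exec-timeout {minutes} min exceeds {MAX_IDLE_MINUTES} min")
    return findings

if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(config) or 'no findings'}")
```

The weak configuration yields six findings (no TCP intercept, no banner, an unlogged deny in access-list 101, no access-class on the vty lines, a disabled console timeout and a 30-minute vty timeout); the hardened one yields none. In practice the audit would run over a configuration exported from the device, and the access-class list would be restricted to the management hosts that are authorized to reach the login prompt.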
Recommendation:
Issue: Software Patches
Condition:
We found that the operating system software is not kept up-to-date with respect to security patches on the winsrv and hq001 servers. Current software patches contain processing and security enhancements. Additionally, patches correct bugs that have been identified by (or communicated to) the operating system vendor.
Cause:
This condition exists due to a lack of formal procedures for keeping up-to-date with security patches.
Criteria:
NIST SP 800-13 Section 5.10, Telecommunications Security Guidelines for Telecommunications Management Network, states: "All new software features and patches shall be tested first on a development system and approved by an appropriate testing organization, prior to installation on an operational system. Tests that modify live data shall not be performed. A risk analysis shall be conducted of proposed software changes to determine their impact on network element security. Any changes to security features or security defaults shall be documented and made available to the user before the software is distributed."
Risk: If the version of the operating system and the security patches are not current, there is an increased risk that an unauthorized user may be able to exploit system weaknesses.
Recommendation:
Issue: Windows NT Systems Improperly Configured.
Condition:
Windows NT system configurations were improperly set, as identified below. Only the affected server names survive in this copy of the table; the configuration setting for each group was not preserved:
ABSSERVER, HRD_PS7NT, COLOSSUS, JSD-APPS, HQ_NOTES
ABSSERVER, HRD_PS7NT, COLOSSUS, HQ_NOTES
HRD_PS7NT, JSD_APPS
ABSSERVER, HRD_PS7NT, COLOSSUS, JSD_APPS, HQ_NOTES
ABSSERVER, HRD_PS7NT, COLOSSUS, HQ_NOTES
Similar conditions were also noted in a prior year (June 2000) report, as identified below:
Cause:
All of the conditions noted above exist due to a lack of formal Windows NT security procedures.
Criteria:
DOJ Order 2640.2D Chapter 2 Section 16, Access Control, states: "Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."
Risk:
Recommendation:
Issue: Auditing, Logging, and Monitoring Are Not Sufficient.
Condition: System activities are not adequately logged and reviewed on a regular basis on winsrv and hq001 servers.
Cause:
This condition exists due to a lack of formal procedures for auditing.
Criteria: USMS Security Policy and Procedures Manual - Volume IX Section 9, ADP System User Access Authentication, states: "Audit trails are required on all ADP systems processing limited official use or classified information which may be accessed by more than one user and must be reviewed by the Computer Systems Security Officer or Assistant Computer Systems Security Officer at least on a weekly basis."
Risk:
Insufficient logging will result in the lack of an audit trail in the event of an unauthorized access. Without good logging and monitoring, administrators often receive no early warning of hardware and software errors or problems.
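The weekly audit-trail review that the USMS manual requires is only possible when the servers actually record authentication events and someone reduces them to a reviewable summary. The following is an added example, not code from the report or from USMS: it runs over a handful of constructed syslog-style lines (hostnames, process names, addresses and message formats are placeholders in a simplified format, not verbatim output of any particular UNIX variant) and produces the two summaries a reviewer would want first, repeated failed logins per account and source, and every acquisition of root.

```python
"""Added example: reduce constructed authentication log lines to a review summary
covering repeated login failures and root access events."""
import re
from collections import Counter

# Constructed log lines in a simplified "Mon DD HH:MM:SS host process: message" format.
LOG_LINES = """Nov  4 08:12:01 hq001 login[2231]: FAILED LOGIN 1 FROM 10.20.30.40 FOR oracle
Nov  4 08:12:09 hq001 login[2231]: FAILED LOGIN 2 FROM 10.20.30.40 FOR oracle
Nov  4 08:12:40 hq001 login[2231]: FAILED LOGIN 3 FROM 10.20.30.40 FOR oracle
Nov  4 08:13:02 hq001 su: 'su root' succeeded for oracle on /dev/pts/1
Nov  4 09:00:15 hq001 login[2500]: ROOT LOGIN on /dev/pts/2 from 10.20.30.41
Nov  4 17:45:10 winsrv login[880]: FAILED LOGIN 1 FROM 10.20.30.77 FOR backup
Nov  5 02:15:00 hq001 su: 'su root' succeeded for backup on /dev/pts/3
""".splitlines()

LINE_RE = re.compile(r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+)")
SU_ROOT_RE = re.compile(r"'su root' succeeded for (?P<user>\w+)")
ROOT_LOGIN_RE = re.compile(r"ROOT LOGIN .* from (?P<src>\S+)")

def parse_line(line):
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def failed_login_counts(lines):
    """Counter keyed by (host, user, source) of failed login attempts."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[(rec["host"], m["user"], m["src"])] += 1
    return counts

def repeated_failures(lines, threshold=3):
    """(host, user, source, count) tuples at or above the review threshold."""
    return [(h, u, s, n) for (h, u, s), n in failed_login_counts(lines).items()
            if n >= threshold]

def root_access_events(lines):
    """Every event in which a session became root: (host, time, actor)."""
    events = []
    for rec in filter(None, map(parse_line, lines)):
        m = SU_ROOT_RE.search(rec["msg"])
        if m:
            events.append((rec["host"], rec["time"], f"su by {m['user']}"))
            continue
        m = ROOT_LOGIN_RE.search(rec["msg"])
        if m:
            events.append((rec["host"], rec["time"], f"direct root login from {m['src']}"))
    return events

def weekly_review(lines, threshold=3):
    """The summary a reviewer signs off on: both lists in one structure."""
    return {"repeated_failures": repeated_failures(lines, threshold),
            "root_access": root_access_events(lines)}

if __name__ == "__main__":
    for section, items in weekly_review(LOG_LINES).items():
        print(section)
        for item in items:
            print("  ", item)
```

The summary makes the review concrete: three failures against the oracle account from one source followed a minute later by that account's su to root, and a further su to root by the backup account at 02:15, are exactly the events a weekly reviewer is expected to question. Direct root logins are listed because most policies require administrators to log in as themselves and then su, so that the audit trail names a person.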
Recommendation:
CONCLUSION
We assessed management, operational, and technical controls and found a high risk to the protection of the WIN and MNET systems from unauthorized use, loss, or modification. Specifically, we identified vulnerabilities in 16 of the 17 control areas and noted security findings in the following areas: review of security controls, life cycle, authorized processing, system security plan, personnel security, physical and environmental security, production and input/output controls, contingency planning, hardware and systems software maintenance, data integrity, documentation, security awareness, incident response capability, identification and authentication, logical access controls, and audit trails. Certification and accreditation to operate the WIN and MNET systems should be rescinded until these weaknesses are corrected.
We concluded that these vulnerabilities occurred because USMS management did not fully develop, enforce, or formalize agency-wide policies in accordance with current Department policies and procedures. Additionally, the Department did not enforce its security policies and procedures to ensure the WIN and MNET systems were protected from unauthorized use, loss, or modification through its certification and accreditation process. Furthermore, many of the vulnerabilities identified during this audit could have been prevented if USMS security management had followed up on corrective actions for similar vulnerabilities identified in previous years.
Additionally, many of the causes stated in this report evidence a lack of commitment by USMS to implement timely corrective actions. This is illustrated by the inadequate number of individuals on the IT security team assigned to develop the documents required for WIN and MNET certification and accreditation.