FINDINGS AND RECOMMENDATIONS

I. SYSTEM SOFTWARE CONTROLS

DEA's system software controls were not adequate because computer default settings and audit trails were not implemented effectively to protect DEA's sensitive computer resources and to detect unauthorized access.

Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, requires agencies to ensure an adequate level of security for all automated information systems so that systems operate effectively and accurately and contain appropriate safeguards. To accomplish this, system software controls can help to prevent unauthorized access to a system's sensitive data and can be used to control computer access and to provide an effective mechanism for protecting computer resources.

DEA uses the Office Automation system to process and store the sensitive investigative information it collects. This information includes investigative data such as the names of drug violators and informants, intelligence on drug trafficking organizations, and details on ongoing operations to counter illegal drug smuggling. The Office Automation system is a microcomputer-based network that provides most domestic DEA locations with a standardized network of computers for data processing. The network consists of workstations and personal computers linked to a file server. The file servers are, in turn, linked to a large scale computer that serves as the nucleus of the network and stores the network's operating system and application programs.

We performed technical tests on 48 file servers at 26 sites (See Appendix II) to determine whether system software controls were adequate for default settings and audit trails. Emphasis has been placed on those actions that the DEA must take to enhance system software controls in order to control computer access and to provide an effective mechanism for protecting computer resources.

Default Settings

The local area network operating system software contains defensive barriers, referred to as security features, to prevent abuse from both intruders and legitimate users. The default settings for certain security features are initially set by the vendor and can be changed to meet an organization's specific security requirements.

When an unauthorized user has access to system directories and files, the person can attempt to compromise the system by stealing information or causing damage. Protecting access to system directories and files is a critical step in preventing such actions. When directories are created, a directory password, a protection level, and a file password can be set. Our review of directory passwords, protection levels, and file passwords for 48 file servers at 26 sites disclosed the following:

• A directory password can be assigned using the "SysDirectoryPassword" parameter, which provides password protection for the directory. The password can be up to 12 characters long, or the default setting, which assigns no password, can be left in place. Our review disclosed that on all 48 file servers the directory password was set to one of two passwords. Both passwords were only three characters long, were not unique, and were easy to guess.

• As an additional control, a protection level can be set for all files that are stored in the directory. The vendor recommends a protection level of "5" because it allows read access but does not allow modification without a password. Our review disclosed that 12 of the 48 file servers tested had a protection level of "15" requiring no password to read or modify the file. The remaining file servers utilized protection levels supporting password protection.

• When the protection level selected requires a password to gain access to the file, the password is set using the "ProtectSysDirectory" parameter. Our review disclosed that a value of "YES" was not assigned to 8 of the 48 file servers. When the setting is "YES," users are prevented from changing or adding files without a password. The remaining file servers used a default setting of "NO," which requires no password and thus provided no protection from changing or adding files.

Recommendations

We recommend the Administrator, DEA:

1. Assign unique passwords for the "SysDirectoryPassword" parameter.

2. Require an appropriate protection level to read or modify files.

3. Assign a value of "YES" to prevent users from changing or adding files without a password for the "ProtectSysDirectory" parameter.

The above recommendations are closed. See Appendices III and IV for resolution activity.

• The "ClusterTimeOut" parameter controls the amount of time that can elapse before a cluster workstation terminates an attempt to communicate with the file server. If communication does not take place during the specified interval, the cluster workstation returns an error message. A cluster is defined as a group of computers connected together for sharing disks, printers, and other system resources. A single computer within the cluster functions as a file server, which controls certain resources for the entire cluster. If there is no "ClusterTimeOut" setting, there is more opportunity for an unauthorized user to access sensitive data from an unattended workstation still logged into a legitimate user's work session.

We found one file server had a setting of "10" seconds, while 29 file servers had the setting of "30" seconds, which is the default setting. The remaining 18 file servers did not have a time specified, and the field was blank.

Recommendation

We recommend the Administrator, DEA:

4. Set the "ClusterTimeOut" parameter to an appropriate setting.

The above recommendation is closed. See Appendices III and IV for resolution activity.

• The "ScreenTimeOut" parameter defines the number of minutes, from 1 to 100, to elapse before the screen is shut off when a computer is not being used. The Department's response dated June 2, 1993, to a General Accounting Office (GAO) report issued August 1992, "DEA Is Not Adequately Protecting Sensitive Drug Enforcement Data," (hereafter referred to as the GAO audit report) stated DEA's Office of Security Programs had established requirements to blank the screen of an inactive personal computer in order to preclude individuals without a need-to-know from viewing a screen should they enter an area where a computer was being used.

Our review found, for 3 of 48 file servers, no time frame was defined and the screen never shuts off. The remaining 45 file servers had settings varying from 5 minutes to 10 minutes.

Recommendation

We recommend the Administrator, DEA:

5. Set the "ScreenTimeOut" parameter to 5 minutes.

The above recommendation is closed. See Appendices III and IV for resolution activity.

• The "DiskLogThreshold" setting controls the number of attempts to gain access to the system that are acceptable before an error message is logged. The default setting is "0." When an unauthorized user has access to the system files, the person can attempt to compromise the system by stealing information and causing serious damage. Our review disclosed 24 file servers with a setting of "1" and 6 used the default setting of "0." The remaining 18 file servers did not have the number of retries specified and the field was blank, which would allow an unauthorized user to continue to attempt access to the system without logging the attempts.

Recommendation

We recommend the Administrator, DEA:

6. Set the "DiskLogThreshold" setting to "3" to provide additional security for DEA's sensitive information.

The above recommendation is closed. See Appendices III and IV for resolution activity.

• The "MaxConcurrentTerm" parameter defines the number of computers that are in a cluster. Our review disclosed that 42 of 48 file servers did not have a number specified and the field was blank. A blank field could allow DEA to assign as many computers to a cluster as they wanted. When many computers are defined to a cluster, a system manager's task of monitoring these computers could be difficult. Five file servers had a default setting of "15," and one file server located at DEA Headquarters had a setting of "30." DEA personnel, responsible for the maintenance of the local area network, stated that the Department had agreed a maximum of 32 workstations could be connected.

Recommendation

We recommend the Administrator, DEA:

7. Set the "MaxConcurrentTerm" parameter to an appropriate level.

The above recommendation is closed. See Appendices III and IV for resolution activity.
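An added configuration check, written for this page and not DEA's or the vendor's own tooling, that scores each file server's settings against the findings and recommendations above (weak or shared directory passwords, protection level, ProtectSysDirectory, and the blank or unsafe time-out, log-threshold and cluster-size fields). The record layout, the "ProtectionLevel" key name, the server names and the 8-character password minimum are assumptions; only the parameter names and recommended values come from the report.

```python
from collections import Counter

# Constructed sample records, one per file server, keyed by the parameter names
# the report examined. "" models a blank field as found in the audit. The dict
# layout and the "ProtectionLevel" key are illustrative, not the operating
# system's actual configuration file format.
SERVERS = {
    "fs-01": {"SysDirectoryPassword": "abc", "ProtectionLevel": "15", "ProtectSysDirectory": "NO",
              "ClusterTimeOut": "", "ScreenTimeOut": "", "DiskLogThreshold": "", "MaxConcurrentTerm": ""},
    "fs-02": {"SysDirectoryPassword": "abc", "ProtectionLevel": "5", "ProtectSysDirectory": "YES",
              "ClusterTimeOut": "30", "ScreenTimeOut": "10", "DiskLogThreshold": "1", "MaxConcurrentTerm": "15"},
    "fs-03": {"SysDirectoryPassword": "Kq7#v2Lp9z", "ProtectionLevel": "5", "ProtectSysDirectory": "YES",
              "ClusterTimeOut": "30", "ScreenTimeOut": "5", "DiskLogThreshold": "3", "MaxConcurrentTerm": "32"},
}

MIN_PASSWORD_LEN = 8  # assumption; the report only notes that 3-character passwords were easy to guess

def audit_server(cfg, shared):
    """Return the findings for one server; `shared` holds passwords seen on more than one server."""
    f = []
    pw = cfg["SysDirectoryPassword"]
    if len(pw) < MIN_PASSWORD_LEN:
        f.append("SysDirectoryPassword: blank or shorter than %d characters" % MIN_PASSWORD_LEN)
    if pw in shared:
        f.append("SysDirectoryPassword: not unique across servers (recommendation 1)")
    if cfg["ProtectionLevel"] != "5":  # vendor recommends 5; 15 needs no password to read or modify
        f.append("ProtectionLevel: %s (recommendation 2)" % (cfg["ProtectionLevel"] or "blank"))
    if cfg["ProtectSysDirectory"] != "YES":
        f.append("ProtectSysDirectory: not YES, files can be changed or added without a password (recommendation 3)")
    if not cfg["ClusterTimeOut"].isdigit():  # blank: an unattended session never times out
        f.append("ClusterTimeOut: blank (recommendation 4)")
    st = cfg["ScreenTimeOut"]
    if not st.isdigit() or int(st) > 5:  # blank means the screen never shuts off
        f.append("ScreenTimeOut: %s (recommendation 5: 5 minutes)" % (st or "blank"))
    if cfg["DiskLogThreshold"] != "3":  # blank: access attempts are never logged
        f.append("DiskLogThreshold: %s (recommendation 6: 3)" % (cfg["DiskLogThreshold"] or "blank"))
    mt = cfg["MaxConcurrentTerm"]
    if not mt.isdigit() or int(mt) > 32:  # the Department agreed on a maximum of 32 workstations
        f.append("MaxConcurrentTerm: %s (recommendation 7)" % (mt or "blank"))
    return f

def audit_fleet(servers):
    """Audit every server, first finding passwords reused across the fleet."""
    counts = Counter(c["SysDirectoryPassword"] for c in servers.values())
    shared = {p for p, n in counts.items() if n > 1}
    return {name: audit_server(cfg, shared) for name, cfg in servers.items()}

if __name__ == "__main__":
    for name, findings in audit_fleet(SERVERS).items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```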

Audit Trails

DOJ Order 2640.2C, Telecommunications and Automated Information Systems Security, requires that an audit trail be maintained for all computer systems except systems operated by a single user such as standalone personal computers. The audit trail should provide information such as: (1) the identity of each person having access to the system or attempting to access the system, (2) time and date of the access, (3) what activity occurred, and (4) time and date of logoff.

The GAO audit report noted that in many cases computers used by DEA personnel to process and store sensitive data had no audit trails for preventing and detecting unauthorized access. At that time, DEA had begun testing various microcomputer security software products that, according to DEA officials, would provide basic security safeguards such as audit trails.

Our review disclosed that none of the 48 file servers had an audit trail capability. According to DEA personnel, the technology of the operating system does not support such a capability. We discussed this area with DEA personnel, who stated that a memorandum dated December 9, 1993, was sent to the Department of Justice Security Officer requesting a waiver of the audit trail requirement because the cost to modify the operating system would be prohibitive. The memorandum stated that DEA had taken steps to ensure that sensitive information processed on the operating system was not compromised. These steps included ensuring that passwords are assigned and changed every 6 months, that all local area network terminals are located within DEA controlled space which is locked and alarmed when not occupied, and that access during business hours is strictly controlled.

Based upon this memorandum, the Department's Security Officer granted a waiver on January 12, 1994. This waiver, however, was contingent upon the full implementation of the security measures outlined in DEA's December 9, 1993, memorandum and progress toward the procurement and implementation of replacement systems that comply with DOJ Order 2640.2C. Our review, however, disclosed the security measures, as discussed in this audit report, were not fully implemented nor were replacement systems in place.

DEA personnel stated the Office Automation system functions as a standalone system which does not allow users the capability to access sensitive DEA computer applications from remote sites by using a modem linked to the network. As a result, DEA's computer systems are protected from external intrusions. However, the GAO report noted eight instances in which individuals, both DEA and non-DEA personnel, obtained sensitive information, such as the Narcotics and Dangerous Drug Information System (NADDIS) investigation records. These individuals then used the information improperly for personal reasons or disclosed it to unauthorized individuals outside the agency.

Although the Office Automation system involves a closed architecture and is inherently proprietary, we do not believe that this eliminates many of the open system concerns.

Recommendation

We recommend the Administrator, DEA:

8. Notify the Department's Security Officer regarding an alternative course of action, if an audit trail capability cannot be implemented for the file servers.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.
