July 17, 2015 This report presents the results of our audit of U.S. Postal Service Cybersecurity Functions (Project Number 15TG008IT000).
This was a self-initiated audit to determine whether the structure, operations, and resourcing of the Postal Service’s cybersecurity functions align with best practices to support the enterprise. See Appendix A for additional information about this audit.
Cybersecurity is the body of processes, practices, and technology designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. Within the Postal Service Chief Information Office (CIO), the Corporate Information Security Office (CISO) leads the defense and protection of the cybersecurity environment. At the time of our review, a manager of Corporate Information Security directed multiple teams, including the Computer Incident Response Team (CIRT). Within Information Technology (IT) Telecommunication Services, the Perimeter Security team provides support by managing several external vendors that provide
primary Internet connectivity and monitor the Postal Service infrastructure’s external cyber entry points.
In November 2014, the Postal Service disclosed a cyber intrusion had occurred. The Postal Service notified personnel that the personally identifiable information of over 800,000 current and former employees, 485,000 workers’ compensation records, and the customer inquiry records of about 2.9 million customers had been compromised. The Postal Service worked closely with federal agencies, as well as private sector specialists, to investigate and remediate the cyber intrusion.
The Postal Service’s infrastructure prior to the intrusion was designed to respond to cybersecurity threats with a defense concentrated on keeping individuals out of the network. This type of defense was commonly used before advanced persistent threats1 were widely recognized and is currently considered ineffective when used on its own. Instead, to have effective cybersecurity, organizations need to incorporate multiple layers of prevention, detection, and response while maintaining resilient systems that enable the organization to operate while under attack and rapidly recover essential functions.2
The U.S. Postal Service Office of Inspector General (OIG) found multiple indications of a weak cybersecurity culture.
These include inadequate security awareness training, inadequate risk acceptance and accountability, operating systems and software the vendor no longer supports,5 and a lack of collaboration on cybersecurity functions within the organization.nAs a result, employees were unprepared to recognize and respond to advanced cybersecurity risks
History of Poor Collaboration
There have been instances where the various groups responsible for cybersecurity services or functions have not effectively collaborated on cybersecurity issues identified within OIG reports:
■■ Engineering Systems has not coordinated effectively with the CISO to complete impact assessments and document information security requirements for its systems.14
■■ An internal web server was inadvertently available to the public through the Internet because engineers and system administrators had insufficient information about the network, application, and server configurations.15
■■ Managers delayed notifying the CIRT for 12 days following a breach of USPS.com data in 2011.16
By establishing and promoting an effective cybersecurity culture throughout the organization, the Postal Service has an opportunity to prevent cybersecurity weaknesses from occurring in the future and better prepare its employees to identify and address cybersecurity risks. Management has taken actions in response to the specific recommendations within the reports, which did not specifically identify a lack of collaboration.
Cybersecurity Staffing and Resourcing
Staffing and resources have not been sufficient to support tasks beyond basic operations and comply with legal and industry requirements. This lack of support exists because funding for cybersecurity functions at the Postal Service was below industry practices and also fragmented across multiple areas and funding codes. As a result, management has been unable to take proactive measures to prevent or remediate threats to the network.
Limited Cybersecurity Staffing
■■ Postal Service cybersecurity staffing is significantly below industry levels. There are 53 full-time equivalent (FTE) security positions17 for 373,000 network users – or one FTE for every 7,038 users – compared to the most common industry ratio of one FTE position for every 500 to 999 users. Figure 3 compares Postal Service FTEs to the estimated number of FTEs for the same number of end users in each comparable industry.
1
Conclusion
Postal Service leadership had not fostered a culture of effective cybersecurity across the enterprise. Staffing and resources for cybersecurity functions focused heavily on complying with specific legal and industry requirements, leaving limited resources for systems that are not subject to these requirements. In addition, management had not integrated cybersecurity risks into a comprehensive cybersecurity strategy. While it has worked with business and industry experts to initiate significant positive action since the cyber intrusion of November 2014, the Postal Service could attain more effective cybersecurity operations by continuing efforts to re-align its structure, operations, and resources to better address operational risks and protect business operations
Postal OIG= Rubber Stamp! case closed!
Here’s my audit and I give it out of the goodness of my heart: postal management fails at everything. Everything. They barely see that we get our checks on time, which is good, but retirement benefits ran late for a couple years because they didn’t have enough workers and enough brains to process new retirement claims.
They tried to shut down Saturday delivery and still want to reduce standards. Well, when it comes to managers, how low can you go with standards? This is a limbo game that has to be measured in centimeters.
They tried to outsource jobs through commercial outlets. They allowed the horrible cyber crime and let it go for 11 months before reporting it.
They do nothing to stop incompetent abusive managers from berating and threatening employees they don’t like. They discriminate all over the place. They lie to the public, Congress and we employees.
So, with this “review” by an equally incompetent OIG showing how ass backwards and ill prepared the Service is with computer security, it’s just another cog in a very fucked up machine. There are good people in craft, some in supervision and postmaster positions – we must be fair about that. But once you break out of a local facility it’s a different world of dog eat dog, favoritism and sabotage of those around you who are in the way of your advancement.
That’s because at this level staff and management have no contact with the real world of customers, do not understand all the variables that craft employees face, especially letter carriers who are “expected” to do what a worthless computer tool (DOIS) thinks they ought to do. Mail is misrecorded, parcels don’t get counted, and if they’re on a morning report I seriously doubt management enters them, CCA’s are bullied into running, going without breaks or lunches and carrying usually a route and a half every day without a break, and any emphasis on accuracy or knowing how to properly forward and return undeliverable mail is gone.
I returned from annual leave to the same old story: full vacant mailboxes even with bright cards marking them VACANT, no orders put on pink cards and mail that is supposed to be forwarded is left at the old address. Customers return mail for various reasons and the CCA shoves it all into CFS or any slot they feel like, without endorsing them or bothering to check for COA’s. This is what management is telling them to do because they want fast, and don’t care about fuck-ups.
Some agency higher up than the OIG needs to get in there and clean house.