OIG: USPS Capital District’s security controls for data lacks protection from hackers | PostalReporter.com


The U.S. Postal Service Office of Inspector General’s Information Technology Security Risk Model identified the Capital District as being among the five most at-risk districts for multiple quarters during fiscal years (FY) 2013 and 2014. Security events during those periods included instances of malicious software, which can affect the confidentiality, integrity, and availability of sensitive data and potentially compromise critical mail processing applications. During FY 2013, the Capital District processed about 2 billion mailpieces and generated about $470.9 million in revenue. The district had about 6,600 employees working in 260 facilities during that time.

Our objective was to review security controls in the Postal Service’s Capital District to determine whether the infrastructure adequately protects Postal Service data. To accomplish our objective, we performed enumeration to evaluate the environment residing within the Curseen-Morris Processing and Distribution Center (P&DC), Southern Maryland P&DC, Suburban Maryland P&DC, and Capital Metro Area Office.

What The OIG Found

Security controls in the Capital District did not adequately protect Postal Service infrastructure and data from unauthorized access or corruption. Of the 1,254 systems active on the network, we tested 33 and detected a combined total of 417 vulnerabilities, such as missing security updates or system configuration deficiencies. Of the 417 vulnerabilities, 79 were considered critical and high-risk for which patches were available for at least 1 year. We further identified four active, and two shared user accounts. These vulnerabilities expose the infrastructure to unauthorized remote access by potential attackers who may discover network weaknesses, retrieve information, corrupt data, and reconfigure settings.

The Capital District also permits access to devices using unsecure communications, which further threatens network security. Finally, we identified weaknesses in asset management and accountability that could allow an unauthorized device to remain on the network undetected. These vulnerabilities occurred because administrators improperly configured systems, did not install the latest patch updates, and did not employ uniform processes to manage information system assets.

What The OIG Recommended

We recommended management evaluate, test, and install critical patches and correct configuration settings on the identified databases and operating systems. We also recommended management disallow software that permits unsecure communications, discontinue the use of shared user accounts, and uniformly manage assets. Additionally, we recommended management remove the from databases.
