PENETRATION TEST OF THE FOOD COMPUTER NETWORK

Transcription

1 Department f Health and Human Services OFFICE OF INSPECTOR GENERAL PENETRATION TEST OF THE FOOD AND DRUG ADMINISTRATION'S COMPUTER NETWORK Inquiries abut this reprt may be addressed t the Office fpublic Affairs at Public.A(fairs@ig. hhs.gv. Thmas M. Salmn Assistant Inspectr General fr Audit Services Octber 2014 A

2 Office finspectr General The missin fthe Office flnspectr General (OIG), as mandated by Public Law , as amended, is t prtect the integrity f the Department fhealth and Human Services (HHS) prgrams, as well as the health and welfare fbeneficiaries served by thse prgrams. This statutry missin is carried ut thrugh a natinwide netwrk f audits, investigatins, and inspectins cnducted by the fllwing perating cmpnents: Office faudit Services The Office f Audit Services (OAS) prvides auditing services fr HHS, either by cnducting audits with its wn audit resurces r by verseeing audit wrk dne by thers. Audits examine the perfrmance fhhs prgrams and/r its grantees and cntractrs in carrying ut their respective respnsibilities and are intended t prvide independent assessments fhhs prgrams and peratins. These assessments help reduce waste, abuse, and mismanagement and prmte ecnmy and efficiency thrughut HHS. Office fevaluatin andinspectins The Office f Evaluatin and Inspectins (OEI) cnducts natinal evaluatins t prvide HHS, Cngress, and the public with timely, useful, and reliable infrmatin n significant issues. These evaluatins fcus n preventing fraud, waste, r abuse and prmting ecnmy, efficiency, and effectiveness f departmental prgrams. T prmte impact, OEI reprts als present practical recmmendatins fr imprving prgram peratins. Office finvestigatins The Office f Investigatins (OI) cnducts criminal, civil, and administrative investigatins f fraud and miscnduct related t HHS prgrams, peratins, and beneficiaries. With investigatrs wrking in all 50 States and the District f Clumbia, OI utilizes its resurces by actively crdinating with the Department f Justice and ther Federal, State, and lcal law enfrcement authrities. The investigative effrts foi ften lead t criminal cnvictins, administrative sanctins, and/r civil mnetary penalties. Office fcunsel t the Inspectr General The Office f Cunsel t the Inspectr General (OCIG) prvides general legal services t OIG, rendering advice and pinins n HHS prgrams and peratins and prviding all legal supprt fr OIG's internal peratins. OCIG represents OIG in all civil and administrative fraud and abuse cases invlving HHS prgrams, including False Claims Act, prgram exclusin, and civil mnetary penalty cases. In cnnectin with these cases, OCIG als negtiates and mnitrs crprate integrity agreements. OCIG renders advisry pinins, issues cmpliance prgram guidance, publishes fraud alerts, and prvides ther guidance t the health care industry cncerning the anti-kickback statute and ther OIG enfrcement authrities.

3 The Fd and Drug Administratin needed t address cyber vulnerabilities n its cmputer netwrk that culd ptentially have led t a data breach. INTRODUCTION This reprt prvides an verview f the results f ur penetratin test f the Fd and Drug Administratin s (FDA) cmputer netwrk. It des nt include specific details f the vulnerabilities that we identified because f the sensitive nature f the infrmatin. We prvided mre detailed infrmatin and recmmendatins t FDA s that it culd address the issues we identified. WHY WE DID THIS REVIEW Cmputer hackers are increasingly cmprmising Gvernment systems, publishing sensitive data, and using stlen data t cmmit fraud. Threats t Federal agency Web applicatins are cntinually changing because f advances made by hackers, the release f new technlgy, and the deplyment f increasingly cmplex systems. Web sites that are nt prperly secured are vulnerable t unauthrized users wh culd cmprmise the cnfidentiality f sensitive infrmatin r negatively affect the peratins f Federal agencies. The bjective f this review was t determine whether the FDA s netwrk and external Web applicatins were vulnerable t cmprmise thrugh cyber attacks. BACKGROUND Penetratin tests identify methds f gaining access t a system by using tls and techniques that attackers use. The bjective f penetratin testing is t uncver ptential vulnerabilities in infrmatin technlgy (IT) prducts and infrmatin systems resulting frm implementatin errrs, cnfiguratin faults, r ther peratinal deplyment weaknesses r deficiencies. This audit is ne f a series f Office f Inspectr General (OIG) audits using penetratin testing n netwrks run by the U.S. Department f Health and Human Services (HHS) and its perating divisins. FDA is respnsible fr prtecting public health by assuring the safety, efficacy, and security f human and veterinary drugs, bilgical prducts, medical devices, ur natin s fd supply, csmetics, and prducts that emit radiatin. FDA is als respnsible fr advancing the public health by helping t speed innvatins that make medicines mre effective, safe, and affrdable and fr regulating the manufacturing, marketing, and distributin f tbacc prducts t prtect public health and reduce tbacc use by minrs. FDA s Office f Infrmatin Management manages the IT infrastructure and ensures that FDA has a rbust IT fundatin that enables interperability acrss FDA ffices and allws develpment f enterprisewide systems that are necessary t meet FDA s missin efficiently and effectively. FDA s IT budget fr fiscal year 2014 was $486 millin, which was apprximately 11 percent f the ttal FDA budget f $4.4 billin in fiscal year 2014, a significant investment. Penetratin Test f the FDA s Cmputer Netwrk (A ) 1

4 On Octber 15, 2013 (befre ur fieldwrk), a wide-scale cyber security breach invlving an FDA system ccurred that expsed sensitive infrmatin in 14,000 user accunts. HOW WE CONDUCTED THIS REVIEW We assessed the FDA netwrk s expsure t cyber attacks by perfrming a penetratin test f its netwrk and infrmatin systems. We cnducted the penetratin test frm Octber 21, 2013, thrugh Nvember 10, 2013, with the knwledge and permissin f FDA fficials. We requested that FDA s incident respnse staff nt be ntified f ur testing t assess the effectiveness f FDA s intrusin detectin and respnse cntrls. The Appendix cntains the details f ur audit scpe and methdlgy. FINDINGS Overall, FDA needed t address cyber vulnerabilities n its cmputer netwrk. Althugh we did nt btain unauthrized access t the FDA netwrk, we identified the fllwing issues: Web page input validatin was inadequate, external systems did nt enfrce accunt lckut prcedures, security assessments were nt perfrmed n all external servers, errr messages revealed sensitive system infrmatin, and demnstratin prgrams revealed sensitive infrmatin. These culd have led t: (1) the unauthrized disclsure r mdificatin f FDA data r (2) FDA missin-critical systems being made unavailable. INADEQUATE WEB PAGE INPUT VALIDATION Federal infrmatin systems shuld check the validity f infrmatin inputs t ensure that they are acceptable in terms f frmat and cntent. 1 Input validatin helps t ensure the accuracy f user-supplied data and t prevent input attacks, such as reflected crss-site scripting. 2 We identified FDA Web pages that did nt perfrm adequate input validatin n data entered by the user. Explitatin f this vulnerability culd result in malicius input being sent frm an attacker t FDA Web pages t hijack a user s Web brwser applicatin, install malicius prgrams, r redirect users t malicius Web pages. EXTERNAL SYSTEMS DID NOT ENFORCE ACCOUNT LOCKOUT Federal infrmatin systems are required t enfrce a defined limit f cnsecutive invalid lgn attempts by a user and autmatically lck the accunt fr a predetermined time perid r until the accunt is released by an administratr. 3 1 Natinal Institute f Standards and Technlgy (NIST) Special Publicatin (SP) Revisin 4, Security and Privacy Cntrls fr Federal Infrmatin Systems and Organizatins, Cntrl SI Reflected crss-site scripting ccurs when a dynamically generated Web page takes untrusted data and returns them t be rendered within the victim s brwser withut prper validatin and sanitizatin. 3 NIST SP Revisin 4, Cntrl AC-7. Penetratin Test f the FDA s Cmputer Netwrk (A ) 2

5 We identified FDA external systems that did nt enfrce accunt lckut after repeated failed lg-in attempts. An attacker culd repeatedly attempt, either manually r using autmated mechanisms, t gain access t an external system by entering a crrect lgin name and passwrd. If an attacker manages t authenticate t a system as an administrative user, he r she wuld gain cntrl f the system and its cntent. ASSESSMENTS WERE NOT PERFORMED ON ALL EXTERNAL SERVERS The HHS Office f the Chief Infrmatin Officer s Plicy fr Infrmatin Systems Security and Privacy Handbk (PISSP Handbk) requires HHS s perating divisins t assess the security cntrls in infrmatin systems annually t determine the extent t which the cntrls are implemented crrectly, perating as intended, and meeting the security requirements fr the system. Additinally, the PISSP Handbk requires that all Department systems, hsted applicatins, and netwrks underg peridic vulnerability scanning n less than annually. Althugh we were allwed t test the majrity f FDA s external Web applicatins, we did nt perfrm penetratin testing n seven external systems. FDA fficials cnsidered these systems t be missin critical and did nt want t accept the risk f having them g ffline. Hence, we culd nt verify whether security vulnerabilities existed within these systems and whether the vulnerabilities culd be explited t gain unauthrized access t FDA systems and data. We asked t review reprts fr any security testing perfrmed by FDA r a third-party rganizatin fr the seven external systems we did nt test; hwever, we determined that FDA had perfrmed a security assessment fr nly ne f thse seven systems. We reviewed the security assessment results, scpe, and methdlgy fr this system and determined that because the system was tested within a preprductin envirnment nly, the security assessr was nt able t validate FDA s claims that cntrls within the preprductin envirnment mirrred the prductin envirnment. 4 Therefre, there is a risk that vulnerabilities may exist within the prductin versin f the system. ERROR MESSAGES REVEALED SENSITIVE SYSTEM INFORMATION Applicatins frequently generate errr messages and display them t users. Many times these errr messages are quite useful t attackers because the messages reveal applicatin cde r infrmatin that helps attackers explit vulnerabilities. NIST requires Federal infrmatin systems t generate errr messages that prvide infrmatin necessary fr crrective actin withut revealing infrmatin that culd be explited by adversaries. 5 We identified FDA Web sites in which detailed errr messages revealed sensitive system infrmatin. An attacker culd use infrmatin btained frm detailed errr messages, such as 4 A review f FDA s cnfiguratin management cntrls fr develpment, test, and peratinal envirnments was utside the scpe f this audit. 5 NIST SP Revisin 4, Cntrl SI-11. Penetratin Test f the FDA s Cmputer Netwrk (A ) 3

6 sftware versin infrmatin, t launch specific attacks against FDA systems. Detailed errr messages can help attackers pinpint vulnerabilities t fcus their attacks. DEMONSTRATION PROGRAMS REVEALED SENSITIVE INFORMATION Federal infrmatin systems shuld be cnfigured t prvide essential capabilities and t determine what functins and services, sme f which are prvided by default, shuld be disabled r even eliminated. 6 Oftentimes, sftware may leave demnstratin prgrams r sample scripts available as part f a default installatin. We identified demnstratin prgrams that culd be run n FDA systems. The prgrams revealed sensitive internal system envirnment settings. Disclsure f such infrmatin culd help an attacker t launch specific attacks against the FDA systems. RECOMMENDATIONS We made seven recmmendatins t FDA t address the security vulnerabilities that we identified. In general, we recmmended that FDA fix the Web vulnerabilities identified, implement mre effective prcedures t prtect its cmputer systems frm cyber attacks, and peridically assess the security f all f its Internet-facing systems. This reprt summarizes ur recmmendatins because f the sensitive nature f the infrmatin. We prvided mre detailed recmmendatins t FDA. AUDITEE COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE In written cmments t ur draft reprt, FDA indicated that ur findings have been addressed by the system wner(s) and remediatin actins have been apprpriately applied. We have nt verified these actins because they tk place after ur audit perid. Implementatin f ur recmmendatins shuld further strengthen the infrmatin security f FDA s netwrk and external Web applicatins. The timely implementatin f ur recmmendatins is imprtant, and we plan t fllw up with FDA n these audit results and its remediatin actins. 6 NIST SP Revisin 4, Cntrl CM-7. Penetratin Test f the FDA s Cmputer Netwrk (A ) 4

7 APPENDIX: AUDIT SCOPE AND METHODOLOGY SCOPE We fcused ur audit n the FDA netwrk and Web sites in peratin during the perid Octber 21, 2013, thrugh Nvember 10, We did nt review FDA s verall internal cntrl structure. METHODOLOGY We prepared a Rules f Engagement dcument that utlined the general rules, lgistics, and expectatins fr the penetratin test, and FDA and OIG management signed it. We perfrmed the fllwing prcedures: cnducted infrmatin-gathering techniques t discver the fllwing fr FDA: netwrk address ranges, hst names, 9 hsts expsed t the Internet, applicatins running n expsed hsts, perating system and applicatin versin infrmatin, current patch levels f the hsts and applicatins residing n hsts, structure f the applicatins and supprting servers, and dmain name server recrds; cnducted vulnerability analysis techniques t discver pssible methds f attack; attempted t explit vulnerabilities identified in the vulnerability analysis t gain rt- r administratr-level access t the targeted systems r ther trusted-user accunt access; reviewed reprts n security assessments perfrmed by FDA r third-party rganizatins f FDA Internet-facing systems that we were nt authrized t assess during ur penetratin test; and discussed ur findings with FDA management. 9 A hst is any device cnnected t a cmputer netwrk. Penetratin Test f the FDA s Cmputer Netwrk (A ) 5

8 We cnducted this perfrmance audit in accrdance with generally accepted gvernment auditing standards. Thse standards require that we plan and perfrm the audit t btain sufficient, apprpriate evidence t prvide a reasnable basis fr ur findings and cnclusins based n ur audit bjectives. We believe that the evidence btained prvides a reasnable basis fr ur findings and cnclusins based n ur audit bjectives. Penetratin Test f the FDA s Cmputer Netwrk (A ) 6