Results of Technical Network Vulnerability Assessment: EPA s Region 1



Similar documents
Results of Technical Network Vulnerability Assessment: EPA s Region 6

How To Write A Network Vulnerability Assessment For The Environment Protection Agency

Results of Technical Network Vulnerability Assessment: EPA s Andrew W. Breidenbach Environmental Research Center

Controls Over EPA s Compass Financial System Need to Be Improved

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment

Briefing Report: Improvements Needed in EPA s Information Security Program

Improved Security Planning Needed for the Customer Technology Solutions Project

Close-Out of Complaint on Metropolitan Water Reclamation District of Greater Chicago Incurring Inappropriate Expenses on Recovery Act Projects

EPA Needs to Improve Its. Information Technology. Audit Follow-Up Processes

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program

EPA Can Better Assure Continued Operations at National Computer Center Through Complete and Up-to-Date Documentation for Contingency Planning

EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents

Information Security Series: Security Practices. Integrated Contract Management System

EPA Needs to Strengthen Its Privacy Program Management Controls

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes

EPA Should Improve Policies and Procedures to Ensure Effective DCAA Audit Report Resolution

Congressionally Requested Inquiry Into EPA s Handling of Freedom of Information Act Requests

U.S. Chemical Safety and Hazard Investigation Board Should Determine the Cost Effectiveness of Performing Improper Payment Recovery Audits

EPA Needs to Strengthen Financial Database Security Oversight and Monitor Compliance

Fiscal Year 2007 Federal Information Security Management Act Report

Congressionally Requested Inquiry Into the EPA s Use of Private and Alias Accounts

Improved Management Practices Needed to Increase Use of Exchange Network

U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL

Public May Be Making Indoor Mold Cleanup Decisions Based on EPA Tool Developed Only for Research Applications

EPA Can Improve Managing of Working Capital Fund Overhead Costs

EPA Needs to Improve the Recognition and Administration of Cloud Services for the Office of Water s Permit Management Oversight System

Department of Homeland Security Office of Inspector General

CSB Needs Better Security Controls to Protect Critical Data Stored on Its Regional Servers

EPA s Financial Oversight of Superfund State Contracts Needs Improvement

EPA Has Improved Its Response to Freedom of Information Act Requests But Further Improvement Is Needed

Time and Attendance Fraud Not Identified for Employees on Extended Absence, But Matters of Concern Brought to EPA s Attention

EPA Should Improve Its Contractor Performance Evaluation Process for Contractors Receiving Recovery Act Funds

April 10, Notification of Audit of EPA s Fiscal Year 2013 Financial Statements

Improvements Needed in EPA s Network Security Monitoring Program

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

Improved Contract Administration Needed for the Customer Technology Solutions Contract

EPA Needs to Improve Continuity of Operations Planning

Improvements Needed in EPA s Smartcard Program to Ensure Consistent Physical Access Procedures and Cost Reasonableness

EPA s Final Water Security Research and Technical Support Action Plan May Be Strengthened Through Access to Vulnerability Assessments

INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK

How To Check If Nasa Can Protect Itself From Hackers

Improved Data Integrity Needed for the Integrated Contracts Management System

Security Concerns with Federal Emergency Management Agency's egrants Grant Management System

Review of U.S. Coast Guard's FY 2014 Drug Control Performance Summary Report

PROCUREMENT. Actions Needed to Enhance Training and Certification Requirements for Contracting Officer Representatives OIG-12-3

Office of Inspector General

OFFICE OF INSPECTOR GENERAL

Office of Inspector General

Office of Inspector General

Gwinnett County, Georgia, Generally Accounted for and Expended FEMA Public Assistance Grant Funds According to Federal Requirements

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Department of Homeland Security

The United States Secret Service Has Adequate Oversight and Management of its Acquisitions (Revised)

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

AUDIT OF SBA S SYSTEM AUDIT REPORT NUMBER 4-42 SEPTEMBER 10, 2004

Department of Homeland Security Office of Inspector General. Audit of Application Controls for FEMA's Individual Assistance Payment Application

Federal Information Security Management Act: Fiscal Year 2014 Evaluation

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Office of Inspector General

The U.S. Coast Guard Travel to Obtain Health Care Program Needs Improved Policies and Better Oversight

Department of Homeland Security

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security

Department of Homeland Security Office of Inspector General

TSA audit - How Well Does It Measure Network Security?

The Certification and Accreditation of Computer Systems Should Remain in the Computer Security Material Weakness. August 2004

Monitoring of Government Travel Card Transactions

Semiannual Report to Congress. Office of Inspector General

Management of Detail Assignments Follow-Up

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Department of Homeland Security Office of Inspector General. Review of U.S. Coast Guard Enterprise Architecture Implementation Process

AUDIT OF NASA S EFFORTS TO CONTINUOUSLY MONITOR CRITICAL INFORMATION TECHNOLOGY SECURITY CONTROLS

Department of Homeland Security

SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE

The City of Atlanta, Georgia, Effectively Managed FEMA Public Assistance Grant Funds Awarded for Severe Storms and Flooding in September 2009

AUDIT REPORT REPORT NUMBER Information Technology Professional Services Oracle Software March 25, 2014

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Office of Inspector General

Department of Homeland Security

FEMA Should Recover $312,117 of $1.6 Million Grant Funds Awarded to the Pueblo of Jemez, New Mexico

Department of Homeland Security

March 17, 2015 OIG-15-43

Information Technology

EPA s Computer Security Self-Assessment Process Needs Improvement

INFORMATION SECURITY. Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2

Department of Homeland Security

ASSESSMENT REPORT GPO WORKERS COMPENSATION PROGRAM. September 30, 2009

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL 400 MARYLAND AVENUE, S.W. WASHINGTON, DC

Funding Invoices to Expedite the Closure of Contracts Before Transitioning to a New DoD Payment System (D )

The Environmental Careers Organization Reported Outlays for Five EPA Cooperative Agreements

PRIVACY IMPACT ASSESSMENT

Department of Homeland Security Office of Inspector General

Audit of EPA s Fiscal Years 2015 and 2014 Consolidated Financial Statements

Hardware Inventory Management Greater Boston District

Transcription:

U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Results of Technical Network Vulnerability Assessment: EPA s Region 1 Report No. 12-P-0518 June 5, 2012 Scan this mobile code to learn more about the EPA OIG.

Report Contributors: Rudolph M. Brevard Warren Brooks Scott Sammons Kyle Denning Hotline To report fraud, waste, or abuse, contact us through one of the following methods: e-mail: OIG_Hotline@epa.gov write: EPA Inspector General Hotline phone: fax: 1-888-546-8740 202-566-2599 1200 Pennsylvania Avenue NW Mailcode 2431T online: http://www.epa.gov/oig/hotline.htm Washington, DC 20460

U.S. Environmental Protection Agency Office of Inspector General At a Glance 12-P-0518 June 5, 2012 Why We Did This Review We sought to assess the security configurations of the U.S. Environmental Protection Agency s (EPA s) Region 1 wireless network infrastructure. We also sought to conduct network vulnerability testing of the Region 1 Local Area Network to identify resources that contained commonly known high-risk and mediumrisk vulnerabilities. Background We conducted this audit as part of the annual review of EPA s information security program as required by the Federal Information Security Management Act. We conducted network vulnerability testing in February 2012 to identify any commonly known network vulnerabilities and to present the results to the appropriate EPA officials, who can then promptly remediate or document planned actions to resolve the weaknesses. For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391. The full report is at: www.epa.gov/oig/reports/2012/ 20120605-12-P-0518.pdf Results of Technical Network Vulnerability Assessment: EPA s Region 1 What We Found Our vulnerability assessments of Region 1 s wireless network infrastructure found no security weaknesses. However, our vulnerability testing of networked resources located at the Region 1 facility identified Internet Protocol addresses with potentially 18 high-risk and 166 medium-risk vulnerabilities. Regional and headquarter offices manage resources located in Region 1 that contain these weaknesses. The Office of Inspector General (OIG) met with EPA information security personnel from the respective offices to discuss the findings. EPA information security personnel acknowledged the existence of the identified security weaknesses and began immediate remediation of some of these issues. If not resolved, these vulnerabilities could expose EPA s assets to unauthorized access and potentially harm the Agency s network. What We Recommend We recommend that the Senior Information Officials within Region 1 and the Office of Environmental Information: Provide the OIG a status update for all identified high-risk and mediumrisk vulnerability findings within 30 days of this report. Create plans of action and milestones in the Agency s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures within 30 days of this report. Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities. The detailed testing results have already been provided to Agency representatives. Due to the sensitive nature of the report s technical findings, the technical details will not be made available to the public. Planned Agency Corrective Actions Region 1 remediated all high-risk vulnerabilities discovered by our vulnerability testing of networked resources. Additionally, Region 1 acknowledged the existence of the additional vulnerabilities that we identified and began mitigation activities related to these risks.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY WASHINGTON, D.C. 20460 THE INSPECTOR GENERAL June 5, 2012 MEMORANDUM SUBJECT: Results of Technical Network Vulnerability Assessment: EPA s Region 1 Report No. 12-P-0518 FROM: TO: Arthur A. Elkins, Jr. Fred Weeks Acting Senior Information Official Region 1 Renee Wynn Principal Deputy Assistant Administrator and Senior Information Official Office of Environmental Information This is our final report on the above subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). The site assessment was conducted in conjunction with our annual audit of EPA s information security program as required by the Federal Information Security Management Act. This report provides the summary of our security testing of networked resources located at EPA s Region 1 office. Our test disclosed that network resources at the Region 1 office contained potentially 18 high-risk and 166 medium-risk vulnerabilities. Upon analysis of the testing results, we found that both regional and headquarters offices are responsible for managing the resources located in Region 1 that contain these weaknesses. We provided your office representatives with the technical results during our site visit in order to facilitate immediate remediation actions. All 18 high-risk vulnerabilities were remediated before the issuance of this report. We performed this audit work from February through May 2012 at EPA s Region 1 offices in Boston, Massachusetts. We performed this audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions. 12-P-0518 1

We conducted testing to identify the existence of commonly known vulnerabilities using a commercially available network vulnerability assessment tool recognized by the National Institute of Standards and Technology. We interviewed EPA personnel responsible for managing the network resources located in Region 1. We reviewed relevant EPA policies to obtain an understanding of the Agency s Automated Security Self-Evaluation and Remediation Tracking (ASSERT) system used for recording identified weaknesses. We tested the Internet Protocol addresses associated with network resources located in the Region 1 office. We used the risk ratings provided by the vulnerability software to determine the level of harm a vulnerability could cause to a networked resource and accepted the results from the software tool as the level of risk to EPA s network. Upon follow-up with your office representatives, they acknowledged the existence of the vulnerabilities and stated that some mitigation activities had already begun related to these risks. We also conducted testing of Region 1 s wireless infrastructure to identify any possible configuration weaknesses using a commercially available wireless scanning tool. Specifically, we tested to identify whether any unauthorized wireless devices existed on the region s network. We also tested to determine whether the wireless encryption protocols being used on the region s wireless local area network were sufficient to secure it. We found no weaknesses during either of these tests. Recommendations We recommend that the Senior Information Officials within Region 1 and the Office of Environmental Information: 1. Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings. 2. Create plans of action and milestones in the Agency s Automated Security Self- Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures. 3. Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities. Action Required Please provide written responses to this report within 30 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates. Due to the sensitive nature of the report s technical findings, the technical details are not included in this report and will not be made available to the public. The OIG plans to post on the OIG s public website the corrective action plans that you provide to us that do not contain sensitive information. Therefore, we request that you provide the response to recommendation 1 in a separate document, and we will not make that response available to the public if it contains sensitive information. 12-P-0518 2

Your responses should be provided as Adobe PDF files that comply with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. Except for your response to recommendation 1, which will not be posted if it contains sensitive information, your responses should not contain data that you do not want to be released to the public; if those responses contain such data, you should identify the data for redaction or removal. If you or your staff have any questions regarding this report, please contact Patricia H. Hill, Assistant Inspector General for Mission Systems, at (202) 566-0894 or hill.patricia@epa.gov; or Rudolph M. Brevard, Product Line Director, Information Resources Management Assessments, at (202) 566-0893 or brevard.rudy@epa.gov. 12-P-0518 3

Status of Recommendations and Potential Monetary Benefits RECOMMENDATIONS POTENTIAL MONETARY BENEFITS (in $000s) Rec. No. Page No. Subject Status 1 Action Official Planned Completion Date Claimed Amount Agreed-To Amount 1 2 Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings. U Senior Information Officials, Region 1 and the Office of Environmental Information 2 2 Create plans of action and milestones in the Agency s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures. U Senior Information Officials, Region 1 and the Office of Environmental Information 3 2 Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities. U Senior Information Officials, Region 1 and the Office of Environmental Information 1 O = recommendation is open with agreed-to corrective actions pending C = recommendation is closed with all agreed-to actions completed U = recommendation is unresolved with resolution efforts in progress 12-P-0518 4

Appendix A Distribution Office of the Administrator Assistant Administrator for Environmental Information and Chief Information Officer Regional Administrator, Region 1 Principal Deputy Assistant Administrator for Environmental Information and Senior Information Official Acting Senior Information Official, Region 1 Agency Follow-Up Official (the CFO) Agency Follow-Up Coordinator General Counsel Associate Administrator for Congressional and Intergovernmental Relations Associate Administrator for External Affairs and Environmental Education Senior Agency Information Security Officer Audit Follow-Up Coordinator, Office of Environmental Information Audit Follow-Up Coordinator, Region 1 12-P-0518 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information