Mr. Chairman and Members of the Committee:
I am pleased to be here today to discuss our analysis of the information security controls over unclassified systems of the Department of Commerce (Commerce). Dramatic increases in computer interconnectivity, especially in the use of the Internet, are revolutionizing the way our government, our nation, and much of the world communicate and conduct business, bringing vast amounts of information and myriad resources and activities literally at our fingertips. However, along with the enormous benefits it brings, this widespread interconnectivity poses significant risks to our computer systems, and more important, to the critical operations and infrastructures they support.
As with other organizations, Commerce relies extensively on computerized systems and electronic data to support its mission. Moreover, Commerce generates and disseminates some of the nation's most important economic information that is of paramount interest to U.S. businesses, policymakers, and researchers. Accordingly, the security of its systems and data is essential to avoiding disruption in critical operations, data tampering, fraud, and inappropriate disclosure of sensitive information. Further, there has been a dramatic rise in the number and sophistication of cyberattacks on federal information systems. My testimony today specifically focuses on the effectiveness of Commerce's (1) logical access controls and other information system controls over its computerized data, (2) incident detection and response capabilities, and (3) information security management program and related procedures. We reviewed Commerce's information security controls and currently have a draft report at Commerce for comment.
At the seven Commerce organizations we reviewed, significant and pervasive computer security weaknesses exist that place sensitive Commerce systems at serious risk. Using readily available software and common techniques, we demonstrated the ability to penetrate sensitive Commerce systems from both inside Commerce and remotely, such as through the Internet. Individuals, both within and outside Commerce, could gain unauthorized access to these systems and read, copy, modify, and delete sensitive economic, financial, personnel, and confidential business data. Moreover, intruders could disrupt the operations of systems that are critical to the mission of the department. Additionally, unauthorized access to sensitive systems may not be detected in time to prevent or minimize damage. The underlying cause for the numerous weaknesses we identified was the lack of an effective program to manage information security.
We identified vulnerabilities in four key areas in the bureaus we reviewed:
· First, controls intended to protect information systems and critical data from unauthorized access are ineffectively implemented, leaving sensitive systems highly susceptible to intrusions or disruptions. Specifically,
- Systems were either not configured to require passwords-including powerful systems administrator accounts-or, if passwords were required, they were relatively easy to guess, such as the word "password" or commonly known default passwords supplied by vendors. Further, (1) a significant number of passwords never expired, (2) individuals had unlimited attempts to guess passwords, and (3) unencrypted passwords, including those having powerful system administrator functions, could be widely viewed. Commerce bureaus also granted excessive system administration privileges to employees who did not require them, including 20 individuals who had powerful system privileges that should be used only in exceptional circumstances, such as recovery from a power failure.
- The configuration of Commerce operating systems exposed excessive amounts of system information to anyone, without the need for authentication, allowing potential attackers to collect systems information that could be used to circumvent security controls and gain unauthorized access. In addition, Commerce did not properly configure operating systems to ensure that they would be available to support bureau missions or prevent the corruption of important data. For example, in a large computer system affecting several bureaus, thousands of important programs had not been assigned unique names, which could result in unintended programs being inadvertently run, potentially corrupting data or disrupting system operations. In this same system, because critical parts of the operating system were shared by the test and production systems, changes in either system could corrupt or shut down the other system. Additionally, unnecessary and poorly configured system functions existed on important computer systems in all bureaus we reviewed, allowing us to gain access from the Internet.
- None of the Commerce bureaus reviewed had effective external and internal network security controls. Our testing demonstrated that individuals, both within and outside Commerce, could compromise external and internal security controls to gain extensive unauthorized access to the department's networks and systems. We obtained such access as a result of weakly configured external control devices, poorly controlled dial-up modems, and ineffective internal network controls.
· Second, we found other control weaknesses, including inadequate (1) segregation of computer duties of the staff to mitigate the risk of errors or fraud, (2) control of software changes to ensure that only authorized and fully tested software is placed in operation, and (3) development of comprehensive and completed recovery plans to ensure the continuity of service in the event of a service disruption.
· Third, Commerce is not adequately (1) preventing intrusions before they occur, (2) detecting intrusions as they occur, (3) responding to successful intrusions, or (4) reporting intrusions to staff and management. Thus, there is little assurance that unauthorized attempts to access sensitive information will be identified and appropriate actions taken in time to prevent or minimize damage. For example, Commerce has not instituted key measures to prevent incidents, such as acquiring software updates to correct known vulnerabilities. During our testing we discovered 20 systems with known vulnerabilities for which patches were available but not installed. As a result of ineffective detection capabilities, the tested bureaus were generally unable to detect our extensive intrusion activities (only two of the bureaus had installed intrusion detection systems). Also, only one of the bureaus has established incident response procedures; in two instances when our activity was detected, Commerce employees who detected our testing inappropriately responded by launching attacks against our systems. Moreover, these two incidents were never reported to the bureaus' security officer.
· Fourth, and most important, Commerce does not have an effective departmentwide information security management program to ensure that sensitive data and critical operations are adequately addressed and that appropriate security controls are in place to protect them. Key issues include
- Lack of a strong centralized management function to oversee and coordinate departmentwide security-related activities. At the time of our review, Commerce's CIO, who had broad responsibility for information security throughout the department, said that he believed that he did not have sufficient resources or the authority to implement this program. This lack of a centralized approach to managing security is particularly risky considering the widespread interconnectivity of Commerce's systems.
- Widespread lack of risk assessment. Commerce is doing little to understand and manage risks to its systems. For example, as of March 2001, of the bureaus' 94 sensitive systems we reviewed, 91 did not have documented risk assessments, 87 had no security plans, and none were authorized[6] for processing by Commerce management. Consequently, most of the bureaus' systems are being operated without considering the risks associated with their immediate environment. Moreover, several bureau officials acknowledged that they had not considered how vulnerabilities in systems that interconnected with theirs could undermine the security of their own systems.
- Significantly outdated and incomplete information security policies. Commerce's information security policy, developed in 1993 and partially revised in 1995, does not reflect current federal requirements for managing computer security on a continuing basis, developing security plans, authorizing processing, providing security awareness training, or performing system reviews. Moreover, Commerce has not updated its policy to reflect the risks of Internet use and has no policies establishing baseline security requirements for all systems. For example, there is no policy specifying required attributes for passwords, such as minimum length and the inclusion of special characters.
- Inadequately promoted security awareness and training. Although each of the seven bureaus reviewed has informal programs in place, none has documented computer security training procedures that meet federal requirements for ensuring that security risks and responsibilities are understood by all managers, users, and system administrators.
- Lack of an ongoing program to test and evaluate security controls. No oversight reviews of the Commerce bureaus' systems have been performed by the staff of Commerce's information security program. Furthermore, the bureaus we reviewed do not monitor the effectiveness of their information security. Only one of the bureaus has performed isolated tests of its systems.
The lack of an effective information security program is exacerbated by Commerce's highly interconnected computing environment in which the vulnerabilities of individual systems affect the security of systems in the entire department. A compromise in a single poorly secured system can undermine the security of the multiple systems that connect to it.
In the last 2 years, the Commerce CIO introduced several initiatives to improve the security posture of the department, including a summary evaluation of information security based on bureau self-assessments and related follow-up. Also, in June 2001, after our fieldwork was completed, the Secretary of Commerce approved a high-level Commerce information technology (IT) restructuring plan. The acting CIO stated that Commerce is developing a more detailed restructuring implementation plan. Regardless of its particular approach, we have made recommendations that Commerce needs to implement in order to address the weaknesses in its information security controls.
In the rest of my statement today, I will discuss in more detail the results of our review of Commerce's information security controls; these results are included in our draft report, which also contains more detailed recommendations.
Information security is an important consideration for any organization that depends on information systems to carry out its mission. The dramatic expansion in computer interconnectivity and the exponential increase in the use of the Internet are changing the way our government, the nation, and much of the world communicate and conduct business. However, risks are significant, and they are growing. The number of computer security incidents reported to the CERT Coordination Center (CERT/CC) rose from 9,859 in 1999 to 21,756 in 2000. For the first 6 months of 2001, the number reported was 15,476.
As the number of individuals with computer skills has increased, more intrusion or "hacking" tools have become readily available and relatively easy to use. A potential hacker can literally download tools from the Internet and "point and click" to start a hack. According to a recent National Institute of Standards and Technology (NIST) publication, hackers post 30 to 40 new tools to hacking sites on the Internet every month. The successful cyber attacks against such well-known U.S. e-commerce Internet sites as eBay, Amazon.com, and CNN.com by a 15-year-old "script kiddie" in February 2000 illustrate the risks. Without proper safeguards, these developments make it easier for individuals and groups with malicious intentions to gain unauthorized access to systems and use their access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other organizations' sites.
Federal Systems Are At Risk
Government officials are increasingly concerned about federal computer systems, which process, store, and transmit enormous amounts of sensitive data and are indispensable to many federal operations. The federal government's systems are riddled with weaknesses that continue to put critical operations at risk. Since October 1998, the Federal Computer Incident Response Center's (FedCIRC) records have shown an increasing trend in the number of attacks targeting government systems. In 1998 FedCIRC documented 376 incidents affecting 2,732 federal civilian systems and 86 military systems. In 2000, the number of attacks rose to 586 incidents affecting 575,568 federal systems and 148 of their military counterparts. Moreover, according to FedCIRC, these numbers reflect only reported incidents, which it estimates do not include as many as 80 percent of actual security incidents. According to FedCIRC, 155 of the incidents reported in 2000, which occurred at 32 agencies, resulted in what is known as a "root compromise." For at least five of the root compromises, government officials were able to verify that access to sensitive information had been obtained.
How well federal agencies are addressing these risks is a topic of increasing interest in the executive and legislative branches. In January 2000, President Clinton issued a National Plan for Information Systems Protection and designated computer security and critical infrastructure protection a priority management objective in his fiscal year 2001 budget. The new administration, federal agencies, and private industry have collaboratively begun to prepare a new version of the national plan that will outline an integrated approach to computer security and critical infrastructure protection.
The Congress, too, is increasingly interested in computer security, as evidenced by important hearings held during 1999, 2000, and 2001 on ways to strengthen information security practices throughout the federal government and on progress at specific agencies in addressing known vulnerabilities. Furthermore, in October 2000, the Congress included government information security reform provisions in the fiscal year 2001 National Defense Authorization Act. These provisions seek to ensure proper management and security for federal information systems by calling for agencies to adopt risk management practices that are consistent with those summarized in our 1998 Executive Guide. The provisions also require annual agency program reviews and Inspector General (IG) evaluations that must be reported to the Office of Management and Budget (OMB) as part of the budget process.
The federal CIO Council and others have also initiated several projects that are intended to promote and support security improvements to federal information systems. Over the past year, the CIO Council, working with NIST, OMB, and us, developed the Federal Information Technology Security Assessment Framework. The framework provides agencies with a self-assessment methodology to determine the current status of their security programs and to establish targets for improvement. OMB has instructed agencies to use the framework to fulfill their annual assessment and reporting obligations.
Since 1996, our analyses of information security at major federal agencies have shown that systems are not being adequately protected. Our previous reports, and those of agency IGs, describe persistent computer security weaknesses that place a variety of critical federal operations at risk of inappropriate disclosures, fraud, and disruption. This body of audit evidence has led us, since 1997, to designate computer security as a governmentwide high-risk area.
Our most recent summary analysis of federal information systems found that significant computer security weaknesses had been identified in 24 of the largest federal agencies, including Commerce. During December 2000 and January 2001, Commerce's IG also reported significant computer security weaknesses in several of the department's bureaus and, in February 2001, reported information security as a material weakness affecting the department's ability to produce accurate data for financial statements. The report stated that there were weaknesses in several areas, including entitywide security management, access controls, software change controls, segregation of duties, and service continuity planning. Moreover, a recent IG assessment of the department's information security program found fundamental weaknesses in the areas of policy and oversight. Also, the IG designated information security as one of the top ten management challenges for the department.
Commerce Missions Are Diverse
Commerce's missions are among the most diverse of the federal government's cabinet departments, covering a wide range of responsibilities that include observing and managing natural resources and the environment; promoting commerce, regional development, and scientific research; and collecting, analyzing, and disseminating statistical information. Commerce employs about 40,000 people in fourteen operating bureaus with numerous offices in the U.S. and overseas, each pursuing disparate programs and activities.
IT is a critical tool for Commerce to support these missions. The department spends significant resources-reportedly over $1.5 billion in fiscal year 2000-on IT systems and services. As a percentage of total agency expenditures on IT, Commerce ranks among the top agencies in the federal government, with 17 percent of its $9-billion fiscal year 2000 budget reported as spent on IT.
A primary mission of Commerce is to promote job creation and improved living standards for all Americans by furthering U.S. economic growth, and the seven bureaus we reviewed support this mission through a wide array of programs and services. Commerce uses IT to generate and disseminate some of the nation's most important economic information. The International Trade Administration (ITA) promotes the export of U.S. goods and services-which amounted to approximately $1.1 trillion in fiscal year 2000. Millions of American jobs depend on exports, and with 96 percent of the world's consumers living outside U.S. borders, international trade is increasingly important to supporting this mission. The Economics and Statistics Administration (ESA) develops, prepares, analyzes, and disseminates important indicators of the U.S. that present basic information on such key issues as economic growth, regional development, and the U.S. role in the world economy. This information is of paramount interest to researchers, business, and policymakers.
The Bureau of Export Administration (BXA), whose efforts supported sales of approximately $4.2 billion in fiscal year 1999, assists in stimulating the growth of U.S. exports while protecting national security interests by helping to stop the proliferation of weapons of mass destruction. Sensitive data such as that relating to national security, nuclear proliferation, missile technology, and chemical and biological warfare reside in this bureau's systems.
Commerce's ability to fulfill its mission depends on the confidentiality, integrity, and availability of this sensitive information. For example, export data residing in the BXA systems reflect technologies that have both civil and military applications; the misuse, modification, or deletion of these data could threaten our national security or public safety and affect foreign policy. Much of these data are also business proprietary. If they were compromised, the business could not only lose its market share, but dangerous technologies might end up in the hands of renegade nations who threaten our national security or that of other nations.
Commerce's IT Infrastructure Is Decentralized
Commerce's IT infrastructure is decentralized. Although the Commerce IT Review Board approves major acquisitions, most bureaus have their own IT budgets and act independently to acquire, develop, operate, and maintain their own infrastructure. For example, Commerce has 14 different data centers, diverse hardware platforms and software environments, and 20 independently managed e-mail systems. The bureaus also develop and control their own individual networks to serve their specific needs. These networks vary greatly in size and complexity. For example, one bureau has as many as 155 local area networks and 3,000 users spread over 50 states and 80 countries. Some of these networks are owned, operated, and managed by individual programs within the same bureau.
Because Commerce does not have a single, departmentwide common network infrastructure to facilitate data communications across the department, the bureaus have established their own access paths to the Internet, which they rely on to communicate with one another. In April 2001, the department awarded a contract for a $4 million project to consolidate the individual bureaus' local area networks within its headquarters building onto a common network infrastructure. However, until this project is completed, each of the bureaus is expected to continue to configure, operate, and maintain its own unique networks.
Improvements to Information Security Have Been Initiated
Recognizing the importance of its data and operations, in September 1993 Commerce established departmentwide information security policies that defined and assigned a full set of security responsibilities, ranging from the department level down to individual system owners and users within the bureaus. Since 1998, the Commerce CIO position has been responsible for developing and implementing the department's information security program. An information security manager, under the direction of the CIO's Office of Information Policy, Planning, and Review, is tasked with carrying out the responsibilities of the program. The CIO's responsibilities for the security of classified systems have been delegated to the Office of Security.
In the last 2 years, the CIO introduced several initiatives that are essential to improving the security posture of the department. After a 1999 contracted evaluation of the bureaus' security plans determined that 43 percent of Commerce's most critical assets did not have current information system security plans, the CIO issued a memorandum calling for the bureaus to prepare security plans that comply with federal regulations. Also, in May 2000, the Office of the CIO performed a summary evaluation of the status of all the bureaus' information security based on the bureaus' own self-assessments. The results determined that overall information security program compliance was minimal, that no formal information security awareness and training programs were provided by the bureaus, and that incident response capabilities were either absent or informal. The Commerce IG indicated that subsequent meetings between the Office of the CIO and the bureaus led to improvements. The Office of the CIO plans to conduct another evaluation this year and, based on a comparison with last year's results, measure the bureaus' success in strengthening their security postures.
Finally, for the past year, the CIO attempted to restructure the department's IT management to increase his span of control over information security within the bureaus by enforcing his oversight authority and involvement in budgeting for IT resources. However, this initiative was not approved before the CIO's resignation in 2001. In June 2001, after our fieldwork was completed, the Secretary of Commerce approved a high-level Commerce IT restructuring plan. The acting CIO stated that a task force is developing a more detailed implementation plan.
Logical Access Controls Were Inadequate
A basic management objective for any organization is the protection of its information systems and critical data from unauthorized access. Organizations accomplish this objective by establishing controls that limit access to only authorized users, effectively configuring their operating systems, and securely implementing networks. However, our tests identified weaknesses in each of these control areas in all of the Commerce bureaus we reviewed. We demonstrated that individuals, both external and internal to Commerce, could compromise security controls to gain extensive unauthorized access to Commerce networks and systems. These weaknesses place the bureaus' information systems at risk of unauthorized access, which could lead to the improper disclosure, modification, or deletion of sensitive information and the disruption of critical operations. As previously noted, because of the sensitivity of specific weaknesses, we plan to issue a report designated for "Limited Official Use," which describes in more detail each of the computer security weaknesses identified and offers specific recommendations for correcting them.
System Access Controls Were Weak
Effective system access controls provide mechanisms that require users to identify themselves and authenticate their identity, limit the use of system administrator capabilities to authorized individuals, and protect sensitive system and data files. As with many organizations, passwords are Commerce's primary means of authenticating user identity. Because system administrator capabilities provide the ability to read, modify, or delete any data or files on the system and modify the operating system to create access paths into the system, such capabilities should be limited to the minimum access levels necessary for systems personnel to perform their duties. Also, information can be protected by using controls that limit an individual's ability to read, modify, or delete information stored in sensitive system files.
User ID and Password Management Controls Were Not Effective
One of the primary methods to prevent unauthorized access to information system resources is through effective management of user IDs and passwords. To accomplish this objective, organizations should establish controls that include requirements to ensure that well-chosen passwords are required for user authentication, passwords are changed periodically, the number of invalid password attempts is limited to preclude password guessing, and the confidentiality of passwords is maintained and protected.
None of the Commerce bureaus reviewed was effectively managing user IDs and passwords to sufficiently reduce the risk that intruders could gain unauthorized access to their information systems to (1) change system access and other rules, (2) potentially read, modify, and delete or redirect network traffic, and (3) read, modify, and delete sensitive information. Specifically, systems were either not configured to require passwords or, if passwords were required, they were relatively easy to guess. For example,
· powerful system administrator accounts did not require passwords, allowing anyone who could connect to certain systems through the network to log on as a system administrator without having to use a password,
· systems allowed users to change their passwords to a blank password, completely circumventing the password control function,
· passwords were easily guessed words, such as "password,"
· passwords were the same as the user's ID, and
· commonly known default passwords set by vendors when systems were originally shipped had never been changed.
Although frequent password changes reduce the risk of continued unauthorized use of a compromised password, systems in four of the bureaus reviewed had a significant number of passwords that never required changing or did not have to be changed for 273 years. Also, systems in six of the seven bureaus did not limit the number of times an individual could try to log on to a user ID. Unlimited attempts allow intruders to keep trying passwords until a correct password is discovered.
Further, none of the Commerce bureaus reviewed adequately protected the passwords of their system users through measures such as encryption, as illustrated by the following examples:
· User passwords were stored in readable text files that could be viewed by all users on one bureau's systems.
· Files that store user passwords were not protected from being copied by intruders, who could then take the copied password files and decrypt user passwords. The decrypted passwords could then be used to gain unauthorized access to systems by intruders masquerading as legitimate users.
· Over 150 users of one system could read the unencrypted password of a powerful system administrator's account.
Control of System Administration Functions Was Not Adequate
System administrators perform important functions in support of the operations of computer systems. These functions include defining security controls, granting users access privileges, changing operating system configurations, and monitoring system activity. In order to perform these functions, system administrators have powerful privileges that enable them to manipulate operating system and security controls. Privileges to perform these system administration functions should be granted only to employees who require such privileges to perform their responsibilities and who are specifically trained to understand and exercise those privileges. Moreover, the level of privilege granted to employees should not exceed the level required for them to perform their assigned duties. Finally, systems should provide accountability for the actions of system administrators on the systems.
However, Commerce bureaus granted the use of excessive system administration privileges to employees who did not require such privileges to perform their responsibilities and who were not trained to exercise them. For example, a very powerful system administration privilege that should be used only in exceptional circumstances, such as recovery from a power failure, was granted to 20 individuals. These 20 individuals had the ability to access all of the information stored on the system, change important system configurations that could affect the system's reliability, and run any program on the computer. Further, Commerce management also acknowledged that not all staff with access to this administrative privilege had been adequately trained.
On other important systems in all seven bureaus, system administrators were sharing user IDs and passwords so that systems could not provide an audit trail of access by system administrators, thereby limiting accountability. By not effectively controlling the number of staff who exercise system administrator privileges, restricting the level of such privileges granted to those required to perform assigned duties, or ensuring that only well-trained staff have these privileges, Commerce is increasing the risk that unauthorized activity could occur and the security of sensitive information be compromised.
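As an added example (not code from the testimony, GAO, or Commerce), the following Python audit applies the password-management criteria of the preceding section and the privilege-control criteria of this one to constructed account records. The account fields, the policy thresholds, the privilege name system-recovery, the hashing scheme, and the vendor-default and weak-word lists are all assumptions.

```python
"""Audit constructed account records against the password and privilege
controls described above.  Hypothetical data model; not a Commerce system."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed lists and thresholds.  A real audit would load the vendor's
# documented default passwords and a published weak-word list.
VENDOR_DEFAULTS = {"manager", "field", "changeme"}
WEAK_WORDS = {"password", "welcome", "letmein"}
MAX_AGE_DAYS = 90                 # passwords must be changed periodically
MAX_FAILED_ATTEMPTS = 5           # limit guessing; 0 on an account means unlimited
RECOVERY_PRIVILEGE = "system-recovery"   # hypothetical name for the power-failure recovery privilege
MAX_RECOVERY_HOLDERS = 2          # exceptional-circumstance privilege: very few holders


def pw_hash(password: str) -> str:
    """Constructed: the sample systems store an unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    user_id: str
    password_hash: Optional[str]      # None: the system does not require a password
    max_age_days: int                 # 99999 is the classic "never expires" (about 273 years)
    lockout_threshold: int            # 0: unlimited logon attempts
    privileges: Set[str] = field(default_factory=set)
    holders: List[str] = field(default_factory=list)   # people who know this credential


def audit_account(acct: Account) -> List[str]:
    """Return the control weaknesses found on one account."""
    findings: List[str] = []
    if acct.password_hash is None:
        findings.append("no password required")
    else:
        # Compare the stored hash against the values the testimony found in use.
        candidates: Dict[str, str] = {"": "blank password",
                                      acct.user_id: "password equals user ID"}
        candidates.update({d: "unchanged vendor default password" for d in VENDOR_DEFAULTS})
        candidates.update({w: "easily guessed word" for w in WEAK_WORDS})
        for value, label in candidates.items():
            if pw_hash(value) == acct.password_hash:
                findings.append(label)
                break
    if acct.max_age_days > MAX_AGE_DAYS:
        findings.append(f"password expiry of {acct.max_age_days} days "
                        f"(about {acct.max_age_days // 365} years)")
    if acct.lockout_threshold == 0 or acct.lockout_threshold > MAX_FAILED_ATTEMPTS:
        findings.append("unlimited or excessive failed logon attempts")
    if len(acct.holders) > 1:
        findings.append(f"credential shared by {len(acct.holders)} people: "
                        "no individual audit trail")
    return findings


def recovery_privilege_holders(accounts: List[Account]) -> List[str]:
    """User IDs holding the exceptional-circumstance privilege."""
    return sorted(a.user_id for a in accounts if RECOVERY_PRIVILEGE in a.privileges)


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each user ID to its findings, plus a system-level least-privilege finding."""
    report = {a.user_id: audit_account(a) for a in accounts}
    holders = recovery_privilege_holders(accounts)
    if len(holders) > MAX_RECOVERY_HOLDERS:
        report["*privilege*"] = [f"{len(holders)} accounts hold {RECOVERY_PRIVILEGE}; "
                                 f"policy allows {MAX_RECOVERY_HOLDERS}"]
    return report


# Constructed sample accounts mirroring the findings in the testimony.
SAMPLE_ACCOUNTS = [
    Account("sysadmin", None, 99999, 0, {RECOVERY_PRIVILEGE}),     # no password, never expires
    Account("jdoe", pw_hash("jdoe"), 90, 3),                       # password equals user ID
    Account("svc-db", pw_hash("manager"), 90, 3),                  # vendor default never changed
    Account("ops", pw_hash("N0t-obvi0us!"), 60, 3, {"backup"},
            ["alice", "bob", "carol"]),                            # one ID shared by three admins
    Account("kchen", pw_hash("3Lk#9ttQ-vm"), 60, 3),               # compliant
] + [Account(f"oper{n:02d}", pw_hash(f"Oper-{n:02d}-x!"), 60, 3, {RECOVERY_PRIVILEGE})
     for n in range(1, 20)]   # 19 more holders of the recovery privilege, 20 in all

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        if findings:
            print(f"{user}: " + "; ".join(findings))
```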
Access to Critical Systems and Sensitive Data Files Was Not Adequately Restricted
Access privileges to individual critical systems and sensitive data files should be restricted to authorized users. Not only does this restriction protect files that may contain sensitive information from unauthorized access, but it also provides another layer of protection against intruders who may have successfully penetrated one system from significantly extending their unauthorized access and activities to other systems. Examples of access privileges are the capabilities to read, modify, or delete a file. Privileges can be granted to individual users, to groups of users, or to everyone who accesses the system.
Six
of the seven bureaus' systems were not
configured to appropriately restrict access to sensitive
system and/or data files. For example, critical system
files could be modified by all users to allow them to
bypass security controls. Also, excessive access privileges
to sensitive data files such as export license applications
were granted. Systems configured with excessive
file access privileges are extremely vulnerable
to compromise because such configurations could enable
an intruder to read, modify, or delete sensitive system
and data files, or to disrupt the availability and integrity
of the system.
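The finding above (critical system files modifiable by all users) maps directly onto the owner, group and everyone permission classes just described. The following added audit script, which is not part of the testimony, checks a list of files for group- or world-writable modes; the file names and modes are constructed in a temporary directory for the example.

```python
"""Added example (not from the GAO testimony): audit file permissions on a
set of critical files and report any that are writable by group or by
everyone. The sample files are constructed in a temporary directory."""
import os
import stat
import tempfile


def excessive_write_access(path: str) -> list[str]:
    """Return which non-owner classes ('group', 'other') may modify the file.
    An empty list means only the owner can write, which is the expected state
    for critical system files."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group")
    if mode & stat.S_IWOTH:
        findings.append("other")
    return findings


def audit_critical_files(paths: list[str]) -> dict[str, list[str]]:
    """Map each file with excessive write access to the classes that hold it.
    Files that are correctly restricted are omitted from the result."""
    report = {}
    for path in paths:
        who = excessive_write_access(path)
        if who:
            report[path] = who
    return report


def build_sample_tree() -> dict[str, list[str]]:
    """Construct a temporary directory with three sample 'system files'
    (one owner-only, one group-writable, one world-writable), run the audit
    over it, and return the findings keyed by file name."""
    tmp = tempfile.mkdtemp()
    samples = {"passwd": 0o644, "cron.allow": 0o664, "startup.cfg": 0o666}
    paths = []
    for name, mode in samples.items():
        p = os.path.join(tmp, name)
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(p, mode)   # chmod sets the bits explicitly, regardless of umask
        paths.append(p)
    findings = audit_critical_files(paths)
    return {os.path.basename(p): who for p, who in findings.items()}


if __name__ == "__main__":
    for name, who in build_sample_tree().items():
        print(f"{name}: writable by {', '.join(who)}")
```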
Operating Systems Were Ineffectively Secured

Operating system controls are essential to ensure that the computer systems and security controls function as intended. Operating systems are relied on by all the software and hardware in a computer system. Additionally, all users depend on the proper operation of the operating system to provide a consistent and reliable processing environment, which is essential to the availability and reliability of the information stored and processed by the system.
Operating system controls should limit the extent of information that systems provide to facilitate system interconnectivity. Operating systems should be configured to help ensure that systems are available and that information stored and processed is not corrupted. Controls should also limit the functions of the computer system to prevent insecure system configurations or the existence of functions not needed to support the operations of the system. If functions are not properly controlled, they can be used by intruders to circumvent security controls.
Excessive System Information Was Exposed

To facilitate interconnectivity between computer systems, operating systems are configured to provide descriptive and technical information, such as version numbers and system names, to other computer systems and individuals when connections are being established. At the same time, however, systems should be configured to limit the amount of information that is made available to other systems and unidentified individuals, because this information can be misused by potential intruders to learn the characteristics and vulnerabilities of that system to assist in intrusions.
Systems in all bureaus reviewed were not configured to prevent excessive system information from being exposed to potential attackers. The configuration of Commerce systems provided excessive amounts of information to anyone, including external users, without the need for authentication. Our testing demonstrated that potential attackers could collect information about systems, such as computer names, types of operating systems, functions, version numbers, user information, and other information that could be useful to circumvent security controls and gain unauthorized access.
Operating Systems Were Poorly Configured

The proper configuration of operating systems is important to ensuring the reliable operation of computers and the continuous availability and integrity of critical information. Operating systems should be configured so that the security controls throughout the system function effectively and the system can be depended on to support the organization's mission.
Commerce bureaus did not properly configure operating systems to ensure that systems would be available to support bureau missions or to prevent the corruption of the information relied on by management and the public. For example, in a large computer system affecting several bureaus, there were thousands of important programs that had not been assigned unique names. In some instances, as many as six different programs all shared the same name, many of which were different versions of the same program. Although typically the complexity of such a system may require the installation of some programs that are identically named, and authorized programs must be able to bypass security in order to operate, there were an excessive number of such programs installed on this system, many of which were capable of bypassing security controls.

Because these different programs are identically named, unintended programs could be inadvertently run, potentially resulting in the corruption of data or disruption of system operations. Also, because these powerful programs are duplicated, there is an increased likelihood that they could be misused to bypass security controls.

In this same system, critical parts of the operating system were shared by the test and production systems used to process U.S. export information. Because critical parts were shared, changes made in the test system could also affect the production system. Consequently, changes could be made in the test system that would cause the production system to stop operating normally and shut down. Changes in the test system could also cause important Commerce data in the production system to become corrupted. Commerce management acknowledged that the isolation between these two systems needed to be strengthened to mitigate these risks.
Systems Had Unnecessary and Poorly Configured Functions

Operating system functions should be limited to support only the capabilities needed by each specific computer system. Moreover, these functions should be appropriately configured. Unnecessary operating system functions can be used to gain unauthorized access to a system and target that system for a denial-of-service attack. Poorly configured operating system functions can allow individuals to bypass security controls and access sensitive information without requiring proper identification and authentication.
Unnecessary and poorly configured system functions existed on important computer systems in all the bureaus we reviewed. For example, unnecessary functions allowed us to gain access to a system from the Internet. Through such access and other identified weaknesses, we were able to gain system administration privileges on that system and subsequently gain access to other systems within other Commerce bureaus. Also, poorly configured functions would have allowed users to bypass security controls and gain unrestricted access to all programs and data.
Network Security Was Ineffective

Networks are a series of interconnected information technology devices and software that allow groups of individuals to share data, printers, communications systems, electronic mail, and other resources. They provide the entry point for access to electronic information assets and provide users with access to the information technologies they need to satisfy the organization's mission. Controls should restrict access to networks from sources external to the network. Controls should also limit the use of systems from sources internal to the network to authorized users for authorized purposes.
External threats include individuals outside an organization attempting to gain unauthorized access to an organization's networks using the Internet, other networks, or dial-up modems. Another form of external threat is flooding a network with large volumes of access requests so that the network is unable to respond to legitimate requests, one type of denial-of-service attack. External threats can be countered by implementing security controls on the perimeters of the network, such as firewalls, that limit user access and data interchange between systems and users within the organization's network and systems and users outside the network, especially on the Internet. An example of perimeter defenses is only allowing pre-approved computer systems from outside the network to exchange certain types of data with computer systems inside the network. External network controls should guard the perimeter of the network from connections with other systems and access by individuals who are not authorized to connect with and use the network.
Internal threats come from sources that are within an organization's networks, such as a disgruntled employee with access privileges who attempts to perform unauthorized activities. Also, an intruder who has successfully penetrated a network's perimeter defenses becomes an internal threat when the intruder attempts to compromise other parts of an organization's network security as a result of gaining access to one system within the network. For example, at Commerce, users of one bureau who have no business need to access export license information on another bureau's network should not have had network connections to that system.

External network security controls should prevent unauthorized access from outside threats, but if those controls fail, internal network security controls should also prevent the intruder from gaining unauthorized access to other computer systems within the network.
None of the Commerce bureaus reviewed had effective external and internal network security controls. Individuals, both within and outside Commerce, could compromise external and internal security controls to gain extensive unauthorized access to Commerce networks and systems. Bureaus employed a series of external control devices, such as firewalls, in some, but not all, of the access paths to their networks. However, these controls did not effectively prevent unauthorized access to Commerce networks from the Internet or through poorly controlled dial-up modems that bypass external controls. For example, four bureaus had not configured their firewalls to adequately protect their information systems from intruders on the Internet. Also, six dial-up modems were installed so that anyone could connect to their network without having to use a password, thereby circumventing the security controls provided by existing firewalls.

Our testing demonstrated that, once access was gained by an unauthorized user on the Internet or through a dial-up modem to one bureau's networks, that intruder could circumvent ineffective internal network controls to gain unauthorized access to other networks within Commerce. Such weak internal network controls could allow an unauthorized intruder or authorized user on one bureau's network to change the configuration of other bureaus' network controls so that the user could observe network traffic, including passwords and sensitive information that Commerce transmits in readable clear text, and disrupt network operations.
The external and internal security controls of the different Commerce bureau networks did not provide a consistent level of security, in part because bureaus independently configured and operated their networks as their own individual networks. For example, four of the bureaus we reviewed had their own independently controlled access points to the Internet.

Because the different bureaus' networks are actually logically interconnected and perform as one large interconnected network, the ineffective network security controls of one bureau jeopardize the security of other bureaus' networks. Weaknesses in the external and internal network controls of the individual bureaus heighten the ri