A complete inventory of Internet-facing devices (hosts) is essential for information system security. Internet-facing hosts are entry points that are typically the most attacked hosts on an organization’s network. An inventory of these hosts and their associated Internet Protocol addresses provides visibility into and control over an organization’s information systems.
During fiscal year 2015, the U.S. Postal Service’s USPS.com website – an Internet-facing host – had an average of 3 million daily visits from customers, resulting in more than 50 million transactions that generated over $1 billion in revenue. In addition, over 493,000 Postal Service employees use web-based (Internet-facing) hosts for Human Resources transactions such as enrolling in direct deposit or changing retirement contributions or tax withholdings. Accordingly, it is critical for the Postal Service to be aware of and monitor its Internet-facing hosts and restrict visibility to reduce the risk of unauthorized access to data and disruption of critical operations.
Our objective was to identify Internet-facing hosts connected to the Postal Service network and determine if a complete inventory exists.
What the OIG Found
The Postal Service does not have a complete inventory of Internet-facing hosts. While management has a process to identify each host's name and Internet Protocol address, that process does not capture other key data elements such as system owner, operating system, and location. Without a complete inventory an organization cannot maintain visibility into, or control over, its Internet-facing hosts.
In addition, management does not update firewall rules when configuration changes are made to Internet-facing hosts. Specifically, we identified [redacted] of [redacted] firewall rules ( [redacted] percent) that allowed unnecessary traffic to Internet-facing hosts.
We further identified firewall rules that allow [redacted] of [redacted] hosts ( [redacted] percent) to respond to potentially inappropriate communication requests. [redacted]
These issues occurred because, instead of scanning the entire network to identify Internet-facing hosts, management relied on scans of already-known Internet-facing hosts that support its vulnerability assessment process, so hosts not already on that list went undiscovered. In addition, cybersecurity managers did not document all data elements because the information is spread across many non-integrated systems.
Finally, management does not have an effective process for updating firewall rules when configuration changes are made or when services are no longer required on a host.
Obsolete firewall rules that allow inappropriate traffic to Internet-facing hosts weaken the Postal Service’s security posture by allowing outsiders to discover entry points into the network. This significantly hinders the Postal Service’s ability to detect and recover from security incidents and increases the risk of unauthorized access to data and disruption of critical operations.
What the OIG Recommended
We recommended management update procedures to require a complete centralized inventory of Internet-facing hosts be documented and maintained; develop a report that allows managers to review the inventory of Internet-facing hosts; and review and enhance standard operating procedures to include an escalation process to resolve any data gaps in the Internet-facing host inventory. We also recommended management complete enumeration scans of the entire network on a regular basis; review and enhance procedures for updating firewall rules to reflect configuration changes made to Internet-facing hosts; and review firewall rules to determine if the services and traffic to Internet-facing hosts are appropriate.
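The two controls the findings and recommendations above turn on, a full-network enumeration scan reconciled against the known inventory, and firewall allow rules reconciled against what the live hosts actually serve, can be expressed as a small reconciliation script. The following is an added example written for this page; it is not the Postal Service's tooling or anything from the OIG report. It assumes enumeration results in nmap's grepable (-oG) output format and a flat list of allow rules; the addresses (RFC 5737 documentation space), hostnames, inventory records and rules are all constructed sample data.

```python
"""Reconcile an Internet-facing host inventory against enumeration scan
results and firewall allow rules (added example, constructed data)."""
from dataclasses import dataclass, field
import ipaddress
import re

# Constructed sample: what a full-network enumeration scan returns in
# nmap -oG format. Note 203.0.113.30 is alive but absent from the inventory.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.10 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.20 (hr-portal.example.test)\tStatus: Up
Host: 203.0.113.20 (hr-portal.example.test)\tPorts: 443/open/tcp//https///, 22/closed/tcp//ssh///\tIgnored State: filtered (998)
Host: 203.0.113.30 ()\tStatus: Up
Host: 203.0.113.30 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: filtered (999)
"""

# Constructed sample: the "known" inventory the vulnerability-assessment scans
# are limited to. 203.0.113.20 lacks owner/location; 203.0.113.40 was retired.
KNOWN_INVENTORY = {
    "203.0.113.10": {"owner": "Web Services", "os": "RHEL 7", "location": "DC-East"},
    "203.0.113.20": {"owner": "", "os": "Windows Server 2012", "location": ""},
    "203.0.113.40": {"owner": "Legacy Apps", "os": "Solaris 10", "location": "DC-West"},
}

# Constructed sample allow rules: (rule id, destination IP or CIDR, proto, port).
FIREWALL_RULES = [
    ("fw-001", "203.0.113.10", "tcp", 80),
    ("fw-002", "203.0.113.10", "tcp", 443),
    ("fw-003", "203.0.113.10", "tcp", 8443),   # service removed, rule left behind
    ("fw-004", "203.0.113.20", "tcp", 443),
    ("fw-005", "203.0.113.20", "tcp", 22),     # ssh no longer listening
    ("fw-006", "203.0.113.40", "tcp", 443),    # host decommissioned
    ("fw-007", "203.0.113.0/24", "tcp", 3389), # broad rule, nothing listens
]

REQUIRED_FIELDS = ("owner", "os", "location")   # data elements the report names
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")     # port/state/proto/ from -oG


@dataclass
class Host:
    ip: str
    hostname: str
    open_ports: set = field(default_factory=set)   # {(proto, port)}


def parse_grepable(text):
    """Parse nmap -oG lines into {ip: Host}, recording only open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # skip '# Nmap ...' comment lines
        cols = line.split("\t")
        m = re.match(r"Host: (\S+) \((.*?)\)", cols[0])
        if not m:
            continue
        host = hosts.setdefault(m.group(1), Host(m.group(1), m.group(2)))
        for col in cols[1:]:
            if col.startswith("Ports:"):
                for entry in col[len("Ports:"):].split(","):
                    pm = PORT_RE.match(entry.strip())
                    if pm and pm.group(2) == "open":
                        host.open_ports.add((pm.group(3), int(pm.group(1))))
    return hosts


def inventory_gaps(scanned, known):
    """Return (unknown, stale, incomplete):
    unknown    - live IPs the full scan found that the inventory lacks
    stale      - inventory IPs no scan found alive
    incomplete - {ip: [missing required data elements]}"""
    unknown = sorted(set(scanned) - set(known))
    stale = sorted(set(known) - set(scanned))
    incomplete = {}
    for ip, rec in known.items():
        missing = [k for k in REQUIRED_FIELDS if not rec.get(k)]
        if missing:
            incomplete[ip] = missing
    return unknown, stale, incomplete


def obsolete_rules(rules, scanned):
    """Flag allow rules whose destination/port no live host actually serves.
    A rule is obsolete if no scanned host within its destination (single IP
    or CIDR) has the rule's proto/port open."""
    flagged = []
    for rule_id, dst, proto, port in rules:
        net = ipaddress.ip_network(dst, strict=False)
        targets = [h for ip, h in scanned.items() if ipaddress.ip_address(ip) in net]
        if not targets:
            flagged.append((rule_id, f"no live host at {dst}"))
        elif not any((proto, port) in h.open_ports for h in targets):
            flagged.append((rule_id, f"{proto}/{port} not open on any host in {dst}"))
    return flagged


if __name__ == "__main__":
    scanned = parse_grepable(SCAN_OUTPUT)
    unknown, stale, incomplete = inventory_gaps(scanned, KNOWN_INVENTORY)
    print("Live hosts missing from inventory:", unknown)
    print("Inventory entries no scan found alive:", stale)
    print("Inventory records missing data elements:", incomplete)
    for rule_id, reason in obsolete_rules(FIREWALL_RULES, scanned):
        print(f"Obsolete rule {rule_id}: {reason}")
```

On the constructed data the script surfaces each class of finding the report describes: a live host (203.0.113.30) that the known-host scans would never have seen, an inventory record with no owner or location, a decommissioned host whose allow rule survived it, and rules (8443, 22, 3389) that permit traffic to ports nothing is listening on. In practice the scan input would come from an enumeration of the organization's full public address space, and the rule list from a firewall export, with the flagged rules routed into the change-management escalation the recommendations call for.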