Security Information Management System
Background
The U.S. Postal Service currently uses the [redacted] system to collect and analyze data on information technology (IT) security events, including malicious software referred to as malware. Each quarter, the U.S. Postal Service Office of Inspector General (OIG) analyzes [redacted] system data as part of our IT Security Risk Model. In Quarter (Q) 4, fiscal year (FY) 2015, the [redacted] system reported a [redacted] portion of security events as malware. However, these events were actually normal, expected behavior incorrectly labeled as malicious. Normal activity incorrectly labeled as malicious is referred to as false positives.
Best practices for effective security controls include implementing processes that filter false positives from IT security event reporting. This enables security analysts to focus on legitimate and critical alerts.
Our objective was to determine if the Postal Service properly configured its security information management system to exclude data that result in false positives.
What the OIG Found
We determined that Postal Service IT security managers identified certain security events as false positives; however, they did not exclude them from [redacted] system data. In Q4, FY 2015, the [redacted] system reported about [redacted] malware events. We identified 10 programs that made up about 98 percent of these malware events.
IT security management stated they were aware that all but one of these programs were false positives based on earlier research, but did not remove them due to other priorities, such as implementing new tools and processes. As a result, false positives will continue to be reported as malware events in the [redacted] system.
What the OIG Recommended
We recommended the Postal Service establish procedures to regularly identify and manage false positives found in malware event reporting tools and incorporate these practices into the redesign of incident management and monitoring processes.
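One way to implement the recommended false-positive management, written here as an added example that is not part of the OIG report or the Postal Service's system: constructed malware-event records with placeholder program names, a suppression list whose entries carry a review date so they are re-validated on a schedule rather than left in place indefinitely, and the top-N share calculation behind a finding such as "10 programs made up about 98 percent of events". The record fields and list structure are assumptions.

```python
from collections import Counter
from datetime import date

def _make(program, n):
    # Constructed records standing in for the redacted system's quarterly export;
    # program names are placeholders, not real software.
    return [{"host": f"ws-{i:03d}", "program": program, "verdict": "malware"}
            for i in range(n)]

EVENTS = _make("prog_A", 50) + _make("prog_B", 30) + _make("prog_C", 15) + _make("prog_D", 5)
QUARTER_END = date(2015, 9, 30)   # last day of Q4 FY2015 (federal fiscal year)

# Tuning list of programs IT security has researched and confirmed benign.
# Each entry carries a review date so the suppression is revisited on a schedule
# (hypothetical structure, not the report's).
FALSE_POSITIVE_LIST = {
    "prog_A": {"confirmed_by": "it-security", "review_by": date(2016, 3, 31)},
    "prog_B": {"confirmed_by": "it-security", "review_by": date(2015, 6, 30)},
}

def program_shares(events, top_n=10):
    """Rank programs by event count; return (program, count, cumulative share).
    This is the analysis behind 'N programs make up X percent of events'."""
    counts = Counter(e["program"] for e in events)
    total = sum(counts.values())
    out, running = [], 0
    for program, count in counts.most_common(top_n):
        running += count
        out.append((program, count, round(running / total, 3)))
    return out

def suppress_false_positives(events, fp_list, today):
    """Drop events from confirmed false-positive programs whose review date has
    not passed. Expired entries are NOT suppressed: stale research surfaces the
    events again instead of silently hiding them.
    Returns (kept, suppressed, expired_programs)."""
    kept, suppressed, expired = [], [], set()
    for e in events:
        entry = fp_list.get(e["program"])
        if entry is None:
            kept.append(e)                      # never researched: still reported
        elif today > entry["review_by"]:
            expired.add(e["program"])           # review overdue: report it again
            kept.append(e)
        else:
            suppressed.append(e)                # confirmed benign, within window
    return kept, suppressed, sorted(expired)

if __name__ == "__main__":
    print(program_shares(EVENTS))
    kept, dropped, stale = suppress_false_positives(EVENTS, FALSE_POSITIVE_LIST, QUARTER_END)
    print(len(kept), "reported,", len(dropped), "suppressed, review overdue:", stale)
```

The expired-entry branch is the part that addresses the report's finding: a suppression that nobody re-checks becomes an unreviewed blind spot, so overdue entries fall back to being reported.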