.vtffcD STA?. *. U.S. Environmental Protection Agency 12-P-0518 # QL\ Office of Inspector General June 5,2012 13SJ - ° At a Glance Why We Did This Review We sought to assess the security configurations of the U.S. Environmental Protection Agency's (EPA's) Region 1 wireless network infrastructure. We also sought to conduct network vulnerability testing of the Region 1 Local Area Network to identify resources that contained commonly known high-risk and medium- risk vulnerabilities. Background We conducted this audit as part of the annual review of EPA's information security program as required by the Federal Information Security Management Act. We conducted network vulnerability testing in February 2012 to identify any commonly known network vulnerabilities and to present the results to the appropriate EPA officials, who can then promptly remediate or document planned actions to resolve the weaknesses. For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391. The full report is at: www.epa.gov/oiq/reports/2012! 20120605-12-P-0518.pdf Results of Technical Network Vulnerability Assessment: EPA's Region 1 What We Found Our vulnerability assessments of Region l's wireless network infrastructure found no security weaknesses. However, our vulnerability testing of networked resources located at the Region 1 facility identified Internet Protocol addresses with potentially 18 high-risk and 166 medium-risk vulnerabilities. Regional and headquarter offices manage resources located in Region 1 that contain these weaknesses. The Office of Inspector General (OIG) met with EPA information security personnel from the respective offices to discuss the findings. EPA information security personnel acknowledged the existence of the identified security weaknesses and began immediate remediation of some of these issues. If not resolved, these vulnerabilities could expose EPA's assets to unauthorized access and potentially harm the Agency's network. What We Recommend We recommend that the Senior Information Officials within Region 1 and the Office of Environmental Information: • Provide the OIG a status update for all identified high-risk and medium- risk vulnerability findings within 30 days of this report. • Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures within 30 days of this report. • Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities. The detailed testing results have already been provided to Agency representatives. Due to the sensitive nature of the report's technical findings, the technical details will not be made available to the public. Planned Agency Corrective Actions Region 1 remediated all high-risk vulnerabilities discovered by our vulnerability testing of networked resources. Additionally, Region 1 acknowledged the existence of the additional vulnerabilities that we identified and began mitigation activities related to these risks. ------- |