U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Results of Technical Network Vulnerability Assessment: EPA's Region 6 Report No. 12-P-0659 August 10, 2012 ------- Report Contributors: Rudolph M. Brevard Warren Brooks Scott Sammons Jeremy Sigel Hotline To report fraud, waste, or abuse, contact us through one of the following methods: e-mail: OIG Hotlirie@epa.aov write: EPA Inspector General Hotline phone: 1-888-546-8740 1200 Pennsylvania Avenue NW fax: 202-566-2599 Mailcode 2431T online: http://www.epa.gov/oig/hotline.htm Washington, DC 20460 ------- STA?. .* *. U.S. Environmental Protection Agency 12-P-0659 £ &M \ Dffiro r»f Incnprtnr August 10, 2012 ^ (fcjl z Office of Inspector General iSIE*1 ' At a Glance Why We Did This Review We sought to assess the security configurations of the U.S. Environmental Protection Agency's (EPA's) Region 6 wireless network infrastructure. We sought to conduct network vulnerability testing of the Region 6 Local Area Network to identify resources that contained commonly known high-risk and medium-risk vulnerabilities. We also sought to assess the physical controls and environmental controls around critical information technology assets located in Region 6. We conducted this audit as part of the annual review of EPA's information security program as required by the Federal Information Security Management Act. Furthering EPA's Goals and Cross-Cutting Strategies • Strengthening EPA's Workforce and Capabilities Results of Technical Network Vulnerability Assessment: EPA's Region 6 What We Found Our vulnerability assessments of EPA's Region 6 wireless network infrastructure found no security weaknesses. However, our vulnerability testing of networked resources located at Region 6 facilities identified Internet Protocol addresses with potentially 35 critical-risk, 217 high-risk, and 878 medium-risk vulnerabilities. Additionally, our server room assessments revealed a lack of adequate monitoring of environmental controls, the lack of a process to ensure only authorized personnel are approved for access to server rooms, and the existence of unsecured and unlogged media in the server rooms. If not resolved, these vulnerabilities could expose EPA's assets to unauthorized access and potentially harm the Agency's network. Recommendations and Agency Corrective Actions We recommend that the Senior Information Official within Region 6 provide the Office of Inspector General a status update for every critical-risk, high-risk, and medium-risk vulnerability identified by the scanning tool; create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency interim procedures; perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities; and remediate all identified physical and environmental control weaknesses identified in the server rooms. Region 6 representatives acknowledged the existence of the vulnerabilities that we identified and stated they have begun developing corrective actions to address the risks related to these weaknesses. The detailed testing results have already been provided to Agency representatives. Due to the sensitive nature of the report's technical findings, the technical details will not be made available to the public. For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391. The full report is at: www.epa.gov/oiq/reports/2012/ 20120810-12-P-0659. pdf ------- ^tDsrx £ *'o < H0? s UNITED STATES ENVIRONMENTAL PROTECTION AGENCY \ V\l// ® WASHINGTON, D.C. 20460 PRO^ THE INSPECTOR GENERAL August 10,2012 MEMORANDUM SUBJECT: Results of Technical Network Vulnerability Assessment: EPA's Region 6 Report No. 12-P-0659 FROM: Arthur A. Elkins, Jr. Chji*/Ur (vy^. TO: Lynda Carroll Senior Information Official Region 6 This is our quick reaction report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). Due to the sensitive nature of the technical findings, we are issuing this report for urgent management remediation. The site assessments were conducted in conjunction with our annual audit of EPA's information security program as required by the Federal Information Security Management Act. This report provides the summary of our security assessments of networked resources located at EPA's Region 6 office in Dallas, Texas, and laboratory in Houston, Texas. Our tests disclosed that network resources at the Region 6 office and laboratory contained potentially a combined 35 critical-risk, 217 high-risk, and 878 medium-risk vulnerabilities. Our server room assessments revealed a lack of adequate monitoring of environmental controls, the lack of a process to ensure only authorized personnel are approved for access to server rooms, and the existence of unsecured and/or unlogged media in the server rooms. We provided your office representatives with the technical results during our site visit to facilitate immediate remediation actions. We performed this audit work from February through August 2012 at EPA's Region 6 office in Dallas and laboratory in Houston. We performed this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions. 12-P-0659 1 ------- We conducted testing to identify the existence of commonly known vulnerabilities using a commercially available network vulnerability assessment tool recognized by the National Institute of Standards and Technology (NIST). We interviewed EPA personnel responsible for managing the network resources located in Region 6. We reviewed relevant EPA interim procedures to obtain an understanding of the Agency's Automated Security Self-Evaluation and Remediation Tracking system used for recording identified weaknesses. We tested the Internet Protocol addresses associated with network resources located in the Region 6 office and laboratory. We used the risk ratings provided by the vulnerability software to determine the level of harm a risk could pose to a networked resource due to the vulnerability and accepted the results from the software tool as the level of risk to EPA's network. Upon follow-up with your office representatives, they acknowledged the existence of the vulnerabilities and stated that some mitigation activities had already begun related to these risks. We performed an inspection of EPA's Region 6 server rooms with key information technology (IT) personnel to assess the physical controls and environmental controls around IT assets. We interviewed Agency IT staff to determine the extent to which IT equipment is protected from physical, environmental, and human threats. We used NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, as the template for evaluating IT security controls around the server rooms. Appendix A includes a summary of our findings at the server rooms assessed and our recommendations by site. We also conducted testing of EPA's Region 6 wireless infrastructure to identify any possible configuration weaknesses using a commercially available wireless scanning tool. Specifically, we performed tests to identify whether any unauthorized wireless devices existed on the region's network. We also performed tests to determine whether the wireless encryption protocols being used on the region's wireless local area network were sufficient to secure it. We found no weaknesses during either of these tests. Recommendations We recommend that the Senior Information Official within Region 6: 1. Provide the OIG a status update for all identified critical-risk, high-risk, and medium-risk vulnerability findings from the technical scanning tool within 30 days of this report. 2. Create plans of action and milestones in the Agency's Automated Security Self- Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures within 30 days of this report. 3. Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities. 4. Establish written procedures for granting authorized access to Region 6 server rooms in Dallas and Houston. 12-P-0659 2 ------- 5. Sanitize and secure all used drives kept in the Houston server room in addition to logging their receipt, rotation, and/or disposal. 6. Establish a process for continuous monitoring of Dallas and Houston server rooms' environmental conditions by personnel or real-time monitoring by existing IT equipment with environmental monitoring capabilities. Action Required Please provide written responses to this report within 30 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates. Due to the sensitive nature of the report's technical findings, the technical details are not included in this report and will not be made available to the public. The OIG plans to post on the OIG's public website the corrective action plans that you provide to us that do not contain sensitive information. Therefore, we request that you provide the response to recommendation 1 in a separate document; we will not make that response available to the public if it contains sensitive information. Your responses should be provided as Adobe PDF files that comply with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. Except for your response to recommendation 1, which will not be posted if it contains sensitive information, your responses should not contain data that you do not want to be released to the public; if those responses contain such data, you should identify the data for redaction or removal. If you or your staff have any questions regarding this report, please contact Patricia H. Hill, Assistant Inspector General for Mission Systems, at (202) 566-0894 or hill.patricia@epa.gov; or Rudolph M. Brevard, Product Line Director, Information Resources Management Assessments, at (202) 566-0893 or brevard.rudv@epa. gov. 12-P-0659 3 ------- Status of Recommendations and Potential Monetary Benefits RECOMMENDATIONS POTENTIAL MONETARY BENEFITS (in $000s) Rec. No. Page No. Subject Status1 Action Official Planned Completion Date Claimed Agreed-To Amount Amount 1 2 Provide the OIG a status update for all identified critical-risk, high-risk, and medium-risk vulnerability findings from the technical scanning tool within 30 days of this report. U Senior Information Official, Region 6 2 2 Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures within 30 days of this report. U Senior Information Official, Region 6 3 2 Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities. u Senior Information Official, Region 6 4 2 Establish written procedures for granting authorized access to Region 6 server rooms in Dallas and Houston. u Senior Information Official, Region 6 5 3 Sanitize and secure all used drives kept in the Houston server room in addition to logging their receipt, rotation, and/or disposal. u Senior Information Official, Region 6 6 3 Establish a process for continuous monitoring of Dallas and Houston server rooms' environmental conditions by personnel or real-time monitoring by existing IT equipment with environmental monitoring capabilities. u Senior Information Official, Region 6 1 0 = recommendation is open with agreed-to corrective actions pending C = recommendation is closed with all agreed-to actions completed U = recommendation is unresolved with resolution efforts in progress 12-P-0659 4 ------- Appendix A Table of Server Room Assessment Findings and Recommendations by Site Key: X = Weakness found at location Ui'l ulllllli'lMlilliolls | |o||s|o|| DiilLis Lack of written procedures for authorizing access to the server rooms. Establish written procedures for granting authorized access to Region 6 server rooms in Dallas and Houston. X X Lack of environmental controls to monitor server room temperature and humidity and alert personnel of emergency. Establish a process for continuous monitoring of Dallas and Houston server room's environmental conditions by personnel or real-time monitoring by existing IT equipment with environmental monitoring capabilities. X X Charged wet-piped fire suppression system leaves uncovered server racks susceptible to water damage. X Un-sanitized data drives with EPA information not logged and left unsecured within server room. Sanitize and secure all used drives kept in the Houston server room in addition to logging their receipt, rotation and/or disposal. X No logging of rotation of backup tapes or transportation/receipt at the Addison offsite storage facility. X 12-P-0659 5 ------- Appendix B Distribution Office of the Administrator Assistant Administrator for Environmental Information and Chief Information Officer Regional Administrator, Region 6 Senior Information Official, Region 6 Agency Follow-Up Official (the CFO) Agency Follow-Up Coordinator General Counsel Associate Administrator for Congressional and Intergovernmental Relations Associate Administrator for External Affairs and Environmental Education Senior Agency Information Security Officer Audit Follow-Up Coordinator, Region 6 12-P-0659 6 ------- |