U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Compliance with the law
Operating efficiently and effectively

Without a Process for Monitoring Sensitive Data, EPA Region 4 Risks Unauthorized Access to File Servers and Share Folders

Report No. 18-P-0234
August 28, 2018

[Cover image: Windows "Advanced Security Settings" dialog for a share folder, with Auditing and Effective Access tabs, listing permission entries by type, principal, access, inherited from, and scope ("This folder only" / "This folder, subfolders and files").]

Report Contributors:
Rudolph M. Brevard
Iantha Maness
Christina Nelson
Jeremy Sigel
Sabrena Stewart

Abbreviations
AC    Access Control
AU    Audit and Accountability
DSS   Directory Service System
EPA   U.S. Environmental Protection Agency
IT    Information Technology
NIST  National Institute of Standards and Technology
OIG   Office of Inspector General
SEMS  Superfund Enterprise Management System
SP    Special Publication

Cover Image: Share folder permission example. (EPA OIG image)

Are you aware of fraud, waste or abuse in an EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov
Learn more about our OIG Hotline.

EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oig
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions

U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
18-P-0234
August 28, 2018

Why We Did This Project

The U.S. Environmental Protection Agency (EPA), Office of Inspector General (OIG), conducted this audit to assess the EPA's implementation of security controls for agency file servers. A file server provides file sharing services so that only authorized users can access, modify, store and delete files. File servers are considered components of an information system and therefore should meet the security guidance of National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

This report addresses the following:
• Compliance with the law.
• Operating efficiently and effectively.

Without a Process for Monitoring Sensitive Data, EPA Region 4 Risks Unauthorized Access to File Servers and Share Folders

What We Found

We determined that a share folder found on EPA Region 4 file servers did not comply with federal and agency guidance for access administration. The Region 4 share folder contained sensitive data, and the region did not have a process to monitor user activity or content in file servers' share folders. Sensitive data are vulnerable to unauthorized disclosure without a tool or process in place to monitor user activity and access to share folders found on EPA Region 4 file servers.

Federal and agency guidance requires agencies to implement security controls for their information systems and related components. Information system components include file servers and the share folders they host. Region 4 lacked documented procedures for EPA information technology security control requirements applicable to file servers and share folders. In addition, Region 4 lacked documented procedures for monitoring share folder access or content. EPA data were vulnerable to unauthorized access because Region 4 did not create procedures to ensure that EPA security control requirements were implemented for file servers and share folders.
The lack of procedures, combined with the lack of audit logging or an audit log review process, put the EPA at risk of unauthorized activity going undetected and uninvestigated.

Recommendation and Agency Corrective Actions Taken

We recommend that the Regional Administrator for Region 4 develop a process to approve and monitor access to share folder content that is consistent with requirements contained in National Institute of Standards and Technology Special Publication 800-53 and EPA information security procedures.

Region 4 agreed with our report and recommendation. The region completed all proposed corrective actions by August 14, 2018, and those actions satisfy the intent of the recommendation.

Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oig.
Listing of OIG reports.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL

August 28, 2018

MEMORANDUM

SUBJECT: Without a Process for Monitoring Sensitive Data, EPA Region 4 Risks Unauthorized Access to File Servers and Share Folders
         Report No. 18-P-0234

FROM: Arthur A. Elkins Jr.

TO: Trey Glenn, Regional Administrator, Region 4

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). The project number for this audit was OA-FY17-0138. This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position.

The Information Systems Management Branch within EPA Region 4 is responsible for implementing the recommendation in this report.

In accordance with EPA Manual 2750, your office completed acceptable corrective actions in response to the OIG recommendation. The recommendation is resolved, and no final response to this report is required.
However, if you submit a response, it will be posted on the OIG's website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification.

We will post this report to our website at www.epa.gov/oig.

Without a Process for Monitoring Sensitive Data, EPA Region 4 Risks Unauthorized Access to File Servers and Share Folders
18-P-0234

Table of Contents

Purpose ..... 1
Background ..... 1
Responsible Offices ..... 2
Scope and Methodology ..... 2
Results ..... 3
  EPA Region 4 Needs to Improve the Process for Verifying Access to SEMS Share Folder ..... 4
  No Process Is in Place to Review and Analyze Share Folders for Unauthorized Access ..... 5
Conclusion ..... 5
Recommendation ..... 6
Agency Response and OIG Evaluation ..... 6
Status of Recommendations and Potential Monetary Benefits ..... 7
Appendices
  A  Agency Response to Draft Report ..... 8
  B  Distribution ..... 10

Purpose

The U.S. Environmental Protection Agency (EPA), Office of Inspector General (OIG), sought to determine whether the EPA is implementing security controls for agency file servers.

Background

According to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-123, Guide to General Server Security, dated July 2008, a file server provides one or more services over a network as its primary function. A file server provides services where authorized users can access, modify, store and delete files. As illustrated in Figure 1, file servers contain share folders. These share folders contain files that multiple users or groups can access based on their authorization.

[Figure 1: Interrelationship of a file, share folder and file server. Source: OIG image.]
File servers are considered a component of an information system and therefore should meet the security guidance of NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

File servers can exist within the EPA's directory service system (DSS) or outside of the DSS. The EPA uses a commercial off-the-shelf product for its DSS. The EPA uses the DSS to centralize which type of servers can be accessed and which users are allowed access to the agency's network. The EPA also has stand-alone file servers outside of the DSS, which can be set up for a particular purpose or as part of an EPA application.

The EPA's Superfund Enterprise Management System (SEMS) is the agency's system of record for the Superfund program. The SEMS contains the official inventory of Superfund sites, as well as documentation encompassing site cleanup activities at regional Superfund sites, contract documentation, enforcement records, and emergency response and contaminant information, among other items. The SEMS is key to the EPA meeting its responsibilities to federal agencies, Congress and the public regarding Superfund site remediation. The SEMS is also used for Freedom of Information Act requests, administrative records and litigation support.

Note: A directory service system provides a centralized location to store information about users, computers and other equipment on a network, as well as integrated services that are used to manage network users, services and devices.

Responsible Offices

The Office of Information Technology Operations, within the Office of Environmental Information, is responsible for implementing and managing the EPA's information technology (IT) infrastructure, which includes the agency's DSS and IT solutions. EPA program and regional offices are responsible for the administration of their own file servers and associated share folders.
This responsibility includes controlling who can access the file servers and share folders. In EPA Region 4, personnel in the Information Systems Management Branch are responsible for managing these activities.

Scope and Methodology

We conducted this audit from February 2017 to June 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

We also obtained a population of file servers outside of the EPA's DSS, using survey responses from EPA program and regional offices' IT personnel responsible for administering file servers. During our audit fieldwork, we learned that users had migrated data on these servers to another technology. We followed up with system owners to gather an understanding of how they migrated the data.

We identified the population of EPA file servers, as of March 2017, from an Office of Environmental Information report on file servers within the EPA's DSS network, and we judgmentally selected 10 file servers from the EPA offices listed in Table 1. File servers were sampled based on the portion of the EPA file server population owned by the EPA program office/region and on their proximity to EPA headquarters, where our audit work was performed. We interviewed office personnel about file server access administration and the existence of share folders with sensitive information on their file servers.

Table 1: Sampled EPA program/regional office file servers on the DSS

Program/regional office                         | File servers on the EPA's DSS network | File servers sampled | Share folders with sensitive information hosted on sampled file servers
Office of Enforcement and Compliance Assurance  | 17 | 2 | 0
Office of Environmental Information             | 16 | 2 | 0
Office of Research and Development              | 37 | 4 | 0
Region 4                                        | 22 | 2 | 1

Source: OIG-created table.

Based on our initial interviews with EPA offices, we narrowed our scope to the Region 4 sampled share folder that stores scanned SEMS documents with sensitive data. We tested whether the share folder was in compliance with the following NIST SP 800-53 security controls:

• Access Control (AC), Account Management.
  o AC-2b: Account manager assigned.
  o AC-2d: Specified authorized users of the system.
  o AC-2e: Authorized official approves accounts.
  o AC-2h: Notified managers of changes in user access.
  o AC-2i: Authorized information system access based on criteria.
  o AC-2j: Accounts reviewed for compliance with account management requirements.
• Audit and Accountability (AU), Audit Events.
  o AU-2: Audit organization-defined events within the information system.
• AU, Audit Review, Analysis and Reporting.
  o AU-6: Audit records reviewed and analyzed for unusual activity.

Results

EPA Region 4 lacked implemented security controls for the sampled SEMS share folder. We found the conditions existed because Region 4 IT personnel lacked documented procedures for federal and agency IT guidance applicable to file servers and share folders. This lack of documentation included procedures for file servers and share folders that did or did not contain sensitive information. The EPA's IT security procedures require system owners to comply with NIST controls for all EPA information and information systems. There were no procedures implemented to track share folder content due to Region 4's reliance on user discretion and the access certification process. The file server with sensitive data was susceptible to compromise because of the lack of implemented security controls.
Table 2 outlines the NIST information system security controls reviewed and the compliance rate.

Table 2: Region 4 compliance with required NIST SP 800-53 access control and audit and accountability controls

NIST SP 800-53 control tested                                                           | Region 4 compliance
AC-2b: Account manager assigned.                                                        | Noncompliant
AC-2d: Specified authorized users of the system.                                        | Noncompliant
AC-2e: Authorized official approves accounts.                                           | Noncompliant
AC-2h: Notified managers of changes in user access.                                     | Noncompliant
AC-2i: Authorized information system access based on criteria.                          | Noncompliant
AC-2j: Accounts reviewed for compliance with account management requirements.           | Noncompliant
AU-2: Audit organization-defined events within the information system.                  | Noncompliant
AU-6: Audit records reviewed and analyzed for unusual activity.                         | Noncompliant

Source: OIG-created table.

EPA Region 4 Needs to Improve the Process for Verifying Access to SEMS Share Folder

EPA Region 4 personnel were not verifying that access to the SEMS share folder is granted to only authorized users based on a valid access authorization. Region 4 personnel assigned share folder access roles to employees through the SEMS User Request System. Region 4 personnel stated that there is no documented list of authorized approvers or account managers for share folder users. There also was no regular review of share folder access for compliance with account management requirements. We found that share folder users were granted access without documented approval. In addition, share folders were not monitored for unusual activity or access to sensitive information.

NIST SP 800-53, security control AC-2, Account Management, requires valid access authorization, an assigned account manager, regular compliance review, and authorized approval for agency information system accounts. NIST SP 800-53, security control AU-2, Audit Events, requires certain organization-defined events to be audited.
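The following PowerShell script is an added example and is not code from the OIG report, from EPA Region 4 or from NIST; it shows what a documented share-folder review covering the controls above could look like on a Windows file server. It compares the access entries on one share against an approval record (AC-2d, AC-2e and AC-2j), adds an audit rule so that file access under the share produces Security log event 4663 (AU-2), and screens a week of those events for activity a reviewer would want to look at (AU-6). The share name SEMS_Scans, its path, the approval records, the sample events and the screening rules (deletes, after-hours access, accounts without an approval on file) are assumptions made for this illustration. With -UseSampleData the script runs offline against the constructed data; without it, the functions call Get-SmbShareAccess, Get-Acl/Set-Acl and Get-WinEvent on the server where they run.

```powershell
# Added example, not code from the OIG report or from EPA Region 4.
# Assumed/constructed values: the share name, its path, the approval records,
# the sample events and the screening rules are placeholders for this illustration.
param(
    [string]$ShareName = 'SEMS_Scans',            # hypothetical share name
    [string]$SharePath = 'D:\Shares\SEMS_Scans',  # hypothetical local path of the share
    [switch]$UseSampleData                        # run on constructed data instead of live cmdlets
)

# AC-2: the authorization record an account manager is expected to keep (constructed).
$Approved = @'
Account,AccessRight,ApprovedBy,ApprovalDate
R4\jdoe,Read,Region4.AcctMgr,2018-07-13
R4\asmith,Full,Region4.AcctMgr,2018-07-13
'@ | ConvertFrom-Csv

# AU-2: add a system ACL so reads, writes and deletes under the share produce
# Security log event 4663. Call once per share as an administrator; the
# "File System" object-access audit subcategory must also be enabled, e.g.
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
function Enable-ShareAudit {
    param([string]$Path)
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData,WriteData,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ShareAccessEntries {
    param([string]$Name, [switch]$Sample)
    if ($Sample) {
        # Constructed entries shaped like Get-SmbShareAccess output; the last one has no approval.
        return @(
            [pscustomobject]@{ AccountName = 'R4\jdoe';         AccessControlType = 'Allow'; AccessRight = 'Read' }
            [pscustomobject]@{ AccountName = 'R4\asmith';       AccessControlType = 'Allow'; AccessRight = 'Full' }
            [pscustomobject]@{ AccountName = 'R4\contractor-x'; AccessControlType = 'Allow'; AccessRight = 'Change' }
        )
    }
    Get-SmbShareAccess -Name $Name
}

# AC-2d/e/j: every Allow entry must trace to an approval and must not exceed the approved right.
function Compare-ShareAccess {
    param($Entries, $Approved)
    foreach ($e in ($Entries | Where-Object { $_.AccessControlType -eq 'Allow' })) {
        $a = $Approved | Where-Object { $_.Account -eq $e.AccountName }
        $status = if (-not $a) { 'NO APPROVAL ON FILE' }
                  elseif ($a.AccessRight -ne $e.AccessRight) { "EXCEEDS APPROVED RIGHT ($($a.AccessRight))" }
                  else { 'OK' }
        [pscustomobject]@{ Account = $e.AccountName; Granted = $e.AccessRight; Status = $status }
    }
}

# AU-6: one week of 4663 (object accessed) events for objects under the share path.
function Get-ShareAccessEvents {
    param([string]$Path, [switch]$Sample)
    if ($Sample) {
        # Constructed events. In the 4663 access mask 0x1 = ReadData, 0x2 = WriteData, 0x10000 = DELETE.
        return @(
            [pscustomobject]@{ Time = [datetime]'2018-08-13 09:12'; User = 'jdoe';         Object = "$Path\site123.pdf"; AccessMask = 0x1 }
            [pscustomobject]@{ Time = [datetime]'2018-08-13 23:41'; User = 'contractor-x'; Object = "$Path\site123.pdf"; AccessMask = 0x1 }
            [pscustomobject]@{ Time = [datetime]'2018-08-14 10:05'; User = 'jdoe';         Object = "$Path\site987.pdf"; AccessMask = 0x10000 }
        )
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-7) } |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data.SubjectUserName; Object = $data.ObjectName; AccessMask = [int]$data.AccessMask }
        } |
        Where-Object { $_.Object -like "$Path*" }
}

# Screening rules for "inappropriate or unusual activity". The rules are an assumption for
# this example: deletes, after-hours access, and any account without an approval on file.
function Find-UnusualAccess {
    param($Events, $Approved)
    $approvedUsers = $Approved.Account | ForEach-Object { ($_ -split '\\')[-1] }
    foreach ($ev in $Events) {
        $reasons = @()
        if ($ev.AccessMask -band 0x10000)                 { $reasons += 'delete' }
        if ($ev.Time.Hour -lt 6 -or $ev.Time.Hour -ge 20) { $reasons += 'after-hours' }
        if ($ev.User -notin $approvedUsers)               { $reasons += 'no approval on file' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $ev.Time; User = $ev.User; Object = $ev.Object; Reasons = ($reasons -join ', ') }
        }
    }
}

$accessReview = Compare-ShareAccess -Entries (Get-ShareAccessEntries -Name $ShareName -Sample:$UseSampleData) -Approved $Approved
$auditReview  = Find-UnusualAccess  -Events  (Get-ShareAccessEvents  -Path $SharePath -Sample:$UseSampleData) -Approved $Approved
$accessReview | Format-Table -AutoSize
$auditReview  | Format-Table -AutoSize

# Record the review itself with a date: the report faulted spot checks that nobody documented.
$stamp = Get-Date -Format 'yyyy-MM-dd'
if ($accessReview) { $accessReview | Export-Csv -NoTypeInformation -Path ".\$ShareName-access-review-$stamp.csv" }
if ($auditReview)  { $auditReview  | Export-Csv -NoTypeInformation -Path ".\$ShareName-audit-review-$stamp.csv" }
```

On the constructed data the access review reports R4\contractor-x as "NO APPROVAL ON FILE" and the audit review flags the 23:41 read by contractor-x (after-hours, no approval on file) and the delete by jdoe. Enable-ShareAudit is defined but not called automatically, since it changes the folder's system ACL; run it once per sensitive share. The dated CSV files are the point of the last lines: a review that leaves no record is the ad hoc spot check the report describes.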
Security control AU-6, Audit Review, Analysis and Reporting, requires an organization to review and analyze information system audit records for indications of inappropriate or unusual activity. The EPA Chief Information Officer Transmittal 2150-P-01.2, Information Security, Access Control Procedures, specifies that system owners shall review users' activities to enforce access controls. The Chief Information Officer Transmittal 2150-P-03.2, Information Security, Audit and Accountability Procedures, further requires an organization to review and analyze audit logs and records weekly for organization-defined events, such as indications of inappropriate or unusual activity and access to sensitive information.

The conditions existed because Region 4 personnel lacked documented procedures for EPA access administration or audit log requirements applicable to agency file servers and share folders. The EPA's IT security procedures state that system owners must comply with NIST requirements for all EPA information and information systems. However, those directives do not tell EPA offices how to specifically implement the procedures.

No Process Is in Place to Review and Analyze Share Folders for Unauthorized Access

There was no process in place to review and analyze share folder activity for unauthorized access or transactions. Region 4 personnel stated that adding or removing sensitive data in the share folder is entrusted to end users, whose compliance with agency information system access requirements is controlled by the SEMS User Request System certification process. Region 4 personnel stated that it is the end users' responsibility to make only authorized transactions when storing data on the share folder. Region 4 personnel also stated that they only review the number and permissions of their share folders from a Microsoft Excel spreadsheet.
However, the spreadsheet that Region 4 personnel created was only spot-checked on an ad hoc basis, and personnel did not document their review.

The agency's data were vulnerable to unauthorized access because Region 4 personnel did not create procedures for EPA security control requirements for file servers and share folders. The lack of documented procedures for EPA security controls also compromised the confidentiality and integrity of sensitive agency data stored on Region 4 share folders. Combined with the lack of audit logging or an audit log review process, the EPA risked unauthorized activity going undetected and uninvestigated. Region 4 had not implemented any of the mandated NIST information system security controls we reviewed.

Conclusion

By not implementing mandatory NIST information security controls, EPA Region 4 risked the unauthorized disclosure of sensitive agency data.

Recommendation

We recommend that the Regional Administrator, Region 4:

1. Develop a process for approving and monitoring access to share folder content. The procedures should include a process to verify that personnel responsible for controlling access to file servers and share folders containing sensitive information implement access and audit log control procedures as required by National Institute of Standards and Technology Special Publication 800-53 and agency information security procedures.

Agency Response and OIG Evaluation

Region 4 agreed with the report's findings and recommendation. Region 4 indicated that it conducted an internal meeting to discuss the region's current procedures for managing access to share folders. Region 4 also documented standard operating procedures for approving and monitoring share folder content, which are consistent with NIST SP 800-53 requirements and approved by the acting Chief of the Information Systems Management Branch.
We believe that the actions taken satisfy the intent of the recommendation, and all corrective actions were completed by August 14, 2018. Appendix A contains the full written response from Region 4.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

Rec. No. | Page No. | Subject | Status¹ | Action Official | Planned Completion Date | Potential Monetary Benefits (in $000s)
1 | 6 | Develop a process for approving and monitoring access to share folder content. The procedures should include a process to verify that personnel responsible for controlling access to file servers and share folders containing sensitive information implement access and audit log control procedures as required by National Institute of Standards and Technology Special Publication 800-53 and agency information security procedures. | C | Regional Administrator, Region 4 | 8/14/18 |

¹ C = Corrective action completed. R = Recommendation resolved with corrective action pending. U = Recommendation unresolved with resolution efforts in progress.

Appendix A

Agency Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
REGION 4
ATLANTA FEDERAL CENTER
61 FORSYTH STREET
ATLANTA, GEORGIA 30303-8960

July 31, 2018

MEMORANDUM

SUBJECT: Response to the Office of Inspector General (OIG) Draft Report: EPA Region 4 Needs to Monitor and Review User Activity on File Servers (Project No. OA-FY17-0138)

FROM: Onis "Trey" Glenn, III, Regional Administrator, Region 4

TO: Rudolph M. Brevard, Director, Information Resources Management Directorate, Office of Environmental Information

This memorandum is to acknowledge receipt of the subject draft report, dated July 5, 2018, written by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). EPA Region 4 has reviewed the report in its entirety and concurs with the factual accuracy of each finding, as well as the recommendation provided by the OIG.

In response to the OIG's recommendation, Region 4 has taken preliminary steps to implement corrective actions consistent with requirements of the National Institute of Standards and Technology (NIST), Special Publication 800-53, and agency information security procedures. Accordingly, please note the following corrective actions:

CORRECTIVE ACTIONS:

1. The Information Systems Management Branch (ISMB) of the Office of Policy and Management (OPM) will meet with the Superfund Enterprise Management System (SEMS) Administrator to discuss the Superfund Division's current procedures for managing access to shared folders.
   Planned Completion Date: Friday, July 13, 2018.

2. ISMB will develop official Standard Operating Procedures (SOPs) for SEMS management of shared folders which will include audit criteria, specific measures for managing access to folders, a detailed list of roles and responsibilities, and a process to verify personnel responsible for controlling access to file servers and shared folders containing sensitive data. The SOPs will align with the requirements and guidelines set by the agency's information security procedures and the National Institute of Standards and Technology (NIST) controls.
   Planned Completion Date: Friday, August 31, 2018.

Should any questions or concerns arise regarding the above planned corrective actions, please contact Don Westra, Acting Chief, ISMB, at 404-562-8129 or Westra.Don@epa.gov.
cc: Kristy Eubanks
    Rickey Felton
    Kathie Johnson
    Keith Mills
    Jeremy Sigel
    Pareasa Stevens
    Don Westra

Appendix B

Distribution

The Administrator
Deputy Administrator
Special Advisor, Office of the Administrator
Chief of Staff
Regional Administrator, Region 4
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Regional Administrator, Region 4
Principal Deputy Assistant Administrator and Deputy Chief Information Officer, Office of Environmental Information
Chief Information Security Officer, Office of Information Security and Privacy, Office of Environmental Information
Director, Office of Continuous Improvement
Director, Information Systems Management Branch, Region 4
Director, Office of Information Technology Operations, Office of Environmental Information
Director, Office of Regional Operations
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Region 4
Audit Follow-Up Coordinator, Office of Environmental Information
Public Affairs Officer, Region 4