IG: USPS at risk of unauthorized network access
The U.S. Postal Service does not know how many internet-facing hosts it has, lacks adequate firewall protections and is therefore vulnerable to unwanted network intrusions.
The U.S. Postal Service has an elevated risk of network intrusions because it does not know how many internet-facing hosts it has on its networks and it lacks adequate firewall protections, according to a Nov. 3 inspector general report.
In fiscal 2015, the USPS.com website averaged 3 million daily visits from customers who conducted more than 50 million transactions and generated $1 billion in revenue for the agency. In addition, more than 493,000 USPS employees use internet-facing devices to sign up for direct deposit or complete other human resources-related transactions, the report states.
Auditors found that USPS cybersecurity managers do not scan the agency's entire network to identify web-based hosts when conducting vulnerability assessments and instead only scan known hosts. As a result, USPS cannot catalog all the devices on its networks and is at greater risk of unauthorized and unknown connectivity.
Even on the known hosts, USPS can only identify the host name and its IP address; it cannot ascertain the system's owner, operating system or location of the device.
Managers also find it difficult to record all data elements because USPS relies on disparate information systems.
Furthermore, auditors found that USPS' obsolete firewall settings do not filter unnecessary traffic, which violates industry best practices, and can allow outside devices to discover other hosts on the network. In addition, managers lack an adequate plan to update firewall policies when configuration changes are made to internet-facing hosts.
Auditors recommended that USPS create a centralized catalog of internet-facing hosts, develop a review process to update that catalog, regularly conduct host enumeration scans, and review and update firewall rules to limit unnecessary network traffic.
USPS officials generally concurred with the IG's recommendations and said they plan to complete an inventory of web-based devices, conduct a review process to eliminate data gaps and begin quarterly firewall configuration reviews by Dec. 15. In addition, they pledged to scan for and close unnecessary network connections by Jan. 30, 2017.