
IG: USPS at risk of unauthorized network access

The U.S. Postal Service has an elevated risk of network intrusions because it does not know how many internet-facing hosts it has on its networks and it lacks adequate firewall protections, according to a Nov. 3 inspector general report.

In fiscal 2015, the USPS.com website averaged 3 million daily visits from customers who conducted more than 50 million transactions and generated $1 billion in revenue for the agency. In addition, more than 493,000 USPS employees use internet-facing devices to sign up for direct deposit or complete other human resources-related transactions, the report states.

Auditors found that USPS cybersecurity managers do not scan the agency's entire network to identify web-based hosts when conducting vulnerability assessments and instead only scan known hosts. As a result, USPS cannot catalog all the devices on its networks and is at greater risk of unauthorized and unknown connectivity.

Even on the known hosts, USPS can only identify the host name and its IP address; it cannot ascertain the device's owner, operating system or location.

Managers also find it difficult to record all data elements because USPS relies on disparate information systems.

Furthermore, auditors found that USPS' obsolete firewall settings do not filter unnecessary traffic, which violates industry best practices and can allow outside devices to discover other hosts on the network. In addition, managers lack an adequate plan to update firewall policies when configuration changes are made to internet-facing hosts.

Auditors recommended that USPS create a centralized catalog of internet-facing hosts, develop a review process to update that catalog, regularly conduct host enumeration scans, and review and update firewall rules to limit unnecessary network traffic.

USPS officials generally concurred with the IG's recommendations and said they plan to complete an inventory of web-based devices, conduct a review process to eliminate data gaps and begin quarterly firewall configuration reviews by Dec. 15. In addition, they pledged to scan for and close unnecessary network connections by Jan. 30, 2017.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
