IG: USPS at risk of unauthorized network access

The U.S. Postal Service has an elevated risk of network intrusions because it does not know how many internet-facing hosts it has on its networks and it lacks adequate firewall protections, according to a Nov. 3 inspector general report.

In fiscal 2015, the USPS.com website averaged 3 million daily visits from customers who conducted more than 50 million transactions and generated $1 billion in revenue for the agency. In addition, more than 493,000 USPS employees use internet-facing devices to sign up for direct deposit or complete other human resources-related transactions, the report states.

Auditors found that USPS cybersecurity managers do not scan the agency's entire network to identify web-based hosts when conducting vulnerability assessments and instead scan only known hosts. As a result, USPS cannot catalog all the devices on its networks and is at greater risk of unauthorized and unknown connectivity.

Even on the known hosts, USPS can only identify the host name and its IP address; it cannot ascertain the system's owner, operating system or location of the device.

Managers also find it difficult to record all data elements because USPS relies on disparate information systems.

Furthermore, auditors found that USPS' obsolete firewall settings do not filter unnecessary traffic, which violates industry best practices and can allow outside devices to discover other hosts on the network. In addition, managers lack an adequate plan to update firewall policies when configuration changes are made to internet-facing hosts.

Auditors recommended that USPS create a centralized catalog of internet-facing hosts, develop a review process to update that catalog, regularly conduct host enumeration scans, and review and update firewall rules to limit unnecessary network traffic.

USPS officials generally concurred with the IG's recommendations and said they plan to complete an inventory of web-based devices, conduct a review process to eliminate data gaps and begin quarterly firewall configuration reviews by Dec. 15. In addition, they pledged to scan for and close unnecessary network connections by Jan. 30, 2017.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
