
IG: USPS at risk of unauthorized network access


The U.S. Postal Service has an elevated risk of network intrusions because it does not know how many internet-facing hosts it has on its networks and it lacks adequate firewall protections, according to a Nov. 3 inspector general report.

In fiscal 2015, the USPS.com website averaged 3 million daily visits from customers who conducted more than 50 million transactions and generated $1 billion in revenue for the agency. In addition, more than 493,000 USPS employees use internet-facing devices to sign up for direct deposit or complete other human resources-related transactions, the report states.

Auditors found that USPS cybersecurity managers do not scan the agency's entire network to identify web-based hosts when conducting vulnerability assessments and instead only scan known hosts. As a result, USPS cannot catalog all the devices on its networks and is at greater risk of unauthorized and unknown connectivity.

Even on the known hosts, USPS can only identify the host name and its IP address; it cannot ascertain the system's owner, operating system or location of the device.

Managers also find it difficult to record all data elements because USPS relies on disparate information systems.

Furthermore, auditors found that USPS' firewall settings are obsolete and do not filter unnecessary traffic, which violates industry best practices and can allow outside devices to discover other hosts on the network. In addition, managers lack an adequate plan to update firewall policies when configuration changes are made to internet-facing hosts.

Auditors recommended that USPS create a centralized catalog of internet-facing hosts, develop a review process to update that catalog, regularly conduct host enumeration scans, and review and update firewall rules to limit unnecessary network traffic.
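As an added example (not code from the IG report, USPS or FCW), this is the reconciliation step those recommendations imply: the output of a host-enumeration scan is compared against a catalog of known internet-facing hosts to flag hosts the catalog does not know, catalog entries that record only hostname and IP without owner, operating system or location, and entries no scan still sees. The catalog, hostnames, addresses (RFC 5737 documentation range) and the "ip hostname ports" scan format are all constructed for the example and are not any real scanner's output.

```python
# Added example; not from the IG report or USPS. Reconciles a host-enumeration
# scan against a catalog of known internet-facing hosts.
from typing import Dict, List, Tuple

# Data elements the audit says the catalog could not supply for known hosts.
REQUIRED_FIELDS = ("owner", "os", "location")

# Constructed catalog keyed by IP (documentation addresses, made-up names).
CATALOG: Dict[str, Dict[str, str]] = {
    "198.51.100.10": {"hostname": "web1.example.test", "owner": "Web Ops",
                      "os": "RHEL 7", "location": "DC-East"},
    "198.51.100.11": {"hostname": "web2.example.test"},            # name + IP only
    "198.51.100.12": {"hostname": "hr.example.test", "owner": "HR IT",
                      "os": "", "location": "DC-West"},              # OS missing
}

# Constructed scan output in a simplified "ip hostname ports" line format
# (a stand-in for whatever enumeration tool produces the real list).
SCAN_OUTPUT = """\
# ip            hostname            open_ports
198.51.100.10   web1.example.test   443
198.51.100.11   web2.example.test   443
198.51.100.13   -                   22,80
"""

def parse_scan(text: str) -> List[Dict[str, object]]:
    """Parse the constructed scan format; '-' marks an unresolved hostname."""
    hosts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, name, ports = line.split()
        hosts.append({"ip": ip, "hostname": "" if name == "-" else name,
                      "open_ports": [int(p) for p in ports.split(",")]})
    return hosts

def reconcile(catalog, hosts) -> Tuple[List[str], Dict[str, List[str]], List[str]]:
    """Return (IPs the scan saw but the catalog lacks, catalog entries missing
    required data elements, catalog entries the scan no longer sees)."""
    seen = {h["ip"] for h in hosts}
    unknown = sorted(h["ip"] for h in hosts if h["ip"] not in catalog)
    incomplete = {ip: [f for f in REQUIRED_FIELDS if not rec.get(f)]
                  for ip, rec in catalog.items()
                  if any(not rec.get(f) for f in REQUIRED_FIELDS)}
    stale = sorted(ip for ip in catalog if ip not in seen)
    return unknown, incomplete, stale

if __name__ == "__main__":
    unknown, incomplete, stale = reconcile(CATALOG, parse_scan(SCAN_OUTPUT))
    print("not in catalog:", unknown)
    print("incomplete records:", incomplete)
    print("no longer seen by scan:", stale)
```

Each of the three lists maps to one recommendation: unknown hosts feed the catalog, incomplete records drive the data-gap review, and stale entries are candidates for removal or for closing the connection.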

USPS officials generally concurred with the IG's recommendations and said they plan to complete an inventory of web-based devices, conduct a review process to eliminate data gaps and begin quarterly firewall configuration reviews by Dec. 15. In addition, they pledged to scan for and close unnecessary network connections by Jan. 30, 2017.

About the Author

Chase Gunter is a former FCW staff writer.
