
Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure

Report No. 04-05
November 2003
Office of the Inspector General


Appendix 8
The Twelve Critical IT Asset Vulnerabilities

Vulnerability#1: Lack of auditing features, audit trails, or policies and procedures.
Threat: All threat areas can impact this vulnerability.
Discussion: Twelve of the critical IT assets reported vulnerabilities in the area of auditing features or audit trails. In some of the systems, the auditing function was non-existent, either because it was disabled or because it was not a feature of the software. In other systems, the audit trail did not track activities of system users to modify, bypass, or negate system security safeguards. In some of the systems that had adequate audit features, the logs were not reviewed, there were no policies or procedures in place addressing review of the audit logs, or the mechanism to review the audit logs was insufficient to detect a pattern of access that would indicate a problem.
Risk Rating: Low - Moderate
Mitigation Action: Components should ensure the current IT security policy on auditing and audit trails is implemented on their critical IT assets. The IMSS will utilize its internal database to track the resolution of this vulnerability.
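The last finding above, a review mechanism that cannot detect a pattern of access, is illustrated by the following added example. It is not part of the report or of any Department system; the log line format, the field names, the action names such as "audit_disable", and the thresholds are assumptions chosen for the example. It reads constructed audit lines and flags two patterns that no single line reveals: repeated failed log-ins from one source within a short window, and any action that alters the audit safeguard itself.

```python
"""Review constructed audit-log lines for patterns that indicate a problem.

Covers two patterns named in the appendix: repeated failed log-ins from one
source (visible only across several lines) and any attempt to modify or
disable the audit facility itself. The line format below is an assumption
of this example, not the format of any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO timestamp> <user> <source host> <action> <outcome>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<action>\S+) (?P<outcome>\S+)$"
)

# Actions that modify or negate the audit safeguard itself (constructed names).
SAFEGUARD_ACTIONS = {"audit_disable", "audit_config_change", "audit_log_delete"}


def parse(lines):
    """Return (records, malformed); malformed lines are reported, never dropped silently."""
    records, malformed = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, malformed


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return (user, host) pairs with at least `threshold` failed log-ins inside any `window`."""
    by_key = defaultdict(list)
    for r in records:
        if r["action"] == "login" and r["outcome"] == "FAIL":
            by_key[(r["user"], r["host"])].append(r["ts"])
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


def safeguard_changes(records):
    """Return every record whose action touches the audit safeguard, whatever its outcome."""
    return [r for r in records if r["action"] in SAFEGUARD_ACTIONS]


def review(lines, threshold=3, window=timedelta(minutes=5)):
    """Run both pattern checks and report unparseable lines alongside the findings."""
    records, malformed = parse(lines)
    return {
        "bursts": failed_login_bursts(records, threshold, window),
        "safeguard": [(r["user"], r["action"], r["outcome"]) for r in safeguard_changes(records)],
        "malformed": malformed,
    }


# Constructed sample log; not taken from any real system.
SAMPLE_LOG = [
    "2002-03-04T08:00:01 jdoe 10.1.1.5 login OK",
    "2002-03-04T08:00:10 admin 10.1.1.9 login FAIL",
    "2002-03-04T08:00:31 admin 10.1.1.9 login FAIL",
    "2002-03-04T08:01:02 admin 10.1.1.9 login FAIL",
    "2002-03-04T08:03:44 admin 10.1.1.9 login OK",
    "2002-03-04T08:04:00 admin 10.1.1.9 audit_disable OK",
    "2002-03-04T09:15:00 jdoe 10.1.1.5 login FAIL",
    "2002-03-04T17:15:00 jdoe 10.1.1.5 login FAIL",
    "2002-03-04T17:16:00 jdoe 10.1.1.5 login FAIL",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for name, result in review(SAMPLE_LOG).items():
        print(name, result)
```

In the sample, the three failures for "admin" fall within one five-minute window and are flagged, while the three spread-out failures for "jdoe" are not; the audit_disable record is reported regardless of outcome, since a successful change to the safeguard is exactly what a reviewer must see.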

Vulnerability #2: Improper or inadequate password protection, password aging, and construction.
Threat: All threat areas can impact this vulnerability.
Discussion:

Nine of the critical IT assets had vulnerabilities related to password aging, inadequate password protection, and password construction. Some of the systems had more than one vulnerability in this area.

  • Three systems had vulnerabilities related to default passwords.
  • Three of the systems allowed passwords that either did not meet the requirements of minimum length or did not enforce the use of alphanumeric or special characters.
  • Three systems had vulnerabilities associated with unencrypted passwords.
  • Three of the systems did not enforce the password aging policy.
  • Three of the systems had vulnerabilities associated with users sharing passwords.
Risk Rating: Moderate
Mitigation Action: Change initial login and default passwords immediately as the login passwords can be easily guessed or are widely known. Also, implement the current IT security policy on encryption, identification and authentication, and password management. Information Management and Security Staff will utilize its internal database to track the resolution of this vulnerability.
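The construction and aging requirements listed above can be enforced mechanically. The following is an added example, not code from the report or from any Department system; the minimum length, the 90-day aging limit, and the list of default passwords are assumptions chosen for the example. Construction checks apply to a candidate password at the moment it is chosen (the only point at which the plaintext should be available); the aging check runs over stored account metadata, so no stored plaintext is needed for it.

```python
"""Check candidate passwords and account metadata against the requirements named in the appendix.

Construction: not a known default, minimum length, letters plus digits plus a
special character. Aging: last change within the policy limit. Thresholds and
the default-password list are assumptions of this example.
"""
from datetime import date
import string

MIN_LENGTH = 8       # assumed policy value
MAX_AGE_DAYS = 90    # assumed aging policy

# Constructed list standing in for vendor defaults; a real list comes from product documentation.
KNOWN_DEFAULTS = {"password", "admin", "changeme", "manager"}


def construction_findings(password):
    """Return the construction rules a candidate password fails; an empty list means it passes."""
    findings = []
    if password.lower() in KNOWN_DEFAULTS:
        findings.append("default password")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        findings.append("no letters")
    if not any(c.isdigit() for c in password):
        findings.append("no digits")
    if not any(c in string.punctuation for c in password):
        findings.append("no special characters")
    return findings


def aging_findings(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """Return an aging finding when the password is older than the policy allows."""
    age = (today - last_changed).days
    if age > max_age_days:
        return [f"password is {age} days old (limit {max_age_days})"]
    return []


def audit_aging(accounts, today):
    """Apply the aging check to every account record (metadata only, no passwords)."""
    return {a["user"]: aging_findings(a["last_changed"], today) for a in accounts}


# Constructed candidates, deliberately weak to exercise each rule.
SAMPLE_CANDIDATES = ["changeme", "Tr0ub4dor&3", "letmein2002", "Short1!"]

# Constructed account metadata; the review date is fixed so results are reproducible.
SAMPLE_ACCOUNTS = [
    {"user": "svc_backup", "last_changed": date(2001, 6, 1)},
    {"user": "jdoe", "last_changed": date(2002, 2, 1)},
    {"user": "admin", "last_changed": date(2002, 1, 15)},
]
REVIEW_DATE = date(2002, 3, 1)

if __name__ == "__main__":
    for pw in SAMPLE_CANDIDATES:
        print(repr(pw), construction_findings(pw) or ["OK"])
    for user, findings in audit_aging(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user, findings or ["OK"])
```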

Vulnerability #3: Lack of Encryption.
Threat: All threat areas can impact this vulnerability.
Discussion:

Lack of encryption was cited as a vulnerability in five SBU critical IT systems. No National Security Information (NSI) [systems] had vulnerabilities related to encryption.

  • Four of the systems stored and transmitted highly sensitive data without encryption, including passwords (mainframe applications).
  • Three systems transmitted highly sensitive data without encryption across the wide area network.
Risk Rating: Moderate
Mitigation Action: Encrypt SBU data across general support systems because of the impact the information has on the Department's PDD 63 mission. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #4: Software patches not installed for known vulnerabilities.
Threat: All threat areas can impact this vulnerability.
Discussion: Five systems were lacking patches to fix known vulnerabilities.[1] Exploiting known software vulnerabilities is a primary means of gaining privileged access to a system or implementing a denial of service attack.
Risk Rating: Moderate
Mitigation Action: Program managers should establish a program to identify, review, and install, as appropriate, patches to operating systems and other software. The patches should also be included in the configuration management documentation for the system. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #5: Lack of, limited, or untested contingency plans.
Threat: All threat areas can impact this vulnerability.
Discussion: Six IT systems had vulnerabilities associated with contingency plans. The vulnerabilities included no contingency plans, limited contingency plans that addressed only one scenario, and not testing contingency plans.
Risk Rating: Moderate
Mitigation Action: Develop and test contingency plans for all the critical assets. The Justice Management Division has made the testing of contingency plans a performance measure for the Department and will track the progress of the individual systems within the tracking database.

Vulnerability #6: Lack of computer security incident response capability.
Threat: All threat areas can impact this vulnerability.
Discussion:

Four critical IT systems reported vulnerabilities in their Computer Security Incident Response Capability (CSIRC).

  • Two systems had a draft CSIRC plan that had not been finalized.
  • One system did not have procedures in place for reporting incidents as required by the agency's policy.
  • The Computer System Security Officer for the last system did not report incidents in the time frame specified by the agency's policy.
Risk Rating: Low
Mitigation Action: Component Computer System Security Officers should review and ensure their CSIRC plans are current and ensure the officers are knowledgeable of the reporting requirements. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #7: Lack of access controls.
Threat: All threat areas can impact this vulnerability.
Discussion: Seven critical IT systems reported vulnerabilities in access controls. The vulnerabilities included the failure to delete user accounts when personnel are terminated and privileges when access is no longer required due to a change of position or task.
Risk Rating: Low - Moderate
Mitigation Action: Components should ensure access privileges and accounts are deleted when an individual is terminated and privileges are periodically reviewed and updated based on "least privileges" and "separation of duties." The IMSS will utilize its internal database to track the resolution of this vulnerability.
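The periodic review described in the mitigation above can be reduced to a comparison of account records against the personnel list and a role model. The following is an added example, not code from the report or from any Department system; the role names, privilege names, separation-of-duties pair, and all account and personnel records are constructed for the example. It flags accounts whose owner is terminated or unknown, privileges beyond the holder's current role (least privilege), and privilege combinations one person should not hold at once (separation of duties).

```python
"""Periodic access review over constructed account and personnel records.

Checks the three conditions the mitigation names: accounts whose owner is no
longer active, privileges beyond the holder's current role, and privilege
pairs that violate separation of duties. All names and data are constructed.
"""

# Assumed role model: the privileges each role legitimately needs.
ROLE_PRIVILEGES = {
    "analyst": {"read_case"},
    "case_officer": {"read_case", "update_case"},
    "supervisor": {"read_case", "approve_case"},
    "sysadmin": {"manage_accounts"},
}

# Assumed separation-of-duties rule: one person must not both update and approve a case.
CONFLICTING_PAIRS = [frozenset({"update_case", "approve_case"})]


def review_access(accounts, personnel):
    """Return {user: [findings]} for every account; an empty list means no finding."""
    roster = {p["user"]: p for p in personnel}
    findings = {}
    for user, privs in accounts.items():
        user_findings = []
        person = roster.get(user)
        if person is None:
            user_findings.append("account has no owner on the personnel list")
        elif person["status"] != "active":
            user_findings.append(f"owner is {person['status']}; delete account")
        else:
            # Least privilege: anything beyond the role's needs is a finding.
            allowed = ROLE_PRIVILEGES.get(person["role"], set())
            for p in sorted(privs - allowed):
                user_findings.append(f"privilege {p} not needed for role {person['role']}")
        # Separation of duties applies regardless of owner status.
        for pair in CONFLICTING_PAIRS:
            if pair <= privs:
                user_findings.append("separation of duties: holds " + " and ".join(sorted(pair)))
        findings[user] = user_findings
    return findings


# Constructed personnel list, as an HR system might export it.
SAMPLE_PERSONNEL = [
    {"user": "jdoe", "role": "case_officer", "status": "active"},
    {"user": "asmith", "role": "supervisor", "status": "active"},
    {"user": "bwayne", "role": "analyst", "status": "terminated"},
]

# Constructed account inventory: user -> privileges actually granted.
SAMPLE_ACCOUNTS = {
    "jdoe": {"read_case", "update_case", "approve_case"},   # kept approve_case after a role change
    "asmith": {"read_case", "approve_case"},
    "bwayne": {"read_case"},                                 # owner terminated, account not deleted
    "ghost": {"read_case"},                                  # no matching person at all
}

if __name__ == "__main__":
    for user, user_findings in review_access(SAMPLE_ACCOUNTS, SAMPLE_PERSONNEL).items():
        print(user, user_findings or ["OK"])
```

The review runs against exports rather than the live system, so it can be scheduled and its output retained as evidence that the periodic review actually took place, which is the gap the discussion above describes.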

Vulnerability #8: Lack of configuration management.
Threat: All threat areas can impact this vulnerability.
Discussion: Nine critical IT systems reported vulnerabilities associated with configuration management. The vulnerabilities included inadequate configuration management policies and documentation and no process to review configuration management documents on a regular basis.
Risk Rating: Moderate
Mitigation Action: Components should ensure system administrators for critical IT systems have established a configuration management process for their systems. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #9: Lack of intrusion detection.
Threat: All threat areas can impact this vulnerability.
Discussion: Six critical IT assets reported vulnerabilities in the area of intrusion detection. The affected critical IT systems either did not have an intrusion detection capability, the intrusion detection system did not provide real-time monitoring, or the system did not monitor internal packet exchange traffic.
Risk Rating: Low - Moderate
Mitigation Action: Components should ensure their critical IT systems have an intrusion detection capability. Also, the Department established a procedure for the components to report any intrusions on their critical IT assets. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #10: Lack of or inadequate virus protection.
Threat: All threat areas can impact this vulnerability.
Discussion: Six critical IT systems had vulnerabilities associated with lack of or inadequate virus protection. Some of the systems did not have virus protection installed on all the personal computers and network servers; other systems did not update the virus signature files on a regular basis.
Risk Rating: Moderate
Mitigation Action: Components should ensure the critical IT systems have virus detection software installed on all personal computers, servers, and e-mail systems, and that the software conducts a scan on a periodic basis. Additionally, the components should frequently update the protection signature files so the critical IT systems are protected from recently released viruses. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #11: Exploitable network services enabled.
Threat: All threat areas can impact this vulnerability.
Discussion: Five critical IT systems had vulnerabilities associated with exploitable network services. The network services enabled on the systems included anonymous File Transfer Protocol service, Internet Protocol forwarding, Network File System, network finger service, and .rhosts file.
Risk Rating: Moderate - High
Mitigation Action: Determine which services are currently running on critical IT systems, either through penetration testing or other means. Network services should be reviewed and those that are not necessary should be disabled. Appropriate countermeasures should be applied to those services that are necessary, such as "tcp wrappers" to restrict and log host access when using the finger network service. Components should ensure future penetration testing includes the identification of exploitable network services as a major focus of the testing. The IMSS will utilize its internal database to track the resolution of this vulnerability. In addition, for those systems that have not undergone an independent review, the IMSS will make those systems a priority for an independent review during the next 12 months.

Vulnerability #12: Lack of warning banners.
Threat: All threat areas could exploit this vulnerability.
Discussion: Components of seven of the critical SBU IT assets did not display warning banners before the system sign-on screen.
Risk Rating: Low
Mitigation Action: Ensure all critical IT assets display warning banners before the system sign-on screen. The IMSS will utilize its internal database to track the resolution of this vulnerability.
Source: Justice Management Division's March 2002 Vulnerability Assessment

Footnotes
  1. Information Technology Laboratory Bulletin, "Computer Attacks: What They Are and How to Defend Against Them," May 1999. [This note appears in the "source" for this table.]