REPORT ON THE AUDIT OF NETWORK REMOTE DIAL-IN SECURITY

TABLE OF CONTENTS

EXECUTIVE DIGEST
AUDIT OBJECTIVE
AUDIT SCOPE
BACKGROUND
FINDING: The Commission Has Not Adequately Secured The Network Remote Dial-In Capability
    o Details of Finding
    o Recommendations
APPENDIX 1  Audit Team and Acknowledgements
APPENDIX 2  Audit Methodology
APPENDIX 3  October 18, 1996 report entitled "Flash Report on Vulnerabilities Identified during our Review of Remote Dial-In Security"
APPENDIX 4  January 10, 1997 report entitled "Audit Of The Federal Communications Commission (FCC) Remote Dial-In Capability" prepared by TWM Associates, Inc., reporting the detailed results of Remote Dial-In Testing
APPENDIX 5  Managing Director's Response to the Draft Audit Report

EXECUTIVE DIGEST

In 1992, the Commission engaged in an agency-wide effort to modernize its automated information systems. The goal of the program, entitled "Information Systems Modernization (ISM)", was to "replace the Commission's obsolete IRM [Information Resource Management] equipment and systems with an entirely new information systems architecture to meet our mission needs." Many objectives were envisioned, including "easier access to all databases and greatly enhanced ability to retrieve and to manipulate data to support regulatory and administrative decisions" and "widespread use of electronic mail and bulletin boards for dissemination of information, exchange of documents, and communications within the Commission and with the public." To accomplish these objectives, the Commission moved from a centralized mainframe processing environment to a distributed network-based processing environment. Since 1992, the Commission has made tremendous strides in implementing the distributed networked environment which existed only on paper at that time. In fact, the rapid pace of change in computing has resulted in accomplishments beyond those originally anticipated. For example, the introduction and encouraged use of the Internet as a means of distributing information has greatly reduced the need for bulletin boards as originally envisioned.
However, along with the benefits that have clearly been derived from the Commission's conversion to a distributed environment have come increased risks. The major risk to networked environments such as the Commission's is an unauthorized user gaining access to the network or an authorized user accessing inappropriate network resources. As part of our ongoing efforts to ensure the security of the Commission's network, the Office of Inspector General (OIG), working closely with the office of the Associate Managing Director - Information Management (AMD-IM), has conducted an audit of network remote dial-in security. To conduct this review, the OIG contracted with the computer security firm of TWM Associates, Inc. (hereafter referred to as "TWM") to provide technical support.

The FCC Wide Area Network (WAN) supports remote access using a centralized modem pool, Novell's GroupWise Remote and Symantec's PcAnywhere for Windows communication software, and standard phone service. Depending on the type of communication software installed, modem pool users can do everything from checking e-mail to accessing databases. In addition, access to the network can be gained using standalone modems and analog phone service. This method of access includes both known entry points (modems purchased and distributed by AMD-IM) and unknown entry points (modems purchased and installed without AMD-IM's knowledge).

The objective of this task was to evaluate the current security configuration of modem pool dial-in security and, as needed, define an enhanced security posture. An additional objective was the identification of unknown dial-up entry ports supporting standalone modem access (i.e., "rogue" modems), an assessment of the security of those ports, and the identification of alternatives for securing those ports (please refer to figure 1 below).
[Figure 1: Series of standalone modems collected from network hub rooms]

During our review, we determined that the Commission's network is vulnerable to compromise via remote dial-in. In fact, during testing the audit team was able to gain access to the network and compromise a limited number of components. In our opinion, given time and using readily available automated tools,[1] the audit team could have compromised additional components of the network and affected its overall integrity, confidentiality, and availability. Due to the severity of the specific condition identified during testing, the OIG issued a report entitled "Flash Report on Vulnerabilities Identified during our Review of Remote Dial-In Security" during the audit. A copy of the flash report is included as Appendix 3 to this report.

[1] The audit team chose not to use these tools because of concerns about compromising network integrity. In addition, testing the logical security of internal network components was not an objective of this review.

In addition to the specific vulnerabilities identified in our flash report, we determined that Commission equipment and telecommunication inventory records do not accurately reflect distributed modems; telecommunications resources are not physically secured; selected network components are not properly configured and administered to ensure secure use; and security violation logs are not adequately monitored.

As we have stated, the Commission has become increasingly dependent upon its automated systems. Interruption to services provided by the network, which include access to databases, e-mail, and the Internet, would be extremely disruptive to the Commission. Loss of the network would have an immediate and profound effect on employee productivity and would impact the Commission's ability to service its customers.
For example, the e-mail system could be disabled, information available on Commission databases could not be retrieved, or distribution of public information could be hampered. Strong controls over the network remote dial-in capability, particularly over "rogue" modems, help create a secure environment and reduce the risk of these scenarios.

Detailed information about the methodology used, specific conditions identified, and other sensitive material collected in this review is included in a series of appendices attached to this report. Those appendices containing sensitive information are hand stamped "SENSITIVE" and will be distributed only to those personnel with a need for the information. Those personnel receiving these appendices are requested not to photocopy or otherwise distribute this material.

AUDIT OBJECTIVE

The Federal Communications Commission (FCC) has established access to the internal Wide Area Network (WAN) through remote dial-up connectivity, allowing FCC users to access the network from remote locations using laptop or standalone personal computers via a centralized modem pool. The objective of this audit was to evaluate the current security configuration of this dial-in capability and, as needed, define an enhanced security posture for the existing configuration. An additional objective was the identification of unknown dial-up entry ports (supporting standalone "rogue" modems), an assessment of the security of those ports, and the identification of alternatives for securing those ports.

AUDIT SCOPE

The audit was conducted in accordance with Generally Accepted Government Auditing Standards and included such analysis, interviews and testing as required to support the audit findings. The scope of this review included all components of the Commission's WAN; however, our review of field office components was limited to telephone interviews and did not include a physical observation of the automated environment.
In addition, our review did not include an assessment of Integrated Services Digital Network (ISDN) modems. At the time of our review, the Commission was testing a limited number of these modems.

Audit fieldwork included interaction with most Commission Bureaus and Offices and was performed from September through November 1996.

BACKGROUND

On December 24, 1985, the Office of Management and Budget (OMB) issued Circular No. A-130. This Circular provides a general policy framework for management of Federal information resources. The Circular implements provisions of the Paperwork Reduction Act of 1980 as well as other statutes, Executive Orders, and policies concerning general information policy, information technology, privacy, and maintenance of Federal records. In addition, the Circular places specific responsibility on the head of each agency to "(e)nsure that the information policies, principles, standards, guidelines, rules and regulations prescribed by OMB are implemented appropriately within the agency."

Appendix III to OMB Circular No. A-130, entitled "Security of Federal Automated Information Systems", establishes a minimum set of controls to be included in Federal automated information systems security programs. The appendix specifically requires that agencies shall:

a. Assure that there are appropriate technical, personnel, administrative, environmental, and telecommunications safeguards in automated information systems;

b. Assure the continuity of operations of automated information systems that support critical agency functions;

c. Implement and maintain an automated information systems security program, including the preparation of policies, standards, and procedures;

d. Assure that an appropriate level of security is maintained at all information technology installations operated by or on behalf of the Federal Government.

On January 8, 1988, the President signed the Computer Security Act of 1987 into law. The purpose of the law was to recognize that "improving the security and privacy of sensitive information in Federal computer systems is in the public interest." The law "creates a means for establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use."

The Commission's network remote dial-in capability is currently provided via a centralized modem pool and a special FCC-modified version of Symantec's Norton PcAnywhere for Windows and Novell's GroupWise Remote product (please refer to figure 2). Based upon a July 1996 survey conducted by the Office of the Associate Managing Director - Information Management (AMD-IM), there are three hundred fifty-one (351) potential GroupWise Remote users (i.e., users who have requested GroupWise Remote for their home personal computers). In addition to the AMD-IM controlled modem pool, there are an unknown number of additional analog and Integrated Services Digital Network (ISDN) modems installed by end-users (please refer to figure 1).

[Figure 2: Close-up of the centralized modem pool maintained in the Commission computer room in the 1919 M Street facility]

FINDING: The Commission Has Not Adequately Secured The Network Remote Dial-In Capability

During our review, we determined that the Commission has not established effective controls to ensure the security of the network remote dial-in capability. For example, we determined that Commission equipment and telecommunication inventory records do not accurately reflect distributed modems; telecommunications resources are not physically secured; selected network components are not properly configured and administered; and security violation logs are not adequately monitored.
Inadequate controls over the network remote dial-in capability threaten the viability of the network by increasing the risk of inappropriate access. During our review, we determined that the Commission's network is vulnerable to compromise via remote dial-in. In fact, during testing the audit team was able to gain access to the network and compromise a limited number of components. In our opinion, given time and using readily available automated tools, the audit team could have compromised additional components of the network and affected its overall integrity, confidentiality, and availability. Due to the severity of the condition and to ensure a timely response, the OIG issued a "Flash Report." A copy of the flash report, entitled "Flash Report on Vulnerabilities Identified during our Review of Remote Dial-In Security" and dated October 18, 1996, is included as Appendix 3 to this report.

Requirements For Securing The Remote Dial-In Capability Are Well Established In Government, Industry And Commission Standards

The requirements for securing network connectivity are well established in Government and industry standards. Office of Management and Budget (OMB) Circular No. A-130, entitled "Management of Federal Information Resources", establishes a minimum set of controls to be included in Federal automated information systems security programs. The Circular states that agencies shall "assure that there are appropriate technical, personnel, administrative, environmental, and telecommunications safeguards in automated information systems" and that agencies "assure the continuity of operation of automated information systems that support critical agency functions."

In December 1990, the Institute of Internal Auditors published the Systems Auditability and Control Report, hereafter referred to as the "SAC Report."
The SAC Report is the result of a major research project conducted by top professionals in the information systems audit profession and provides comprehensive guidance on information technology and information systems auditing. Requirements for network remote access controls are recognized in several modules of the SAC Report. In module eight, entitled "Telecommunications", the SAC Report recognizes dial-in security as a "major means of network control" to "prevent an unauthorized user from gaining access to the network through a combination of hardware, software, and physical security." The module goes on to state that "(t)he likelihood of an unauthorized user accessing the network through the telephone line is directly related to the ease of determining the network port's telephone number, the costs incurred while attempting this action, and the effectiveness of logical security barriers. When the network access number is easy and inexpensive to obtain and logical security controls are inadequate, the possibility that an unauthorized user will attempt to breach network security is relatively high" (emphasis added). In fact, these conditions were identified during our testing of remote dial-in security.

FCC Directive 1479.1, entitled "FCC Computer Security Program" and dated November 30, 1995, establishes a framework of guidelines for remote dial-in at the Commission. The directive states that the "guidelines should be considered by FCC users and AMD-IM Network Administrators to facilitate secure dial-in/out communication with FCC computer systems."
The following guidelines are provided:

o Dial-in ports should be protected from unauthorized access;

o Dial-in to FCC computer systems must only occur through entry points approved by AMD-IM;

o Updates and changes in system communication hardware and software should be tested thoroughly to prevent unintentional access exposures;

o Controls should be established to ensure remote users are positively identified and authenticated before connection to the network is authorized. Further, remote system(s) access using Guest accounts must be prohibited; and

o Reasonable care should be taken to protect communication equipment and telecommunications cables from unauthorized access. Any installation or adjustment of communication equipment must be coordinated through AMD-IM, NMD [Network Management Division] in advance.

In our opinion, these guidelines present a solid framework for managing network remote dial-in security. The audit team found little evidence of the implementation of these controls during our review.

Commission computer equipment and telecommunications inventory records do not accurately reflect distributed modems

As part of our review of remote dial-in security, we obtained and reviewed copies of computer equipment and telecommunication inventory records. Using these records, the audit team conducted a physical survey of Commission work space. The objective of the survey was twofold: first, to locate modems, and second, to assess the accuracy of inventory records. During the review, we located numerous modems which did not have FCC inventory tags and which were not reflected in the equipment inventory.

Telecommunication inventory records identify both ISDN and analog phone lines. In general, ISDN lines support Commission voice service and analog lines support fax machines, secure phones, and modem resources.
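The reconciliation this finding describes (analog-line inventory records checked against modems located by physical survey and by calling Commission extensions) is illustrated by the following Python script. It is an added example written for this edition of the report, not code from the audit team or from TWM. The inventory columns, the war-dialer result vocabulary (CARRIER, FAX, VOICE, BUSY, NO ANSWER), the extensions, locations and tag numbers are all constructed for the example; a real war dialer writes its own log format and the parser would be adjusted to match it.

```python
"""Reconcile telecommunications inventory records against modems actually found.

Added example; the data below is constructed, not Commission records.
"""
import csv
import io

# Constructed extract of the telecommunications inventory (hypothetical columns).
INVENTORY_CSV = """\
extension,line_type,location,use
5101,analog,1919M-752A,modem
5102,analog,1919M-752A,fax
5103,isdn,1919M-801,voice
5104,analog,2000L-412,secure phone
5105,analog,2000M-210,modem
"""

# Constructed war-dialer output: one extension per line and what answered the call.
WARDIAL_LOG = """\
5101 CARRIER
5102 CARRIER
5103 VOICE
5104 VOICE
5105 NO ANSWER
5106 CARRIER
5107 BUSY
5108 CARRIER
"""

# Constructed physical survey of work space: modems seen, with their FCC tag if any.
SURVEY = [
    {"extension": "5101", "location": "1919M-752A", "tag": "FCC-001"},
    {"extension": "5106", "location": "2025M-330", "tag": None},
    {"extension": "5108", "location": "2033M-115", "tag": None},
]


def parse_inventory(text):
    """Map extension -> inventory row."""
    return {row["extension"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_wardial(text):
    """Map extension -> answer type (CARRIER, FAX, VOICE, BUSY, NO ANSWER)."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ext, _, answer = line.strip().partition(" ")
        results[ext] = answer.strip().upper()
    return results


def reconcile(inventory, wardial, survey):
    """Return the discrepancies an inventory follow-up would need to resolve."""
    findings = {
        "carrier_unrecorded": [],        # a modem answered on a line with no inventory record
        "carrier_on_nonmodem_line": [],  # a modem answered on a line recorded for another use
        "recorded_modem_no_carrier": [], # inventory says modem, nothing answered: verify or remove
        "untagged": [],                  # modem seen in work space without an FCC inventory tag
    }
    for ext, answer in sorted(wardial.items()):
        if answer != "CARRIER":
            continue
        record = inventory.get(ext)
        if record is None:
            findings["carrier_unrecorded"].append(ext)
        elif record["use"] != "modem":
            findings["carrier_on_nonmodem_line"].append(ext)
    for ext, record in sorted(inventory.items()):
        if record["use"] == "modem" and wardial.get(ext) != "CARRIER":
            findings["recorded_modem_no_carrier"].append(ext)
    for item in survey:
        if item["tag"] is None:
            findings["untagged"].append(item["extension"])
    return findings


def report(findings):
    """Render the non-empty categories as one line each for the follow-up list."""
    return [f"{category}: {', '.join(exts)}" for category, exts in findings.items() if exts]


if __name__ == "__main__":
    result = reconcile(parse_inventory(INVENTORY_CSV), parse_wardial(WARDIAL_LOG), SURVEY)
    print("\n".join(report(result)))
```

Each category maps to one of the recommendation steps below: unrecorded carriers and untagged units feed the complete modem inventory, carriers on lines recorded as fax or secure phone need a justification, and recorded modems that no longer answer are candidates for removal.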
The audit team obtained an automated copy of the telecommunication inventory records and developed a report, sorted by physical location, of analog lines. In addition to physically tracing analog phone lines to test accuracy, the audit team used "war dialer" software to call several thousand Commission extensions. As a result of this testing, the team identified numerous modems which were not accurately recorded in telecommunications inventory records. Detailed results of our testing are provided in Appendix 4 of this report.

Telecommunications resources are not physically secured

In March 1994, the OIG issued an audit report entitled "Report on the Audit of Physical Security of the Local Area Network." In that report, the OIG reported weaknesses in the physical security of areas, including telephone closets used for vertical cabling, where critical network components are stored. In that report, we recommended that steps be taken to ensure that these areas are secured. In March 1996, the OIG issued an audit report entitled "Report on the Follow-Up Audit of Physical Security of the Local Area Network." In that report, the OIG reported that weaknesses in physical security in areas where critical network components are stored continue to exist and recommended that steps be taken to ensure that these areas are secured.

As part of our review of remote dial-in security, we conducted a physical survey of Commission work space in the Washington, DC area and at the Gettysburg, PA facility. The Washington, DC locations included:

o 2000 L Street
o 1919 M Street
o 2000 M Street
o 2025 M Street
o 2033 M Street
o 2100 M Street
o 1250 23rd Street

During our review of work space in the Washington, DC area we identified several phone closets containing both telecommunications wiring and network cabling which were not physically secured.
In addition, we identified numerous ISDN handsets (telephones) stored in these unsecured areas. These ISDN handsets are valued from $500 to $800 per unit.

Selected Network Components Are Not Properly Configured

As part of our assessment of remote dial-in security, we used "war dialer" software, as well as computer equipment and telecommunication inventory records, to identify network ports supporting remote communication. Following identification, we conducted off-site tests to assess the security of those ports. Standard login procedures were used in an attempt to "break into" the system. In addition to assessing these ports, we evaluated the security of the modem pool supported by AMD-IM.

During testing, we identified several weaknesses in the configuration of network components. For example, we were able to compromise a network component that was configured to allow GUEST logins. Using this component as an attack platform, we were able to compromise additional network equipment which allowed GUEST login. In addition, we identified network components which were not configured to require user IDs and passwords. In our opinion, this equipment could have been "captured" by the audit team by simply establishing a user ID and password. The result would have been the inability of network management personnel to gain access to this equipment. Detailed results of our testing are provided in Appendix 4 of this report.

Security Violation Logs Are Not Adequately Monitored

As reported in the previous finding, we conducted off-site testing of identified network ports supporting remote dial-in. Initially, the testing was conducted after Commission business hours to reduce the likelihood of identification by network management personnel. However, after several successful attacks against the network, the team decided to conduct testing openly during business hours.
Our intent in conducting tests during business hours was to assess the degree to which network management personnel were able to review security logs and report security incidents in real time. Our testing indicated that security violation logs were not being adequately monitored.

Remote Dial-In Security Weaknesses Threaten Network Viability

Inadequate remote dial-in security increases the risk of inappropriate access and threatens the availability, integrity, and confidentiality of information on the network. During our testing, we demonstrated the vulnerability of the network to inappropriate access by remote dial-in. After successfully compromising one inappropriately configured computer, the audit team was able to attack and compromise several additional network components. In our opinion, the audit team gained enough privilege to compromise components of the network and affect its overall integrity, confidentiality, and availability.

Recommendation for Corrective Action 1 of 3

The Managing Director implement and enforce the remote dial-in guidelines established in FCC Directive 1479.1, entitled "FCC Computer Security Program." In addition, the Managing Director: (1) conduct a complete inventory of Commission modems and adjust inventory records to reflect this action; (2) require justification for the use of each modem identified; (3) assess the security and operational requirements of each modem for which a valid requirement exists; (4) remove modems for which no valid requirement exists; and (5) establish a program for periodically testing modems to ensure that an acceptable level of network security is maintained.

Recommendation for Corrective Action 2 of 3

The Managing Director take steps to physically secure areas where critical telecommunications resources are stored.
Recommendation for Corrective Action 3 of 3

The Managing Director address the specific conditions reported in Appendix 4.[2] In addition, the Managing Director examine all network components to ensure that: (1) all components employ unique, individually assigned user IDs and passwords; (2) adequate security features, including password files and audit files, are implemented and protected; and (3) access to sensitive communication applications is limited. Furthermore, the Managing Director direct network management personnel to establish a program for daily review of security incident logs.

[2] Because of the sensitive nature of the material contained in this document, copies will only be distributed to those personnel with a need for the information.

Management Response

The Managing Director concurred with the report results and provided specific comments about selected conditions identified during the review. With respect to our finding of Guest account login with no password, the Managing Director reports that this capability has been disabled. In addition, the Managing Director reports that two components accessed during the review, "Maglink1" and "Maglink2", are "bridges which were previously used to support network connectivity" and that "these devices are not physically connected to the network." The Managing Director goes on to state that "since the devices are kept in inventory for contingency use, AMD-IM has coordinated an effort to take precautionary measures and now require a password for future use of the devices." With respect to the finding that dynamic userid/password files created by GroupWise can be recovered using Norton Utilities, the Managing Director explains that "the threat is minimized by the fact that successfully hacking one computer will only allow access to the last GroupWise email account accessed from that computer."
Furthermore, the Managing Director points out that "to accomplish such a breakin, a person would require physical access to the space where a computer is located."