OFFICE OF INSPECTOR GENERAL

M E M O R A N D U M

DATE: June 13, 2001

TO: Chairman

FROM: Inspector General

SUBJECT: Report on Audit of Web Presence Security

The Office of Inspector General (OIG) has completed an Audit of Web Presence Security. A copy of our Audit Report, entitled "Audit of Web Presence Security" (Audit Report No. 00-AUD-01-10), is attached for your review and comment.

The objective of this audit was to measure how successful the Commission has been in securing its web portals. Because the use of the Internet for commerce presents new and unique security challenges, we developed a set of specific information security related objectives for this audit. Specific objectives were to:

- Determine if any conditions exist that could allow an external user or hacker to penetrate web server security and cause possible harm to Commission assets;
- Ensure that the FCC is not vulnerable to known Web-based security attacks; and
- Identify vulnerabilities in the general controls over web-based assets.
To accomplish the objectives of this audit, we contracted with the computer security firm of TWM Associates, Inc. (TWM) to perform the audit. Under our supervision, TWM developed an audit plan that was designed to measure the extent to which the Commission's web presence infrastructure fulfilled the above-mentioned security goals. This audit included an assessment of the current security posture of those Commission-wide systems providing information via the Web and the use of audit tests and techniques designed to identify vulnerabilities in web presence security.

We interviewed FCC personnel responsible for Internet and web security, including the Computer Security Office (CSO), Information Technology Center (ITC) and Auctions systems personnel, and Bureau and Office personnel responsible for application development. We also reviewed FCC system documentation. In addition, we performed a number of tests to determine the level of security of the FCC's web presence. For example, to determine what Internet system services the FCC web hosts offered, TWM examined the ITC and Auctions systems using a network scanning tool and used a proprietary program to perform sophisticated analyses of the FCC's Unix and Windows NT web presence hosts. Finally, we used system penetration techniques to test the security of the Commission's web-based applications.

During our audit, we found that the Commission has implemented numerous computer security controls designed to protect and preserve its web-based assets. However, during the audit, we identified thirty-eight (38) findings that impact the effectiveness of the Commission's program. Six (6) of the audit findings were determined to be high risk [1], thirty-one (31) were determined to be medium risk, and one (1) was determined to be low risk. Findings occurred in the areas of host and network access, system software, service continuity, and application software development controls.
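The service-discovery step described above (examining the web hosts with a network scanning tool to learn which Internet services they offer) reduces to a TCP connect scan with banner grabbing: connect to each port, record what the service announces, and, if it says nothing (HTTP-style services wait for a request), send a harmless probe and read again. The Python below is an added illustration and is not code from the OIG, TWM or the FCC. The two services it scans are constructed local listeners so the script runs offline; the function names, the probe string and the (80, 443) allowlist are assumptions for the example.

```python
"""Added example: TCP connect scan plus banner grab, run against constructed
local listeners. Not part of the OIG report or the audit's tooling."""
import socket
import threading
from typing import Dict, Iterable, Optional


def start_fake_service(banner: bytes, reply: bytes) -> int:
    """Constructed local service for the demo. Sends `banner` on connect
    (empty for HTTP-style services that stay silent until asked) and answers
    any client data with `reply`. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    if banner:
                        conn.sendall(banner)
                    if conn.recv(1024):
                        conn.sendall(reply)
                except OSError:
                    pass  # client closed early; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """Return the first line the service sends, '' if the port is open but
    silent, or None if the port is closed/unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                # Silent service: send an HTTP HEAD probe (assumed harmless) and read again.
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                try:
                    data = s.recv(256)
                except socket.timeout:
                    data = b""
            return data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    except OSError:  # ConnectionRefusedError, timeout, unreachable
        return None


def scan(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """TCP connect scan: map each open port to its banner ('' if silent)."""
    found: Dict[int, str] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            found[port] = banner
    return found


def unexpected_services(found: Dict[int, str], expected=(80, 443)) -> Dict[int, str]:
    """Open ports a web host is not supposed to offer; each is a candidate finding."""
    return {p: b for p, b in found.items() if p not in expected}


if __name__ == "__main__":
    smtp = start_fake_service(b"220 mail.example.test ESMTP ready\r\n", b"250 OK\r\n")
    web = start_fake_service(b"", b"HTTP/1.0 200 OK\r\nServer: Example/1.0\r\n\r\n")
    for port, banner in scan("127.0.0.1", [smtp, web]).items():
        print(f"{port}/tcp open  {banner!r}")
```

The distinction between None (closed), '' (open but silent) and a banner string matters when reading the output: an open port with no banner is still a service to account for, and a banner that names a product and version is exactly what the "sophisticated analyses" mentioned above would go on to examine.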
We recommend that the problems we identified be corrected to strengthen the security of the Commission's web presence. Our recommendations, when implemented, will correct present problems and minimize the risk that future security problems will occur in the FCC's Internet web presence. All recommendations contained in the attached report will be tracked for reporting purposes by the OIG.

On March 28, 2001, we issued a draft report summarizing the results of our audit. In that draft report, we requested that the Wireless Telecommunications Bureau (WTB) and the Information Technology Center (ITC) respond to the findings and recommendations presented in our report. Each organization prepared a response addressing those findings and recommendations relevant to its portion of the Information Technology infrastructure. ITC provided comments on thirty-one (31) of the thirty-eight (38) findings contained in the draft report, and WTB provided responses to twenty (20) findings.

In its response, ITC indicated concurrence with twenty-eight (28) of the thirty-one (31) findings for which it provided a response and indicated that it did not concur with three (3) findings. For one (1) of the findings with which ITC did not concur, we examined the response, agreed with ITC's explanation and closed the finding. For the other two (2) findings with which ITC did not concur, ITC explained that the finding had been addressed by events that took place after fieldwork on the audit was completed. For each of these findings, we state in our comments that ITC should demonstrate this solution as part of the audit follow-up process to close the finding. We have included a copy of the response from ITC in its entirety as Appendix D to this report. Where ITC disagreed with our conclusions, we have added a section titled "OIG Comments" to explain our position.
In its response, WTB indicated concurrence with each of the recommendations for the twenty (20) findings that applied to the bureau. Of these twenty (20) findings, WTB reported that fifteen (15) were closed as of May 7, 2001. We have included a copy of the response from WTB in its entirety as Appendix C to this report.

Because of the sensitive nature of the information contained in the appendices, we have marked them all "Privileged and Confidential, Non-Public - For Internal FCC Use Only" and have limited distribution. Those persons receiving this report are requested not to photocopy or otherwise distribute this material.

H. Walker Feaster III
Inspector General

Attachment

cc: Chief of Staff
    Managing Director
    Chief, Wireless Telecommunications Bureau
    Chief Information Officer
    AMD-PERM

[1] Each audit finding was evaluated to determine its degree of exposure based on the following risk ratings.
    High: Security risk can cause a business disruption, if exploited.
    Medium: Security risk in conjunction with other events can cause a business disruption, if exploited.
    Low: Security risk may cause operational annoyances, if exploited.