Inspection Report No. OIG-INS-20-02-02
Computer Penetration Test

UNITED STATES GOVERNMENT
National Labor Relations Board
Office of Inspector General

Memorandum

March 25, 2002

To: Louis B. Adams
Chief Information Officer

From: Jane E. Altenhofen
Inspector General

Subject: Inspection Report No. OIG-INS-20-02-02: Computer Penetration Test

The objective of this testing was to determine whether sufficient protections exist to prevent intrusions into the National Labor Relations Board's (NLRB) computer systems. Specifically, the analysis included penetration testing to evaluate external and internal firewalls, including those between the offices of the Board and General Counsel. Also, a security test and evaluation (ST&E) of the operational and technical controls associated with these systems was conducted. Avenues of access that were tested included both Internet and internal connectivity.

The Office of Inspector General contracted with TROY Systems, Inc. (TROY) to conduct penetration tests and ST&E. Other than a lack of password complexity, TROY found the NLRB network controls were well designed and prohibit unauthorized access to the Board or General Counsel systems externally from the Internet. However, a number of vulnerabilities were identified within the internal network that could lead to unauthorized access between the Board and the General Counsel.

The password complexity was not in conformance with guidelines of National Institute of Standards and Technology Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, for the 5 external and 18 internal systems that were scanned. Many user identifications (IDs) were found to have either the same ID and password or no password at all. This is perhaps the greatest exposure identified on the NLRB network. An attacker can run simple scanning tools and discover user IDs without having to go through the laborious process of having to actually circumvent existing security controls. The effect of allowing weak password configurations is that normal security controls can be easily bypassed just by using a user ID that already has the authority that an attacker desires. According to the NIST Special Publications 800-18 guidelines, password complexity should be six to eight characters in length, encompass all user IDs on a system, and allow for the use of alphanumeric as well as special characters.

Other vulnerabilities identified are:

• Anonymous logons were allowed;
• System configurations were not standardized;
• Banner pages were not present at all portals; and
• Manufacturer default software installations contained system access vulnerabilities.

Five external addresses were tested. TROY located one external Internet protocol address themselves by scanning the Internet and was then supplied the four other addresses by the NLRB. Of the five addresses tested, four were rated as High risk. One was rated as Low risk. All 18 internal systems tested were rated as High risk. A high risk is a vulnerability that if exploited by an intruder would lead to the root compromise of the system and could allow the intruder to penetrate deeper into the network. A low risk is defined as any vulnerability that could, in conjunction with other vulnerabilities, cause a system compromise or lead to a denial of service.

If left uncorrected, these vulnerabilities by themselves pose a threat to NLRB. As the NLRB network topography changes over time, these vulnerabilities, combined with new vulnerabilities introduced by new topography changes, could increase the risk and threat toward the NLRB. In order to have a high level of security for the internal systems, new services should be evaluated for their effect on system security and the various systems should be monitored for suspicious events.

We suggest that the Chief Information Officer prohibit the use of anonymous logons; implement a password policy that is in accordance with Federal guidelines; develop and implement a standard system configuration policy; place a banner page, mirroring the one used for normal sign-on, at every system entry point; examine Web page access compromised through software installation; and remove Web pages when not needed for system operations.

Management controls, security awareness, and training issues were addressed in previous reviews such as the Review of Information Systems Security issued on September 29, 2000, and Audit of Case Activity Tracking System Security issued on August 1, 2001. Numerous recommendations were made in those reports that are currently in the process of being implemented.

A draft report was provided to Chief Information Officer for his review and comment. Management generally agreed with our findings and suggestions. This inspection was conducted in accordance with Quality Standards for Inspections between November 2001 and March 2002.

TABLE OF CONTENTS

1. INTRODUCTION

    1.1 BACKGROUND
    1.2 OBJECTIVE
    1.3 TEST METHODOLOGY

        1.3.1 Penetration Testing Methodology
        1.3.2 Security Test And Evaluation Methodology

2. DESCRIPTION OF TESTING

    2.1 ASSUMPTIONS AND CONSTRAINTS
    2.2 EXTERNAL PENETRATION TESTING
    2.3 INTERNAL PENETRATION TESTING
    2.4 SECURITY TEST AND EVALUATION

3. FINDINGS AND VULNERABILITIES

    3.1 PENETRATION TEST
    3.2 SECURITY TEST AND EVALUATION

4. SUGGESTIONS

APPENDICES
(Not Publicly Distributed)

Appendix A - External and Internal Penetration Testing

Appendix B - System Tests and Evaluations

Appendix C - Security Configuration Guidelines

Appendix D - Security Advisories and Information

Appendix E - Tool List

Appendix F - Glossary

1. INTRODUCTION

1.1 BACKGROUND

The National Labor Relations Board (NLRB or Agency) administers the principal labor-relations law of the United States, the National Labor Relations Act of 1935, as amended. The Act is generally applied to all enterprises engaged in interstate commerce, including the United States Postal Service, but excluding some other governmental entities, as well as the railroads and the airline industry. The Agency consists of two major organizations, the Board and the General Counsel.

In Fiscal Year (FY) 2001, the Agency was authorized 2,002 people at: Headquarters; 3 Division of Judges Satellite Offices; and in 32 Regional, 3 Subregional, and 16 Resident Offices (field offices). The Agency's FY 2001 appropriation was more than $216 million.

The NLRB information technology infrastructure consists of personal computers and local servers connected to local area networks (LANs). The LANs are connected to a wide area network that provides the communication linkage throughout the agency. The Division of Administration, Information Technology Branch (ITB), is responsible for developing, implementing, and maintaining NLRB information system controls and security policies, procedures, and practices. Field office personnel are responsible for security administration of their network servers.

1.2 OBJECTIVE

The objective of this testing was to determine whether sufficient protections exist to prevent intrusions into the Agency's computer systems. Specifically, the analysis included penetration testing to evaluate external and internal firewalls, including those between the offices of the Board and General Counsel. Also, a security test and evaluation (ST&E) of the operational and technical controls associated with these systems was conducted.

1.3 TEST METHODOLOGY

1.3.1 Penetration Testing Methodology

The penetration methodology used by TROY follows industry "best practices" and utilized a logical three-step process. The Test Team used proven network intrusion and exploitation techniques to identify the vulnerabilities of computers, routers, firewalls, network operating systems, protocols, and other network components.

The penetration process consisted of the following steps:

• Information gathering: Off-line research and on-line discovery were used to gather information about the NLRB Web site system as well as internal systems. This information was then used to learn more about the potential system security vulnerabilities that could be exploited to gain access to the network and its associated components.
  
  
• Assess systems: Once adequate information was gathered and examined, the Test Team attempted to determine what services for each of the documented machines were open and determine the vulnerabilities of each service.
  
  
• Documentation: The Test Team then documented how each given exploit could be used to gain control of the network and what type of access each would have achieved.

The planned methodology of this test did not include disruption of computer systems or network operations. Care was taken to ensure that network availability and data integrity were not compromised. To reduce the risk of damage to the NLRB Web site, the NLRB trusted agent was kept informed of the progress and results of the testing effort. Testing was conducted using a laptop running Windows 2000 provided by TROY. External testing was conducted at the TROY site, while internal testing was conducted at the NLRB site. At no time was a TROY employee signed onto or using a NLRB user identification (ID) or system.

1.3.2 Security Test And Evaluation Methodology

A six-step process was used to evaluate the effectiveness of the safeguards between Board and General Counsel:

• Step 1 - Test team assembly
• Step 2 - Review of documentation supplied by the Agency
• Step 3 - Identification of controls, threats and vulnerabilities
• Step 4 - Prepare a security test and evaluation plan
• Step 5 - Conduct the security test and evaluation
• Step 6 - Document the results

The ST&E evaluated selected control measures to ensure that they were in place and that the cumulative protection provided by all of the control measures were adequate to protect the confidentiality, integrity, and availability of data on the network. For this evaluation, some measures that were not in place were still tested for the purpose of gathering additional information to be used in making effective recommendations. Additionally, since the security plan and risk analysis are still in the development process, a number of tests were conducted for the purpose of identifying vulnerabilities or determining the control measure status.

2. DESCRIPTION OF TESTING

2.1 ASSUMPTIONS AND CONSTRAINTS

The following assumptions and constraints governed the testing process:

• A member of the NLRB staff would be available to assist the security test team as a "trusted agent;"
  
  
• All hands-on testing using system hardware devices would be executed by NLRB personnel, with the security test team member monitoring the results;
  
  
• Testing would not cause a delay or disruption to the operations of the network or systems;
  
  
• Hands-on testing would not interfere with the process or operation of the system; and
  
  
• Testing should not be destructive to equipment, software, or data.

2.2 EXTERNAL PENETRATION TESTING

TROY performed the external systems vulnerability assessment using software penetration testing tools. The targeted systems were tested in attempts to attack potential vulnerabilities exposed during the data collection phase of this assessment. External scans were done on the Washington, DC firewall.

The assessment on these systems began by gathering the Point of Contact information and the resolution of Internet protocol (IP) addresses to server names. The Test Team next used automated tools to map the servers in order to determine which ports were being allowed through each server. Each system will be broken down in Appendix A by its location and its specific vulnerabilities.

2.3 INTERNAL PENETRATION TESTING

TROY performed the internal systems technical vulnerability assessment using software penetration testing tools. The targeted systems were tested in an attempt to exploit vulnerabilities exposed during the data collection phase of this assessment. Internal scans were done on four sites: Washington, DC; Atlanta, GA; Manhattan, NY; and San Francisco, CA.

The assessment on these systems followed the same approach described above in the External Testing section. Testing was conducted from the Washington, DC segment of the network. The servers were scanned internally from the office of the Office of Inspector General (OIG).

2.4 SECURITY TEST AND EVALUATION

Tests were conducted on a sample of Headquarters and field office servers selected by the OIG. The tests were conducted on three Headquarters network servers, three Case Activity Tracking System Servers, and three e-mail servers. Firewall tests were conducted on the single firewall.

NLRB stressed to TROY that this ST&E should not duplicate the tests that have been conducted during previous assessments. Accordingly, the ST&E plan included a range of operational and technical controls that are not addressed in standard reviews but are recommended by the vendors of the various systems. Management controls and security awareness and training issues were not tested because such controls were addressed in previous reviews such as the Review of Information Systems Security issued on September 29, 2000, and Audit of Case Activity Tracking System Security issued on August 1, 2001.

3. FINDINGS AND VULNERABILITIES

3.1 PENETRATION TEST

Five main vulnerabilities pose risk to the NLRB network. Each is discussed in depth below.

The password complexity was not in conformance with guidelines of National Institute of Standards and Technology Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, for the 5 external and 18 internal systems that were scanned. Many user IDs were found to have either the same ID and password or no password at all. This is perhaps the greatest exposure identified on the NLRB network. An attacker can run simple scanning tools and discover user IDs without having to go through the laborious process of having to actually circumvent existing security controls. The effect of allowing weak password configurations is that normal security controls can be easily bypassed just by using a user ID that already has the authority that an attacker desires. According to the NIST Special Publications 800-18 guidelines, password complexity should be six to eight characters in length, encompass all user IDs on a system, and allow for the use of alphanumeric as well as special characters.

Anonymous logons were allowed. Through anonymous logons an attacker can determine the logon IDs that exists on a system as well as registry information and gain access to the security accounts manager password file. The use of anonymous logons allow users to bypass access control lists that are on the specific system. The user who gains unauthorized access to a system can then use the connection to further exploit the system. This has the effect of rendering other forms of security useless.

Of the 18 internal and 5 external systems that were scanned, none of them shared a common configuration. Systems performing the same functions, but for different regions, showed vastly different services running and services available to run. Allowing different system configurations makes system administration difficult because no one can determine when processes are running that should not be running. Thus, the effect of opening security vulnerabilities may go undetected.

Many systems support other types of access beyond the normal user sign-on process. Some of these accesses are allowed for remote system administration or remote system access and are accomplished through a service such as file transfer protocol or terminal emulation, also known as Telnet. The need for the accesses should be determined by the system administrator. Each entry point into a system needs to have a banner page stating the consequences for improper use of the system and its resources.

When software is installed it will often open ports or install components unbeknownst to the administrator. These often take the form of services provided through Web pages. These Web pages are rife with security vulnerabilities such as default logon IDs, buffer overflows, and access to system information. On several of the 18 internal systems scanned, such Web pages existed that allow access to system information, such as modules loaded and processing on the system, and allowing for changes to be made in the system configuration.

Appendix A contains the vulnerabilities and recommended solutions listed by site for each of the tests conducted in this assessment.

3.2 SECURITY TEST AND EVALUATION

Our analysis revealed that the controls that are not in place pose risks to the NLRB and should be addressed as soon as possible. Each of these controls would enhance the security between Board and General Counsel; conversely, each control not in place reduces the security of the separation between them.

A summary of the controls that are not in place is presented.

• Network servers, including e-mail servers, Case Activity Tracking System (CATS) servers, and file servers, do not make use of password controls available from the servers' operating systems. Even administrative accounts did not have expiration requirements or complexity requirements. The lack of such controls makes it much easier for an attacker to guess user passwords.
  
  
• Network servers, including e-mail servers, CATS servers, and file servers, did not use intruder lockout and detection controls available from the operating systems. The lack of these controls makes it easier to launch a brute force attack, such as utilizing words in an electronic dictionary to guess passwords.
  
  
• The user "Administrator" was not renamed on all servers. This leaves a valid user name on the system that may be guessed by attackers.
  
  
• On some workstations, the user name of the previous user was shown as part of the login prompt. This may provide an attacker with a valid user ID.
  
  
• Some systems, such as the CATS system, did not display their own warning banner but instead depend on the warning banner from the network servers. This leaves a system liable to the claim by an attacker that there was no proper notification that this was a government system.
  
  
• Monitoring practices among the various servers was uneven and inconsistent. There was no requirement to monitor particular events or to review the audit logs. The lack of monitoring makes it difficult to track an intruder or document attacks on the system. Since some events, such as brute-force attacks on user passwords, are not monitored, there was consequently no alert to a system administrator that such an event has taken place.
  
  
• Some remote-access issues were addressed during the evaluation, such as the presence of remote commands on the server. The presence of such commands makes it easier for an attacker to gain control of a server without physical proximity.
  
  
• Although NLRB servers were assigned static IP addresses (addresses that do not change), some servers retain the software to support Dynamic Host Configuration Protocol (DHCP). Servers should not use DHCP, a protocol for assigning dynamic IP addresses to network devices. DHCP can be manipulated in a denial-of-service attack; this is also true for Windows Internet Naming Service, also known as WINS, software.
  
  
• The firewall between the Internet and the NLRB did not have fully redundant capability. If an attacker compromised this firewall, or in the event that the single firewall should fail, or if any of its components should fail, NLRB could lose connectivity to the Internet until a second firewall is brought online.
  
  
• Some servers did not implement specific settings that enhance server security.
  
  
• The CATS servers made the default list of procedures available on the systems. An installation should drop as many of these procedures as possible or restrict rights to these procedures for maximum security.

Appendix B lists all system tests conducted and their results.

4. SUGGESTIONS

We suggest that the Chief Information Officer:

1. Implement a password policy that is in accordance with NIST guidelines;

2. Prohibit the use of anonymous logons by changing the system registry for the affected systems;

3. Develop and implement a standard system configuration policy;

4. Place a banner page, mirroring the one used for normal sign-on, at every system entry point;

5. Examine Web page access compromised through software installation and remove Web pages when not needed for system operations; and

6. Implement controls identified in the ST&E as not being in place.