UNITED STATES GOVERNMENT
National Labor Relations Board
Office of Inspector General
March 25, 2002
To: Louis B. Adams
Chief Information Officer
From: Jane E. Altenhofen
Inspector General
Subject: Inspection Report No. OIG-INS-20-02-02: Computer Penetration Test
The objective of this testing was to determine whether sufficient protections exist to prevent intrusions into the National Labor Relations Board's (NLRB) computer systems. Specifically, the analysis included penetration testing to evaluate external and internal firewalls, including those between the offices of the Board and General Counsel. Also, a security test and evaluation (ST&E) of the operational and technical controls associated with these systems was conducted. Avenues of access that were tested included both Internet and internal connectivity.
The Office of Inspector General contracted with TROY Systems, Inc. (TROY) to conduct penetration tests and ST&E. Other than a lack of password complexity, TROY found the NLRB network controls were well designed and prohibit unauthorized access to the Board or General Counsel systems externally from the Internet. However, a number of vulnerabilities were identified within the internal network that could lead to unauthorized access between the Board and the General Counsel.
The password complexity was not in conformance with guidelines of National Institute of Standards and Technology Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, for the 5 external and 18 internal systems that were scanned. Many user identifications (IDs) were found to have either the same ID and password or no password at all. This is perhaps the greatest exposure identified on the NLRB network. An attacker can run simple scanning tools and discover user IDs without having to go through the laborious process of having to actually circumvent existing security controls. The effect of allowing weak password configurations is that normal security controls can be easily bypassed just by using a user ID that already has the authority that an attacker desires. According to the NIST Special Publications 800-18 guidelines, password complexity should be six to eight characters in length, encompass all user IDs on a system, and allow for the use of alphanumeric as well as special characters.
Other vulnerabilities identified are:
Five external addresses were tested. TROY located one external Internet protocol address themselves by scanning the Internet and was then supplied the four other addresses by the NLRB. Of the five addresses tested, four were rated as High risk. One was rated as Low risk. All 18 internal systems tested were rated as High risk. A high risk is a vulnerability that if exploited by an intruder would lead to the root compromise of the system and could allow the intruder to penetrate deeper into the network. A low risk is defined as any vulnerability that could, in conjunction with other vulnerabilities, cause a system compromise or lead to a denial of service.
If left uncorrected, these vulnerabilities by themselves pose a threat to NLRB. As the NLRB network topography changes over time, these vulnerabilities, combined with new vulnerabilities introduced by new topography changes, could increase the risk and threat toward the NLRB. In order to have a high level of security for the internal systems, new services should be evaluated for their effect on system security and the various systems should be monitored for suspicious events.
We suggest that the Chief Information Officer prohibit the use of anonymous logons; implement a password policy that is in accordance with Federal guidelines; develop and implement a standard system configuration policy; place a banner page, mirroring the one used for normal sign-on, at every system entry point; examine Web page access compromised through software installation; and remove Web pages when not needed for system operations.
Management controls, security awareness, and training issues were addressed in previous reviews such as the Review of Information Systems Security issued on September 29, 2000, and Audit of Case Activity Tracking System Security issued on August 1, 2001. Numerous recommendations were made in those reports that are currently in the process of being implemented.
A draft report was provided to Chief Information Officer for his review and comment. Management generally agreed with our findings and suggestions. This inspection was conducted in accordance with Quality Standards for Inspections between November 2001 and March 2002.
TABLE OF CONTENTS
1.1 BACKGROUND
1.2 OBJECTIVE
1.3 TEST METHODOLOGY
1.3.1 Penetration Testing Methodology
1.3.2 Security Test And Evaluation Methodology
2.1 ASSUMPTIONS AND CONSTRAINTS
2.2 EXTERNAL PENETRATION TESTING
2.3 INTERNAL PENETRATION TESTING
2.4 SECURITY TEST AND EVALUATION
3. FINDINGS AND VULNERABILITIES
3.1 PENETRATION TEST
3.2 SECURITY TEST AND EVALUATION
APPENDICES
(Not Publicly Distributed)
Appendix A - External and Internal Penetration Testing
Appendix B - System Tests and Evaluations
Appendix C - Security Configuration Guidelines
Appendix D - Security Advisories and Information
Appendix E - Tool List
Appendix F - Glossary
1. INTRODUCTION
1.1 BACKGROUND
The National Labor Relations Board (NLRB or Agency) administers the principal labor-relations law of the United States, the National Labor Relations Act of 1935, as amended. The Act is generally applied to all enterprises engaged in interstate commerce, including the United States Postal Service, but excluding some other governmental entities, as well as the railroads and the airline industry. The Agency consists of two major organizations, the Board and the General Counsel.
In Fiscal Year (FY) 2001, the Agency was authorized 2,002 people at: Headquarters; 3 Division of Judges Satellite Offices; and in 32 Regional, 3 Subregional, and 16 Resident Offices (field offices). The Agency's FY 2001 appropriation was more than $216 million.
The NLRB information technology infrastructure consists of personal computers and local servers connected to local area networks (LANs). The LANs are connected to a wide area network that provides the communication linkage throughout the agency. The Division of Administration, Information Technology Branch (ITB), is responsible for developing, implementing, and maintaining NLRB information system controls and security policies, procedures, and practices. Field office personnel are responsible for security administration of their network servers.
1.2 OBJECTIVE
The objective of this testing was to determine whether sufficient protections exist to prevent intrusions into the Agency's computer systems. Specifically, the analysis included penetration testing to evaluate external and internal firewalls, including those between the offices of the Board and General Counsel. Also, a security test and evaluation (ST&E) of the operational and technical controls associated with these systems was conducted.
1.3 TEST METHODOLOGY
1.3.1 Penetration Testing Methodology
The penetration methodology used by TROY follows industry "best practices" and utilized a logical three-step process. The Test Team used proven network intrusion and exploitation techniques to identify the vulnerabilities of computers, routers, firewalls, network operating systems, protocols, and other network components.
The penetration process consisted of the following steps:
The planned methodology of this test did not include disruption of computer systems or network operations. Care was taken to ensure that network availability and data integrity were not compromised. To reduce the risk of damage to the NLRB Web site, the NLRB trusted agent was kept informed of the progress and results of the testing effort. Testing was conducted using a laptop running Windows 2000 provided by TROY. External testing was conducted at the TROY site, while internal testing was conducted at the NLRB site. At no time was a TROY employee signed onto or using a NLRB user identification (ID) or system.
1.3.2 Security Test And Evaluation Methodology
A six-step process was used to evaluate the effectiveness of the safeguards between Board and General Counsel:
The ST&E evaluated selected control measures to ensure that they were in place and that the cumulative protection provided by all of the control measures were adequate to protect the confidentiality, integrity, and availability of data on the network. For this evaluation, some measures that were not in place were still tested for the purpose of gathering additional information to be used in making effective recommendations. Additionally, since the security plan and risk analysis are still in the development process, a number of tests were conducted for the purpose of identifying vulnerabilities or determining the control measure status.
2. DESCRIPTION OF TESTING
2.1 ASSUMPTIONS AND CONSTRAINTS
The following assumptions and constraints governed the testing process:
2.2 EXTERNAL PENETRATION TESTING
TROY performed the external systems vulnerability assessment using software penetration testing tools. The targeted systems were tested in attempts to attack potential vulnerabilities exposed during the data collection phase of this assessment. External scans were done on the Washington, DC firewall.
The assessment on these systems began by gathering the Point of Contact information and the resolution of Internet protocol (IP) addresses to server names. The Test Team next used automated tools to map the servers in order to determine which ports were being allowed through each server. Each system will be broken down in Appendix A by its location and its specific vulnerabilities.
2.3 INTERNAL PENETRATION TESTING
TROY performed the internal systems technical vulnerability assessment using software penetration testing tools. The targeted systems were tested in an attempt to exploit vulnerabilities exposed during the data collection phase of this assessment. Internal scans were done on four sites: Washington, DC; Atlanta, GA; Manhattan, NY; and San Francisco, CA.
The assessment on these systems followed the same approach described above in the External Testing section. Testing was conducted from the Washington, DC segment of the network. The servers were scanned internally from the office of the Office of Inspector General (OIG).
2.4 SECURITY TEST AND EVALUATION
Tests were conducted on a sample of Headquarters and field office servers selected by the OIG. The tests were conducted on three Headquarters network servers, three Case Activity Tracking System Servers, and three e-mail servers. Firewall tests were conducted on the single firewall.
NLRB stressed to TROY that this ST&E should not duplicate the tests that have been conducted during previous assessments. Accordingly, the ST&E plan included a range of operational and technical controls that are not addressed in standard reviews but are recommended by the vendors of the various systems. Management controls and security awareness and training issues were not tested because such controls were addressed in previous reviews such as the Review of Information Systems Security issued on September 29, 2000, and Audit of Case Activity Tracking System Security issued on August 1, 2001.
3. FINDINGS AND VULNERABILITIES
3.1 PENETRATION TEST
Five main vulnerabilities pose risk to the NLRB network. Each is discussed in depth below.
The password complexity was not in conformance with guidelines of National Institute of Standards and Technology Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, for the 5 external and 18 internal systems that were scanned. Many user IDs were found to have either the same ID and password or no password at all. This is perhaps the greatest exposure identified on the NLRB network. An attacker can run simple scanning tools and discover user IDs without having to go through the laborious process of having to actually circumvent existing security controls. The effect of allowing weak password configurations is that normal security controls can be easily bypassed just by using a user ID that already has the authority that an attacker desires. According to the NIST Special Publications 800-18 guidelines, password complexity should be six to eight characters in length, encompass all user IDs on a system, and allow for the use of alphanumeric as well as special characters.
Anonymous logons were allowed. Through anonymous logons an attacker can determine the logon IDs that exists on a system as well as registry information and gain access to the security accounts manager password file. The use of anonymous logons allow users to bypass access control lists that are on the specific system. The user who gains unauthorized access to a system can then use the connection to further exploit the system. This has the effect of rendering other forms of security useless.
Of the 18 internal and 5 external systems that were scanned, none of them shared a common configuration. Systems performing the same functions, but for different regions, showed vastly different services running and services available to run. Allowing different system configurations makes system administration difficult because no one can determine when processes are running that should not be running. Thus, the effect of opening security vulnerabilities may go undetected.
Many systems support other types of access beyond the normal user sign-on process. Some of these accesses are allowed for remote system administration or remote system access and are accomplished through a service such as file transfer protocol or terminal emulation, also known as Telnet. The need for the accesses should be determined by the system administrator. Each entry point into a system needs to have a banner page stating the consequences for improper use of the system and its resources.
When software is installed it will often open ports or install components unbeknownst to the administrator. These often take the form of services provided through Web pages. These Web pages are rife with security vulnerabilities such as default logon IDs, buffer overflows, and access to system information. On several of the 18 internal systems scanned, such Web pages existed that allow access to system information, such as modules loaded and processing on the system, and allowing for changes to be made in the system configuration.
Appendix A contains the vulnerabilities and recommended solutions listed by site for each of the tests conducted in this assessment.
3.2 SECURITY TEST AND EVALUATION
Our analysis revealed that the controls that are not in place pose risks to the NLRB and should be addressed as soon as possible. Each of these controls would enhance the security between Board and General Counsel; conversely, each control not in place reduces the security of the separation between them.
A summary of the controls that are not in place is presented.
Appendix B lists all system tests conducted and their results.
4. SUGGESTIONS
We suggest that the Chief Information Officer:
1. Implement a password policy that is in accordance with NIST guidelines;
2. Prohibit the use of anonymous logons by changing the system registry for the affected systems;
3. Develop and implement a standard system configuration policy;
4. Place a banner page, mirroring the one used for normal sign-on, at every system entry point;
5. Examine Web page access compromised through software installation and remove Web pages when not needed for system operations; and
6. Implement controls identified in the ST&E as not being in place.