Department of Homeland Security
Office of Inspector General
Audit of Security Controls for DHS Information Technology Systems at Dallas/Fort Worth International Airport
OIG-14-132 September 2014
OFFICE OF INSPECTOR GENERAL Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov
September 5, 2014

MEMORANDUM FOR: Luke J. McCormack, Chief Information Officer
FROM: Richard Harsche, Acting Assistant Inspector General, Office of Information Technology Audits
SUBJECT: Audit of Security Controls for DHS Information Technology Systems at Dallas/Fort Worth International Airport

Attached for your information is our final report, Audit of Security Controls for DHS Information Technology Systems at Dallas/Fort Worth International Airport. We incorporated the formal comments from the Transportation Security Administration, the U.S. Customs and Border Protection, and the U.S. Immigration and Customs Enforcement in the final report.

The report contains 19 recommendations aimed at improving security controls for the department's information systems. Your office concurred with 18 of the recommendations. As prescribed by the Department of Homeland Security Directive 077-01, Follow-Up and Resolutions for Office of Inspector General Report Recommendations, within 90 days of the date of this memorandum, please provide our office with a written response that includes your (1) agreement or disagreement, (2) corrective action plan, and (3) target completion date for each recommendation. Also, please include responsible parties and any other supporting documentation necessary to inform us about the current status of the recommendation.

The OIG considers recommendation 6 as unresolved and open. Based on information provided in your response to the draft report, we consider recommendations 2, 15, and 18 resolved and closed. We consider the other recommendations in this report to be resolved but open. Once your office has fully implemented the recommendations, please submit a formal closeout request to us within 30 days so that we may close the recommendations. The request should be accompanied by evidence of completion of agreed-upon corrective actions.

Please email a signed PDF copy of all responses and closeout requests to OIGITAuditsFollowup@oig.dhs.gov. Until your response is received and evaluated, the recommendations will be considered open.
Consistent with our responsibility under the Inspector General Act, we will provide copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director of Information Systems Division, at (202) 254-5451.

Attachment

www.oig.dhs.gov OIG-14-132
Table of Contents

Executive Summary
Background
Results of Audit
    TSA Did Not Comply Fully with DHS Sensitive Systems Policies
        Recommendations
        Management Comments and OIG Analysis
    CBP Did Not Comply Fully with DHS Sensitive Systems Policies
        Recommendations
        Management Comments and OIG Analysis
    ICE Did Not Comply Fully with DHS Sensitive Systems Policies
        Recommendations
        Management Comments and OIG Analysis

Appendixes

Appendix A: Objectives, Scope, and Methodology
Appendix B: Management Comments to the Draft Report
Appendix C: DHS Activities at Dallas/Fort Worth International Airport
Appendix D: Major Contributors to This Report
Appendix E: Report Distribution
Abbreviations
CBP      U.S. Customs and Border Protection
CIO      Chief Information Officer
CISO     Chief Information Security Officer
CVE      Common Vulnerabilities and Exposures
DFW      Dallas/Fort Worth International Airport
DHCP     Dynamic Host Configuration Protocol
DHS      Department of Homeland Security
EDS      Explosive Detection System
FAMS     Federal Air Marshal Service
FAMSNet  Federal Air Marshal Service Network
FISMA    Federal Information Security Management Act of 2002
GAO      Government Accountability Office
HSI      Homeland Security Investigations
ICE      U.S. Immigration and Customs Enforcement
ICS      Infrastructure Core System
ISSO     Information System Security Officer
ISVM     Information Security Vulnerability Management
IT       information technology
LAN      local area network
NOC      Network Operations Center
OCIO     Office of the CIO
OIG      Office of Inspector General
OneNet   DHS One Network
OSC      Office of Security Capabilities
OWFPS    Office of the Chief Information Officer Workstations with File and Print Servers
SAC      Special Agent in Charge
SOC      Security Operations Center
STIP     Security Technology Integrated Program
TSA      Transportation Security Administration
TSANet   Transportation Security Administration Network
UPS      uninterruptible power supply
WFPS     Windows File and Print System
Executive Summary

We audited security controls for Department of Homeland Security information technology systems at Dallas/Fort Worth International Airport. Four Department components—the Management Directorate, Transportation Security Administration, U.S. Customs and Border Protection, and U.S. Immigration and Customs Enforcement—operate information technology systems that support homeland security operations at this airport.

Our audit focused on how these components have implemented computer security operational, technical, and management controls for their systems at the airport and nearby locations. We performed onsite inspections of the areas where information technology systems and assets were located, interviewed departmental staff, and conducted technical tests of computer security controls. We also reviewed applicable policies, procedures, and other relevant documentation.

The information technology security controls implemented at these sites had deficiencies that, if exploited, could result in the loss of confidentiality, integrity, and availability of the components' information technology systems. We identified numerous deficiencies in the information technology security controls associated with the Transportation Security Administration's Security Technology Integration Program system. For example, physical security and environmental controls for rooms containing this system's information technology assets need improvement. Further, onsite servers for this system were not being scanned regularly for vulnerabilities. Lastly, technical security controls for Customs and Border Protection and Immigration and Customs Enforcement information technology resources also need improvement.

We have briefed the components and the Department's Chief Information Systems Security Officer on the results of our audit. We have also made 19 recommendations addressing the control deficiencies identified in this report. We have included a copy of the Department's comments to the draft report in their entirety in appendix B.
Background

We designed our audits of information technology (IT) security controls to provide senior Department of Homeland Security (DHS) officials with timely information on whether they had properly implemented DHS IT security policies at critical sites. Our program is based on DHS Sensitive Systems Policy Directive 4300A, version 10.0, which provides direction to DHS component managers and senior executives regarding the management and protection of sensitive systems. This directive and an associated handbook outline policies on operational, technical, and management controls necessary to ensure confidentiality, integrity, and availability within the DHS IT infrastructure and operations. These controls are defined as follows:

• Operational Controls – Focus on mechanisms primarily implemented and executed by people. For example, operational control mechanisms include physical access controls that restrict the entry and exit of personnel from an area, such as an office building, data center, or room, where sensitive information is accessed, stored, or processed.

• Technical Controls – Focus on security controls executed by information systems. These controls provide automated protection from unauthorized access, facilitate detection of security violations, and support applications and data security requirements. For example, technical controls include a password system, which performs an authentication process.

• Management Controls – Focus on managing both the system information security controls and system risk. These controls include performing risk assessments, developing Rules of Behavior, and ensuring that security is an integral part of both the system development and procurement processes.

We audited security controls for IT systems that support homeland security operations of DHS Management Directorate, Transportation Security Administration (TSA), U.S. Customs and Border Protection (CBP), and U.S. Immigration and Customs Enforcement (ICE) at Dallas/Fort Worth International Airport (DFW). As a Category X airport, DFW has a large number of passenger boardings, processing approximately 58 million passengers (158,375 passengers daily) in 2011.¹ See appendix C for specific details of DHS activities at DFW by component.

¹ There are five categories of airports—X, I, II, III, and IV. Category X airports have the largest number of passenger boardings, and category IV airports have the smallest number.
Results of Audit

TSA Did Not Comply Fully with DHS Sensitive Systems Policies

TSA did not comply fully with DHS operational, technical, and management policies for its servers and switches operating at DFW. Specifically, physical security and environmental controls for numerous TSA server rooms were deficient. Additionally, TSA did not have redundant data telecommunications lines providing service to its DFW facilities. Further, TSA had not documented the IT assets or interconnections related to the Security Technology Integrated Program (STIP). Collectively, these deficiencies place at risk the confidentiality, integrity, and availability of the data stored, transmitted, and processed by TSA at DFW.

Operational Controls

We audited the security controls for TSA server rooms and communications closets containing IT assets at DFW and at the shared TSA/Federal Air Marshal Service (FAMS) facility in Coppell, TX. We determined that onsite implementation of operational controls did not conform fully to DHS policies. These deficiencies exist in physical security, housekeeping and storage, electronic power supply protection, and temperature controls. Additionally, TSA's IT assets at DFW did not have redundant data telecommunications

Physical Security

Visitor sign-in sheets were not present in seven of nine STIP Explosive Detection System (EDS) server rooms. Additionally, TSA had not adequately secured several server rooms and communications closets containing STIP assets. For example, airline employees were using two rooms containing STIP EDS servers as break rooms. Both rooms contained non-DHS refrigerators, microwaves, and TVs. The server racks were being used to store blankets and provide electrical power. Additionally, the door lock for one room was disabled with duct tape. Figures 1a through 1f show deficiencies observed at these locations.
Figure 1a. Duct Tape on STIP EDS Server Room
Figure 1b. Blankets Stored in STIP Rack
Figure 1c. Non-DHS Equipment in STIP EDS Server Room
Figure 1d. Smartphone Powered by a STIP Rack
Figure 1e. STIP EDS Server Room with Access from Baggage Conveyer Belt
Figure 1f. STIP EDS Server Cabinet Used for Non-DHS storage

According to the DHS 4300A Sensitive Systems Handbook, version 10:

    Controls for deterring, detecting, restricting, and regulating access to sensitive areas shall be in place and shall be sufficient to safeguard against possible loss, theft, destruction, damage, hazardous conditions, fire, malicious actions, and natural disasters.

Physical security vulnerabilities that are not mitigated place at risk the confidentiality, integrity, and availability of TSA data. For example, unauthorized access to TSA server rooms may result in the loss of IT processing capability used in the screening of passengers and baggage for departing flights.
TSA has taken actions to resolve these reported deficiencies. According to TSA, the airline employees' access to the two STIP EDS server rooms has been removed. Additionally, TSA has created a key lock management process for these STIP EDS server rooms.

Housekeeping and Storage

TSA server rooms and communications closets contained excess storage items, paint, and cleaning supplies. During our fieldwork, TSA staff removed paint cans from a FAMS location. Additionally, the STIP EDS server rooms contained trash, and work areas were dusty. (See figures 2a through 2c for details.)

Figure 2a. Paint Cans in Server Room
Figure 2b. Dust Covered STIP Workstation
Figure 2c. Trash in STIP EDS Server Room

According to the DHS 4300A Sensitive Systems Handbook:

• Dusting of hardware and vacuuming of work areas should be performed weekly, with trash removal performed daily. Dust accumulation inside of monitors and computers is a hazard that can damage computer hardware.

Housekeeping and storage vulnerabilities that are not mitigated place at risk the availability of TSA data. For example, computer hardware damaged by dust and debris may not be available for TSA's passenger and baggage screening processes.

Electronic Power Supply Protection

Uninterruptible power supply (UPS) for Transportation Security Administration Network (TSANet), Infrastructure Core System (ICS), STIP, and Federal Air Marshal Service Network (FAMSNet) systems at four of 12 server rooms
reviewed showed warning lights signaling that the battery needed to be replaced or that the battery was being bypassed.

According to the DHS 4300A Sensitive Systems Handbook:

    Electrical power must be filtered through an uninterruptible power supply (UPS) system for all servers and critical workstations. Surge suppressing power strips must be used to protect all other computer equipment from power surges.

Electrical power supply vulnerabilities that are not mitigated place at risk the availability of TSA data. For example, TSA servers that are not connected to a working UPS may not be operational following a power outage.

According to TSA, 22 failing UPS devices were replaced across three systems (FAMSNet, TSANet, and ICS) to improve power protection and ensure policy compliance.

Environmental Controls

All TSA server rooms exceeded the temperature ranges established by DHS policies. Additionally, several of the server rooms did not contain temperature or humidity sensors. However, the TSA server rooms were within humidity ranges established by DHS policies. Table 1 provides the temperature and humidity readings for each location.
Table 1. TSA Server Rooms Temperature and Humidity Averages

Recommended temperature: 60–70 degrees Fahrenheit. Recommended humidity: 35–65 percent.

| Location | Temperature: Office of Inspector General (OIG) Average | Temperature: TSA Reading | Humidity: OIG Average | Humidity: TSA Reading |
|---|---|---|---|---|
| FAMS Coppell | 70.7 | 68 | 56.5 | No Sensor |
| ICS Coppell | 75.1 | 72 | 40.7 | 41 |
| ICS/STIP Terminal B | 73.3 | 74 | 43.2 | 38 |
| STIP Terminal B Room 2 | 75.2 | 66 | 49.7 | No Sensor |
| STIP Terminal A | 77.9 | No Sensor | 41.3 | No Sensor |
| STIP Terminal C Room 1 | 78.8 | 76 | 51 | No Sensor |
| STIP Terminal C Room 2 | 78.73 | 75 | 57.8 | No Sensor |
| STIP Terminal E Room 1 | 84.8 | No Sensor | 54.9 | No Sensor |
| STIP Terminal E Room 2 | 77.6 | 75 | 54.1 | 59 |
| STIP Terminal E Room 3 | 76.9 | 83 | 50.6 | No Sensor |
| STIP Terminal D Room 1 | 75.6 | No Sensor | 49.6 | No Sensor |
| STIP Terminal D Room 2 | 75.8 | No Sensor | 42.0 | No Sensor |

Temperature readings in red exceeded the DHS recommended temperature.

Further, one STIP EDS server room contained a non-DHS heater inside a server rack. (See figure 3 for details.)
Figure 3. Non-DHS Heater in STIP EDS Rack

According to the DHS 4300A Sensitive Systems Handbook:

• Temperatures in computer storage areas should be held between 60 and 70 degrees Fahrenheit.
• Humidity should be at a level between 35 percent and 65 percent.

High temperatures can damage sensitive elements of computer systems. Therefore, TSA should monitor and adjust server room temperature accordingly.

Redundant Data Telecommunications Services

TSA had not established redundant telecommunications services at its Coppell facility or at DFW. Specifically, while there was a data telecommunications circuit for each server room at the Coppell facility and each terminal at DFW, TSA had not configured these circuits to provide redundancy. As a result, performance of mission activities at these locations was vulnerable to disruptions in the event of a data telecommunications circuit failure.

According to DHS 4300A Sensitive Systems Handbook, Attachment M, Tailoring National Institute of Standards and Technology (NIST) SP 800-53 Security Controls v91xls:

    Risk and Infrastructure – A risk-based management decision is made on the requirements for telecommunication services. The availability requirements for the system will determine the time period within which the system connections must be available. If continuous availability is required, redundant telecommunications services may be an option.
Redundant data telecommunications services vulnerabilities that are not mitigated place at risk the availability of TSA data. For example, if there is a service disruption on the one telecommunications line, IT systems may not be available for TSA's passenger and baggage screening processes.

According to TSA staff, TSA determined it is not necessary to install redundant data circuits for each of the individual circuits already at DFW because TSA has seven telecommunications data circuits providing connectivity to the FSD Office, FAMS Field Office, and five DFW terminals.

Technical Controls

TSA's implementation of technical controls for systems operating at DFW did not conform fully to DHS policies. For example, Office of Security Capabilities (OSC) had not implemented a process to report STIP-related computer security incidents to the TSA Security Operations Center (SOC). Additionally, TSA had not resolved in a timely manner identified patch management vulnerabilities on FAMSNet and ICS servers at DFW. Further, TSA was not scanning STIP EDS servers at DFW for vulnerabilities.

STIP Computer Security Incidents

OSC had not established procedures to report STIP-related computer security incidents to TSA SOC. According to TSA staff, if STIP users identify a problem, they report it to a contractor-operated TSA Service Response Center. There were no procedures in place for this center to report computer security incidents to TSA SOC.

According to DHS 4300A Sensitive Systems Handbook, Attachment F, Incident Response and Reporting:

    All users of DHS information systems, including system and network administrators and security officers, have the following responsibilities:

    • Report incidents to Component SOCs immediately upon suspicion or recognition.

STIP computer security incidents that are not reported to TSA SOC place at risk the confidentiality, integrity, and availability of TSA data. Specifically, without adequate reporting, TSA SOC may not be able to effectively coordinate incident
response and initiate incident evaluation processes to a STIP-related computer security incident.

Patch Management

In December 2013, we observed TSA staff scanning two FAMSNet and six ICS servers located at DFW for vulnerabilities. These technical scans detected high vulnerabilities on the eight servers. Additionally, four of the servers had a critical vulnerability. In addition, patch information for some vulnerabilities was published more than one year before the scans were performed. Further, TSA had provided vulnerability assessment reports to DHS for only five of the eight servers identified at DFW. Table 2 provides the number of vulnerabilities by server.

Table 2. Critical and High Vulnerabilities by Common Vulnerabilities and Exposures (CVE)

| TSA Server Name | Total Number of Critical Vulnerabilities | Total Number of Unique High Vulnerabilities² | Total Number of High or Critical CVEs³ | Date of Last Vulnerability Scan Report to DHS |
|---|---|---|---|---|
| Server 1 | 0 | 2 | 1 | 12/19/2013 |
| Server 2 | 1 | 10 | 15 | 12/19/2013 |
| Server 3 | 1 | 6 | 3 | 12/19/2013 |
| Server 4 | 0 | 2 | 1 | Not Reported |
| Server 5 | 1 | 9 | 14 | Not Reported |
| Server 6 | 1 | 6 | 3 | Not Reported |
| Server 7 | 0 | 2 | 2 | 12/19/2013 |
| Server 8 | 0 | 1 | 1 | 12/19/2013 |

According to DHS 4300A Sensitive Systems Handbook:

    Information security patches shall be installed in accordance with configuration management plans and within the timeframe or direction

² The scanning software provides a description of the vulnerabilities. Several CVEs may have the same vulnerability description. Additionally, the vulnerability may not have an associated CVE, such as "AntiVirus Software Check."
³ According to National Institute of Standards and Technology Interagency Report 7298, Revision 1, Glossary of Key Information Security Terms, CVE is a dictionary of common names for publicly known information system vulnerabilities.
    stated in the Information Security Vulnerability Management (ISVM) message.

According to DHS 4300A Sensitive Systems Handbook, Attachment O, Vulnerability Management Program:

    Detailed vulnerability assessment scan schedules and results must be provided to the DHS Vulnerability Management Branch in order to satisfy Federal Information Security Management Act requirements for enterprise-wide security situational awareness of assets and risks.

Further, TSA was not scanning for vulnerabilities on the STIP EDS servers at DFW. According to TSA staff, STIP EDS servers similar to those at DFW were scanned in June 2013. Those scans determined that the vendor did not support some system software and other software did not contain the latest security patches. Those scans also reported more than 79 high vulnerabilities on the STIP devices.

According to DHS Sensitive Systems Policy Directive 4300A:

    Components shall manage systems to reduce vulnerabilities through vulnerability testing and management, promptly installing patches, and eliminating or disabling unnecessary services.

Server vulnerabilities that are not mitigated place at risk the confidentiality, integrity, and availability of TSA data. For example, one of the unpatched vulnerabilities would allow arbitrary code execution on TSA's information systems.

According to TSA staff, several of the identified vulnerabilities were considered to be 'false-positive' or duplicates.⁴ For example, according to TSA staff, one false-positive was a result of identifying an application that was not in use. Additionally, TSA has resolved several of the identified vulnerabilities and has remediation plans for the remaining.

Management Controls

TSA's management controls for systems operating at DFW did not conform fully to DHS policies. Specifically, OSC had not established interconnection security agreements to document the STIP connections to non-DHS baggage handling

⁴ A false-positive is a vulnerability that does not actually exist but is counted in a measurement.
systems. According to TSA, if the STIP software or a TSA screener determines that an individual bag is not considered hazardous, the STIP EDS device sends a signal to the baggage handling system to allow the bag to continue onto the baggage handling system. Additionally, the STIP system security plan, which is a security authorization process document, did not describe the servers, switches, and workstations associated with the system.

According to DHS 4300A Sensitive Systems Handbook, Attachment N, Preparation of Interconnection Security Agreements:

    An ISA [Interconnection Security Agreement] is required whenever the security policies of the interconnected systems are not identical and the systems are not administered by the same Authorizing Official.

According to DHS 4300A Sensitive Systems Handbook, the Authorizing Official:

    Ensures new hardware and software products have been approved and documented in the Security Authorization Process documentation.

Undocumented interconnection security agreements place at risk the confidentiality, integrity, and availability of TSA data. For example, the security protections that must operate on interconnected systems may not be established without an interconnection security agreement.

Security authorization is the official management decision to authorize operation of an information system. Security authorization involves comprehensive testing and evaluation of security features and addresses software and hardware security safeguards. The Authorizing Official will not be able to make an informed decision about the security of a system if the system's hardware inventory is incomplete.

Recommendations

We recommend that the TSA Chief Information Officer (CIO):

Recommendation 1
Comply with DHS policy concerning physical security, temperature, housekeeping, and electronic power supply protection at locations at DFW that contain TSA IT assets.
Recommendation 2
Determine whether it is necessary and cost effective to establish redundant data telecommunications services at TSA's Coppell facility and DFW terminal locations.

Recommendation 3
Establish a process to report STIP computer security incidents to TSA SOC.

Recommendation 4
Scan TSA servers annually and resolve identified vulnerabilities within the timeframe or direction stated in the Information Security Vulnerability Management message published by DHS SOC.

Recommendation 5
Provide required vulnerability assessment reports to the DHS Vulnerability Management Branch.

Recommendation 6
Establish interconnection security agreements to document the interconnection between STIP and non-DHS baggage handling systems.

Recommendation 7
Document in the system security plan the STIP servers, switches, and workstations.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the Assistant Director, Departmental Government Accountability Office (GAO) OIG Audit Liaison. We have included a copy of the comments in their entirety in appendix B. DHS concurred with recommendations 1 through 5 and 7. DHS non-concurred with recommendation 6. Additionally, TSA provided documentation to support the resolution and closure of recommendation 2. Further, TSA has already taken actions to resolve reported deficiencies with
recommendations 1, 3 through 5, and 7. We consider these recommendations resolved but open pending verification of planned actions.

Recommendation 1
TSA concurred and initiated a project at DFW in 2013 to replace failing UPS devices. TSA has remediation plans to resolve the electrical supply deficiency. The remaining six UPSs were refreshed. Additionally, FAMS temperature/humidity sensors are in place and functional. Documentation illustrating remediation of several housekeeping concerns was provided to OIG. However, to complete the recommendation, TSA must secure the cooperation of third parties at DFW. TSA will work with these third parties to close the recommendation.

TSA's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until TSA provides documentation to support that the planned corrective actions are completed.

Recommendation 2
TSA concurred with this recommendation. TSA has determined that it would not be cost effective to implement the redundancies. TSA requested that OIG close recommendation 2.

TSA's actions satisfy the intent of this recommendation. We consider this recommendation resolved and closed.

Recommendation 3
TSA concurred with this recommendation. TSA's Cybersecurity Awareness and Outreach Support Team will reach out to the DFW TSA staff to appropriately train those personnel on the correct incident reporting process. The estimated completion date is June 30, 2015.

TSA's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until TSA provides documentation to support that the planned corrective actions are completed.
Recommendation 4
TSA concurred with this recommendation. According to TSA, servers are scanned on a monthly basis and the results or data feeds are submitted to the DHS Vulnerability Management Branch. Evidence of reports can be provided as requested. TSA supports the DHS Information Security Vulnerability Management program by resolving vulnerabilities as directed by DHS SOC to Alerts and Bulletins. Additionally, TSA requested that OIG consider this recommendation resolved and closed.

However, TSA has not provided documentation that the STIP EDS servers at DFW are being scanned on a monthly basis. Additionally, TSA has not provided documentation that actions have been taken to resolve the vulnerabilities identified on the ICS servers.

TSA's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until TSA provides documentation to support that the planned corrective actions are completed.

Recommendation 5
TSA concurred with this recommendation. According to TSA, servers are scanned on a monthly basis and the results or data feeds are subsequently submitted to the DHS Vulnerability Management Branch. Evidence of reports will be provided to OIG upon request. TSA requested that OIG consider this recommendation resolved and closed.

However, TSA has not provided documentation that vulnerabilities associated with the STIP EDS servers at DFW are being reported. TSA's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until TSA provides documentation to support that the planned corrective actions are completed.

Recommendation 6
TSA non-concurred with this recommendation. According to TSA, the STIP does not have an interconnection with non-DHS baggage handling systems, and therefore an interconnection security agreement is not needed. TSA requested that OIG consider this recommendation resolved and closed.
However, during the audit TSA provided documentation that these connections do occur. The documentation details the types of connections between STIP EDS and the Baggage Handling System, as well as the data transmitted between the two systems. We consider this recommendation unresolved and open; it will remain unresolved and open until TSA provides a corrective action plan.

Recommendation 7
TSA concurred with this recommendation. According to TSA, the STIP EDS server and endpoint inventory will be assessed during the Security Authorization process during 2014–2015 and shall be added as an artifact in the DHS Information Assurance Compliance System, where the Security Plan is also stored. The estimated completion date is June 30, 2015.

TSA's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until TSA provides documentation to support that the planned corrective actions are completed.

CBP Did Not Comply Fully with DHS Sensitive Systems Policies

CBP did not comply fully with DHS operational, technical, and management controls. Specifically, the two CBP server rooms audited exceeded temperature ranges established by DHS policies. Additionally, CBP had not implemented known patches to its servers at DFW. CBP also had not appointed an information system security officer (ISSO) for the Windows File and Print System (WFPS). Collectively, these deficiencies place at risk the confidentiality, integrity, and availability of the data stored, transmitted, and processed by CBP at DFW.

Operational Controls

CBP server rooms and communications closets at DFW and the Port Office of Dallas were clean and well maintained. Further, CBP had implemented additional physical security for IT assets in public areas. However, onsite implementation of environmental controls that did not conform fully to DHS policies included inadequate temperature and humidity controls for CBP's two servers' rooms at DFW.

Physical Security Controls

During our audit fieldwork, we observed that CBP had taken additional steps to secure their IT assets in areas that could be accessible by the public. Specifically,
CBP had secured the ports connecting to these devices with a hardware lock. (See figure 4 for details.)

Figure 4. Hardware Locks on LAN Ports

Environmental Controls

The two CBP server rooms exceeded the temperature ranges established by DHS policies. Additionally, one of the two CBP server rooms did not contain temperature or humidity sensors. However, CBP server rooms were within humidity ranges established by DHS policies. Table 3 provides the temperature and humidity readings for each location.

Table 3. CBP Server Rooms Temperature and Humidity Averages

Recommended temperature: 60–70 degrees Fahrenheit. Recommended humidity: 35–65 percent.

| Location | Temperature: OIG Average | Temperature: CBP Reading | Humidity: OIG Average | Humidity: CBP Reading |
|---|---|---|---|---|
| Concourse D | 73.8 | No Sensor | 44.01 | No Sensor |
| Port Office of Dallas | 72.3 | 66 | 48.3 | 53 |

According to CBP officials, repairs were made to the air conditioner at the Port Office server room, resolving this deficiency. Additionally, based upon a request by CBP, the DFW Airport Authority resolved the temperature deficiency in the Concourse D server room. Further, CBP is working with DFW Airport to establish monitoring and alerting for temperatures that fall outside established ranges.
According to the DHS 4300A Sensitive Systems Handbook:

• Temperatures in computer storage areas should be held between 60 and 70 degrees Fahrenheit.
• Humidity should be at a level between 35 percent and 65 percent.

High temperatures can damage sensitive elements of computer systems. Therefore, CBP should monitor and adjust the server room accordingly.

Technical Controls—Patch Management

In October 2013, we observed CBP staff scan servers located at DFW for vulnerabilities.⁵ These technical scans detected critical and high vulnerabilities on the five servers. Table 4 provides the number of vulnerabilities for each server.

Table 4. Critical and High Vulnerabilities by CVE

| CBP Server Name | Total Number of Critical Vulnerabilities | Total Number of Unique High Vulnerabilities | Total Number of High or Critical CVEs | Date of Last Vulnerability Scan Report to DHS |
|---|---|---|---|---|
| Server 1 | 2 | 2 | 11 | 12/19/2013 |
| Server 2 | 2 | 6 | 23 | 12/19/2013 |
| Server 3 | 2 | 7 | 23 | 12/19/2013 |
| Server 4 | 5 | 9 | 200 | 12/19/2013 |
| Server 5 | 2 | 8 | 60 | 12/19/2013 |

According to DHS 4300A Sensitive Systems Handbook:

    Components shall manage systems to reduce vulnerabilities through vulnerability testing and management, promptly installing patches, and eliminating or disabling unnecessary services.

Server vulnerabilities that are not mitigated place at risk the confidentiality, integrity, and availability of CBP data. These risks allow arbitrary code execution on CBP's information systems.

⁵ According to the DHS Office of the Chief Information Security Officer, CBP had provided reports of vulnerabilities for five of the servers at DFW.
During the course of our audit, CBP took actions to correct many of the identified vulnerabilities. For example, CBP removed server 4 from the network and installed the necessary patches to resolve the critical vulnerabilities, except for one that CBP considers a 'false-positive.' According to CBP staff, this false-positive was the result of the scanning software not properly identifying the version of the target system.

Management Controls

CBP's implementation of management controls for systems operating at DFW did not conform fully to DHS policies. Specifically, since January 2013, the WFPS has been without an ISSO to receive and manage IT system security matters. Additionally, CBP does not have centralized storage for Southwest Field local area network (LAN) audit logs because there is insufficient space to store and maintain the audit logs. However, CBP has recognized the audit log storage space issue as a deficiency and has created a plan of actions and milestones to address it.

Further, as part of our DFW fieldwork, we requested the implementation status of our previous Dynamic Host Configuration Protocol (DHCP) audit log recommendation.⁶ Specifically, we reported in July 2013 that CBP was not reviewing the automated DHCP server messages. We recommended that CBP assign the responsibility to review DHCP server automatic messages and LAN audit logs. According to CBP staff, the Network Operations Center (NOC) and the DHS OneNetwork (OneNet) Security teams are verifying that the audit logs are being sent to the National Data Center. In addition, the OneNet Security team had created a standard operating procedure for the review and was performing weekly reviews. Furthermore, the NOC ISSO and the OneNet security team plan to review the audit logs.

However, the tool used for collecting, unifying, storing, and automating security logs and events for analysis and reporting was not receiving the required data. According to the CBP staff, hardware and software need to be upgraded to assure that the events are sent to the NOC and OneNet Security Teams. Also, according to CBP staff, while a new logging solution has been identified, the solution has not received funding and has been placed on the 2014 unfunded requirements lists. CBP submitted a waiver request to the DHS Chief Information Security Officer (CISO) to accept the risk. In March 2014, DHS CISO approved this

⁶ Technical Security Evaluation of DHS Activities at Hartsfield-Jackson Atlanta International Airport (OIG-13-104), July 2013
waiver.

According to DHS 4300A Sensitive Systems Handbook:

An ISSO shall be designated for every information system and serve as the point of contact for all security matters related to that system.

Components shall ensure that audit logs are recorded and retained in accordance with the Component's Record Schedule or with the DHS Records Schedule. At a minimum, audit trail records shall be maintained online for at least ninety (90) days. Audit trail records shall be preserved for a period of seven (7) years as part of managing records for each system to allow audit information to be placed online for analysis with reasonable ease.

Management control vulnerabilities that are not mitigated place at risk the confidentiality, integrity, and availability of CBP data. For example, without assigning the responsibility to an ISSO, components may not adequately implement and maintain system security controls in accordance with the DHS policies.

Recommendations

We recommend that CBP CIO:

Recommendation 8:
Maintain the temperature and humidity of the identified server rooms within the temperature and humidity ranges established by the DHS 4300A Sensitive Systems Handbook.

Recommendation 9:
Address and resolve identified vulnerabilities within the timeframe or direction stated in the Information Security Vulnerability Management message published by DHS SOC.

Recommendation 10:
Designate an ISSO for WFPS.
Recommendation 11:
Store, maintain, and review, as recommended by the DHS 4300A Sensitive Systems Handbook:
• WFPS audit logs, and
• DHCP audit logs.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the Assistant Director, Departmental GAO/OIG Audit Liaison. We have included a copy of the comments in their entirety in appendix B. DHS concurred with recommendations 8 through 11 and has already taken actions to resolve reported deficiencies. We consider these recommendations resolved, but open pending verification of planned actions.

Recommendation 8:
CBP concurred with this recommendation. CBP corrected the temperature in the Dallas Port Office LAN Room. CBP also corrected the temperature in the DFW Airport LAN Room by asking DFW Airport to lower the set point of the room to 68 degrees Fahrenheit. CBP is working with DFW Airport Authority to establish monitoring and alerting for temperatures that fall outside established ranges within the LAN Room. The estimated completion date is October 31, 2014.

CBP's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until CBP provides documentation to support that the planned corrective actions are completed.

Recommendation 9:
CBP concurred with this recommendation. CBP plans to continue to patch system vulnerabilities in a timely manner and will ensure that outstanding patches are implemented. The estimated completion date is December 31, 2014.

CBP's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until CBP provides documentation to support that the planned corrective actions are completed.
Recommendation 10:
CBP concurred with this recommendation. CBP plans to provide ISSO duties to WFPS initially through existing ISSO resources while a contract ISSO is added to the existing contract. Other options are being reviewed related to WFPS boundaries. The estimated completion date is November 30, 2014.

CBP's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until CBP provides documentation to support that the planned corrective actions are completed.

Recommendation 11:
CBP concurred with this recommendation. CBP plans to store, maintain, and review WFPS audit logs when an ISSO is assigned. Regarding the DHCP audit logs, CBP has submitted a funding request and is pursuing the capability to meet this requirement. Remediation of this part of the finding will depend upon funding approval, which is expected to be determined by the end of fiscal year 2014.

CBP's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until CBP provides documentation to support that the planned corrective actions are completed.

ICE Did Not Comply Fully with DHS Sensitive Systems Policies

ICE did not comply fully with DHS operational, technical, and management operational policies for its servers and switches operating at DFW. For example, ICE had not implemented known patches to its Special Agent in Charge (SAC) Dallas and DFW Airport Group servers, and was not regularly scanning its servers at DFW. Also, ICE had not included the Homeland Security Investigations (HSI) servers at DFW as part of a recognized Federal Information Security Management Act (FISMA) inventoried system.⁷

Additionally, one ICE server room did not comply with temperature ranges established by DHS policies. Further, ICE did not implement redundant data telecommunications lines to avoid single points of failure at DFW and SAC Dallas sites. Collectively, these deficiencies place at risk the confidentiality, integrity, and availability of the data stored, transmitted, and processed by ICE at DFW.

⁷ The Federal Information Security Management Act of 2002 (P.L. 107-347)
Operational Controls

ICE server rooms and communications closets at DFW and SAC Dallas Office were clean and well maintained. However, onsite implementation of operations controls did not conform fully to DHS policies. For example, the temperature in the DFW server room was not within the temperature range as recommended by the DHS 4300A Sensitive Systems Handbook. Additionally, the ICE site at DFW did not have redundant data telecommunications capability to avoid single points of failure.
Environmental Controls

One of the two ICE server rooms exceeded temperature ranges established by DHS policies. Additionally, one of the two ICE server rooms did not contain temperature or humidity sensors. However, the ICE server rooms were within humidity ranges established by DHS policies. Table 5 provides the temperature and humidity readings for each location.

Table 5. ICE Server Rooms Temperature and Humidity Averages

Recommended temperature: 60–70 degrees Fahrenheit. Recommended humidity: 35–65 percent.

| Location | Temperature: OIG Average | Temperature: ICE Reading | Humidity: OIG Average | Humidity: ICE Reading |
|---|---|---|---|---|
| SAC Dallas Server Room | 73.8 | 69 | 38.3 | 51 |
| DFW Storage Area Server Cabinet | 77.5 | No Sensor | 42.5 | No Sensor |

According to the DHS 4300A Sensitive Systems Handbook:
• Temperatures in computer storage areas should be held between 60 and 70 degrees Fahrenheit.
• Humidity should be at a level between 35 percent and 65 percent.

⁸ We measured the average temperature for the SAC Dallas Server Room as 72.8 degrees Fahrenheit. However, the heating, ventilation, and air conditioning (HVAC) system was momentarily shut off to facilitate the audit team site visit, accounting for the temperature variation.
The average temperature for the DFW area containing the ICE server cabinet did not meet DHS temperature requirements, at 77.5 degrees Fahrenheit. Further, ICE did not have temperature or humidity sensors present in the room. According to ICE staff, the temperature in the DFW storage area location where the server cabinet is located was managed by the DFW Airport Board.

High temperatures can damage sensitive elements of computer systems. Therefore, ICE should monitor and adjust the server room temperature accordingly.
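The comparison of room readings with the handbook ranges, written out as an added example (it is not part of the report): readings transcribed from Tables 3 and 5 are checked against the quoted ranges, and rooms with no sensor are flagged. The names, the inclusive bounds, and the third finding (an installed sensor that reads in range while the independent average does not) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ranges the report quotes from the DHS 4300A Sensitive Systems Handbook.
# Treating both ends as inclusive is an assumption of this example.
LIMITS = {
    "temperature_f": (60.0, 70.0),
    "humidity_pct": (35.0, 65.0),
}


@dataclass(frozen=True)
class Reading:
    location: str
    metric: str               # key into LIMITS
    measured: float           # independent average taken in the room
    sensor: Optional[float]   # value from the installed sensor; None = no sensor


def in_range(value: float, metric: str) -> bool:
    low, high = LIMITS[metric]
    return low <= value <= high


def evaluate(reading: Reading) -> List[str]:
    """Return the findings for one reading (empty list = nothing to report)."""
    findings = []
    measured_ok = in_range(reading.measured, reading.metric)
    if not measured_ok:
        findings.append("OUT_OF_RANGE")
    if reading.sensor is None:
        # Without a sensor nobody is alerted when the room drifts out of range.
        findings.append("NO_SENSOR")
    elif not measured_ok and in_range(reading.sensor, reading.metric):
        # Hypothetical extra check: the sensor would not have raised an alert.
        findings.append("SENSOR_IN_RANGE_WHILE_ROOM_IS_NOT")
    return findings


# Transcribed from Tables 3 and 5. The SAC Dallas Server Room row is left out
# because footnote 8 attributes its reading to the HVAC being shut off
# during the site visit.
READINGS = [
    Reading("Concourse D", "temperature_f", 73.8, None),
    Reading("Concourse D", "humidity_pct", 44.01, None),
    Reading("Port Office of Dallas", "temperature_f", 72.3, 66.0),
    Reading("Port Office of Dallas", "humidity_pct", 48.3, 53.0),
    Reading("DFW Storage Area Server Cabinet", "temperature_f", 77.5, None),
    Reading("DFW Storage Area Server Cabinet", "humidity_pct", 42.5, None),
]


def report(readings: List[Reading]) -> Dict[Tuple[str, str], List[str]]:
    """Map (location, metric) to its findings, omitting clean readings."""
    result = {}
    for reading in readings:
        findings = evaluate(reading)
        if findings:
            result[(reading.location, reading.metric)] = findings
    return result


if __name__ == "__main__":
    for (location, metric), findings in report(READINGS).items():
        print(f"{location:32} {metric:14} {', '.join(findings)}")
```
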
Data Telecommunications Services

ICE had not established redundant telecommunications services at its SAC Dallas or DFW facilities. Specifically, only a single telecommunications line serves the HSI Airport Group. Additionally, while the SAC Dallas office is served by multiple circuits, the circuits are from a single vendor and may lack diverse routing to provide sufficiently alternate telecommunications service. As a result, mission-critical activities at these locations are vulnerable to disruption in the event of a data telecommunications failure.

According to DHS 4300A Sensitive Systems Handbook, Attachment M, Tailoring NIST SP 800-53 Security Controls, v9.1.xls:

Risk and Infrastructure – A risk-based management decision is made on the requirements for telecommunication services. The availability requirements for the system will determine the time period within which the system connections must be available. If continuous availability is required, redundant telecommunications services may be an option.

Additionally, we observed an ICE data telecommunications line at DFW located in a shared wiring closet with an existing connection of DHS OneNet for CBP. The monthly cost for this circuit is approximately $330. There may be potential cost savings if the DHS OneNet connection were used by both CBP and ICE.

Redundant data telecommunications services vulnerabilities that are not mitigated place at risk the availability of ICE data. For example, if there is a service disruption on the one telecommunications line, IT systems may not be available for ICE's passenger screening processes.
Technical Controls

ICE implementation of technical controls for systems operating at DFW did not conform fully to DHS policies. For example, identified vulnerabilities on ICE servers were not being resolved in a timely fashion. Also, ICE was not regularly scanning for vulnerabilities on ICE HSI servers at DFW. Further, an insecure communications protocol was available on an ICE server.

Patch Management

In October 2013, we observed ICE security operations center staff perform a vulnerability scan on its four servers in use at SAC Dallas and DFW. These scans identified a total of nine high vulnerabilities. Table 6 provides the number of vulnerabilities for each server. Additionally, ICE had provided reports of vulnerabilities to DHS for only three of the four servers identified at DFW.

Table 6. High Vulnerabilities by CVE

| ICE Server Name | Total Number of Unique High Vulnerabilities | Total Number of High CVEs | Date of Last Vulnerability Scan Report to DHS |
|---|---|---|---|
| Office of the Chief Information Officer (OCIO) Server 1 | 1 | 0 | 12/19/2013 |
| OCIO Server 2 | 1 | 0 | 12/19/2013 |
| OCIO Server 3 | 3 | 2 | 12/19/2013 |
| HSI Server 1 | 4 | 2 | Not Reported |

According to the DHS Sensitive Systems Policy Directive 4300A:

Components shall manage systems to reduce vulnerabilities through vulnerability testing and management, promptly installing patches, and eliminating or disabling unnecessary services.
According to DHS 4300A Sensitive Systems Handbook, Attachment O, Vulnerability Management Program:

Detailed vulnerability assessment scan schedules and results must be provided to the DHS Vulnerability Management Branch in order to satisfy Federal Information Security Management Act requirements for enterprise-wide security situational awareness of assets and risks.

Server vulnerabilities that are not mitigated could compromise the confidentiality, integrity, and availability of ICE data. If the identified security vulnerabilities are not addressed, they could lead to the introduction of malicious code or unauthorized access to ICE information systems.

ICE has taken action and implemented patches to resolve the identified high vulnerabilities.

HSI Servers Were Not Regularly Scanned for Vulnerabilities

ICE had not scanned the HSI electronic surveillance servers that are isolated from the DHS OneNet.⁹

According to the DHS 4300A Sensitive Systems Handbook:

Components shall conduct vulnerability assessments and/or testing to identify security vulnerabilities on information systems containing sensitive information annually or whenever significant changes are made to the information systems.

We reported in July 2013 that ICE was not regularly scanning HSI's electronic surveillance systems for vulnerabilities, and recommended that ICE scan servers at Hartsfield-Jackson Atlanta International Airport and the SAC Atlanta office annually.¹⁰ ICE has made progress in vulnerability scanning for the DHS OneNet connected segment of the HSI communication surveillance and analysis system. However, ICE SOC did not perform a vulnerability assessment for HSI servers isolated from the DHS OneNet. Further, ICE had not implemented vulnerability scanning for the standalone electronic surveillance system.

⁹ These servers were not included in our observed October 2013 scans of ICE servers.
¹⁰ Ibid.
Proactive vulnerability scanning allows for effective countermeasures for improving security, leads to faster detection of vulnerabilities, and reduces damage to breached systems. As the electronic surveillance system is not connected to the DHS OneNet, the protection of sensitive law enforcement data may be at risk if the servers are not regularly scanned for vulnerabilities.

Insecure Communications Protocol

According to the October 2013 vulnerability assessment scans, the OCIO server at DFW was running an unencrypted telnet protocol.

According to the DHS Sensitive Systems Policy Directive 4300A:

Telnet shall not be used to connect to any DHS computer. A connection protocol such as Secure Shell (SSH) that employs secure authentication (two factor, encrypted, key exchange) and is approved by the Component shall be used instead.
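One way to verify this requirement on a server you administer, given as an added example (it is not the report's text or the scanning tool ICE used): connect to the telnet and SSH ports, classify whatever answers by its first bytes, and report any listener on the telnet port. The function names and the loopback listeners that stand in for real services are constructed for this example.

```python
import socket
import threading

TELNET_IAC = 0xFF  # RFC 854 "Interpret As Command"; telnet servers usually open with it
ADMIN_PORTS = {"telnet": 23, "ssh": 22}


def classify_banner(first_bytes):
    """Classify the first bytes a service sends after the TCP handshake."""
    if first_bytes.startswith(b"SSH-"):          # SSH identification string
        return "ssh"
    if first_bytes[:1] == bytes([TELNET_IAC]):   # telnet option negotiation
        return "telnet"
    return "unknown"


def probe(host, port, timeout=2.0):
    """Return 'closed', or the classification of what answers on host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                # refused, unreachable, or timed out
        return "closed"
    with sock:
        try:
            first = sock.recv(64)
        except OSError:            # service stayed silent or reset the connection
            first = b""
    return classify_banner(first)


def audit_host(host, ports=ADMIN_PORTS, timeout=2.0):
    """Check one host's remote-administration ports against the telnet rule."""
    telnet = probe(host, ports["telnet"], timeout)
    ssh = probe(host, ports["ssh"], timeout)
    findings = []
    if telnet != "closed":
        # Any listener on the telnet port is a finding, even one that does
        # not negotiate like telnet: the port should be disabled.
        findings.append("telnet port %d is open (%s)" % (ports["telnet"], telnet))
    if ssh != "ssh":
        findings.append("no SSH service on port %d" % ports["ssh"])
    return {"host": host, "telnet": telnet, "ssh": ssh,
            "telnet_disabled": telnet == "closed", "findings": findings}


def start_fake_service(banner):
    """Constructed stand-in: loopback listener that sends `banner` to one client."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(banner)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Return a loopback port that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Before remediation: telnet still enabled next to SSH (constructed services).
    before = audit_host("127.0.0.1", {
        "telnet": start_fake_service(b"\xff\xfd\x18"),   # IAC DO TERMINAL-TYPE
        "ssh": start_fake_service(b"SSH-2.0-Example\r\n"),
    })
    # After remediation: telnet disabled, SSH remains.
    after = audit_host("127.0.0.1", {
        "telnet": closed_port(),
        "ssh": start_fake_service(b"SSH-2.0-Example\r\n"),
    })
    print(before)
    print(after)
```
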
Server vulnerabilities that are not mitigated could compromise the confidentiality of ICE data. Specifically, telnet transfers information in "clear text" (unencrypted, human-readable text), which allows other users on the LAN to intercept and read the traffic.

According to ICE officials, the insecure protocol was a default setting for the remote administration access that had not been disabled. ICE officials have reported that the telnet vulnerability was resolved during our audit fieldwork by disabling telnet access.

Management Controls

ICE implementation of management controls for systems operating at SAC Dallas and DFW facilities did not conform fully to DHS policies. Specifically, ICE had not individually accounted for the servers hosting HSI's communications analysis and surveillance systems as part of a recognized system in the Department's FISMA inventory. Further, the standalone electronic surveillance system was not included in a FISMA inventory.

We reported in July 2013 that ICE officials planned to include the HSI servers as part of the ICE Subpoena System, a FISMA inventory.¹¹ In November 2013, ICE

¹¹ Ibid.
officials reported that they were implementing the recommendation and included the communications analysis and surveillance software as part of the ICE Subpoena System security plan. However, ICE's plan for inclusion of the communications analysis and surveillance software into the ICE Subpoena System security plan is limited to software. ICE officials do not consider the physical servers as part of the ICE Subpoena System. Accordingly, the communications analysis and surveillance servers are not part of a FISMA inventory.

At DFW, the physical servers used for the communications analysis and surveillance system are former OCIO servers that ICE repurposed. Local OCIO staff continue to maintain the physical servers following repurposing, but consider the servers running communications analysis and surveillance software as owned by HSI. (See figure 5 for details.)

Figure 5. An HSI Communications Analysis and Surveillance System Server and OCIO Servers in the Same Rack
According to the DHS Sensitive Systems Policy Directive 4300A:

Every DHS computing resource (desktop, laptop, server, portable electronic device, etc.) shall be individually accounted for as part of a FISMA-Inventoried information system.

ICE officials reported taking steps to include the surveillance systems servers as part of recognized FISMA-inventory. In addition to the physical servers for the communications analysis and surveillance system, the standalone electronic surveillance system will be added to the FISMA inventory.

Recommendations

We recommend that ICE CIO:

Recommendation 12:
Maintain server rooms at DFW within DHS' recommended temperature ranges.

Recommendation 13:
Determine whether it is necessary and cost effective to establish redundant data telecommunications services at the SAC Dallas facility.

Recommendation 14:
Determine whether it would be cost effective to share the DHS OneNet connection in the shared CBP/ICE communications closet.

Recommendation 15:
Resolve identified vulnerabilities within the timeframe or direction stated in the Information Security Vulnerability Management message published by DHS SOC.

Recommendation 16:
Provide required vulnerability assessment reports to the DHS Vulnerability Management Branch.
Recommendation 17:
Scan the ICE servers at the SAC Dallas sites annually, including HSI systems separated from DHS OneNet.

Recommendation 18:
Use a connection protocol that employs secure authentication, or disable unnecessary ports from the server.

Recommendation 19:
Include the HSI surveillance system servers in a recognized FISMA-inventoried system.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the Assistant Director, Departmental GAO/OIG Audit Liaison. We have included a copy of the comments in their entirety in appendix B. DHS concurred with recommendations 12 through 19. Additionally, ICE has provided documentation to support the resolution and closure of recommendations 15 and 18. Further, ICE has already taken actions to resolve reported deficiencies with recommendations 12, 13, 14, 16, 17, and 19. We consider these recommendations resolved, but open pending verification of planned actions.

Recommendation 12:
ICE concurred with this recommendation. ICE plans to work with CBP to request and complete changes necessary with DFW parties to maintain the server rooms within DHS' recommended temperature ranges. The estimated completion date is September 30, 2014.

ICE's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until ICE provides documentation to support that the planned corrective actions are completed.
Recommendation 13:
ICE concurred with this recommendation. ICE HSI plans to review the potential mission/business impact if the SAC Dallas Facility loses connectivity. A risk-based decision to establish redundant data telecommunications will be made after the analysis is complete. The estimated completion date for this recommendation is December 31, 2014.

ICE's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until ICE provides documentation to support that the planned corrective actions are completed.

Recommendation 14:
ICE concurred with this recommendation. ICE OCIO plans to work with CBP to determine if it is cost effective to share the DHS OneNet Connection in the DFW shared CBP/ICE communications closet. The estimated completion date for this recommendation is December 31, 2014.

ICE's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until ICE provides documentation to support that the planned corrective actions are completed.

Recommendation 15:
ICE concurred with this recommendation. There were nine vulnerabilities noted in the audit report. ICE SOC remediated and validated these nine identified vulnerabilities by December 16, 2013. On a monthly basis, the ICE Chief Information Security Officer and Authorizing Official meet to review ISVM compliance over the previous 60 days. During this meeting, approval to create a plan of action and milestones for unmet ISVM dates are provided and/or a request is made to patch devices within a specified time period. Scans were sent to OIG on December 16, 2013. ICE requested that OIG consider this recommendation resolved and closed.

ICE's actions satisfy the intent of this recommendation. We consider this recommendation resolved and closed.
Recommendation 16:
ICE concurred with this recommendation. An ongoing schedule for scanning OCIO Workstations with File and Print Servers (OWFPS) Organizational Units on a monthly basis, which includes SAC Dallas and DFW, has been developed and implemented. Results of the scans are provided in ICE's monthly report to the DHS Vulnerability Management Branch. Evidence of reports can be provided separately. A 6-month forecasted Vulnerability Assessment Test scan schedule was created and implemented as part of the transition to a new vendor. ICE requested that OIG consider this recommendation resolved and closed.

While ICE has provided documentation concerning OWFPS, ICE has not provided documentation concerning vulnerability reporting for HSI systems separated from DHS OneNet. ICE's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until ICE provides documentation to support that the planned corrective actions are completed.

Recommendation 17:
ICE concurred with this recommendation. An ongoing schedule for scanning OWFPS Organizational Units, which includes SAC Dallas and DFW, has been developed and implemented. A 6-month forecasted Vulnerability Assessment Test scan schedule was created and implemented as part of the transition to a new vendor.

ICE OCISO and ICE HSI will determine if scanning the standalone servers is appropriate. The servers contain law enforcement sensitive data; therefore, there is a need to verify that chain of custody rules are not violated by the scan. After the determination is made, either a plan of action and milestones will be opened by ICE HSI to determine procedures for coordinating with ICE SOC to scan ICE HSI systems separate from DHS OneNet, or ICE OCISO will assist ICE HSI with creating a waiver request. The estimated completion date for this recommendation is December 31, 2014.

ICE's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until ICE provides documentation to support that the planned corrective actions are completed.
Recommendation 18:
ICE concurred with this recommendation. The unsecure protocol, telnet, was a default setting for the remote administration access that had not been disabled. OWFPS ISSO submitted a request to manually disable telnet on the SAC and DFW servers. ICE SOC ran scans on December 16, 2013, and validated that the issue was remediated. ICE provided scan results to OIG on December 16, 2013, and this remediation was noted in the audit report. ICE requested that OIG consider this recommendation resolved and closed.

ICE's actions satisfy the intent of this recommendation. We consider this recommendation resolved and closed.

Recommendation 19:
ICE concurred with this recommendation. ICE OCISO is currently working with ICE HSI to determine options for including the HSI surveillance system servers into a recognized FISMA package. The estimated completion date for this recommendation is August 31, 2014.

ICE's actions satisfy the intent of this recommendation. We consider this recommendation resolved, but it will remain open until ICE provides documentation to support that the planned corrective actions are completed.
Appendix A
Objectives, Scope, and Methodology

The Department of Homeland Security Office of Inspector General was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This audit is part of a program to audit, on an ongoing basis, the implementation of DHS technical and information security policies and procedures at DHS sites. The objective of this program is to determine the extent to which critical DHS sites comply with the Department's technical and information security policies and procedures, according to DHS Sensitive Systems Policy Directive 4300A and its companion document, the DHS 4300A Sensitive Systems Handbook. Our primary focus was on auditing the security controls over the servers, routers, switches, and telecommunications circuits comprising DHS IT infrastructure at this site. For example, we recorded temperature and humidity at different locations in the server rooms and then averaged these readings. We also recorded component humidity and temperature readings obtained from component sensors that existed in the rooms during fieldwork. We then compared these readings with DHS guidance.

We coordinated the implementation of this audit of IT security controls with the DHS Chief Information Security Officer. We interviewed CBP, ICE, TSA, and DHS Office of the Chief Information Security Officer staff. We conducted site visits of CBP, ICE, and TSA facilities at and near DFW. We compared DHS IT infrastructure that we observed onsite with the documentation provided by the auditees.

We reviewed Information Assurance Compliance System documentation, such as the authority-to-operate letter, contingency plans, and system security plans. Additionally, we reviewed guidance provided by DHS to the components in the areas of system documentation, patch management, and wireless security. We reviewed applicable DHS and components' policies and procedures, as well as government-wide guidance. We gave briefings and presentations to DHS staff concerning the results of fieldwork and the information summarized in this report.

We conducted this performance audit between September 2013 and February 2014 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based upon our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives.

We appreciate the efforts of DHS management and staff to provide the information and access necessary to accomplish this review. The principal OIG points of contact for the audit are Richard Harsche, Acting Assistant Inspector General for Information Technology Audits, (202) 254-4100, and Sharon Huiswoud, Director, Information Systems Division, (202) 254-5451. Major OIG contributors to the audit are identified in appendix D.
Appendix B
Management Comments to the Draft Report
Appendix C
DHS Activities at Dallas/Fort Worth International Airport

Management Directorate

The Management Directorate's Office of the Chief Information Officer provides connectivity for DHS components at DFW through:
• DHS OneNet – provides network communications for the DHS sensitive but unclassified environment. The Department's goal for the DHS OneNet is to facilitate the ability of DHS components to share data by integrating component networks into a shared network infrastructure, to include network operations, security operations, architecture, and management. DHS OneNet supports communication and interaction among many organizational entities within and outside of DHS, and has been designated as a DHS mission-essential system to perform one or more of the components' mission-essential functions.

DHS OneNet equipment at DFW locations is located within TSA, CBP, and ICE facilities. We did not identify operational, technical, or management control deficiencies related to DHS OneNet equipment.

Transportation Security Administration

TSA's activities include screening passengers and baggage on departing flights at DFW. To support these activities, TSA has operations in each of the DFW terminals and at a nearby office building. We audited IT security controls at the following TSA locations:
• Office of the Federal Security Director, Coppell, TX
• Office of FAMS, Coppell, TX
• DFW Terminals A, B, C, D, and E

TSA staff at these locations use the following systems:
• FAMSNet – provides the IT infrastructure to support the FAMS mission. FAMS staff includes law enforcement officers that help to detect, deter, and defeat hostile acts targeting U.S. air carriers, airports, passengers, and crews. FAMSNet supports FAMS' overall critical mission by providing Internet access as well as internal access to FAMS information systems including, but not limited to, email, database(s), file sharing, printing, and a number of critical administrative and enforcement related programs. FAMSNet also provides a communication
pathway to third-party and government networks, such as those used by DHS, TSA, the Federal Aviation Administration, and other State and local law enforcement entities. FAMSNet has been designated a mission-essential system.
• ICS – provides core services, including file and print services, to the entire TSA user community. Infrastructure Core System has been designated a mission-essential system.
• STIP – combines many different types of components, including transportation security equipment, servers and storage, software application products, and databases. A user physically accesses the transportation security equipment to perform screening or other administrative functions. STIP-enablement of transportation security equipment encompasses Explosive Trace Detectors, EDS, Advanced Technology X-ray, Advanced Imaging Technology, and Credential Authentication Technology. TSA's OSC is the owner of STIP. STIP has not been designated a mission-essential system.
• TSANet – provides connectivity for airports and their users. TSANet consists of a geographically dispersed wide-area network and each site's LAN. The network is connected to the DHS OneNet and has been designated a mission-essential system.

U.S. Customs and Border Protection

At DFW, CBP personnel staff up to 45 primary passenger lanes, review flight data for terrorist related activities, collect duties, and, when CBP discovers a violation of law, assess fines and civil penalties. Additionally, CBP staff at nearby locations use IT assets to perform cargo manifest review and targeting, as well as outbound passenger review and targeting.

We audited IT security controls at the following CBP locations:
• Port Office of Dallas, Dallas/Fort Worth, TX
• DFW Concourse D

CBP staff at these locations use the following systems:
• Southwest Field LAN – provides the general support network infrastructure and endpoints for DHS/CBP users and electronic communications tools, which enables the execution of official duties. The Southwest Field LAN consists of 331 geographically dispersed sites using 3,423 devices connected to the DHS OneNet
to provide application services to CBP field offices. The Southwest Field LAN boundary spans the Southwest and East Texas Office of Information Technology Field Support Regions, to include Arizona, New Mexico, Texas, and Oklahoma. The Southwest Field LAN has been designated a mission-essential system.
• CBP NOC – maintains the performance, management, and administration capabilities of the CBP core network and CBP field site locations and the underlying supporting environment. In addition, CBP NOC deploys and maintains a network management system and a suite of network devices that collect and report real-time information on the network. Further, CBP NOC system enforces authorizations for controlling the flow of information within the system and between interconnected systems (DHS OneNet and CBP Field Sites) in accordance with CBP/DHS Sensitive Security Policy. CBP NOC has been designated a mission-essential system.
• Windows 7 PC Client 6.1 – used as the Windows 7 standard desktop image for CBP workstations. The image does not store any personally identifiable information. The Windows 7 PC Client 6.1 consists of a set of standard configurations to build the client for Windows 7, install the application software, and configure the system according to DHS and CBP technical standards. Windows 7 PC Client 6.1 has not been designated a mission-essential system.
• WFPS – provides CBP with file and printing services using the Microsoft Windows Server 2008 x64 platform. WFPS has not been designated a mission-essential system.
• TECS – supports enforcement and inspection operations for several components of DHS and is a vital tool for the law enforcement and intelligence communities on the local, State, tribal, and Federal Government levels.¹² TECS comprises several subsystems that include enforcement, inspection, and intelligence records relevant to the antiterrorist and law enforcement mission of CBP and the other Federal agencies it supports. TECS has been designated a mission-essential system.

¹² Formerly known as the Treasury Enforcement Communications System, TECS is no longer an acronym (effective December 19, 2008) and is principally owned and managed by CBP.
U.S. Immigration and Customs Enforcement

ICE’s Office of SAC Dallas, Texas, is responsible for the administration and management of investigative and enforcement activities within its geographical boundaries. Within the SAC Dallas office, the HSI Airport Group is responsible for the identification, disruption, and dismantlement of transnational criminal organizations attempting to exploit vulnerabilities within the air transportation system at DFW. The HSI Airport Group’s areas of concern at DFW include:

• contraband smuggling,
• currency smuggling,
• national security,
• human smuggling/trafficking,
• sexual tourism,
• insider threat, and
• the theft and trafficking of cultural heritage and art.

The HSI Airport Group also covers investigations for the Addison, Alliance, Love Field, Meacham, and McKinney airports, as well as smaller general aviation landing fields and facilities within the HSI Dallas area of responsibility.

We audited IT security controls at the following ICE locations:

• DFW International Airport Group facility, DFW Terminal D
• SAC Dallas Office, Irving, TX

ICE staff at these locations use the following systems:

• OWFPS – provides workstation, laptop, print services, and file services to ICE program areas nationwide. Print servers allow ICE users to use networked printing. The file servers provide a networked file repository for groups and users. OWFPS includes workstations, laptops, file servers, printers, and print servers at each field site managed by the ICE OCIO IT Field Operations Branch. OWFPS has not been designated a mission-essential system.

• ICE Communication over Networks – a general support system that provides support for network devices and data communications that employ the
infrastructure throughout ICE and 287(g) sites in the Continental United States.13 The authorization boundary for ICE Communication over Networks includes ICE Operations managed switches, firewalls, and intrusion detection sensors. ICE Communication over Networks has not been designated a mission-essential system.

• A communication surveillance and analysis system that helps HSI staff with intelligence gathering and live collection of data in support of ICE’s law enforcement mission. Specifically, the system assembles historical telephone records, monitors telephone and Internet communications, and permits searches of warrant data from online providers. The communication surveillance and analysis system may be installed and connected to the ICE network infrastructure or on a separate standalone network. This has not been designated a mission-essential system.

• A standalone electronic surveillance system that is part of HSI’s undercover operations. The system, which is not attached to the DHS OneNetwork, intercepts cell phones, voicemail, and voice pagers, as well as traditional landline telephones. The system also intercepts electronic communication such as text messages, email, non-voice computer and Internet transmissions, faxes, communications over digital-display paging devices, and, in some cases, satellite transmissions. The system is authorized for use in accordance with Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended. This has not been designated a mission-essential system.

13 The 287(g) program, under the Immigration and Nationality Act, allows a state and local law enforcement entity to enter into a partnership with ICE, under a joint Memorandum of Agreement, in order to receive delegated authority for immigration enforcement within their jurisdiction.
Appendix D
Major Contributors to This Report

Sharon Huiswoud, Director
Kevin Burke, Audit Manager
Charles Twitty, Senior Auditor
Steven Tseng, IT Specialist
Craig Adelman, Referencer
Appendix E
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Under Secretary for Management
DHS CISO
DHS CISO Audit Liaison
Commissioner, CBP
CBP CIO
CBP Audit Liaison
Director, ICE
ICE CIO
ICE Audit Liaison
Administrator, TSA
TSA CIO
TSA Audit Liaison
Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate
ADDITIONAL INFORMATION

To view this and any of our other reports, please visit our website at www.oig.dhs.gov.

For further information or questions, please contact Office of Inspector General (OIG) Office of Public Affairs at DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on Twitter at @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to:

Department of Homeland Security
Office of Inspector General, Mail Stop 0305
Attention: Office of Investigations Hotline
245 Murray Drive, SW
Washington, DC 20528-0305

You may also call 1 (800) 323-8603 or fax the complaint directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.