UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Office of the October 13, 2016 Inspector General MEMORANDUM FOR BETH F. CORBERT Acting Director FROM: NORBERT E. VINT Deputy Inspector General SUBJECT: Web Application Security Review (Report No. 4A-CI-00-16-061) The purpose of this memorandum is to communicate to you the results from our review of the U.S. Office of Personnel Management’s (OPM) security controls surrounding public facing web applications. We submitted a draft copy of our conclusions and recommendations to OPM’s Office of the Chief Information Officer (OCIO) representatives to elicit their comments. The OCIO’s comments on the draft memorandum were considered in preparing the final report and are attached as an Appendix to this report. Executive Summary Our review determined that there are multiple opportunities for improvement regarding the policies, procedures, and controls surrounding OPM’s web applications that face the public Internet. OPM does not maintain an adequate inventory of web applications or have policies and procedures specific to web application development or security. In addition, OPM has not historically conducted web application vulnerability scans, and the scans conducted by the Office of the Inspector General (OIG) during this engagement discovered multiple vulnerabilities in OPM’s web applications and the servers hosting those applications. As a result, we recommend that OPM create a formal web application inventory, create or enhance policies and procedures to address web application development and security, and implement a comprehensive web application vulnerability scanning program. Background The OPM OIG volunteered to participate in a government-wide project to examine the controls used to manage and secure the Federal government’s publicly accessible web applications. This project was led by the Council of Inspectors General on Integrity and Efficiency. The three main The Honorable Beth F. Cobert 2 objectives of the review were to: 1) develop a scope and methodology for conducting a review of Federal agency public Internet facing web applications, 2) determine the extent and efficiency of agencies’ efforts to identify and assess vulnerabilities on publicly accessible web applications and mitigate the most severe vulnerabilities, and 3) assess efforts to control or reduce the number of publicly accessible web applications and services. Scope and Methodology The scope of this review included OPM’s publicly accessible web applications that met the criteria defined by the U.S. Office of Management and Budget’s Memorandum M-15-13, which states that “Publicly-accessible websites and services are defined here as online resources and services available over HTTP or HTTPS over the public Internet that are maintained in whole or in part by the Federal Government and operated by an agency, contractor, or other organization on behalf of the agency.” We evaluated the accuracy and completeness of OPM’s web application inventory using our existing knowledge of the OPM network environment and through the use of automated scanning tools connected to the OPM network. We then performed vulnerability scans on a sample of public facing web applications and the computer servers hosting those applications, and compared these results to historical vulnerability scans run by OPM’s security operations team.1 We also interviewed OPM subject matter experts to determine what policies and procedures are in place to develop and secure OPM’s web applications. Our review was not conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). The nature and scope of the work performed was consistent with that expected of a GAGAS audit; however, because we consider this to be a limited-scope review and not an audit, the documentation, reporting, and quality control standards are not as stringent. Review Results Our review indicated that OPM could improve its web application security program in several areas, as described in the sections below. A. Web Application Inventory OPM does not maintain an adequate inventory of web applications. OPM’s OCIO has developed an inventory of servers, databases, and network devices, but the inventory does not identify the purpose, role, or owner of each device. At the beginning of this review, we 1 Throughout this report, the term “server” refers to the computer hardware and the operating system (e.g., Windows) that hosts web applications. Report No. 4A-CI-00-16-061 The Honorable Beth F. Cobert 3 requested an inventory of OPM’s public facing web applications and were informed that a formal inventory did not exist. We proceeded to work collaboratively with representatives from the OCIO to determine how many public facing web applications exist in OPM’s network environment, where the applications reside, who owns the programming code, and where the data used by the web application is located. While we were eventually able to collect enough information about OPM’s public facing web applications to proceed with this review, it is clear that OPM does not have a centralized process to track or monitor web applications. The National Institute of Standards and Technology Special Publication (NIST SP) 800-53, Revision 4, requires organizations to develop and document an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary, and includes the information necessary for information system component accountability. Failure to maintain an adequate inventory of web applications increases the risk that applications could exist in OPM’s network environment without the OCIO’s knowledge, which could result in these applications not being scanned, patched, and monitored as part of the OCIO’s continuous monitoring program. Recommendation 1 We recommend that OPM create a formal and comprehensive inventory of web applications. The inventory should identify which applications are public facing and contain personally identifiable information or sensitive agency information, identify the application owner, and itemize all system interfaces with the web application. OCIO Response: “OCIO concurs with the recommendation. The web team will work with application owners to update the inventory of web applications and maintain relevant inventory data on these applications.” OIG Comment: As part of the audit resolution process, we recommend that the OCIO provide evidence to OPM’s Internal Oversight and Compliance office that it has fully implemented this recommendation. This statement applies to all subsequent audit recommendations that the OCIO agrees to implement. Report No. 4A-CI-00-16-061 The Honorable Beth F. Cobert 4 B. Policies and Procedures OPM maintains information technology (IT) security policies and procedures that address NIST SP 800-53 security controls. OPM also maintains system development policies and standards. While these policies, procedures, and standards apply to all IT assets, they are written at a high level and do not address some critical areas specific to web application security and development. Specifically, the following policy related documents either do not exist or do not adequately address web applications: Procedures or standards for hardening web server operating systems (e.g., documented configuration security standards and configuration baselines); and Procedures or standards for secure design and coding of web-based applications. NIST SP 800-53, Revision 4, provides criteria and guidance that Federal agencies must follow regarding hardening web server operating systems and secure design and coding of web applications. Control CM-6, Configuration Settings, states that organizations must establish and document configuration settings for information technology products using security configuration checklists that reflect the most restrictive mode consistent with operational requirements. “Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system.” Control SA-8, Security Engineering Principles, states that organizations must apply information system security engineering principles in the specification, design, development, implementation, and modification of the information system. “Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.” Failure to establish adequate guidance related to hardening web server operating systems and the secure design and coding of web applications increases the risk that web applications and the servers that host them could contain weaknesses that could be exploited by an adversary. Report No. 4A-CI-00-16-061 The Honorable Beth F. Cobert 5 Recommendation 2 We recommend that OPM create or update its policies and procedures to provide guidance specific to the hardening of web server operating systems and the secure design and coding of web-based applications. OCIO Response: “OCIO concurs with the recommendation. The Office of the Chief Information Security Officer (OCISO) will incorporate requirements specifically associated with the hardening of web based applications and host operating systems into the policies and associated procedures as part of its effort to update the Information Security and Privacy Policy Handbook.” C. Web Application Vulnerability Scanning We requested the results of recent vulnerability scans conducted by the OCIO for a sample of public facing web applications and the servers hosting those applications. We also performed our own vulnerability scans on those same web applications and servers using automated scanning tools. While the OCIO was able to provide historical server vulnerability scan results, we were told that there is not a formal process in place to perform routine credentialed web application vulnerability scans (however, ad-hoc non-credentialed scans were performed). Scans performed without user credentials that allow the scanning tool to authenticate to the scan target may not be able to collect the information necessary to fully analyze the system. NIST SP 800-53, Revision 4, states that organizations must scan information systems and hosted applications for vulnerabilities. It also states that organizations must implement privileged access authorization for vulnerability scanning activities. Privileged access authorization (i.e., running the scan with user credentials) facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning. Failure to perform vulnerability scanning with sufficient access increases the risk that system flaws can go undetected, leaving the organization exposed to security threats. Furthermore, the results of the credentialed web application scans that we performed during this review indicate that several applications and the servers hosting these applications contain security weaknesses. Due to the sensitive nature of the specific vulnerabilities identified in the scans, they will not be discussed in this report. We directly provided the OCIO with the full scan results of our scans for review. Report No. 4A-CI-00-16-061 The Honorable Beth F. Cobert 6 Our fiscal year 2015 Federal Information Security Modernization Act audit reported that OPM did not have a process to centrally track the current status of security weaknesses identified during server vulnerability scans, and we had concerns that OPM was not remediating known vulnerabilities in a timely manner. The results of our server vulnerability scans performed during this review indicate that this situation still exists. Specifically, server vulnerability scans are routinely conducted, but the results are not adequately tracked to ensure the weaknesses are corrected. Recommendation 3 We recommend that OPM implement a process to perform credentialed web application vulnerability scans and track any identified vulnerabilities until they are remediated. OCIO Response: “OCIO concurs with the recommendation. OCISO will standardize its process for conducting credentialed web application vulnerability scans and incorporate the tracking and remediation of identified vulnerabilities into its risk management processes.” Recommendation 4 We recommend that OPM analyze our scan results to identify false positives and remediate any verified vulnerabilities. OCIO Response: “OCIO concurs with the recommendation. OCISO will work with application owners to review the web application scans, identify false positives, and remediate any verified vulnerabilities.” Attachment cc: Kiran Ahuja Chief of Staff David L. DeVries Chief Information Officer Chief Information Security Officer Report No. 4A-CI-00-16-061 The Honorable Beth F. Cobert 7 Mark W. Lambert Associate Director, Merit Systems Accountability and Compliance Janet L. Barnes Director, Internal Oversight and Compliance Clifton N. Triplett Senior Cybersecurity and IT Advisor Report No. 4A-CI-00-16-061 Appendix UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington , DC 20415 Chief Information Officer MEMORANDUM FOR CHIEF, INFORMATION SYSTEMS AUDIT GROUP OFFICE OF THE INSPECTOR GENERAL FROM: DAVID L. DEVRIES CHIEF INFORMATION OFFI Subject: Office of the Chief Information Officer Response to the Office of the Inspector General Web Application Security Review (Report No. 4A-CI- 00-16-061) Thank you for the opportunity to provide comments to the Office of the Inspector General (OIG) draft report for the Web Application Security Review for the U.S. Office of Personnel Management (OPM). The OIG comments are valuable to the office of the Chief Information Officer (OCIO) as they afford us an independent assessment of our operations and help guide our improvements to enhance the security of the data furnished to OPM by the Federal workforce, the Federal agencies, our private industry partners, and the public. We welcome a collaborative dialogue to help ensure we fully understand the OIG's recommendations as we plan our remediation efforts so that our actions and the closure of the recommendations thoroughly address the underlying issues. I look forward to continued discussions during our monthly reviews to help ensure we remain aligned. Each of the recommendations provided in the draft report is discussed below: Recommendation 1 We recommend that OPM create a formal and comprehensive inventory of web applications. The inventory should identify which applications are public facing and contain personally identifiable information or sensitive agency information, identify the application owner, and itemize all system interfaces with the web application. CIO Response: OCIO concurs with the recommendation. The web team will work with application owners to update the inventory of web applications and maintain relevant inventory data on these applications. Recommendation 2 We recommend that OPM create or update its policies and procedures to provide guidance specific to the hardening of web server operating systems and the secure design and coding of web based applications. www..opm.gov Recruit, Retain and Honor a World-Class Workforce to Serve the American People www.usajobs.gov Response to the OIG Web Application Security Review (Report No. 4A-CI-00-16-061) 2 CIO Response: OCIO concurs with the recommendation. The Office of the Chief Information Security Officer (OCISO) will incorporate requirements specifically associated with the hardening of web based applications and host operating systems into the policies and associated procedures as part of its effort to update the Information Security and Privacy Policy Handbook. Recommendation 3 We recommend that OPM implement a process to perform credentialed web application vulnerability scans and track any identified vulnerabilities until they are remediated. CIO Response: OCIO concurs with the recommendation. OCISO will standardize its process for conducting credentialed web application vulnerability scans and incorporate the tracking and remediation of identified vulnerabilities into its risk management processes. Recommendation 4 We recommend that OPM analyze our scan results to identify false positives and remediate any verified vulnerabilities. CIO Response: OCIO concurs with the recommendation. OCISO will work with application owners to review the web application scans, identify false positives, and remediate any verified vulnerabilities. Again, thank you for the opportunity to provide comment. Please contact me or if you have questions or need additional information. cc: Chief Information Security Officer Dovarius L. Peoples Associate Chief Information Officer Mark W. Lambert Associate Director, Merit Systems Accountability and Compliance Janet L. Barnes Director, Internal Oversight and Compliance Clifton N. Triplett Senior Cybersecurity and IT Advisor
Web Application Security Review
Published by the Office of Personnel Management, Office of Inspector General on 2016-10-13.
Below is a raw (and likely hideous) rendition of the original report. (PDF)