DHS OIG, OIG-07-16, Improved Administration Can Enhance U.S. Customs and Border Protection Laptop Computer Security (Redacted) (2006)

DHS OIG

Section: Improved Administration Can Enhance U.S. Customs and Border Protection Laptop Computer Security (Redacted)

Effective: 12/8/2006

Bluebook Citation: DHS OIG, OIG-07-16, Improved Administration Can Enhance U.S. Customs and Border Protection Laptop Computer Security (Redacted) (2006)

DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General Improved Administration Can Enhance U.S. Customs and Border Protection Laptop Computer Security (Redacted) The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. A review under the Freedom of Information Act will be conducted upon request. OIG-07-16 December 2006 Office of Inspector General U.S. Department of Homeland Security Washington, DC 20528 December 8, 2006 Preface The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, effectiveness, and efficiency within the department.

This report assesses the strengths and weaknesses of U.S. Customs and Border Protection (CBP) laptop computer security controls. It is based on interviews with CBP officials, direct observations, technical tests, and a review of applicable documents. The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations.

We express our appreciation to all of those who contributed to the preparation of this report. Richard L. Skinner Inspector General Table of Contents/Abbreviations Executive Summary .........................................................................................................................1 Background ......................................................................................................................................2 Results of Audit ...............................................................................................................................3 Standard Configuration Will Enhance Laptop Security ............................................................3 Improved Patch Management Will Increase Security .............................................................10 Enhanced Inventory Management Is Needed For Property Accountability ............................12 Recommendations..........................................................................................................................16 Management Comments And OIG Analysis .................................................................................17 Appendices Appendix A: Purpose, Scope, and Methodology ..................................................................... 19 Appendix B: Management’s Response.................................................................................... 24 Appendix C: FISMA Metrics...................................................................................................

29 Appendix D: Major Contributors to this Report ...................................................................... 31 Appendix E: Report Distribution............................................................................................. 32 Abbreviations ATL BIOS C&A CBP CIO CSIRC DAA DCOM Advanced Technology Laboratory Basic Input Output System Certification and Accreditation U.S. Customs and Border Protection Chief Information Officer Computer Security Incident Response Center Designated Accrediting Authority Distributed Component Object Model Improved Administration Can Enhance CBP Laptop Computer Security Table of Contents/Abbreviations DHS FBI FISMA ICE IP ISSM IT LPO NIST NSA OIG OMB PED POA&M SANS SBU SP ST&E VACIS Department of Homeland Security Federal Bureau of Investigation Federal Information Security Management Act of 2002 U.S. Immigration and Customs Enforcement Internet Protocol Information Systems Security Manager Information Technology Local Property Officer National Institute of Standards and Technology National Security Agency Office of Inspector General Office of Management and Budget Portable Electronic Device Plan of Action and Milestones SysAdmin, Audit, Network, Security Sensitive But Unclassified Special Publication Security Test and Evaluation Vehicle and Cargo Inspection System Improved Administration Can Enhance CBP Laptop Computer Security OIG Department of Homeland Security Office of Inspector General Executive Summary We audited the Department of Homeland Security (DHS) and its organizational components’ security program to evaluate the security and integrity of select government-issued laptop computers. This report focuses on U.S. Customs and Border Protection (CBP).

Our objective was to determine whether CBP has established and implemented adequate and effective security policies and procedures related to the physical security of and logical access to its government-issued laptop computers. Significant work remains for CBP to further strengthen the configuration, patch, and inventory management controls necessary to protect its government-issued laptop computers. Specifically, CBP has not established: (1) a standard configuration for its laptops that meets required minimum-security settings; (2) effective procedures to patch laptop computers; and (3) adequate inventory management procedures. As a result, sensitive information stored and processed on CBP’s laptop computers may not be protected adequately.

Further, because CBP uses the same procedures to develop a model for its desktop computers, the configuration weaknesses identified with laptop computers are relevant to all government-issued computers assigned within CBP. To secure CBP data stored on government-issued laptop computers, we are making seven recommendations to the Commissioner of CBP. CBP officials stated that they have already taken or plan to take corrective action to address the weaknesses we identified. As our fieldwork was complete, we did not verify that the weaknesses had been remedied.

In addition, plans of action and milestones (POA&Ms) will be created and tracked for the vulnerabilities we identified. CBP’s response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B. Improved Administration Can Enhance CBP Laptop Computer Security Background As the weight and price of laptops have decreased and their computing power and ease of use have increased, so has their popularity for use by government employees. DHS is heavily reliant on laptop computers for conducting business. The mobility of laptops has increased the productivity of the workforce, but at the same time increased the risk of theft, unauthorized data disclosure, and virus infection.

Thefts of laptop computers occur regularly from offices, airports, automobiles, and hotel rooms, and the incidence of laptop thefts is increasing. According to the DHS Computer Security Incident Response Center (CSIRC), 12 security incidents involving stolen DHS laptops were reported in 2005, including government-issued laptops from CBP, United States Secret Service, U.S. Immigration and Customs Enforcement, and the Science and Technology Directorate. Government organizations that provide for the use of laptop computers must take steps to ensure that the equipment and the information that is stored on them are adequately protected. Such steps may include ensuring secure storage of laptop computers when they are not in use, encrypting data files stored on laptops, installing adequate security software applications such as firewalls and anti-virus software, disabling and controlling built-in wireless, Bluetooth, and infrared connection capabilities, and regularly updating operating system and application software.

DHS Sensitive Systems Policy Directive 4300A and DHS National Security Systems Policy Directive 4300B provide direction to DHS components regarding the management and protection of sensitive and classified systems, respectively. 1 These policies outline the management, operational, and technical controls necessary for ensuring confidentiality, integrity, availability, and authenticity within the DHS information technology (IT) infrastructure and operations. DHS policy requires that its components ensure that strong inventory management, physical security, logical access, and wireless security controls are implemented for all systems processing sensitive or classified information. The department developed the DHS 4300A Sensitive Systems Handbook and DHS 4300B National Security Systems Handbook to provide specific techniques and procedures for implementing the requirements of DHS policy.

Further, in November 2004, DHS published a series of secure baseline 1 In this report, we refer to DHS Sensitive Systems Policy Directive 4300A and DHS National Security Systems Policy Directive 4300B collectively as “DHS policy.” Improved Administration Can Enhance CBP Laptop Computer Security Page 2 configuration guides for certain operating system and software applications, such as Microsoft Windows XP. The National Institute of Standards and Technology (NIST) has issued several publications related to laptop inventory management, physical security, logical access, and wireless security controls. Specifically, NIST Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook, provides guidance for establishing adequate logical and physical access controls for sensitive government systems, including the use of strong passwords, encryption, and user administration practices. ----------------- -------------- ------------------------------------------------------------------------- - ------------------------ -------------------- - ----------------------------------------- - ----------------------------------------------- -------------------- -----------------------------------------------------------------2 --- ----------------------- The Federal Information Security Management Act of 2002 (FISMA) requires each agency to develop, document, and implement an agency-wide information security program to provide security for its information and systems.3 Policies should ensure that information security is addressed throughout the life cycle of each agency information system and determine minimally acceptable system configuration requirements. Results of Audit Standard Configuration Will Enhance Laptop Security CBP does not have a secure standard configuration for its laptop computers.

We evaluated the process used by CBP to develop a standard configuration for its laptop and desktop computers. Also, we conducted computerized and manual security tests of the model system to ensure that it was configured in conformance with DHS and federal guidelines. Finally, we tested a sample of 256 primary, secondary, and loaner laptop computers to determine whether CBP had effectively applied its model system.4 These tests included: -- - --- - -- --------------- - 2 ------ - -- - ---- - ----- --- --- -- ---------- -- --- ------ - - - --- -------- --- - - ----- --- -- --- ------ - - ----- ---- - -- - --- - --- - - -- -- ------ ---- -- - - -- - - ------ - -- - ---- --- --- - - - ---- -------- ------ ---- ------- - --- - ----- ----- - --- - - -- ------- ---- - - -------- - , -- ------- 3 FISMA is included under Title III of the E-Government Act of 2002 (Public Law 107-347). 4 As the review focused on vulnerability assessment rather than penetration testing, the audit team was provided administrator access to the CBP model system and laptops, and any hard drive encryption or personal firewalls were disabled. -- ----- -- -- - -------- - ------ -------- ---------- Improved Administration Can Enhance CBP Laptop Computer Security Page 3 • Automated vulnerability assessment scans and port scanning of all 256 laptops to identify configuration weaknesses. • Detailed technical testing for a subset of 69 laptops to confirm the automated testing results and determine account, audit, access privilege, and password parameter settings. • Password strength analysis on a subset of 122 laptops that do not regularly connect to the network. • Manual reviews for a subset of 75 laptops to verify the presence and configuration of installed software.

The laptop model system fails to establish the required minimum-security for laptop computers as directed by DHS. Because CBP uses the same process to develop the standard configuration for both its laptop and desktop computers, the configuration weaknesses are relevant to all CBP government-issued computers. In addition, CBP has not ensured that the model system is consistently implemented on all CBP laptops. As a result of the security issues identified, sensitive data may not be adequately protected.

SBU Model System Fails To Establish Minimum Security Settings CBP has established a model system for the component’s laptop computers. A model system, also referred to as a standard build or golden image, is a package of installed software with standardized configuration settings that is created for each major group of IT resources (e.g., routers, user workstations, file servers). The CBP model system was developed based on DHS server configuration guidelines for Microsoft Windows 2000; CBP Information Systems Security Policies and Procedures Handbook 1400-05B; National Security Agency (NSA) and Microsoft guidance; and the SysAdmin, Audit, Network, Security (SANS) Institute/Federal Bureau of Investigation (FBI) list of the twenty most critical internet security vulnerabilities. According to CBP, a security test and evaluation (ST&E) was conducted on the model system, and the results of the ST&E were incorporated in the certification and accreditation (C&A) of the system.

Improved Administration Can Enhance CBP Laptop Computer Security The CBP model system incorporates antivirus software, as well as a personal firewall for users that remotely access the CBP network. In addition, the model system employs hard drive encryption, which restricts access to BIOS settings. Also, any built-in wireless or infrared capabilities are disabled. Although these measures enhance the security of CBP’s laptop computers, certain critical controls were not incorporated into its model system.

Specifically, the model system does not: • • ------------------------- --- -------------------- ------------------------------------ ----------------------------- ----------- -- --------------------- -------------- - ------------------- --------------- ---------5 ------- ----------- -------------- ----------------------------------------------------------- ------------ ------------------------------------------------- ----------------------------------- ---- - ---------------------- ------------------------------------------------------- --------------------------------------------- -------------------------------------- --------------------------------- ------------------------- According to CBP IT officials, the weaknesses in the model system configuration were either (1) necessary for the normal functioning of the computers, although CBP officials were not certain that the risk associated with these weaknesses was documented in the ST&E and formally accepted by the systems’ designated accrediting authority (DAA); or (2) ---- ------------------- ------- - ----------------------------------- -------------------------- ------------- ------- ------ --------------------------------------------- -------------------- - . CBP officials stated that they plan to develop procedures to address configuration management of the model system and ensure compliance with the residual risks formally accepted by the DAA. DHS Information Security Architecture Guidance and NIST SP 800-40, Creating a Patch and Vulnerability Management Program, require that a model system be developed and implemented to ensure that a secure, standard configuration is implemented on desktop and laptop computers. According to NIST, standardized configurations reduce the labor involved in identifying, testing, and applying patches; and, ensure a higher level of consistency, which leads to improved security.

DHS requires that each fully supported operating system have a model system from which every computer is built. Also, ------ --------------------------------------------------------------------------------------------- ----------------- - ------------------------------ -------------------------------------------- 5 -------------------------- --------- -- -------- ------- ------- - - --------- - -- ---- - ----- --- - - --- - - --- -- -- --- -- ------- --- - --- - - -------- - -- ------- - - ------- ------ -------- ---- -- ----------------- - -------- - ------- ------------ ------- ----------------- -- - -- - -- Improved Administration Can Enhance CBP Laptop Computer Security Page 5 ------------------------------------ Finally, DHS policy and NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, require that components explicitly accept the risk to agency operations, assets, or individuals associated with the operation of an IT system, based on the implementation of an agreed-upon set of security controls. ---------------------------------------------- ------------- ----------------------- ---------------------------------- ------------------------------ ------- ----------- --------------------------- ----- ----------------------------------------------------------------------------- ----------- -------- -------------------- ------------------------------------ ---------------- ------------------------ ---- --------------- SBU Model System Has Not Been Implemented Uniformly CBP has not implemented consistently its model system for SBU laptop computers. The Windows 2000-based model system is loaded onto a server as an image or copy and installed on new laptops prior to the computers being placed into operation. For the 256 laptops tested, 40 (16 percent) were not running the Microsoft Windows 2000 operating system.

These 40 laptops were running seven different operating systems, including Windows 3.1, Windows 95, Windows 98, Windows ME, Windows NT, Windows XP, and Linux. Four of these laptops also allowed dual booting into different operating systems, such as Linux/Windows ME or Windows 98/Windows XP. For the 216 laptops that were running the model operating system, 125 (58 percent) had configuration vulnerabilities not found on the model system. In addition, ----------------- --------------------------------------------- ----------------------------- ------------------------------------------------------ --- Table 1 illustrates the number of laptops running a non-standard operating system or having additional high and medium risk configuration vulnerabilities, listed by site and by type of laptop.6 6 The tools that the OIG audit team employs assess a risk rating to each of the identified vulnerabilities.

These ratings are interpretive and are derived from measures of their probability of occurrence and ease of execution, how well known they are, and the ease of addressing them. We provided the test results related to low risk vulnerabilities to the CBP CIO, but we do not include them in this report due to their low level of significance. Improved Administration Can Enhance CBP Laptop Computer Security Table 1: Additional Configuration Vulnerabilities Identified Site/Type Number of Laptops Tested Number Running Model System OS Number Matching Model System(a) Number of Laptops with Additional High or Medium Risk Configuration Weaknesses 1-3 Weaknesses 4 - 6 Weaknesses 7 or More Weaknesses Total With 1 or More Weaknesses Total 256 216 (84%) 71 (28%) 51 (24%) 41 (19%) 33 (15%) 125 (58%) Total Air/Marine Operations Border Patrol Office of Field Operations Office of Strategic Trade California Florida Puerto Rico --- --- ----- --- ----- --- --- Weaknesses by CBP Component Office -- -------- --- -------- ----- -------- --- --------- --- -------- --- -------- --- -------- - - - --- - ---- - ---- - - -- -- -- -------- --- -------- --- -------- -- Weaknesses by Region - ---- - ---- - ---- -- ------ -- -------- --- -------- -- -- -- -- -------- -- -------- --- -------- -- -------- --- -------- -- -------- --- -------- - --- -------- -- ------ --- ------- --- -------- -- ------ -- ------ - ---- - ---- - ---- - ---- - ---- - ---- - ---- -- -- - - -- -- - (a) Numbers and percentages do not include laptops included in the review that we were unable to test due to software or hardware conflicts. Source: OIG table based on the results of technical testing and interviews with CBP personnel.

In addition, for the 75 SBU laptops included in our manual review, -------------------------------- ------ -------- ---------- --------------------------- ------------ ------------------- ------------ ------------------------------------ --------------------------------------- For the 122 laptops included in our password strength analysis, ----------------------------------------------- ------------------- ---- ----------------------------------------------- ---------------------------------------------- ------------------------------- Improved Administration Can Enhance CBP Laptop Computer Security Further, of the 69 laptops included in our detailed technical testing ------------------------------ -------------- ------------------------------------- -- In addition, --------------------- -------------------------------------------------- - --- Finally, ----------------------- ------------------------------------------------------------- ------------------------------------------ -- ----------------------------------- - -- According to CBP IT officials, the laptops that were either running a non-standard operating system or deviated significantly from the model system were largely the result of: • Border Patrol sites not being connected to the CBP network. According to CBP, the component has not implemented the standard configuration for laptop computers at certain Border Patrol locations because they have not been connected to the CBP network. For example, the Border Patrol Sector Headquarters in San Diego, California is connected to the U.S. Immigration and Customs Enforcement (ICE) network, rather than the CBP network. According to IT officials, ---------------------------- --------- - ---------------------------------- CBP officials use locally created software images to configure laptop computers at the site.

According to CBP, once these locations are connected to the CBP network the laptops will be converted to the standard configuration. • Laptops placed into operation without being configured by CBP IT personnel. According to CBP IT officials, laptops purchased by local property officers (LPOs) are supposed to be turned over to IT personnel for configuration prior to use, but there is no process in place to enforce this requirement or ensure that IT personnel are notified when new laptops are purchased. The Office of Field Operations in Puerto Rico has implemented an informal process to mitigate this risk by notifying IT officials of computer equipment purchase orders, but this practice has not been established as a formal requirement and does not ensure that newly purchased equipment is provided to IT officials for configuration prior to being placed into operation. • Special units that were not configured by CBP. Specifically, ICE provided several laptops used ---------------- -------------------- , but the laptops were not reviewed or configured by CBP IT officials prior to being placed into operation.

According to CBP, these laptops have unique software and configuration requirements, and the use of these laptops is being documented and will be included in all future C&A packages for all regional local area networks. Improved Administration Can Enhance CBP Laptop Computer Security Page 8 • Laptops running an older version of the CBP model system. For example, 14 of 20 laptops at the San Juan Airport in Puerto Rico were not running the current version of the CBP model system. These laptops were not updated because CBP IT officials are not granted access to the official CBP laptop inventory.

As a result, IT officials do not have procedures to track the version number of the image installed on issued laptops. Further, CBP IT officials cannot ensure that all laptops are updated appropriately when a new version of the image is released. According to CBP, the component has recognized this problem and is currently working on an automated process to ensure that the laptops connecting to its infrastructure meet minimum configuration requirements through modifications to the component’s patch management software. Once the modifications are complete, the software will update any out-of-date laptops that connect to the CBP network.

CBP intends to have these modifications implemented by the end of calendar year 2006. This process will not address laptops that do not regularly connect to the CBP network. • Hardware limitations for older laptops. According to CBP officials, some of the laptops included in our review are no longer in use. The information contained on these laptops ---------------------------- -------------------------------------------------------------------------- DHS policy requires that components establish, implement, and enforce change management and configuration management controls on all IT systems and networks.

The DHS IT Security Architecture Guidance also advises that each fully supported operating system have a standard configuration from which every instance is built. According to NIST SP 800-40, standardized configurations reduce the labor involved in identifying, testing, and applying patches; and ensure a higher level of consistency, which leads to improved security. DHS and federal configuration guidelines also establish requirements related to security parameter settings, including account policy settings, access permissions, and renaming administrator and guest accounts. As a result of CBP not ensuring that all laptop computers are configured appropriately,------- ----------------------------------------------- ---------------------------------------------- --------- - -- - -------------- -------------------------------------------- 7 7 -- -- -- ----------- ----- ----- - ---- --- ------ - - - - --- --- --- --- -- --- --- - ---- - --- - - -- ----------- ----------------- - -- - - ---- -- -- ----- ----- ------ ----- -- - -- Improved Administration Can Enhance CBP Laptop Computer Security Improved Patch Management Will Increase Security CBP has not established effective procedures to patch and update its laptop computers.

We reviewed the CBP laptop model system to determine if all of the applicable operating system and application patches were installed. In addition, we conducted vulnerability assessment scans on a sample of 217 laptop computers to determine if all patches had been applied.8 CBP has procedures to patch laptops prior to being placed into operation by including patches and updates as part of the model system installation process. For laptop and desktop computers in operation, patches and updates are distributed through the CBP network by patch management software. There were patches and updates related to high and medium risk vulnerabilities that had not been applied.

Specifically, ----------- - ----- ----------------------- ---------------------------------------- ------ -------------------------- - ------------- --------------------------- ------------------- --------------------------------------------- ----------------------------------- ---------------------------------- Table 2 illustrates the number of missing high and medium risk patches and updates on CBP laptops listed by site and by type of laptop. 8 Although total of 256 laptops were tested, we were not able to obtain vulnerability assessment information for 39 laptops due to a software conflict. Improved Administration Can Enhance CBP Laptop Computer Security Table 2: Missing Patches and Updates Number of Laptops with Missing Patches or Updates(a) 11 - 20 Patches 21 - 30 Patches 31 or More Patches Site/Type Number of Laptops Tested Total Air/Marine Operations Border Patrol Office of Field Operations Office of Strategic Trade California Florida Puerto Rico 217 -- --- ----- --- --- --- --- 3 or Fewer Patches 84 (39%) 4 - 10 Patches Total 24 (11%) 18 (8%) Weaknesses by CBP Component Office -- -- -------- --- -------- -- -- -- -------- --- -------- -- Weaknesses by Region --- -------- --- -------- --- -------- --- -------- -- -------- -- ------ -- -- ------ --- ------- -- ------ -- ------ -- ------ --- ------- 23 (11%) -- -------- -- ------ --- -------- -- -- ------ -- ------ --- -------- 47 (22%) -- ------- - --- ------- - --- ------- --- ------- - --- ------- - -- ------- - -- ------- - (a) Does not include laptops included in the review that we were unable to test due to software or hardware conflicts. Source: OIG table based on the results of technical testing and interviews with CBP personnel.

Further, for 66 of the 75 laptops included in our manual reviews that had -------------- ------------------------------ ------------------------------------------- --------------------------------- --------------------------------------------------------- Patches and updates were missing because most of the CBP laptops included in our review are used as secondary or shared laptops that do not regularly connect to the CBP network. Specifically, for the 217 laptops included in our vulnerability assessments scans, only six laptops in Puerto Rico are assigned as a user’s primary workstation. In addition, CBP offices in Puerto Rico were not able to rely on the component’s patch management software because frequent lapses in connectivity to its network disrupted the software. Further, certain Border Patrol sites are connected to the ICE network, rather than the CBP Improved Administration Can Enhance CBP Laptop Computer Security Page 11 network, and thus are not linked to CBP’s patch management software.

CBP has not implemented adequate procedures for laptops that do not connect to the network. For example, CBP IT officials in Puerto Rico have created a CD-based process to patch laptop computers. Nonetheless, we found -- ------------ --- ------------ ----------- --------------- -------------- --------------------------- DHS policy requires that IT security patches be installed in accordance with configuration management plans or direction from DHS CSIRC. According to NIST SP 800-40, patching is critical to maintaining the operational availability, confidentiality, and integrity of information technology systems.

NIST SP 800-40 recommends that organizations have a systematic, accountable, and documented process for managing exposure to vulnerabilities through the timely deployment of patches. Because CBP had not applied all relevant patches and updates to its laptops, the computers were vulnerable to --------------------------------------------------------- ---- ---- 9 For example, by-------------------- ------------------------------------------ ------------------- - ----------------- --- - -------------------------------------------------- ------------------------------------------------ ------------------------------ --------------------------------------------------- ------ - --- ---- - ------------- --------- ------------ ----------- Enhanced Inventory Management Is Needed For Property Accountability CBP has not established effective inventory management procedures for its laptop computers. We evaluated CBP procedures for maintaining an accurate laptop inventory, returning equipment upon employee exit or transfer, handling lost or stolen laptops, clearing or sanitizing laptops before reuse or disposal, and the proper labeling of laptop computers. Also, we reviewed laptop physical security measures, and assessed the CBP laptop inventory by analyzing the integrity of inventory data and conducting verification tests on the 75 laptop computers included in our manual reviews. ------- - ---- ---- --- --- -- 9 -- ---------------- -- - - -- ----------- -- ----- ----- - -- ------ ------- -- ------ - ------------- ------------- -------- ----------- - --- --- - - ---- - - - -- - ---------- ----- ------------- ---------- - ----- - - -------------- ----- - ---- --- - -- ------------ - --- ------- - --- ---------------- -- - - ----- ------ ---------- -- ---------- ------------- - - ----- --- - -- --- ------------ --- - -------------- - -- - - ----- -- ----- - ----- ------ --- - - ------------ - ----- --- --- - - - - --- -- ---- ------ -- ------- ---- - - - ---- - -- - - --- ----- Improved Administration Can Enhance CBP Laptop Computer Security CBP has procedures to ensure that laptops are returned upon employee removal or transfer, as well as adequate laptop physical security measures.

CBP has not implemented several critical inventory management controls. Specifically, CBP has not (1) maintained an accurate inventory; (2) ----------------------- --------------------------------------- ------------------------------------ (3) appropriately labeled its SBU laptops; or (4) ensured that lost or stolen laptops were reported to the appropriate officials. As a result of the weaknesses in CBP’s inventory procedures, there is greater risk that laptop computers will not be configured and secured adequately. Further, access to classified and sensitive information may not be restricted appropriately.

Laptop Inventory Is Not Accurate Although CBP has an inventory of its SBU laptops, it has not established procedures to ensure that inventory records are accurate. For example, 49 of 105 laptops at the Border Patrol facility in El Centro, California, had been locked in a storage room pending disposal. The status codes for the laptops in the CBP inventory indicate that the laptops are currently in use. Further, for the 75 laptops included in our manual review, 21 laptops had an incorrect or missing asset tag, serial number, and/or manufacturer information listed in the inventory.

In addition, six laptops at the Border Patrol Sector Headquarters in Pembroke Pines, Florida, and two laptops at the Mayaguez Port in Puerto Rico were in use but not included in the CBP laptop inventory. According to CBP officials, these discrepancies were largely the result of the component not: • Managing effectively the transition of Border Patrol laptop computers from the ICE inventory to the CBP inventory. According to CBP officials, a number of errors were created in the CBP laptop computer inventory when laptops from the Border Patrol Sector Headquarters in Pembroke Pines, Florida were transferred to the CBP inventory in August 2005. Inventory records were not retained at the site following the transition, and the transfer of some property items to ICE was not properly recorded.

CBP officials stated they do not have an official property officer, and the priority since the transition has been on resolving issues related to desktop computers and network connectivity. • Conducting adequate inventory reviews. Although CBP requires that physical inventory reviews be conducted annually, these reviews do not include all laptop computers or an examination of installed software. The LPO stated that he has served in the position for four years but has Improved Administration Can Enhance CBP Laptop Computer Security Page 13 not received formal training in property management and performs the LPO function as a collateral duty. DHS policy requires that components develop and maintain a property inventory of all portable electronic devices (PED), such as laptops.

This inventory is to include serial numbers and/or seat numbers, user names, use, and location of all PEDs for accountability purposes.10 Also, each DHS-owned PED is to have an asset tag, and asset tag numbers are to be included in the inventory. In addition, DHS policy requires that components conduct reviews, at least semiannually, of all equipment and software to ensure that only government-licensed software and equipment are being used, and that appropriate exceptions have been documented. As a result of these weaknesses in the CBP inventory, there is greater risk that laptop computers will not be configured and secured adequately. Laptops Are Not --------------- --- - -------------------------- - CBP has not implemented procedures to ensure that sensitive data is ----------- ---------------------- --------------------------------------- of its SBU laptop computers.11 Specifically: • None of the sites using ----------------------------------- were periodically testing the equipment to verify that it is functioning properly. • Laptops scheduled for reuse are usually re-imaged,----------------------- -------------- • CBP allows laptops to be donated to an outside organization with the ----------- -------- -------------------------- -- • CBP Information Systems Security Policies and Procedures Handbook 1400-05B does not address the removal of all labels or markings prior to laptops being disposed.

According to CBP officials, the component plans to review its hardware clearing and disposal policies and procedures to ensure compliance with federal laws and regulations. In addition, ---- -------------------------------------------- 10 A seat, also referred to as a “node,” is an intelligent element like a processor that can communicate using interprocessor communications. A seat is where entities and ports reside. 11 Clearing a hard drive requires overwriting all locations with a pseudo-random pattern twice, overwriting all locations with a known pattern, and then verifying the procedure by randomly re-reading (a minimum of 1 percent recommended) the overwritten information.

Sanitizing a hard drive requires incineration or degaussing (see approved degausser list at http://www. nsa.gov/ia/government/mdg.cfm). Improved Administration Can Enhance CBP Laptop Computer Security Page 14 ------------------ in the upcoming revision of the CBP Information Systems Security Policies and Procedures Handbook 1400-05. DHS policy requires that components ensure that any information system’s storage medium containing sensitive information be --------------------------- ------------ - ---------------------------- within the organization. DHS policy also requires that components ensure that any information system’s storage medium containing sensitive information be -------------------------------------------- -- - -------------------------------------------- ------------------------ --------------------- ------ - ------ ---------------------------- ------------------- ----------- -- - ----------------------------- As a result of the weaknesses in the CBP process for ------------------------------------------------- there is greater risk that access to sensitive information may not be limited adequately.

For example,---------- ----------- ----------------------- --- ---------------------------------------------------------------- ------- ---- ------------------------------------------- ---------- Laptops Are Not Marked Appropriately CBP has not affixed external labels to its SBU laptops indicating that the laptops are not authorized for classified processing. According to CBP, the component’s Office of Information Technology is in the process of coordinating with the CBP Office of Finance/Property Management to research the feasibility of purchasing and affixing the necessary labels. DHS policy requires that all laptop computers not authorized to process classified information have a label affixed indicating, “This machine is not authorized for classified processing.” DHS policy also requires that all equipment be marked with the highest classification level of the information that has been processed or stored on the device. Because these laptops were not appropriately marked, there is greater risk that classified information may have been processed on an unclassified system.

Lost Or Stolen Laptops Are Not Reported Appropriately CBP has not ensured that lost or stolen laptops are reported to the DHS CSIRC. We identified five Border Patrol laptops from California and Florida that were lost or stolen during calendar year 2005. The laptop security incidents were investigated and reported to the Border Patrol Sector Headquarters, but were not reported to DHS CSIRC. CBP plans to issue a formal memorandum from the Assistant Commissioner, Office of Information Technology, addressing employee responsibilities for security incident reporting.

Improved Administration Can Enhance CBP Laptop Computer Security DHS policy requires that components report significant computer security incidents to the DHS CSIRC immediately upon identification and validation of incident occurrence. The DHS CSIRC is normally responsible for notifying appropriate law enforcement authorities of a security event, to pursue the investigation and recommend disciplinary action, if required. Because CBP had not reported these security incidents to the DHS CSIRC, senior DHS officials may not be aware of the extent or scope of laptop security issues at the department, and the appropriate corrective actions may not have been taken. Further, without an accurate and current inventory, CBP may be unaware of additional laptops that are missing.

Recommendations To secure CBP data stored on government-issued laptop computers, we recommend that the Commissioner of CBP instruct the CIO to: 1. Remedy the existing critical vulnerabilities in the standard configuration for laptops, based on DHS and federal configuration guidelines. Further, the CIO should confirm whether similar vulnerabilities and remediation are applicable to all government-issued computers within CBP. 2.

Establish procedures to ensure that model systems are configured to protect CBP data and verified prior to implementation. 3. Ensure that the updated model system is correctly implemented on all CBP laptop computers. 4.

Implement procedures to ensure that all CBP laptops are patched and updated in a timely manner, including those that do not regularly connect to the CBP network, as well as all CBP government-issued computers. 5. Implement appropriate inventory management controls to ensure that an accurate laptop inventory is maintained, including effective inventory reviews and adequately trained local property officers. 6. ---------------------------- ------------------------------ -------------, and ensure that SBU laptops are labeled appropriately, in accordance with DHS and federal guidelines.

Improved Administration Can Enhance CBP Laptop Computer Security Page 16 7. Report computer security incidents to DHS CSIRC in a timely manner to ensure that the incidents are investigated and appropriate corrective action is taken. Management Comments And OIG Analysis CBP concurs with recommendation 1. CBP has taken steps to remedy deviations with access privileges and password controls on its laptop computers.

By April 2007, CBP will implement a new certified and accredited model image. CBP’s Information Systems Security Officers will insure that all government-issued laptop computers adhere to DHS policy on access privileges and password controls. We accept CBP’s response to implement corrective action plans for the existing vulnerabilities and to correct the deficiencies in access privileges and password controls. CBP concurs with recommendation 2.

CBP has taken steps to remedy deviations from standard configurations on its laptops. All future model images will be routinely verified for compliance with the applicable certification and accreditation before being implemented. We accept CBP’s response to implement corrective action plans for the existing vulnerabilities in its standard configuration. CBP concurs with recommendation 3.

CBP has taken steps to ensure that the updated model systems are correctly implemented on all CBP laptop computers. CBP has distributed guidance on its web page and through email to all CBP personnel reminding them of their responsibilities associated with laptop computers. By January 2007, CBP will decide on a technique to verify compliance. CBP will then conduct self-assessments every six months to measure compliance and take remediation action as necessary.

We accept CBP’s response to ensure that the updated model systems are correctly implemented on all CBP laptop computers. CBP concurs with recommendation 4. CBP has taken steps to ensure that laptop computers are patched and updated. CBP has distributed guidance on its web page and through email to all CBP personnel reminding them of their Improved Administration Can Enhance CBP Laptop Computer Security Page 17 responsibilities associated with laptop computers.

This includes information necessary for receiving patches to the standard configuration. We accept CBP’s response to ensure that the updated model systems are correctly implemented on all CBP laptop computers. CBP concurs with recommendation 5. In November 2006, CBP began conducting laptop inventories semiannually.

Also, CBP will conduct mandatory quality assurance reviews during every site visit for laptop computers assigned to its location. Site visits will be prioritized based on overall property loss rates experienced during the FY06 inventory. We accept CBP’s response to implement appropriate controls to manage its inventory. However, we maintain that CBP should provide adequate training to its local property officers.

CBP concurs with recommendation 6. During its semiannual inventories and quality assurance reviews, CBP property specialists will ensure that the requirements in the CBP Personal Property Handbook regarding ----------------- ------- - -------------------------------- - - have been completed. In September 2006, the Department amended DHS 4300A to make labeling of SBU computers “recommended” rather than “required.” CBP has no plans to put labels on its computers at this time. We accept CBP’s response to ----------------------- -------- ------------------------ ------------- Further, although DHS 4300A no longer requires computer labeling, we maintain that because of CBP’s diverse and sensitive mission, CBP should consider applying labels to its laptop computers.

The use of warning banners serves as a reminder to all users that the computers that they are accessing are government computers used to process sensitive information and must be used in accordance with good security practices. CBP concurs with recommendation 7. CBP has already taken steps to remind all CBP personnel to report security incidents to Office of Information Technology and DHS CSIRC in a timely manner. In addition, a process will be developed so that the results of the laptop surveys performed by local property officers will be compared to reports received by DHS CSIRC.

We accept CBP’s response to report computer security incidents to DHS CSIRC in a timely manner to ensure that the incidents are investigated and appropriate corrective action is taken. Improved Administration Can Enhance CBP Laptop Computer Security Appendix A Purpose, Scope, and Methodology Purpose, Scope, and Methodology The objective of this audit was to determine whether CBP had implemented adequate and effective security policies and procedures related to the physical security of and logical access to its government-issued laptop computers. Specifically, we determined whether CBP had implemented adequate (1) policies and procedures for inventory management; (2) physical security measures; (3) logical access controls; and, (4) wireless security measures for sensitive data contained in its government-issued laptops. Our focus was to test the development and implementation of an adequate model system for the laptop computers processing and storing sensitive or classified DHS data, as well as the procedures used to patch and update laptops once placed into operation.

In addition, we obtained FISMA information required for the OIG’s annual independent evaluation. To identify sensitive laptop computers, we analyzed the CBP laptop computer inventory as of January 2006. Based on our review of the laptop inventory, we selected the following CBP sites for testing: CBP Testing Locations and Laptop Computers Region Air/Marine Operations Border Patrol Office of Field Operations Office of Strategic Trade Total 256 SBU Laptops (17 sites) California Florida Puerto Rico Total 10 Laptops (1 site) 56 Laptops (3 sites) 19 Laptops (1 site) 21 Laptops (2 sites) 106 Laptops (7 sites) - - 19 Laptops (1 site) 58 Laptops (3 sites) 8 Laptops (1 site) 65 Laptops (5 sites) - - 77 Laptops (4 sites) 73 Laptops (6 sites) 10 Laptops (1 site) 83 Laptops (5 site) 142 Laptops (9 site) 21 Laptops (2 sites) 256 Laptops (17 sites) We performed automated vulnerability assessment scans and port scanning of all 256 laptops to identify configuration weaknesses and missing patches; detailed technical testing for a subset of 69 laptops to confirm the automated testing results and determine account, audit, access privilege, and password parameter settings; password strength analysis on a subset of 122 laptops that do not regularly connect to the network; and manual reviews for a subset of Improved Administration Can Enhance CBP Laptop Computer Security Appendix A Purpose, Scope, and Methodology 75 laptops to verify the presence and configuration of installed software. Upon completion of the tests, we provided component officials with technical reports detailing the specific vulnerabilities detected on their system and the actions needed for remediation.

We conducted fieldwork at CBP facilities in Washington, DC; El Centro, Long Beach, and San Diego, CA; Fort Lauderdale, Miami, and Pembroke Pines, FL; Aguadilla, Mayaguez, and San Juan, PR; and the OIG Advanced Technology Laboratory (ATL).12 We conducted our audit from February to May 2006 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Major OIG contributors to the audit are identified in Appendix D. Our principal points of contact for the audit are Frank Deffer, Assistant Inspector General for Information Technology Audits at (202) 254-4100 and Edward G. Coleman, Director, Information Security Audit Division at (202) 254-5444. 12 The ATL supports our capability to perform effective and efficient technical assessments of DHS information systems in diverse operating environments. The ATL is a collection of hardware and software that allows the simulation, testing, and evaluation of the computing environments that are most commonly used within DHS.

Improved Administration Can Enhance CBP Laptop Computer Security Appendix A Purpose, Scope, and Methodology We used 10 testing tools to conduct internal security tests to evaluate the effectiveness of controls implemented for the systems: ------------------------------- ----------------------------------------- -------- ------------------------------------------- --------------- -------------- ----- -------------------------------------------------------------- --------- ------------------------------------ - - - ---------------------------- - ------------------------------- - ---------------------- -- --- -- ------- ----- ---------- - --------------------------------------------------- --------------- --------------------------------------------- - ---------- - ------------------ --------------- ------------------- -------------------------------------- - -- -- ---- ----- ---------------------- --- ----------------------------- - --------------- - ---- - -------- ----------------------------------------------------------------- ------ ----------------------------------------- --- -------------------- -------------------------- ---------------- --------- ----------------- --------- ---------------------- ------ -------------------------------------------- -------------- - - --------------------- ---------- -------------------------- - ------- ---------------- ------------------------- ---------------------------------------------------------------------------------------------- -------- --------- --- --- -- -------------------------------------------- --------------------------- ------- - --------------- ------------------- --- ----- ---------------- -------- ---------- ---------------- ---------------------- -------------- ------------------------- ------------ ------------ ------------------------ --------------------------------------------- --------- ----- - ---------------------------------------------------------------------- ---------- -- -------------------------------------- ----------------------------- -- ---------- ------------------------------------------------- -------------- ------------------------------- -- ---------------------- ------------- ---------------------------------------- ----------------------------------------------- ----- --------------- -------------------- -- ---------- -------------------------- - ------- ---------------- ------------------------- Improved Administration Can Enhance CBP Laptop Computer Security Appendix A Purpose, Scope, and Methodology Source: OIG auditors conducting security scans on laptop computers in Fort Lauderdale, Florida. Source: OIG auditors conducting security scans on laptop computers in Fort Lauderdale, Florida. Improved Administration Can Enhance CBP Laptop Computer Security Appendix A Purpose, Scope, and Methodology Source: CBP Vehicle and Cargo Inspection System (VACIS) vehicle. Source: CBP laptop computer mounted in VACIS vehicle.

Improved Administration Can Enhance CBP Laptop Computer Security Appendix B Management’s Response Improved Administration Can Enhance CBP Laptop Computer Security Appendix B Management’s Response Improved Administration Can Enhance CBP Laptop Computer Security Appendix B Management’s Response Improved Administration Can Enhance CBP Laptop Computer Security Appendix B Management’s Response Improved Administration Can Enhance CBP Laptop Computer Security Appendix B Management’s Response Improved Administration Can Enhance CBP Laptop Computer Security Appendix C FISMA Metrics FISMA Requirements Title III of the E-Government Act, entitled FISMA, provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support federal operations and assets.13 The agency’s security program should provide security for the information as well as the systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. To comply with the Office of Management and Budget’s (OMB) FISMA reporting requirements, we evaluated the effectiveness of CBP’s information security program and practices as implemented for SBU laptop computers to determine whether DHS continues to make progress in implementing its agency-wide information security program. We collected information relative to C&A, system impact level determination, NIST SP 800-26 annual assessment, assessment of E-authentication risks, specialized security training, and Plan of Action and Milestones (POA&Ms).14 Our evaluation of the CBP laptop systems shows that the component has implemented many key security management practices into its information security program, as required by FISMA. 13 The E-Government Act of 2002 (Public Law 107-347), December 17, 2002.

14 As required by: OMB M-04-04, E-Authentication Guidance for Federal Agencies, and NIST 800-63, Electronic Authentication Guideline. Improved Administration Can Enhance CBP Laptop Computer Security Appendix C FISMA Metrics Table 4: FISMA Compliance Metrics FISMA Reporting Requirements Does the system have a complete and current C&A? Has the system’s impact level been determined according to Federal Information Processing Standard Publication 199 criteria? Does the system have a complete and current NIST SP 800-26 annual assessment?

Does the system have a security plan and risk assessment? Were the system’s security controls tested and evaluated in the last year? Has a system contingency plan been established and tested? Has an assessment of E- Authentication risk been performed for the system?

Have personnel with significant security responsibilities obtained specialized security training? Have individuals involved in the administration of IT systems, or with significant security responsibilities, obtained specialized privacy training? Are POA&Ms created and managed for the system? NE Field LAN NW Field LAN SE Field LAN SW Field LAN Yes Yes Yes Yes Yes Yes Yes Yes Notes The systems were granted authority to operate (ATO) in April and May 2006.

Each system’s impact level was determined to be Moderate for confidentiality, integrity, and availability. Yes Yes Yes Yes Self-assessments were completed in September 2005. Yes Yes Yes Yes System security plans were completed on March 17, 2006, and risk assessments were completed in 2005. Yes Yes Yes Yes Each system completed a ST&E between March to May 2006.

No No No No N/A N/A N/A N/A Yes Yes Yes Yes The systems have contingency plans dated 2005, but the plans have not been tested within the past year. Remote users do not authenticate to the systems for the purposes of conducting government business electronically. As of May 13, 2006, 610 of the 637 personnel with significant security responsibilities had received specialized security training. N/A N/A N/A N/A According to CBP, the systems do not contain privacy data.

Yes Yes Yes Yes POA&Ms have been created and entered into the DHS FISMA reporting system for each of the systems. Source: OIG table based on interviews with CBP personnel and analysis of DHS FISMA reporting system data. Improved Administration Can Enhance CBP Laptop Computer Security Appendix D Major Contributors to this Report Information Security Audits Division Edward G. Coleman, Director Patrick Nadon, Audit Manager Jason Bakelar, Audit Team Leader William Matthews, Auditor Eugene Yu, Auditor Anthony Nicholson, Referencer Advanced Technology Division Chris Hablas, Senior Security Engineer Marcus Badley, Senior Security Engineer Improved Administration Can Enhance CBP Laptop Computer Security Appendix E Report Distribution Department of Homeland Security Secretary Deputy Secretary Chief of Staff Deputy Chief of Staff General Counsel Executive Secretariat Assistant Secretary for Policy DHS GAO/OIG Audit Liaison Assistant Secretary for Public Affairs Assistant Secretary for Legislative and Intergovernmental Affairs Chief Information Officer Deputy Chief Information Officer Chief Information Security Officer Director, Compliance and Oversight Program Chief Information Officer Audit Liaison Audit Liaison, U.S. Customs and Border Protection Chief Privacy Officer Office of Management and Budget Chief, Homeland Security Branch DHS OIG Budget Examiner Congress Congressional Oversight and Appropriations Committees, as appropriate Improved Administration Can Enhance CBP Laptop Computer Security Additional Information and Copies To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov/oig. OIG Hotline To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations – Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax the complaint to (202) 254-4292; or e-mail [email protected].

The OIG seeks to protect the identity of each writer and caller.

Chat with this agency guidance using AI

Ask CiteLaw's AI Navigator anything about this agency guidance, verify citations, and research related authorities. Sign up for CiteLaw free today to get started.