Postal Service IG examines cyber incident data

USPS handles large volumes of financial transactions, which makes it an attractive target for cyber criminals.

The inspector general of the U.S. Postal Service is auditing a database that tracks USPS cyber incidents to determine whether the information it has been collecting is reliable, said agency officials in the Office of the Inspector General.

The review, which the IG's office launched on Nov. 22, comes at a time when officials are increasingly concerned about a new computer worm, Stuxnet, that targets industrial control systems and has the power to cripple industrial operations on a global scale. For the Postal Service, which has a role in virtually every citizen's life, a systemwide outage could undermine the economic viability of the country, as well as public confidence, security experts said.

"What the Postal Service does is really central to the U.S. economy, as well as to the transportation system," said Pat Burke, a senior vice president in the national security sector at consulting firm SRA. USPS handles large volumes of financial transactions and sensitive material, such as passport applications, which makes it an attractive target for cyber criminals, he said.

Its reliance on highly automated distribution and scheduling systems for air mail, truck delivery and rail transport makes cybersecurity a critical issue for the agency, Burke said.

IG officials said they decided to audit USPS incident data in the wake of the White House's call for all agencies and the public to better defend against the growing cyberthreat to national security. Cybersecurity is a top priority for the Obama administration, said USPS OIG spokeswoman Agapi Doulaveris, adding that audits can last anywhere from three to six months.

Burke said the audit is a sound practice to minimize security risks. Key to reducing vulnerabilities is linking intelligence on current threats with internal monitoring of networks via sensors and software that identifies anomalies.
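As an added illustration of the linkage Burke describes, the Python below is example code written for this page (not code from USPS, SRA or the IG's audit). It correlates a constructed threat-intelligence feed against constructed outbound-proxy log lines, and separately flags hosts whose outbound volume is far above the median of their peers, so that a known-bad destination and an unexplained traffic spike both surface in one alert list. The log format, host names, indicators (RFC 5737 documentation addresses and reserved domain names) and the anomaly threshold are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed threat-intelligence feed for this example. The addresses come from the
# RFC 5737 documentation ranges and the domains are reserved names; none is a real IOC.
THREAT_INTEL = {
    "ips": {"203.0.113.45", "198.51.100.7"},
    "domains": {"update-check.example", "cdn-mirror.invalid"},
}

# Constructed outbound-proxy log lines in a hypothetical format:
# <timestamp> <source host> <destination IP> <destination domain> <bytes out>
SAMPLE_LOGS = """\
2010-11-22T09:00:01 sorter-01 192.0.2.10 mail.example.net 1200
2010-11-22T09:00:05 sorter-02 192.0.2.10 mail.example.net 980
2010-11-22T09:00:09 sorter-01 203.0.113.45 update-check.example 4400
2010-11-22T09:00:12 sorter-03 192.0.2.11 sched.example.net 640
2010-11-22T09:00:15 sorter-02 192.0.2.12 routes.example.net 710
2010-11-22T09:00:20 sorter-07 192.0.2.13 cdn.example.net 5900000
2010-11-22T09:00:22 sorter-07 192.0.2.13 cdn.example.net 6100000
2010-11-22T09:00:30 sorter-03 198.51.100.7 cdn-mirror.invalid 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<domain>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal to the sensor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            events.append(rec)
    return events


def match_iocs(events, intel):
    """Threat-intel link: flag any event whose destination IP or domain is a known indicator."""
    hits = []
    for ev in events:
        matched = []
        if ev["ip"] in intel["ips"]:
            matched.append(("ip", ev["ip"]))
        if ev["domain"] in intel["domains"]:
            matched.append(("domain", ev["domain"]))
        if matched:
            hits.append({"ts": ev["ts"], "host": ev["host"], "indicators": matched})
    return hits


def volume_anomalies(events, factor=10.0):
    """Internal monitoring: flag hosts whose total outbound volume exceeds `factor` times the
    median per-host volume. Needs no intel, so it can catch a threat the feed does not know yet."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["host"]] += ev["bytes"]
    if not totals:
        return []
    median = statistics.median(totals.values())
    return sorted((host, total) for host, total in totals.items() if total > factor * median)


def triage(text, intel=THREAT_INTEL):
    """Combine both signals into one alert list: the 'linking' of intel and monitoring."""
    events = parse_log(text)
    alerts = [f"IOC hit on {h['host']} at {h['ts']}: {h['indicators']}" for h in match_iocs(events, intel)]
    alerts += [f"Volume anomaly on {host}: {total} bytes out" for host, total in volume_anomalies(events)]
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

On the constructed input, two hosts contact listed indicators and a third (sorter-07) moves roughly 12 MB while its peers move a few kilobytes, so the combined view yields three alerts; the behavioural check is what would still fire if the intel feed were a day stale.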

The IG is taking questions and comments on the audit through a new website that resembles a blog. In line with the administration's push for public participation in government, people can interact with the managers in charge of ongoing audits to suggest areas of investigation.

The audit project site states: "The objective of our review is to determine if the incident information stored within the computer incident tracking database is sufficiently reliable."

According to the site, hackers could steal money or data, degrade or deny services, damage the Postal Service's reputation, and hurt the productivity of both workers and customers.

A July audit report found that an information-sharing system at the agency lacked security safeguards. Access controls for the so-called electronic data distribution infrastructure "are not effective," the auditors wrote. The absence of strong protections "makes it difficult for administrators to identify individuals who perform unauthorized modifications to servers or its data."

The system -- a series of computers that exchange files -- helps manage address data, sorting and software updates for mail processing and handling equipment nationwide, according to the report. Access controls are intended to prevent intruders from changing or disabling the data and systems the Postal Service needs to deliver mail efficiently, the auditors noted.

The report listed a set of redacted recommendations for bolstering security, which the Postal Service has since implemented, IG officials said on Wednesday.

Other cybersecurity specialists said the auditors should make sure all incidents are logged, including the minor ones. "Sometimes small events are not considered significant enough to be officially reported, which can lead to lingering compromises if the incident has not been identified correctly," said Johannes Ullrich, chief research officer at the SANS Technology Institute, a security training center.

Reliable data would include accurate documentation of each step taken during the response -- from preparation down to lessons learned, in particular how the incident was identified, contained and eradicated, he added. "Any errors in the response," such as a failure to contain the problem, "need to be documented to avoid repeating the same mistake."
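As an added example of the kind of reliability check Ullrich's two points imply, the Python below is written for this page and is not the IG's audit method or any USPS tooling. It validates constructed incident-tracking records for the things he names: that each response phase (identification, containment, eradication, recovery) is documented and in chronological order, that closed incidents carry their response steps and lessons learned, and, at the dataset level, that minor incidents appear at all, since a period with no low-severity entries is more likely a reporting gap than a quiet month. The field names, severity levels and sample records are assumptions made for the example.

```python
import json
from collections import Counter
from datetime import datetime

# Response phases a closed record should document, in the order they occur (assumed schema).
PHASES = ["identified", "contained", "eradicated", "recovered"]
REQUIRED_FIELDS = {"id", "severity", "status", "timeline", "steps", "lessons_learned"}
SEVERITIES = {"low", "medium", "high", "critical"}

# Constructed records in a hypothetical tracking-database export; not USPS data.
SAMPLE_RECORDS = json.loads("""
[
  {"id": "INC-001", "severity": "high", "status": "closed",
   "timeline": {"identified": "2010-11-20T09:30:00", "contained": "2010-11-20T10:15:00",
                "eradicated": "2010-11-20T14:00:00", "recovered": "2010-11-21T08:00:00"},
   "steps": ["isolated sorter-07 from network", "re-imaged host", "rotated service credentials"],
   "lessons_learned": "Detection relied on a user report; add egress volume alerting."},
  {"id": "INC-002", "severity": "medium", "status": "closed",
   "timeline": {"identified": "2010-11-20T09:30:00", "contained": "2010-11-20T08:00:00",
                "eradicated": "2010-11-20T10:00:00", "recovered": "2010-11-20T12:00:00"},
   "steps": ["blocked destination IP at proxy"],
   "lessons_learned": "Blocklist update lagged the intel feed by a day."},
  {"id": "INC-003", "severity": "low", "status": "closed",
   "timeline": {"identified": "2010-11-21T11:00:00", "contained": "2010-11-21T11:05:00"},
   "steps": [],
   "lessons_learned": ""},
  {"id": "INC-004", "severity": "info", "status": "open",
   "timeline": {"identified": "2010-11-22T07:45:00"},
   "steps": ["ticket opened, awaiting triage"]}
]
""")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def validate_incident(rec):
    """Return reliability findings for one record; an empty list means the record is consistent."""
    rid = rec.get("id", "<no id>")
    findings = [f"{rid}: missing field '{f}'" for f in sorted(REQUIRED_FIELDS - set(rec))]
    if rec.get("severity") not in SEVERITIES:
        findings.append(f"{rid}: severity '{rec.get('severity')}' is not a recognised level")
    closed = rec.get("status") == "closed"
    timeline = rec.get("timeline", {})
    previous = None
    for phase in PHASES:
        stamp = timeline.get(phase)
        if stamp is None:
            # An open incident may legitimately lack later phases; a closed one may not.
            if closed:
                findings.append(f"{rid}: closed without a '{phase}' timestamp")
            continue
        when = _ts(stamp)
        if previous is not None and when < previous[1]:
            findings.append(f"{rid}: '{phase}' is recorded before '{previous[0]}'")
        previous = (phase, when)
    if closed and not rec.get("steps"):
        findings.append(f"{rid}: closed with no response steps documented")
    if closed and not rec.get("lessons_learned"):
        findings.append(f"{rid}: closed with no lessons learned")
    return findings


def audit(records):
    """Audit a whole export: per-record findings plus a dataset-level under-reporting signal."""
    findings = {r.get("id", "<no id>"): validate_incident(r) for r in records}
    severities = Counter(r.get("severity") for r in records)
    return {
        "total": len(records),
        "unreliable": [rid for rid, f in findings.items() if f],
        "findings": findings,
        # Zero minor incidents in a period suggests small events are not being logged.
        "no_minor_incidents_logged": severities["low"] == 0,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RECORDS), indent=2))
```

Against the constructed export, INC-001 passes, INC-002 has containment stamped before identification, INC-003 is a minor event closed with no eradication, recovery, steps or lessons recorded (exactly the "lingering compromise" pattern), and INC-004 uses an unrecognised severity and lacks a required field; only the timeline and completeness checks are enforced on closed records, so an open ticket is not penalised for phases it has not reached.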