Roadmap to Exploitation: The OIG Imperative to Publish or Perish

Monday, January 23, 2012


Physical operational security (OPSEC) measures in the military are absolute. It is a required function of all soldiers to review, understand, establish and maintain OPSEC practices at all levels. 

When soldiers establish a forward operating post, they do so with careful consideration for avenues of approach, housing, power, proximity to support resources, roads, rail, aviation, fuel, water, sanitation, logistics, and medical support, to name a few. 

Forward operating bases are established in hostile areas based upon the spectrum of conflict as defined in Figure 1. Forward operating bases are inherently in harm’s way. The facility requirement factors for a forward operating base are many and detailed:

  • Mission and operational objectives
  • Total force structure to be supported
  • Expected duration of force deployment
  • Types of equipment to be employed
  • Number of days of supply to be stocked in the operational area
  • Standards of construction
  • Operational area medical policy
  • Operational area climatic conditions
  • Time-phasing of force deployment
  • Force protection (for example, AT/FP standoff distances)
  • Hazardous material management and waste disposal
  • Proximity to lines of communications
  • Utility requirements
  • Availability and suitability of existing host nation (HN) infrastructure
  • Real property factors
  • Environmental restrictions
  • Cultural and historic sites and sensitive natural resources
  • Safety requirements (for example, explosive safety distances, airfield clearance, fire prevention)

There is much to consider just to establish a base that is functional, much less to provide adequate physical security to protect it. Base layouts and diagrams are critical to planning of almost any type. Soldiers need to know where the base’s weaknesses are and how to shore them up during an attack. They need to understand the methods of support and response available during times of trouble.

Base commanders participate in the preparation of base defense plans and provide staff with instructions on how to operate base defense facilities in accordance with those plans. They direct individual and unit training to ensure readiness for assigned defense tasks. Some of the commander’s initial physical security guidance may be to:

  • Identify and prioritize highest risk threats
  • Establish/take handoff or perimeter security and access control
  • Maximize dispersion to mitigate frag/blast effects
  • Establish/confirm full-height sidewall protection against frag/blast in high troop concentration facilities and sleeping areas
  • Compartmentalize areas with high troop concentrations
  • Provide overhead cover and pre-detonation screens for facilities with high troop concentrations

Threats under consideration include adversary-controlled agents or sympathizers, terrorism, demonstrations, civil disturbances, guerrilla units, unconventional forces, small tactical units, air or missile attacks, and nuclear, biological, and chemical (NBC) weapons.

This is all based upon a risk assessment of the area, and that assessment is continuous: one that starts before deployment to help determine need, and one that continues well after the base is created. The information gathered during these assessments is highly sensitive and classified. Falling into the hands of the adversary, it ensures death and destruction.

Tests are run to ensure fields of fire are accurate and effective. Passage of lines is tight and practiced. Call for fire is critical to the survival of the base. All these operational aspects are assessed for effectiveness and weaknesses. Nothing is shared with the adversary. It would be ludicrous to think otherwise. It is asinine to consider such an act. The Uniform Code of Military Justice (UCMJ) would view such an action as traitorous. Lives are at stake.

So when it comes to cyber security, why is it that the Offices of Inspector General (OIG) of almost all federal agencies feel it appropriate to publish the weaknesses of their agency’s cyber defenses?

I examined several non-DoD agencies looking at the OIG section of each website. What I found is both astonishing and commonplace. Astonishing from the aspect that the auditors feel it is appropriate to let our adversaries know exactly where our cyber weaknesses are.

Commonplace from the perspective that it seems to be an almost universal thought process. When asked why they would post such material, one of the answers is always, “Everyone else is doing the same thing and besides, I can find some of this information on your site already!” So that makes it okay.

Some years ago, The Washington Post's Style Invitational asked readers to take any word from the dictionary, alter it by adding, subtracting, or changing one letter, and supply a new definition. The one that comes to mind here is "ignoranus".

If the auditors find information of a sensitive nature on the target website or system, they should immediately notify the owners so that the sensitive information can be removed, instead of publishing it for the whole world to see. The crime of giving aid to the enemies of one’s government is called what?

OIG audit findings provide a roadmap for exploitation. Placing definitions of security control weaknesses in the public domain provides our adversaries the ammunition needed to quickly and effectively exploit those weaknesses, penetrate the site(s) and exfiltrate the target data. The OIG organizations I examined are listed below.

AGENCIES and the Corresponding OIG Reports on Cyber Security:

United States Department of Agriculture

United States Department of Commerce


  • FISMA Eval USPTO Patent Cooperation Treaty Search Recordation System PTOC-018-00.pdf - Acquisition and IT Security SUBJECT: FISMA Evaluation of USPTO's Patent Cooperation Treaty… meet our FY 2009 reporting requirements under FISMA. Because of these two issues, we have…
  • FISMA 2004 Reporting Guidance - enter data in allowed fields, use password: fisma A.1. By bureau (or major agency operating… secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security …
  • USPTO FISMA job announcement - for Audit and Evaluation SUBJECT: FISMA Evaluation ofUSPTO's Enterprise Remote Access system …
  • FY 2009 FISMA Assessment of Bureau Export Control - 2009 BUREAU OF INDUSTRY AND SECURITY FY 2009 FISMA Assessment of Bureau Export Control Cybe … and bringing it into conformance with both FISMA and departmental requirements. We are also …
  • FY 2009 FISMA Assessment of BIS Information - BUREAU OF INDUSTRY AND SECURITY FY 2009 FISMA Assessment of BIS Information Technology (IT… of the entity’s compliance with FISMA and applicable requirements. This review covers our…
  • FY 2009 FISMA Assessment of Enterprise UNIX Services System (EUS) (PTOI-010-00) - Patent and Trademark Office FY 2009 FISMA Assessment of Enterprise UNIX Services System (EUS… to communicate the plan as required by FISMA. We appreciate the cooperation and courtesies…
  • FY 09 FISMA Assessment of Field Data Collection Automation System (CEN22) - exterior U.S. Census Bureau FY 2009 FISMA Assessment of the Field Data Collection Automation… to our recommendations. As required by FISMA, a plan of action and milestones should be used …
  • FY 2009 FISMA Assessment of BIS IT Infrastructure (BI) (BIS002) OSE-19574 - and Security Operations, BIS OIG FY 2009 FISMA Assessment Listing of Abbreviated Terms and… Page 3 OIG FY 2009 FISMA Assessment Introduction BI provides headquarters and 11 field…
  • FISMA Audit Identified Significant Issues Requiring Management Attention - November 15, 2010, Final Report OIG-11-012-A… 3 I. Significant Vulnerabilities in Commerce… Security Management Act of 2002 (FISMA) requires agencies to secure systems through the use…

United States Department of Defense

United States Department of Education

United States Department of Energy

United States Department of Health and Human Services

United States Department of Homeland Security

United States Department of the Interior

United States Department of Justice

United States Department of Labor

  • Federal Information Security Management Act Audit of EBSA’s Technical Assistance and Inquiry System - Report No. 23-11-026-12-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
  • Federal Information Security Management Act Audit of ETA’s E-Grants System and Unemployment Insurance Database Management System - Report No. 23-11-027-03-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
  • Federal Information Security Management Act Audit of the OCFO PeoplePower and New Core Financial Management System - Report No. 23-11-028-13-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
  • Federal Information Security Management Act Audit of OASAM E-Procurement System and Employee Computer Network/Departmental Computer Network - Report No. 23-11-029-07-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted
  • Federal Information Security Management Act Audit of OCIO Entity-wide IT Security Controls - Report No. 23-11-030-07-001 (September 30, 2011) - This report contains Sensitive Information and will not be posted

United States Department of State

  • Stopped publishing after 2006 - “OIG reports on this site may be redacted. To request a full copy without redactions or a report not listed in this library, please visit our FOIA site.”
  • “Office of Inspector General (OIG) reports are posted on OIG’s Web sites in accordance with section 8L of the Inspector General Act of 1978 (5 U.S.C. App.), as amended. All reports are reviewed, and redacted when appropriate, in accordance with the Freedom of Information Act (5 U.S.C. § 552) and related statutes/regulations, plus the President’s memorandum on ‘Transparency and Open Government’, dated January 21, 2009, and the Attorney General’s FOIA guidelines dated March 19, 2009.”

United States Department of Transportation

United States Department of the Treasury

United States Department of Veterans Affairs

National Aeronautics and Space Administration

I actually found some organizations that practice prudent and effective security. Some stopped publishing cyber security control weaknesses several years ago. Others require a Freedom of Information Act (FOIA) request to get the information, and then it is redacted for sensitive content. Others provide it outright, but again, it is redacted.

Regardless, the majority of OIG organizations publish this highly sensitive information as if they were actually assisting the target agency. Just the opposite: they are ensuring a more rapid penetration of agency cyber defenses. Whose side of the equation are you on? Why does this need to be public information?

I even found one enterprising ID-ten-T who took one OIG audit report and is now selling it on Amazon for $12.95. Let’s add insult to injury.

Where is Congress in all this? They bluster and billow about hacking, cyber warfare, and cyber espionage, but they do not address the foundational elements of online OPSEC. I invite anyone who reads this to contact their representatives (House and/or Senate) and let them know of this practice. It needs to stop.

Mission statements from several OIG sites are as follows:

  • To be an agent of positive change, striving for continuous improvement in management and program operations.
  • Office of Inspector General's (OIG) mission is to protect the integrity of agency programs.
  • Promotes the integrity, efficiency and effectiveness of agency programs and operations to assist the Department in meeting its mission.
  • Detects and prevents waste, fraud, and abuse
  • Seeks administrative sanctions, civil recoveries and/ or criminal prosecution of those responsible for waste, fraud and abuse in agency programs and operations. (should look in the mirror)
  • To promote the efficiency, effectiveness, and integrity of the Department's programs and operations, we conduct independent and objective audits, investigations, inspections, and other activities.

Then we publish this information for all adversaries to see. Having worked in the federal sector, I find many OIG departments that do not practice what they preach. The systems they own and operate within these agencies can be suspect, to say the least.

CISOs are afraid to go after them to correct the issues, much less openly identify them, for fear that more will be publicly exposed. Almost all OIGs provide a hotline. I think we should contact them through the hotline email and phone lines with the identified abuse.

No CISO would publicly publish their threat and vulnerability assessments, vulnerability scans, penetration tests, or assessments of any type. To do so would result in termination (and it has); it is a betrayal of trust.

Even CIOs understand the ramifications of this type of information exposure. Some recommendations for the CISOs and CIOs of these organizations:

  • Classify your security program and all that is in it (at a minimum) as Sensitive But Unclassified (SBU). This includes metrics, reports, assessments, security technology stack diagrams, procedures, etc.
  • Write a policy, or enhance an existing one, stating that the above is critical to the security posture of the agency and therefore cannot be disclosed in any shape, form, format or medium.
  • Communicate this change and gain buy-in from the agency administrator, since his or her information is also at stake.
  • Talk to your peer CISOs and CIOs and create a united front against the OIG’s poor practices.

In the words of Chris Berman: C’mon man. Wake up and change your ineffective practices. We are already under siege at the cyber level. Why give them a leg up? Stop being an ignoranus.

About the Author: Jeff Bardin is currently Chief Intelligence Officer for Treadstone 71. In 2007 he was awarded the RSA Conference award for Excellence in the Field of Security Practices. The Bardin-led security team from Hanover Insurance also won the 2007 SC Magazine Award for Best Security Team, competing against such organizations as Barclays Global and the Department of State. Jeff sits on the Boards of Directors of Boston InfraGard, Content Raven and Wisegate; was a founding member of the Cloud Security Alliance; is a member of the Cyber Security Forum Initiative and the RSA Conference Submission Selection Committee; and formerly served on the Customer Advisory Board for Chosen Security. Jeff published The Illusion of Due Diligence in 2010, was a co-author of the Computer and Information Security Handbook and Understanding Computers, and has published articles for magazines such as The Intelligencer, CSO, and SC Magazine. Jeff served in the USAF as a cryptologic linguist, and in the USANG as an officer. He has a BA in Special Studies - Middle East Studies & Arabic Language from Trinity College as well as an MS in Information Assurance from Norwich University. He is also a professor in the master’s programs in cyber intelligence, counterintelligence, cybercrime and cyber terrorism at Utica College. Jeff also holds the CISSP, CISM, C|CISO and NSA-IAM certifications.

Bill Ross: Jeff is absolutely correct. As a retired Intelligence Officer, I would shake my head in disbelief at how easy it is to reverse engineer FISMA, OIG, and many other types of audit reports into a viable attack plan. And "Anonymous" marches on.
Jeffrey Carr: There's probably room for improvement on what goes into the OIG unclassified report; however, there is still benefit to be derived from them. What I don't understand, Jeff, is that while railing against how OIG is providing a roadmap to cyber adversaries, you've provided those same adversaries with a convenient selection of reports sorted by Department. You could have made your point without providing bad guys with a library of documents to choose from. Instead you've done precisely what you accuse the OIG of doing.
Probably room for improvement? You read the whole article and that is the only comment I can get as a stance against the ridiculous process of auditors across government OIGs?

I thought long and hard about posting this already public information but, if you don't provide auditors evidence of your findings, then you in fact have no findings. I provided a random sampling of publicly available reports as a method to demonstrate the issue. There are dozens of other agencies/sub-agencies I did not reference.

I ask you, what method of identification to prove the point would you have recommended? I have a rule when employees come into my office:
- If you are going to vent, let me know it is a vent and we'll do it together.
- If you are going to critique, do so with at least three recommendations for how to solve the issue(s) brought to the table.

I expected comments such as yours but not coming from someone like you. I have seen this many times before. The messenger brings major issues to the table. Someone else understates the real issue while shooting the messenger only to deflect away from the real issues at hand.

Out of the whole article, this is your only issue? I am quite surprised at your response. I would ask: With your influence in the federal government, what are you going to do to shut down the practice by the OIG? Or is it just a minor issue that 'probably' could use some improvement?
Jeffrey Carr: What you're railing against is the core of information security practices that occurs in hundreds of B-Sides, DEF CONs, ShmooCons, and other hacker conferences every year. I view that as a far worse problem than the typical OIG report. My recommendation for any report is to contain enough information to raise public awareness about the problem while avoiding sharing specifics that can be used by an adversary.

Problems have to be prioritized. Considering all of the issues pertaining to cyber security that exist today, an OIG report is not even close to being at the top of the pile, in my opinion. There's no denying that it belongs in the pile and there's lots of room for improvement, but I don't see it as taking priority away from other, more pressing issues like the utter failure of our current network security model.
So you will do nothing...
Annika Moje: The OIG report that individual agencies are referencing is from the reporting tool CyberScope, used by all agencies, at least the CFO 24. I was a former developer on this product. In it are three reports: the CIO report, the Statement of Privacy, and the OIG report. There is nothing in the OIG report that is confidential or sensitive in nature. It is the OIG's independent report on its specific agency's compliance with certain aspects of FISMA. Although areas of improvement are noted, they are of a very generic nature. Keep in mind the questions that are asked of an agency on each report are derived by DHS and OMB.

Last year, OMB/DHS mandated that agencies send on a monthly basis three pieces of information: a) an agency's distinct instances of CPEs, b) an agency's CVEs and a count, and c) items configured contrary to USGCB/FDCC recommendations, reported by CVE. Again, this information is summated and generic, not really specific. The impact on "increased" threats due to the nature of reporting (open transparency as well) is minimal.
I ask that all who wish to comment actually read the material at the links provided. These are not CyberScope quarterly reports.
Annika Moje: I ask that those who actually wrote the article actually read the material and reports provided in the links as well, and then come up with something specific in any of those reports that increases risks to an organization in the cyber security space. An OIG reviews THE PROGRAM, not the contents of the program (e.g. the results of a vulnerability scan or a CPE inventory listing), nor do they release any evidence or artifact that served as the basis of their finding(s). An OIG reviews an organization's ability to comply with FISMA and makes sure the level of C&A performed across the enterprise of applications is commensurate with the risk associated with the system.

FYI - If you read Education's report (per your links) and Interior's, you can clearly see the actual CyberScope report filed with Congress for the OIG section. Furthermore, CyberScope reporting is monthly, quarterly, and annual, and all IGs have to complete the section. Additionally, if you read DOJ's, the JSOC report and their dashboard of output, which is the result set of a BigFix feed, is published. This is all post-facto, after-the-fact detection, where cyber security tasks should be preventive and proactive.

So, just curious, what content in any of your links INCREASES risks to cyber security? My guess is the author is a security junkie who has no audit or internal control experience.
Annika Moje: "I examined several non-DoD agencies looking at the OIG section of each website. What I found is both astonishing and commonplace. Astonishing from the aspect that the auditors feel it is appropriate to let our adversaries know exactly where our cyber weaknesses are."

BE SPECIFIC - which report and what weaknesses? The fact that an agency might not even have an information security program or basic information security policy doesn't make them any more or less prone to an attack in the real world.