11-3.10 Conducting Vulnerability Scans, Intrusion Detection, Penetration Tests

Only personnel authorized by the CISO are permitted to conduct network scanning, intrusion detection, penetration testing, and vulnerability scans of Postal Service information resources. During audits and investigations, the OIG may conduct scanning, penetration testing, and vulnerability scans as it deems appropriate. The OIG has the authority to scan and to conduct penetration testing and vulnerability scans on its own network and IT infrastructure. Reports resulting from these vulnerability activities are sent to the program managers, with a copy to the Corporate Information Security Office/ISSO for each system. The ISSOs will include these vulnerabilities in the Risk Mitigation Plan for each system or in the Risk Register.

11-3.10.1 Vulnerability Scans

Vulnerability scans are required to systematically examine an information system or product to determine the adequacy of its security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. Requests for vulnerability scans must be directed to the manager, CISO ISS, for approval. Vulnerability scans are conducted on Postal Service information resources by CISO ISS or its designee.

11-3.10.2 Intrusion Detection and Protection

Intrusion detection is required to monitor network and/or system activities for malicious activity. The main functions of intrusion detection/prevention are to identify malicious activity, log information about that activity, attempt to block or stop it, and report it. All policy configurations will be managed by CISO ISS.

Requests for intrusion detection must be directed to the manager, CISO ISS, for approval. Intrusion detection is conducted for Postal Service networks by CISO ISS or its designee. The OIG conducts intrusion detection at its discretion.

The intrusion detection process consists of the following:

  1. Monitor the network for suspicious traffic.
  2. Examine network traffic to identify threats.
  3. Utilize one of the following detection methods:
    1. Signature-based detection.
    2. Statistical anomaly-based detection.
    3. Stateful protocol analysis detection.
    4. Dynamic analysis.
  4. Take appropriate actions to mitigate the detected threats. This includes, but is not limited to, the following:
    1. Produce alert.
    2. Reset current session with/without alerts.
    3. Drop current session with/without alerts.
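An added illustration of the process above (example code, not Postal Service tooling or part of this handbook): three of the listed detection methods run over constructed connection records, with each finding mapped to one of the response actions the policy names (alert, reset, drop). The Conn record fields, the signature patterns and the k threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Conn:
    """One constructed connection record (hypothetical fields, not a real sensor format)."""
    src: str
    payload: bytes
    handshake_done: bool  # state supplied by a (hypothetical) TCP connection tracker

# Signature-based detection: known byte patterns in the payload (constructed signatures).
SIGNATURES = {
    b"/etc/passwd": "path traversal probe",
    b"' OR 1=1": "SQL injection probe",
}

def signature_detect(c):
    for pattern, name in SIGNATURES.items():
        if pattern in c.payload:
            return name
    return None

# Statistical anomaly-based detection: a source whose connection count exceeds mean + k*stddev of all sources.
def anomaly_detect(conns, k=3.0):
    counts = Counter(c.src for c in conns)
    if len(counts) < 2:
        return set()
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    return {src for src, n in counts.items() if n > mu + k * sigma}

# Stateful protocol analysis: application data on a TCP connection that never completed its handshake.
def stateful_detect(c):
    if c.payload and not c.handshake_done:
        return "payload without completed TCP handshake"
    return None

def respond(conns):
    """Run the three methods and map findings to the policy's actions (alert/reset/drop)."""
    anomalous = anomaly_detect(conns)
    findings = []
    for c in conns:
        if (why := signature_detect(c)):
            findings.append((c.src, "drop", why))
        elif (why := stateful_detect(c)):
            findings.append((c.src, "reset", why))
        elif c.src in anomalous:
            findings.append((c.src, "alert", "connection rate anomaly"))
    return findings
```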

11-3.10.3 Penetration Testing

Penetration testing is required to determine the effectiveness of the security of an information resource's configuration. Requests for penetration testing must be directed to the manager, CISO ISS, for approval. Penetration testing is conducted for Postal Service networks by CISO ISS or its designee. The OIG conducts penetration testing on Postal Service networks at its discretion.