11-3.10 Conducting Vulnerability Scans, Intrusion Detection, Penetration Tests

Only personnel authorized by the CISO are permitted to conduct network scanning, intrusion detection, penetration testing, and vulnerability scans of Postal Service information resources. During audits and investigations, the OIG may conduct scanning, penetration testing, and vulnerability scans as deemed appropriate. The OIG has the authority to scan and conduct penetration testing and vulnerability scans on its own network and IT infrastructure.

11-3.10.1 Vulnerability Scans

Vulnerability scans are required to systematically examine an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. Requests for vulnerability scans must be directed to the manager, CISO ISS, for approval. Vulnerability scans are conducted on Postal Service information resources by CISO ISS or their designee.

11-3.10.2 Intrusion Detection

Intrusion detection is required to monitor network and/or system activities for malicious activity. The main functions of intrusion detection and prevention are to identify malicious activity, log information about it, attempt to block or stop it, and report it. All policy configurations will be managed by CISO ISS.

Requests for intrusion detection must be directed to the manager, CISO ISS, for approval. Intrusion detection is conducted for Postal Service networks by CISO ISS or their designee. The OIG conducts intrusion detection at its discretion.

The intrusion detection process consists of the following:

  1. Monitor the network for suspicious traffic by analyzing protocol activity.
  2. Examine network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
  3. Utilize one of three detection methods:
    1. Signature-based detection.
    2. Statistical anomaly-based detection.
    3. Stateful protocol analysis detection.
  4. Secure and synchronize configuration files/policies.
  5. Audit and monitor all services to detect intrusions or misuse.
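The three detection methods named in step 3, as an added illustration that is not part of this handbook or of any Postal Service tooling: a minimal detector applies each method to constructed packet records (the addresses, the baseline rates and the "CONSTRUCTED-BAD-MARKER" signature are all made up for the example).

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
def pkt(src, dst, flags, payload=b""):
    return {"src": src, "dst": dst, "flags": flags, "payload": payload}

# Constructed sample traffic (not real Postal Service data): one server, several clients.
SERVER = "10.0.1.9"
TRAFFIC = [
    # Well-behaved client: full TCP handshake, then an HTTP request.
    pkt("10.0.0.5", SERVER, "SYN"), pkt(SERVER, "10.0.0.5", "SYN-ACK"), pkt("10.0.0.5", SERVER, "ACK"),
    pkt("10.0.0.5", SERVER, "PSH", b"GET /index.html HTTP/1.1"),
    # Client whose request carries a constructed known-bad marker (signature hit).
    pkt("10.0.0.7", SERVER, "SYN"), pkt(SERVER, "10.0.0.7", "SYN-ACK"), pkt("10.0.0.7", SERVER, "ACK"),
    pkt("10.0.0.7", SERVER, "PSH", b"GET /?q=CONSTRUCTED-BAD-MARKER HTTP/1.1"),
    # Data sent on a flow that never completed a handshake (stateful violation).
    pkt("10.0.0.8", SERVER, "PSH", b"GET / HTTP/1.1"),
] + [pkt("10.0.0.99", SERVER, "SYN")] * 40  # one source flooding SYNs: an unusual traffic flow

# 1. Signature-based: known byte patterns (constructed placeholder, not a real signature feed).
SIGNATURES = {"constructed-bad-marker": b"CONSTRUCTED-BAD-MARKER"}

def signature_alerts(packets):
    return [(p["src"], name) for p in packets
            for name, sig in SIGNATURES.items() if sig in p["payload"]]

# 2. Statistical anomaly-based: per-source packet counts learned in normal operation (constructed).
BASELINE_RATES = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2]

def anomaly_alerts(packets, z=3.0):
    counts = Counter(p["src"] for p in packets)
    limit = mean(BASELINE_RATES) + z * pstdev(BASELINE_RATES)   # 2.3 + 3 * 0.9 = 5.0
    return sorted(src for src, n in counts.items() if n > limit)

# 3. Stateful protocol analysis: track the TCP handshake per flow; flag data that arrives too early.
NEXT_STATE = {("NEW", "SYN"): "SYN_SENT", ("SYN_SENT", "SYN-ACK"): "SYN_RCVD",
              ("SYN_RCVD", "ACK"): "ESTABLISHED"}

def stateful_alerts(packets):
    state = defaultdict(lambda: "NEW")      # keyed by the unordered endpoint pair
    alerts = []
    for p in packets:
        flow = frozenset((p["src"], p["dst"]))
        if p["flags"] == "PSH":             # data segment
            if state[flow] != "ESTABLISHED":
                alerts.append((p["src"], "data before handshake completed"))
        else:                               # control segment: advance the state machine
            state[flow] = NEXT_STATE.get((state[flow], p["flags"]), state[flow])
    return alerts

if __name__ == "__main__":
    print({fn.__name__: fn(TRAFFIC) for fn in (signature_alerts, anomaly_alerts, stateful_alerts)})
```

Each method catches a different record and none flags the well-behaved client, which is why the handbook lists all three rather than relying on one.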

11-3.10.3 Penetration Testing

Penetration testing is required to determine the effectiveness of the security of an information resource's configuration. Requests for penetration testing must be directed to the manager, CISO ISS, for approval. Penetration testing is conducted for Postal Service networks by the CISO ISS or its designee. The OIG conducts penetration testing on Postal Service networks at its discretion.