ML22123A045

From kanterella
NRC-2022-000082 - Resp 1 - Final, Agency Records Subject to the Request Are Enclosed
ML22123A045
Person / Time
Issue date: 04/20/2022
From:
NRC/OCIO
To:
Shared Package
ML22123A043 List:
References
FOIA, NRC-2022-000082
Download: ML22123A045 (132)


Text

OFFICIAL USE ONLY SECURITY RELATED INFORMATION

Mr. Charles Coe
Assistant Inspector General for Information Technology Audits and Computer Crime Investigations
Office of the Inspector General
U.S. Department of Education
550 12th Street, SW, Suite 8129
Potomac Center Plaza
Washington, DC 20024-6122

Dear Mr. Coe:

Please find enclosed the Nuclear Regulatory Commission (NRC) Office of the Inspector General's (OIG) Assessment of NRC's Efforts to Protect Sensitive Information (OIG-06-A-23).

We conclude from our assessment that NRC's current policies and procedures do not meet the requirements outlined in OMB M-06-16. (b)(7)(E)

If you, or a member of your staff, have any questions on this matter, please call me at 301-415-5915 or Beth Serepca at 301-415-5911.

Sincerely,

Stephen D. Dingbaum
Assistant Inspector General for Audits

Enclosure:

As stated

Bcc: L. Reyes, EDO
M. Johnson, OEDO
Distribution (b)(7)(C)

(b)(7)(C)


(b)(7)(E)

(b)(7)(E)

(b)(7)(E)

(b)(7)(E)

DRAFT

Nuclear Regulatory Commission
APPENDIX I: IG DATA COLLECTION INSTRUMENT

Overall Summary Statement. (Please refer to page five of the review guide for sample language for summary statements.)

Based on our evaluation, we found that NRC's current policies and procedures do not meet the requirements outlined in OMB M-06-16. NRC has proposed several actions regarding the protection of PII. These include short-term activities focusing on improving agency staff awareness, reviewing and updating current agency direction to meet OMB's requirements, and assisting offices in identifying current data sources containing PII. Mid-term activities focus on implementing mitigation strategies to protect PII from unauthorized use. Long-term activities include updating agency policy to reflect PII requirements; completing the certification and accreditation of all NRC major systems; and designing, developing, and implementing a uniform Enterprise Security Architecture based upon Federal and commercial "best practices." While NRC has proposed these actions to the Chairman, they have not been disseminated to the entire agency. Therefore, there are not adequate controls currently in place to protect PII that is accessed remotely or physically removed from NRC-controlled space.


November 30, 2006

MEMORANDUM TO: Luis A. Reyes, Executive Director for Operations

FROM: Stephen D. Dingbaum /RA/
Assistant Inspector General for Audits

SUBJECT: SOCIAL ENGINEERING ASSESSMENT (OIG-07-A-04)

This report represents the results of the subject assessment. Agency comments provided at the exit conference on November 8, 2006, have been incorporated, as appropriate, into this report. The agency did not provide formal comments.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow up as stated in Management Directive 6.1.

We appreciate the courtesies and cooperation extended to us by members of your staff during the assessment. If you have any questions, please contact me at 415-5915 or Beth Serepca at 415-5911.

Attachment:

As stated

ELECTRONIC DISTRIBUTION

John T. Larkins, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
William F. Kane, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research, State and Compliance Programs, OEDO
Jacqueline E. Silber, Deputy Executive Director for Information Services and Administration and Chief Information Officer, OEDO
Michael R. Johnson, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Cynthia A. Carpenter, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
R. William Borchardt, Director, Office of New Reactors
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV

EVALUATION REPORT

Social Engineering Assessment
OIG-07-A-04
November 30, 2006

Social Engineering Assessment

Submitted to:

Office of the Inspector General
U.S. Nuclear Regulatory Commission

Final Report

Submitted by:

Systems Research and Applications Corporation
A wholly owned subsidiary of:


SRA International, Inc.

3434 Washington Blvd
Arlington, Virginia 22201
11 November, 2006

Page 1 of 30


Table of Contents

Executive Summary ... 3
(b)(7)(E)
Background ... 6
Intelligence Collection ... 7
Target Profiling and Attack Planning and Execution ... 7
(b)(7)(E)
Conclusion ... 15
(b)(7)(F)
Consolidated List of Recommendations ... 30

Executive Summary

The SRA International, Inc. (SRA), Social Engineering (SE) Team, at the request of the Nuclear Regulatory Commission's (NRC) Office of the Inspector General (OIG), conducted tests to determine specific weaknesses and vulnerabilities in the NRC's physical, personnel, and network access controls. These tests were designed to simulate social engineering attempts to infiltrate and exploit vulnerabilities on three distinct attack vectors (telephonic, cyber, and physical) within the NRC security infrastructure. The SRA SE Team's tests were designed to be a building block by which the OIG could further assess the NRC security posture and enhance existing controls where necessary.

(b)(7)(F)


(b)(7)(E)

Conclusion and Recommendations

NRC has in general developed strong security programs and practices that, if followed and occasionally tested, will provide barriers to all but the most determined attackers.

NRC has also taken measures to ensure that its main information systems are protected against unauthorized access and access attempts. However, the SE Team did find exploitable avenues within the PDR, as well as a weakness in observed Help Desk procedures.

NRC employees demonstrated excellent awareness of IT security responsibilities in their responses to the SE Team's attempts to exploit physical, cyber, and telephonic vulnerabilities. Employees were unresponsive to overt attempts to obtain personal data, and appropriately escalated the perceived incidents to NRC security.

However, the SE Team was able to enter the NRC White Flint 1 and 2 facilities under false names and carry into the facility IT devices that were subsequently used to infiltrate NRC networks and gather intelligence data.

The SE Team's testing indicates that there are areas for improvement. Specifically:

  • Help Desk administrators should have controls in place that allow them to validate the identity of callers.
  • PDR workstations should employ stronger access controls to limit potential misuse and network disruptions.
  • Physical security personnel should be more vigilant and attentive to individuals entering and exiting NRC facilities.


The body of this report contains 10 specific recommendations for improvement in the telephonic, cyber, and physical security areas. Only one vulnerability, the SE Team's observations of the Help Desk procedures, is of such magnitude as to constitute a major finding. Other findings, when viewed independently, are not major breaches; however, when these are combined, they may provide avenues for malicious activity.




Background

Effective security is multi-faceted. Without the integrated protections provided by the various components of a defense-in-depth strategy, an organization may be vulnerable to threat sources attaining critical business information and sensitive personal data. Recent examples where Federal agency and private corporate data became publicly available highlight the necessity to provide and ensure protections in all areas. Unless agency technical, management, and operational security controls work in concert, there will be opportunities for an attacker to gain access through the weaknesses of the faulty security construct. Accordingly, an organization's security posture is only as strong as its weakest link, which more often than not is the result of human error, lack of knowledge, or misplaced trust.

Social engineers seek to exploit these factors to gain access to facilities and critical information systems and data. They often rely on individuals' lack of knowledge or awareness of security policies and procedures, coupled with a natural tendency to trust other people's intentions, in order to build relationships and gradually lay the groundwork for a successful exploit of security mechanisms. Effective user training and widespread awareness of security policy and common security mistakes are critical to effective security program compliance, control, and enforcement. Therefore, it is important for an organization to identify its most critical personnel and operational weaknesses so it may improve the mechanisms through which it delivers its security message to employees. A thorough understanding of various social engineering techniques is paramount to providing proper training and safeguards.

Purpose

The NRC OIG contracted with SRA to conduct an assessment, using basic social engineering techniques, of vulnerabilities and weaknesses in relation to established NRC physical access and network controls. Security testing of this type was conducted to test the adequacy and effectiveness of security control measures and training used to protect the security and integrity of sensitive information technology systems and data. During the social engineering tests, discovered vulnerabilities were exploited by the team.

Scope

(b)(7)(E)


(b)(7)(E)


Results: Activities, Findings and Recommendations

A. Telephonic Activities

Telephonic testing/intelligence gathering is a common vector for social engineering.

Typical targets for telephonic social engineering are help desk administrators, new employees, and entry-level employees. The following is a list of telephonic testing activities conducted by the SE Team, findings as a result of these activities, and recommendations to improve specific weaknesses.

Activity A.1: SE Team members telephoned the NRC Help Desk posing as NRC employees and requested that their passwords be reset.

Major Finding: The SE Team observed that the Help Desk only identifies users by user names, and the individual help desk members were easily manipulated into resetting account passwords. This allowed the SE Team unauthorized access to user e-mail accounts. One solution to this problem is to require the user to provide verifiable information to confirm their identity.
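The control this finding calls for, as an added example that is not part of the report or of any NRC system: a help-desk reset is only honoured after an out-of-band call-back and a challenge drawn from non-public data, and the temporary password it issues is random rather than a fixed pattern. The directory of record, the challenge field and the audit-line format are all constructed for the example.

```python
"""Help-desk password-reset gate (constructed example)."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ResetRequest:
    username: str
    # True once the agent has hung up and called the caller back on the desk
    # phone held in the directory of record (an out-of-band identity check).
    callback_to_number_of_record: bool = False
    # Answer to a challenge whose correct value is NOT in the public directory
    # (constructed here as the employee's badge serial).
    challenge_answer: Optional[str] = None


@dataclass
class ResetOutcome:
    granted: bool
    reason: str
    temporary_password: Optional[str] = None
    audit: List[str] = field(default_factory=list)


# Constructed directory of record: user name -> non-public verification data.
DIRECTORY_OF_RECORD: Dict[str, Dict[str, str]] = {
    "abc": {"badge_serial": "B-44817", "desk_phone": "301-555-0101"},
    "jqp": {"badge_serial": "B-21990", "desk_phone": "301-555-0102"},
}

TEMP_PASSWORD_LENGTH = 14


def issue_temporary_password(length: int = TEMP_PASSWORD_LENGTH) -> str:
    """Random single-use temporary password from the OS CSPRNG.

    A fixed scheme (one word plus the day of the month) lets a single guess be
    tried against every account; a per-reset random value does not.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def handle_reset(req: ResetRequest) -> ResetOutcome:
    """Grant a reset only when two independent checks pass.

    1. the agent called the caller back on the number of record, and
    2. the caller answered a challenge drawn from non-public data.
    Every decision is recorded so that a run of denials across many accounts
    is visible to security staff.
    """
    audit = [f"reset requested for user={req.username!r}"]
    record = DIRECTORY_OF_RECORD.get(req.username)
    if record is None:
        audit.append("denied: unknown user name")
        return ResetOutcome(False, "unknown user", audit=audit)

    if not req.callback_to_number_of_record:
        audit.append("denied: no call-back to number of record")
        return ResetOutcome(False, "identity not verified out of band", audit=audit)

    expected = record["badge_serial"].encode()
    given = (req.challenge_answer or "").encode()
    # Constant-time comparison so timing does not leak how much of the answer matched.
    if not secrets.compare_digest(given, expected):
        audit.append("denied: challenge answer did not match record")
        return ResetOutcome(False, "challenge failed", audit=audit)

    temp = issue_temporary_password()
    audit.append("granted: temporary password issued, must be changed at first logon")
    return ResetOutcome(True, "verified", temporary_password=temp, audit=audit)


if __name__ == "__main__":
    # A caller who offers nothing but a user name is turned away.
    print(handle_reset(ResetRequest("abc")).audit)
    # A verified caller gets a fresh random temporary password.
    ok = handle_reset(ResetRequest("abc", True, "B-44817"))
    print(ok.audit, ok.temporary_password)
```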


Finding: After multiple successful calls, the SE Team discovered that all temporary passwords included the word "today" followed by the day of the month (todayXX).

Using a static password configuration permits an attacker to attempt a brute force attack against the NRC using combinations of three-character user names and a password of "todayXX."
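What the brute-force pattern described above looks like from the defender's side, as an added example that is not from the report or any NRC system: with one fixed password, an attacker walks the user-name space, so the signal in authentication logs is a single source failing against many distinct accounts in a short window, which per-account lockout never sees. The log format and the sample lines are constructed for the example.

```python
"""Password-spray detection for the 'one password, many user names' pattern."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format: "<timestamp> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source walks five user names with the same password
# (spray), a second source retries a single account (ordinary lockout case).
SAMPLE_LOG = """\
2006-11-08 09:00:01 src=203.0.113.7 user=aaa result=FAIL
2006-11-08 09:00:02 src=203.0.113.7 user=aab result=FAIL
2006-11-08 09:00:03 src=203.0.113.7 user=aac result=FAIL
2006-11-08 09:00:04 src=203.0.113.7 user=aad result=FAIL
2006-11-08 09:00:05 src=203.0.113.7 user=aae result=FAIL
2006-11-08 09:00:06 src=203.0.113.7 user=aaf result=OK
2006-11-08 09:05:00 src=198.51.100.4 user=jqp result=FAIL
2006-11-08 09:05:30 src=198.51.100.4 user=jqp result=FAIL
2006-11-08 09:06:00 src=198.51.100.4 user=jqp result=OK
2006-11-08 09:30:00 src=192.0.2.9 user=xyz result=FAIL
"""

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse lines into (timestamp, source, user, result); skip malformed lines."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events: List[Event], window: timedelta = timedelta(minutes=10),
                 min_distinct_users: int = 4) -> Dict[str, List[str]]:
    """Return {source: sorted distinct users} for every source whose failures
    touch at least `min_distinct_users` different accounts inside `window`.

    A sliding window over each source's failures in time order, so a slow
    spray still trips once enough accounts fall inside one window; the largest
    set seen for a source is reported.
    """
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts: Dict[str, List[str]] = {}
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_distinct_users and len(users) > len(alerts.get(src, [])):
                alerts[src] = sorted(users)
    return alerts


def spray_sources(text: str = SAMPLE_LOG) -> Dict[str, List[str]]:
    """Convenience wrapper: parse then detect over the constructed sample."""
    return detect_spray(parse_log(text))


if __name__ == "__main__":
    for src, users in spray_sources().items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```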

(b)(7)(E)

Activity A.2: The SE Team entered the NRC PDR and identified several network and telephone jacks under the desk of a PDR workstation.

Finding: An additional point of connectivity (phone jack) was identified, and a visual inspection confirmed that the jack was connected to what appeared to be telephone cable.

However, a PDR staff member confronted the SE Team and reported the incident to security before the team could verify its operational status using telephone testing tools.

Finding: An additional point of connectivity (network jack) was identified, and a visual inspection confirmed that the jack was connected to what appeared to be network cable.

A laptop was connected and no packets were seen traversing the network port, indicating that there was no connection to a valid network. If successful, it would appear to NRC employees that calls were originating from an internal source (calls would be identified by caller ID as a 301-415-#### number), thereby establishing a trust relationship and opening the door for further exploitation.

(b)(7)(E)

Activity A.3: The SE Team made several calls to regional and headquarters employees and blatantly requested user names and passwords, in hopes that employees would report the attempts to the Help Desk and IT Security group. After the calls, the SE Team contacted the Help Desk and posed as the employee that was subject to the attack.

Finding: Although the Help Desk had received multiple calls from employees reporting the incidents, the SE Team observed no attempt to confirm the identity of the caller, and the Help Desk immediately reset his/her password. This allowed the SE Team to access the user's account.

(b)(7)(E)

Activity A.4: SE Team members made over 30 telephone calls to NRC employees in all four regions, including headquarters, using different techniques to gain access to usernames and passwords.

Finding: All phone calls attempting to gain user names and passwords directly from NRC employees were denied, and in several cases, our calls were immediately reported to the NRC's regional and local security staff. Therefore, continue NRC IT Security Awareness and Training programs aimed at educating employees about sensitive information.

B. Cyber Activities

The SE Team performed a variety of cyber attack methods in order to identify potential threats and vulnerabilities to NRC information systems, facilities, and employees. The following is a list of cyber activities conducted by the SE Team, findings that accompany these activities, and recommendations to improve these weaknesses.

Activity B.1: The SE Team conducted open source intelligence gathering on NRC Web sites, in order to attain additional information to be used during the attack phase. The team was able to ascertain user names, specific NRC vernacular, and additional exploitable avenues.

Finding: The NRC telephone directory and Office of Human Resources reports are accessible on the NRC Web site. Although this information is considered public record, the level of detail provided easily allowed the SE Team to develop target profiles, establish credibility, and identify account user names (first, middle, and last initial). The NRC directories provided employee-specific job titles, start dates, departmental offices, office locations, mail stops, and telephone numbers. The SE Team was able to use this information as credible evidence to manipulate employees, security officers, and Help Desk administrators into believing they were actually engaging with the targeted individual. Thus, NRC should ensure that the information provided does not enable hackers to establish particular patterns regarding user names and passwords. For example, removing employees' middle initials from the directory would have prevented the SE Team from being able to distinguish a pattern between employees' initials and user names and would have exponentially increased the difficulty in discerning them.

(b)(7)(E)

Activity B.2: The SE Team was able to access the Internet from PDR workstations.

Finding: The SE Team was able to achieve unrestricted access to the Internet using the NRC PDR workstations. The team was able to access a variety of Internet sites including interactive online diaries, Web logs, known as "blogs," and social networking sites. If NRC elects to allow users access to the Internet, access should be controlled using access control lists called "whitelists" to allow access only to approved sites. In considering Internet privileges, NRC should be aware that using the Internet may open the door to NRC prohibited or illegal activities.

For example, users may access illegal material, attack another entity outside of the NRC, or post objectionable or malicious content, which would appear to be originating from an NRC IP address.

(b)(7)(E)

Activity B.3: The SE Team was able to use PDR workstations to download common hacking tools from the Internet.

Finding: The SE Team was able to access common "hacking tools" such as Nmap, which is free port scanning software designed to: detect open ports on a target computer, determine which services are running on those ports, and infer which operating system the computer is running (this is also known as fingerprinting). Accessing this tool from a PDR system enabled the team to look at the other computers on the PDR network and determine specific vulnerabilities. If NRC elects to allow users access to the Internet, workstations should be locked in "kiosk" mode, which allows only one application to run on the device at a time. In this mode, the user cannot close the application or start another one while kiosk mode is enabled. If a device is reset, the application is restarted automatically, thereby allowing users to only access an Internet browser or the ADAMS system.

Activity B.4: The SE Team successfully downloaded Ollydbg debugger to PDR public workstations, attached it to the Internet monitoring process, and disabled the process.

Finding: The security controls on PDR workstations are susceptible to bypass, which not only puts users of the PDR at risk of losing authentication information, but also increases risks to publicly available systems, such as ADAMS. The ability to access the Internet and install a debugger, a tool typically used by programmers and reverse engineers to identify bugs in software applications, allowed the SE Team to disable the program responsible for controlling system access and subsequently launch executable code otherwise restricted by the host operating system. The debugger was also used to load "cmd.exe" (the Windows command line interpreter) and execute commands that gave the SE Team elevated privileges.

The severity of this finding is increased by the accessibility of the Internet. Internet access combined with access to command line interpreters opens the PDR terminals to more malicious hacking tools such as a "key stroke logger," which records all keystrokes made by users, including usernames, passwords, and other confidential or private information. Malicious attackers with access to PDR workstations could use these tools to compromise the security of the ADAMS system or other systems accessible via the PDR. Although the SE Team did not attempt such attacks, the control gained was more than sufficient to successfully accomplish them. Rather than using the operating system's security features to "hide" unnecessary or dangerous components, the components should be removed entirely from the PDR workstations. For example, removing executables, such as Notepad and the Windows "Help" functions, will reduce risk and prevent exploits from unauthorized or malicious users who can use these programs to bypass security controls.

(b)(7)(E)

Activity B.5: The SE Team brought a personal laptop through security, into the PDR, and connected the laptop to the PDR network (see A.2).

Finding: The SE Team was able to connect to the PDR network and "sniff" traffic with the personal laptop. The team was also able to select an IP address and connect to the Internet using the PDR network. Connecting to the Internet with an unauthorized or personal computer may introduce a host of vulnerabilities, including malware, viruses, worms, etc. Also, it may allow hackers to easily use common hacking tools to access the NRC network. MAC address locking or 802.1X should be implemented in the PDR as a means to keep unauthorized users off the system, and track what is on the PDR network.

Switches should be used to prevent sniffing of user activity.

(b)(7)(E)

Activity B.6: The SE Team tested NRC incident response capabilities with aggressive transmission control protocol (TCP) scanning. TCP scanning is a technique used by hackers to enumerate active hosts and services available on those hosts. Techniques such as TCP scanning and fingerprinting are valuable to attackers because they allow vulnerable systems to be uniquely identified. This allows an attacker to focus efforts on the known vulnerabilities of the systems, ultimately enabling the attacker to facilitate rapid attacks.

Finding: Repeated attacks from the SE Team using TCP scanning resulted in the NRC network becoming permanently unreachable. The NRC's response to our activities indicates that the NRC Incident Response Team follows standard security protocols and immediately blacklists aggressive entities, thereby limiting the effectiveness of attacks using conventional hacking techniques.

Activity B.7: The SE Team attempted to access available applications to identify Cross Site Scripting (XSS). XSS attacks are a family of vulnerabilities which allow an attacker to use a Web server to attack by exploiting trust relationships. The most common example is called "phishing." Phishing e-mails attempt to coerce a user to visit a site, such as a bank or government agency, and manipulate them into divulging confidential information such as user names, passwords, or account information. Should an unsuspecting user follow a link from the e-mail, the attacker can steal credentials stored in a Web browser and use them to authenticate to another system. The SRA SE Team looked for XSS vulnerabilities, in an effort to launch a SPAM (unsolicited e-mail) attack against the NRC user base, using the list of usernames and e-mail addresses previously obtained from the NRC telephone directory and Office of Human Resources reports.

These attempts occurred both from the SRA network and the PDR network.

Activity B.8: The SE Team attempted to conduct open source intelligence gathering on archived news groups, which often contain useful information such as: access control lists (ACLs), e-mail lists, firewall configurations, vendors, or information about specific operating systems, policies, and procedures.

Finding: No information pertaining to NRC policies or procedures was ascertained after an exhaustive search of publicly accessible news groups and mail archives. The lack of such information prevented the SE Team from attacking the NRC or bypassing security controls using this vector.

Activity B.9: The SE Team attempted to conduct a phishing attack by using vulnerabilities associated with the Internet Simple Mail Transfer Protocol (SMTP).

Typically this is called relaying, which was effective in the early days of the Internet when bandwidth was limited. Today there is little need for mail relaying, although many agencies and corporations still have mail relaying enabled. Considering these potential vulnerabilities, the SE Team attempted to connect to the NRC mail server to send "spoofed" e-mail using SMTP relaying.

Finding: NRC mail servers are adequately configured with anti-spoofing rules and resulted in the immediate termination of SRA's network connectivity, based on the IP source of the attacks.

Activity B.10: The SE Team attempted to conduct a phishing attack by sending an e-mail to specific NRC users, notifying them of the need to complete the required NRC IT Security Awareness and Training course (Illustration 10).

Finding: NRC mail servers effectively blocked the e-mail and terminated network connectivity.

C. Physical Activities

SRA used physical testing to identify potential vulnerabilities to NRC facilities and physical security procedures. The following is a list of physical testing activities conducted by the SE Team, specific findings related to the tests, and recommendations to improve these weaknesses.

Activity C.1: On multiple occasions, the SE Team entered the NRC White Flint 1 and 2 facilities and proceeded through security with a digital camera equipped cell phone.

Once inside the PDR, the SRA SE Team was able to take detailed pictures of visitors' badges, room layout, entry points, emergency exits, surveillance cameras, and screenshots of ADAMS documents (See Illustration 12).

Finding: NRC Security Guards do not enforce or notify individuals of established security policies regarding the prohibition of camera equipment within NRC buildings.

(b)(7)(E)



Activity C.2: The SE Team was able to leave NRC headquarters on multiple occasions without returning NRC-issued visitors' badges.

Finding: Security personnel were positioned approximately 10-15 feet away from exit points, thereby preventing them from effectively stopping visitors from exiting the building without completing established exit procedures, particularly during peak business hours. This finding will be followed up by the audit currently being conducted on the badge access system.

Activity C.3: The SE Team signed in to One White Flint and was issued badges on several occasions, despite providing illegible or false information. On two separate occasions, the SE Team member provided a U.S. driver's license but logged in with an illegible name and listed their origin as Iran.

Finding: Security personnel did not thoroughly inspect identification cards or verify visitors' identity prior to allowing building access.

(b)(7)(E)

Activity C.4: The SE Team used basic computer programs to recreate a contractor badge from photographs attained from viewing badges outside of NRC, such as at local restaurants. (See Illustration 12)

Finding: The SE Team made a forgery of both the front and back of an NRC badge.

This forgery was made possible by personnel leaving their badges clearly visible when outside the buildings either near the NRC facilities or while visiting local commercial establishments. Photographs were easily obtained with cameras and cell phone cameras.

The badge was not used in any attempt to gain access. Our observations indicated that with only visual inspections being conducted by the guards we would have gained unchallenged access to the facility. This finding will be followed up by the audit currently being conducted on the badge access system.

Activity C.5: The SE Team approached the NRC White Flint 1 and 2 facilities on foot and attempted access via the east and west car entrances. Each attempt resulted in approaches by armed security personnel who requested identification and questioned at length the nature of their visit.

Finding: External security personnel were very aware of visitors and took necessary precautions to ensure that unauthorized individuals were not able to access restricted areas.



Activity C.6: The SE Team gained visitor access to One White Flint and proceeded toward Two White Flint to wait at secured stairwells and elevators for employees to enter or exit. Despite attempts to manipulate individuals into allowing access (e.g., talking on the phone, carrying a briefcase and a drink, asking politely, etc.), employees were cognizant of tailgating attempts and did not allow them.

Finding: Employees are aware of physical access restrictions and take necessary precautions to ensure individuals do not gain unauthorized access.

Activity C.7: The SE Team observed an open stairwell in One White Flint and sought to gain access to alternate floors. The stairwell was unguarded, but was monitored by surveillance cameras and contained physical access control devices that prevented further exploration. The NRC should continue to enforce physical restrictions and access controls to facilities.

Finding: The NRC has taken necessary access control measures to ensure that access is restricted to authorized personnel. Elevators and stairwells leading to restricted areas are monitored with surveillance cameras and require badge access.

Activity C.8: The SE Team attempted to gather open source intelligence information by striking up conversations with employees and contractors outside of NRC facilities (smoking areas, benches, and lunch tables).

Finding: Employees and contractors, although friendly, were reluctant to discuss the particulars of NRC security, their specific job functions, or other sensitive information.

The NRC should continue educating employees on the importance of guarding sensitive information.

Conclusion

(b)(6),(b)(7)(C)


~§';ciM t, st 8nl!J 8t11Shftc §CCU: 115 Hijl)i llithilJIJ b)(ti),(b)(/)(C)

P"ge 16 of30 Sj.Jltihi CSE Chi} SiJiShi ti bitiU iij ih)IJJ hhhibh

~§'is fr.( t, SC fj ii l!J 8UIIShftc .?Jeeiii '" Hi) l>l lliihilJIJ (b)(7)(E)

P"ge 17 of30 P,.)IC:n: csc @ha) 8t11sn: n .Jcc:u 115 rn,1,: n::::hs::

Office of Nuclear Reactor Regulation (NRR)
Items of Interest, Week Ending May 19, 2006

Combined Mitigating Systems Performance Index and Reactor Oversight Process Working Group Public Meeting
Pilgrim Nuclear Power Station License Renewal Public Meetings
Staff Issues NUREG-1850 entitled "Frequently Asked Questions on License Renewal of Nuclear Power Reactors"
Final Supplemental Environmental Impact Statement (SEIS) Issued for Nine Mile Point License Renewal
Events in Support of the Expected Vogtle Early Site Permit Application
Department of Energy Publishes Interim Final Standby Support Rule in Federal Register
Byron 1 and Braidwood 2 Sump Modifications
Tennessee Valley Authority Power Uprate Meeting
General Electric (GE) Site Visit Regarding Interim Methods Topical Report Review
Site Audit of the North Anna Early Site Permit Application Dose Calculations

On May 16, 2006, the staff conducted an audit of the dose calculations provided in Revision 6 of Dominion's Early Site Permit application for the North Anna site. During the audit, the staff found errors in General Electric's (GE's) dose calculations for its economic and simplified boiling water reactor (ESBWR) design. The errors included the use of an inappropriate source term for evaluating the consequences of a fuel handling accident as well as mistakes in converting between radiological units of measure. The results of these dose calculations were used by Dominion to justify, in part, the acceptability of the ESBWR as a surrogate design for the North Anna site. Dominion is expected to submit corrected dose calculations and results for the staff's review by May 24, 2006.

Illustration 4: Weekly Items of Interest

As illustrated in the highlighted document above, publicly available Commission documents, such as the SECY reports, provide information that could allow hackers to determine specific weaknesses in NRC facilities. Information such as this adds to the value of the attack profile, and should not be available to the general public.

Office of Human Resources (HR)
Items of Interest, Week Ending September 1, 2006

[Illustration 5: the HR Items of Interest for the week, listing agency Arrivals, Retirements and Departures by name, job title and office.]

Illustration 5: Personnel Lists

The Office of Human Resources reports, found in the SECY documents, allow attackers to determine specific targets. This information allowed the SE Team to identify a target by providing us with the user name (based on initials), their job title, and regional office location. The telephone directory provided departmental information that added to the value of the profile.

Compromised PDR Public Workstation

Illustration 6: Command Line Access

The illustration above is a screen capture demonstrating the SE Team's ability to access the command line interpreter on a PDR workstation. The command line interpreter was inaccessible without the use of the downloaded debugger.

Compromised E-mail Account

[Illustration 7: screen capture of the compromised mailbox, 20 messages displayed; the message list is not legible in this copy.]

Illustration 7: Compromised account

The account illustrated above was accessed through manipulation of the NRC Help Desk. After the SE Team posed as an employee experiencing problems with their remote access capabilities, the administrator reset both the user's remote access and network passwords to a default.

Access to E-mail Alert

[Illustration 9: screen capture of a Novell GroupWise WebAccess mailbox (https://webmail.nrc.gov, Mozilla Firefox, September 14, 2006), 20 messages displayed; the message list is not legible in this copy.]

Illustration 9: Second account access

The above illustration is a screen capture of a hacked e-mail account. In this case, the SE Team posed as an employee who had forgotten his/her password. The administrator did not request additional authentication outside of the user name and immediately changed the password to a default, thereby allowing the Team access.

SECURITY ALERT: SECURITY AWARENESS TRAINING

Receipt of this email indicates that you have failed to complete the required 2006 Security Awareness Training (SAT). This course must be completed by close of business in order to ensure NRC compliance with the Federal Information Systems Management Act (FISMA) reporting requirements, which are reviewed by Congress and the Office of Management and Budget (OMB) for compliance with other applicable laws.

To complete the 2006 Security Awareness Training, please click on the following link: http://sat.nrc.gov/2006/sat. This training will take approximately 15 minutes and will ensure that the NRC succeeds in protecting its mission critical information and dedication to IT Security.

Thank You for your cooperation.

Illustration 10: Phishing

The above e-mail was generated by the SE Team as a phishing attempt. The link provided would have taken the user to a dead link, although it would have simultaneously gathered specific information about the user and their workstation, which would later be used in a hacking attempt. In this case, the NRC e-mail servers effectively blocked the e-mail and terminated our connection.

Sample Counterfeit Badge

[Illustration 11: rendering of a counterfeit NRC contractor badge; the graphic is not reproduced in this copy.]

Illustration 11: Badge

Information gathering at local restaurants allowed the SE Team to identify specific information about badges. This information allowed the team to duplicate the badge to a high level of detail. Having a badge visible in public, whether attached to clothing or some other item, allows others to photograph or obtain enough details about the badge to duplicate its physical appearance. The illustration above is a rendering of an NRC contractor badge using a rather simple drawing application. This badge may be used to gain access to facilities, and then other techniques such as "piggybacking" may be used to gain access to other sensitive areas.


CONSOLIDATED LIST OF RECOMMENDATIONS

1. Additional information should be required to verify the identity of the user before making changes to system accounts (e.g., the resetting of passwords).
2. A temporary random password should be generated as opposed to using a standard default.
3. NRC should eliminate any open points of connectivity inside the PDR, as it could allow unauthorized users to access the NRC exchange.
4. The NRC Help Desk should be required to identify users, particularly after receiving notification of overt hacking attempts, before making changes to account information.
5. NRC should take steps to ensure that hackers are not able to establish "attack profiles," which generally consist of any information that allows the hacker to establish credibility or pose as an identified target.
6. Access from within the PDR should be restricted only to ADAMS, the NRC's retrievable records system. Internet access should be restricted to only those sites trusted and required to obtain authorized documents.
7. Strict controls should be implemented on PDR systems to prevent malicious users from downloading new viruses, worms, malware, or hacking software from within the PDR.
8. Laptops and other computer equipment taken into the NRC PDR should not be allowed access to NRC networks. PDR should place restrictions and other mitigating controls on all internet and network access points.
9. The NRC should enforce existing policy to prohibit employees or visitors from bringing any electronic devices capable of capturing images of the NRC White Flint 1 and 2 facilities.
10. Security should verify visitors' login information and visitors' identity with valid photo identification.
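Recommendations 1, 2 and 4 describe a help-desk reset control that the assessment found missing: identity verified against facts not in public directories, a random time-limited temporary password rather than a shared default, and a stop on changes after repeated failed attempts. The following is an added example of that control in Python; it is not code from the OIG report or from NRC, and the account model, verification facts, thresholds and lifetimes are assumptions chosen for illustration.

```python
"""Help-desk password reset with identity verification and a random,
expiring, single-use temporary password (no shared default).

Added example; not from the OIG report or NRC. Facts, thresholds and the
account model are assumptions.
"""
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TEMP_PASSWORD_TTL = timedelta(hours=1)  # assumed lifetime of a temporary password
MAX_FAILED_VERIFICATIONS = 3            # assumed threshold before resets are locked
TEMP_PASSWORD_LENGTH = 16


class VerificationError(Exception):
    """The reset request could not be tied to the claimed identity."""


@dataclass
class Account:
    username: str
    # Facts the help desk can check that do not appear in public documents
    # such as HR bulletins or phone directories (badge serial, callback
    # extension on file). Constructed placeholders, not real data.
    verification_facts: Dict[str, str]
    failed_verifications: int = 0
    reset_locked: bool = False
    temp_password: Optional[str] = None
    temp_expires: Optional[datetime] = None
    must_change_password: bool = False
    audit_log: List[Tuple[datetime, str]] = field(default_factory=list)


def generate_temporary_password(length: int = TEMP_PASSWORD_LENGTH) -> str:
    """CSPRNG password containing at least one lower, one upper and one digit."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def identity_verified(account: Account, provided: Dict[str, str]) -> bool:
    """Every fact on file must match; constant-time compare, no short-circuit."""
    ok = True
    for key, expected in account.verification_facts.items():
        given = provided.get(key, "")
        ok &= hmac.compare_digest(expected.encode(), given.encode())
    return ok


def reset_password(account: Account, provided: Dict[str, str],
                   now: Optional[datetime] = None) -> str:
    """Verify identity first (recs 1, 4); issue a random temporary password (rec 2)."""
    now = now or datetime.now(timezone.utc)
    if account.reset_locked:
        account.audit_log.append((now, "reset refused: resets locked"))
        raise VerificationError("reset requests locked; escalate to security")
    if not identity_verified(account, provided):
        account.failed_verifications += 1
        account.audit_log.append((now, "reset denied: identity not verified"))
        if account.failed_verifications >= MAX_FAILED_VERIFICATIONS:
            account.reset_locked = True  # repeated attempts: stop changes, alert
            account.audit_log.append((now, "resets locked after repeated failures"))
        raise VerificationError("identity not verified")
    temp = generate_temporary_password()
    account.temp_password = temp
    account.temp_expires = now + TEMP_PASSWORD_TTL
    account.must_change_password = True  # usable only to set a new password
    account.failed_verifications = 0
    account.audit_log.append((now, "temporary password issued"))
    return temp


def redeem_temporary_password(account: Account, password: str,
                              now: Optional[datetime] = None) -> bool:
    """Single use and time limited; a guessed default fails on every path."""
    now = now or datetime.now(timezone.utc)
    if account.temp_password is None or account.temp_expires is None:
        return False
    if now > account.temp_expires:
        account.temp_password = None  # expired credentials are discarded
        return False
    if not hmac.compare_digest(account.temp_password.encode(), password.encode()):
        return False
    account.temp_password = None  # consumed on first successful use
    return True


def make_account() -> Account:
    # Constructed sample account with placeholder verification facts.
    return Account(username="jdoe",
                   verification_facts={"badge_serial": "C-000123",
                                       "callback_ext": "5555"})


if __name__ == "__main__":
    acct = make_account()
    issued = reset_password(acct, {"badge_serial": "C-000123", "callback_ext": "5555"})
    print("issued:", issued, "redeemed:", redeem_temporary_password(acct, issued))
```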

OFFICIAL USE ONLY SENSITIVE SECURITY INFORMATION

May 21, 2008

MEMORANDUM TO: R. William Borchardt, Executive Director for Operations

FROM: Stephen D. Dingbaum /RA/, Assistant Inspector General for Audits

SUBJECT: MEMORANDUM REPORT: AUDIT OF NRC'S CONTINUITY OF OPERATIONS PLAN (OIG-08-A-10)

This memorandum reports on the results of our audit of the U.S. Nuclear Regulatory Commission's (NRC) continuity of operations plan (COOP) as related to COOP facilities. NRC does not satisfy Federal or internal agency guidance for security surveys of COOP facilities. Specifically, NRC does not conduct the required annual security surveys of its continuity facilities, and does not systematically document the results of the surveys because the staff appeared unfamiliar with the requirements. As a result, NRC lacks assurance as to the security status of the continuity facilities and may not have information needed to identify and remedy vulnerabilities.

BACKGROUND

Federal Law Requires NRC To Develop and Implement a Continuity of Operations Program

Overall, the NRC's mission is to license and regulate the Nation's civilian use of byproduct, source, and special nuclear materials to ensure adequate protection of public health and safety. Should a natural disaster, technological failure, or hostile action threaten NRC's ability to perform or manage this mission from its headquarters facility, agency officials may determine or may be directed that emergency conditions warrant COOP activation. Once the decision has been made to activate COOP, the agency must be prepared to perform essential functions as soon as possible with minimal disruption of operations, but in all cases within 12 hours of activation and until normal business activities can be reconstituted. The agency's priority mission essential functions - threat assessment, incident response, and emergency communications - must commence in less than 4 hours. The secondary mission essential functions - licensing, inspection, enforcement, and communication with the general public - must commence within 12 hours.

Federal law mandates that Federal agencies develop and implement policies, plans, and readiness measures to mobilize for, respond to, and recover from a national security emergency. Together, these policies, plans, and measures form the basis of an agency's COOP. The Department of Homeland Security has overall responsibility for developing Federal COOP guidelines, and issued Federal Preparedness Circular (FPC) 65¹ as guidance to Federal Executive Branch departments and agencies for contingency plans and programs. The National Security Presidential Directive-51/Homeland Security Presidential Directive-20² establishes a comprehensive national policy on the continuity of operations within the Federal Government. This directive also defines minimum communications requirements for Federal agencies' designated COOP facilities.

The Executive Director for Operations approved the agency's COOP in August 2007.

This plan was designed as a stand-alone document with 16 annexes. These annexes form the basis of COOP and can be updated and approved by program office directors, as necessary.

The Office of Nuclear Security and Incident Response (NSIR) develops NRC's COOP, and would coordinate agency operations during a COOP event. However, responsibility for managing the agency's COOP infrastructure and assets lies with other NRC organizations. For instance, the Office of Administration's Division of Facilities and Security is responsible for evaluating headquarters, regional continuity facilities, and other regional response centers and ensuring that these facilities meet agency standards for safeguarding NRC personnel and protecting sensitive information.

¹ Federal Preparedness Circular 65, "Federal Executive Branch Continuity of Operations," June 15, 2004. In February 2008, the Department of Homeland Security issued Federal Continuity Directive 1, "Federal Executive Branch National Continuity Program and Requirements," which supersedes FPC 65. Federal Continuity Directive 1 includes facility requirements that are similar to those of FPC 65.

² National Security Presidential Directive-51 and Homeland Security Presidential Directive-20, May 9, 2007.

PURPOSE

This audit's initial objective was to determine if NRC's COOP enables the agency to maintain essential functions during an emergency and adhere to Federal continuity of operations criteria and guidelines. However, the objective was subsequently narrowed to assess NRC's compliance with requirements for security surveys of COOP facilities.

FINDING

Federal and NRC Guidance Require Evaluation of COOP Facilities

[Text withheld; exemption marking (b)(7)(F).]

NRC Does Not Conduct Required Security Surveys of COOP Facilities

NRC does not conduct required annual surveys of headquarters or its regional continuity facilities, and does not systematically document results of security surveys.

Despite Department of Homeland Security and internal agency guidance requiring annual security surveys of facilities that provide the agency with essential COOP capabilities, responsible Division of Facilities and Security staff told OIG auditors that their office aims to conduct security surveys of high-priority sites in 36-month cycles.

When asked for documentation of these surveys, agency staff provided reports from a broad range of dates that reflect neither annual nor 36-month survey cycles. In fact, one report for a regional facility captured work performed in 1982. Moreover, only two of these reports specifically mentioned regional Incident Response Centers. Table 1 shows the distribution and date range of security survey reports provided to OIG auditors.

[Table 1 (timeline chart, 1982 to 2008): Dates and Locations of NRC Facilities Security Surveys. Survey dates shown: April 1982, August 1997, May 2004, February 2005, January 2007. Locations shown: Headquarters, Region I, Region II, Region III, Region IV. The pairing of dates to locations is not legible in this copy.]

Table 1: Security surveys performed at NRC headquarters and regional facilities, by survey year.

The inconsistency of records on file and the wide date range of security surveys indicate that NRC is not adequately managing documentation needed to provide agency staff with timely information regarding the security status of the continuity facilities.

Key Staff Lack Understanding of Security Evaluation Requirements

NRC does not conduct annual security assessments of its continuity facilities because staff are unfamiliar with both Federal and internal agency requirements. For example, when questioned about the basis for conducting site security surveys in 36-month cycles rather than annual cycles, Division of Facilities and Security staff told auditors that this was an "office goal." In addition, the agency official responsible for overseeing the security survey program was uncertain whether headquarters, the regional continuity facilities, and the other regional response centers had been properly assessed because he was new to the job. Although NSIR has overall responsibility for NRC's COOP program, agency guidance assigns primary responsibility to the Division of Facilities and Security for ensuring that NRC facilities - including essential continuity sites - meet basic requirements for information and physical security.

NRC Lacks Assurance of the Security Status of the COOP Facilities

Without conducting required annual security surveys of agency continuity facilities and appropriate documentation of survey results, NRC may not be able to identify and correct potential security vulnerabilities and technical shortfalls that could compromise operations.

RECOMMENDATIONS

[Text withheld; exemption marking (b)(7)(E).]

AGENCY COMMENTS

[Text withheld; exemption marking (b)(5).]

SCOPE AND METHODOLOGY

To accomplish the audit's objective, auditors evaluated NRC's COOP to assess NRC's compliance with requirements for security surveys of COOP facilities.

Auditors interviewed staff at headquarters and offices in NRC Regions I and IV to learn their roles and responsibilities as they pertain to the development, implementation, and management of the COOP and the supporting infrastructure. Also, auditors toured the Mount Weather Emergency Operations Center to observe the benefits this location could provide to the agency's COOP program.

Auditors reviewed applicable Federal directives and reports establishing the policy and procedures for the COOP Program. Those documents included the National Security Presidential Directive-51/Homeland Security Presidential Directive-20, the Federal Preparedness Circular-65, the National Security Communications Directive 3/10, and the United States Public Law 106-346 - Federal Telecommuting Program. NRC documents reviewed included the COOP and its annexes, Management Directive and Handbook 12.1, physical security survey reports, and the Network Continuity of Operations Plan.

This work was conducted from May 2007 through December 2007, in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The work was conducted by Beth Serepca, Team Leader; Shyrl Coker, Audit Manager; and David Ditto, Senior Management Analyst.

Attachment:

As stated:

cc: Chairman Klein
Commissioner Jaczko
Commissioner Lyons
Commissioner Svinicki


Electronic Distribution

Frank P. Gillespie, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jim E. Dyer, Chief Financial Officer
Margaret M. Doane, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
Bruce S. Mallett, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO
Darren B. Ash, Deputy Executive Director for Information Services and Chief Information Officer, OEDO
Vonna L. Ordaz, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Cynthia A. Carpenter, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Guy P. Caputo, Director, Office of Investigations
Thomas M. Boyce, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
Michael R. Johnson, Director, Office of New Reactors
Michael F. Weber, Director, Office of Nuclear Material Safety and Safeguards
Eric J. Leeds, Acting Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
Victor M. McCree, Acting Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Elmo E. Collins, Jr., Regional Administrator, Region IV


Instructions for Responding to OIG Report Recommendations

Instructions for Action Offices

Action offices should provide a written response on each recommendation within 30 days of the date of the transmittal memorandum or letter accompanying the report. The concurrence or clearance of appropriate offices should be shown on the response. After the initial response, responses to subsequent OIG correspondence should be sent on a schedule agreed to with OIG.

Please ensure the response includes:

1. The report number and title, followed by each recommendation. List the recommendations by number, repeating its text verbatim.
2. A management decision for each recommendation indicating agreement or disagreement with the recommended action.
a. For agreement, include corrective actions taken or planned, and actual or target dates for completion.
b. For disagreement, include reasons for disagreement, and any alternative proposals for corrective action.
c. If questioned or unsupported costs are identified, state the amount that is determined to be disallowed and the plan to collect the disallowed funds.
d. If funds put to better use are identified, then state the amount that can be put to better use (if these amounts differ from OIG's, state the reasons).

OIG Evaluation of Responses

If OIG concurs with a response to a recommendation, it will (1) note that a management decision has been made, (2) identify the recommendation as resolved, and (3) track the action office's implementation measures until final action is accomplished and the recommendation is closed.

If OIG does not concur with the action office's proposed corrective action, or if the action office fails to respond to a recommendation or rejects it, OIG will identify the recommendation as unresolved (no management decision). OIG will attempt to resolve the disagreement at the action office level. However, if OIG determines that an impasse has been reached, it will refer the matter for adjudication to the Chairman.

Semiannual Report to Congress

In accordance with the Inspector General Act of 1978, as amended, OIG is required to report to Congress semiannually on April 1 and October 1 of each year, a summary of each OIG report issued for which no management decision was made during the previous 6-month period.

Heads of agencies are required to report to Congress on significant recommendations from previous OIG reports where final action has not been taken for more than one year from the date of management decision, together with an explanation of delays.

EVALUATION REPORT
OFFICIAL USE ONLY

Social Engineering Assessment Report
OIG-10-A-11
March 16, 2010

All publicly available OIG reports are accessible through NRC's Web site at http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

OFFICIAL USE ONLY - SECURITY RELATED INFORMATION

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
OFFICE OF THE INSPECTOR GENERAL

March 16, 2010

MEMORANDUM TO: R. William Borchardt, Executive Director for Operations

FROM: Stephen D. Dingbaum /RA/, Assistant Inspector General for Audits

SUBJECT: SOCIAL ENGINEERING ASSESSMENT REPORT (OIG-10-A-11)

Attached is the Office of the Inspector General's (OIG) Social Engineering Assessment Report.

The report presents the results of the subject assessment. Agency comments provided during and subsequent to a January 26, 2010, exit conference have been incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or [name withheld; (b)(7)(C)].

Attachment:

As stated

Electronic Distribution

Edwin M. Hackett, Executive Director, Advisory Committee on Reactor Safeguards
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Stephen G. Burns, General Counsel
Brooke D. Poole, Jr., Director, Office of Commission Appellate Adjudication
James E. Dyer, Chief Financial Officer
Margaret M. Doane, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
R. William Borchardt, Executive Director for Operations
Bruce S. Mallett, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO
Darren B. Ash, Deputy Executive Director for Corporate Management and Chief Information Officer, OEDO
Nader L. Mamish, Assistant for Operations, OEDO
Kathryn O. Greene, Director, Office of Administration
Patrick D. Howard, Director, Computer Security Officer
Roy P. Zimmerman, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Cheryl A. McCrary, Director, Office of Investigations
Thomas M. Boyce, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
Michael R. Johnson, Director, Office of New Reactors
Michael F. Weber, Director, Office of Nuclear Material Safety and Safeguards
Eric J. Leeds, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
James T. Wiggins, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
Luis A. Reyes, Regional Administrator, Region II
Mark A. Satorius, Regional Administrator, Region III
Elmo E. Collins, Jr., Regional Administrator, Region IV

U.S. Nuclear Regulatory Commission Office of the Inspector General (OIG)

Social Engineering Assessment Report
March 2010

This information has been prepared solely for the use and benefit of the NRC and the U.S. Government and is not intended for reliance by any other person.

Table of Contents

Section ..... Page
2. Background ..... 2
3. Methodology and Approach ..... 3
  3.1. Planning ..... 3
  3.2. Reconnaissance ..... 3
  3.3. Attack ..... 3
  3.4. Reporting ..... 6
4. Social Engineering Assessment Results ..... 7
  4.1. Reconnaissance ..... 7
  4.2. Dumpster/Recycle Bin Diving and Workspace Walkthrough ..... 8
  4.3. Physical Access Assessment ..... 9
  4.4. Baiting ..... 10
  4.5. E-mail Phishing ..... 10
  4.6. Phone Call Assessment ..... 11
5. Recommendations ..... 13
6. Appendices ..... 15
(b)(7)(E)


1. Executive Summary

Between July 22nd, 2009 and November 9th, 2009, the U.S. Nuclear Regulatory Commission (NRC) Office of Inspector General (OIG), with the support of PricewaterhouseCoopers, LLP (PwC), assessed the (b)(7)(E) effectiveness of Agency security controls designed to mitigate the risk of social engineering attacks. The assessment included reconnaissance, dumpster/recycle bin diving and workspace walkthroughs, physical access assessment, baiting, phone calls, and e-mail phishing.

Through these activities, the assessment team demonstrated that the NRC established effective controls in certain areas and addressed weaknesses identified in a prior assessment completed on November 30th, 2006 (OIG-07-A-04). Specifically, the testing team noted the following improvements:

  • Employees protected badges when leaving the NRC campus, preventing the assessors from successfully obtaining clear photographs or capturing badge numbers and bar codes.
  • Individuals who detected social engineering attacks reported such incidents to the NRC Computer Incident Response Team (CIRT).
  • Internal security assessment activities were detected by the Office of Information Systems (OIS) and reported to the appropriate points of contact.
  • Controls designed to secure the Public Document Room (PDR) had been enhanced to address previously identified weaknesses, which prevented the assessors from accessing the Internet and the internal NRC local area network (LAN) from PDR workstations.
  • PDR personnel were alert and prevented the assessors from connecting laptops or removing network cabling.

However, the assessment also revealed additional areas where NRC can further strengthen the controls necessary to protect against social engineering attacks. Specifically, the following high-level weaknesses were identified:

  • NRC employees and contractors were susceptible to social engineering attacks, and provided usernames, passwords, and badge numbers to the assessment team.
  • NRC employees and contractors improperly stored and discarded sensitive documents, information, and other materials.
  • NRC employees and contractors failed to prevent unauthorized access to controlled locations within the One White Flint North (OWFN) building.
  • Technical security controls failed to prevent unauthorized access to internal and external information systems.
  • Information that was used to facilitate social engineering attacks was accessible via the NRC public website.

This report includes 12 detailed recommendations designed to help NRC address the identified gaps.

These recommendations, listed in Section 5, include enhancing security awareness training, strengthening facility security policies and procedures, implementing and maintaining enhanced technical security controls to mitigate social engineering attacks, and limiting publicly accessible data to reduce the availability of information that may be leveraged to conduct social engineering attacks. At the exit conference for the assessment, NRC management concurred with the findings, and requested that we consolidate some of the recommendations in the draft report. NRC management officials also noted that current security awareness training addresses user responsibilities related to many of the areas covered by the assessment, and that they intend to focus on augmenting the training with other awareness techniques and periodically evaluating its effectiveness.



2. Background

Social engineering is the practice of obtaining confidential information by manipulation of legitimate users.

Social engineers will commonly use the telephone or Internet to trick a person into revealing sensitive information or into doing something that is against typical policies, exploiting the natural tendency of individuals to trust others. A contemporary example of a social engineering attack is the use of e-mail attachments that contain malicious payloads (that, for instance, use the victim's machine to send massive quantities of spam). After earlier malicious e-mails led software vendors to disable automatic execution of attachments, users now have to explicitly activate attachments for this to occur. Many users, however, will blindly click on any attachments they receive, thus allowing the attack to work.

The NRC OIG needed to assess the effectiveness of the security policies and control measures protecting sensitive information technology systems against a social engineering attack. To assist in this effort, the OIG selected PwC to execute an assessment of NRC security controls designed to prevent and respond to social engineering attacks. The results of this assessment are detailed within this report and are organized into the following sections:

  • Methodology and approach
  • Assessment results and recommendations
  • Appendices

Contractor services were performed and this report was developed in accordance with our contract GS-35F-0263P and Task Order Number 040921366 dated 7/22/2009, and are subject to the terms and conditions included therein.

Contractor services were performed in accordance with Standards for Consulting Services established by the American Institute of Certified Public Accountants (AICPA). Accordingly, we are providing no opinion, attestation, or other form of assurance with respect to our work and we did not verify or audit any information provided to us.

Contractor work was limited to the specific procedures and analysis described herein and was based only on the information made available through November 9th, 2009. Accordingly, changes in circumstances after this date could affect the findings outlined in this report.

This information has been prepared solely for the use and benefit of, and pursuant to a client relationship exclusively with, the NRC and the U.S. Government. PwC LLC disclaims any contractual or other responsibility to others based on its use and, accordingly, this information may not be relied upon by anyone other than NRC and the U.S. Government. The report may be subject to release under the U.S. Freedom of Information Act ("the Act"). Unless required by the Act, neither the report nor its content may be distributed to, discussed with or otherwise disclosed to any Third Party without the prior written consent of PwC. If the report is requested under the Act, NRC has agreed to promptly notify PwC of such request as required by federal law.


(b)(7)(E)
5. Recommendations

The following are the recommendations associated with the findings of the assessment.

Procedural Recommendations

1. Implement secure coding practices within the SDLC and continuously monitor web applications for security vulnerabilities:
a. Implement appropriate input validation mechanisms and integrate secure coding into the SDLC.
b. Perform web application security assessments (WASA) as part of the continuous monitoring process.
2. Review logs, identify suspicious events and flag for further investigations, and take actions to limit the impact of events determined to be the result of malicious activity.
3. Assess and continually monitor publicly facing information for sensitive or unnecessary information:
a. Continuously monitor publicly facing information and remove or limit sensitive information, such as potentially extraneous information included in the NRC Telephone Directory.
b. Determine if a publicly accessible NRC Telephone Directory is necessary to fulfill the mission of the agency. If not, remove the directory from the external website and ensure it is only visible internally. Alternatively, the NRC can also limit the amount of information provided in the directory, to mitigate the threat of social engineering attacks.
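Recommendation 2 asks for log review that surfaces suspicious events for investigation without saying how. The following is an added example, not code from the report or from NRC, of one concrete form that review can take: a sliding-window scan of authentication log lines that flags a source reaching a failure threshold inside a short window, records whether a success followed (the case to look at first), and counts lines it could not parse rather than dropping them. The log format, timestamps, usernames and addresses are constructed for the example.

```python
"""Sliding-window review of authentication log lines (added example; the log
format, hosts and usernames are constructed, not taken from the NRC report)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one burst of failures followed by a success, one
# low-and-slow series of failures, and one line the parser cannot read.
SAMPLE_LOG = """\
2009-10-05 09:00:01 AUTH FAIL user=jsmith src=10.0.5.21
2009-10-05 09:00:04 AUTH FAIL user=jsmith src=10.0.5.21
2009-10-05 09:00:06 AUTH FAIL user=jsmith src=10.0.5.21
2009-10-05 09:00:09 AUTH FAIL user=jsmith src=10.0.5.21
2009-10-05 09:00:12 AUTH FAIL user=jsmith src=10.0.5.21
2009-10-05 09:00:15 AUTH OK   user=jsmith src=10.0.5.21
2009-10-05 09:30:00 AUTH FAIL user=mlee src=10.0.7.8
2009-10-05 09:45:00 AUTH FAIL user=mlee src=10.0.7.8
2009-10-05 10:00:00 AUTH FAIL user=mlee src=10.0.7.8
2009-10-05 10:15:00 AUTH FAIL user=mlee src=10.0.7.8
2009-10-05 10:30:00 AUTH FAIL user=mlee src=10.0.7.8
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUTH (?P<result>FAIL|OK)\s+"
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so the caller can count it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_suspicious(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag (src, user) pairs that reach `threshold` failures inside `window`.

    Returns {"flagged": [...], "totals": {(src, user): failures}, "unparsed": n}.
    A flagged pair that later logs a success is marked followed_by_success,
    which is the case an analyst should look at first.
    """
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    totals = defaultdict(int)     # (src, user) -> all failures, regardless of timing
    flagged = {}                  # (src, user) -> finding dict
    unparsed = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1        # never silently drop lines you could not read
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "OK":
            if key in flagged:
                flagged[key]["followed_by_success"] = True
            continue
        totals[key] += 1
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()          # drop failures older than the window
        if len(q) >= threshold and key not in flagged:
            flagged[key] = {
                "src": ev["src"], "user": ev["user"],
                "first": q[0], "last": ev["ts"], "count": len(q),
                "followed_by_success": False,
            }
    return {"flagged": list(flagged.values()), "totals": dict(totals), "unparsed": unparsed}


if __name__ == "__main__":
    result = find_suspicious(SAMPLE_LOG)
    for f in result["flagged"]:
        print(f"{f['src']} {f['user']}: {f['count']} failures "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S} "
              f"success afterwards: {f['followed_by_success']}")
    print("unparsed lines:", result["unparsed"])
```

On the sample, only the jsmith burst is flagged, and it is marked as followed by a success. The mlee series never reaches five failures inside any five-minute window, which is why the function also returns per-pair totals: a windowed rule alone misses low-and-slow attempts, so a periodic total-count check belongs alongside it.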

Technical Control Recommendations

4. Restrict systems from accepting anonymous connections and enforce strong authentication controls:
a. Discontinue the use of externally accessible, anonymous instances of Citrix in favor of a more secure enterprise application.
b. Disable null (anonymous) sessions on domain controllers and workstations within the NRC, where feasible.
c. Implement strong passwords and enforce the use of strong passwords for users in accordance with NRC policies and Federal guidance.
d. Limit use of local accounts and establish a mechanism to maintain and manage unique passwords for local accounts.
e. Require two factor authentication, such as HSPD-12 compliant badges or valid NRC certificates, on all Internet-facing applications, including Outlook Web Access.
5. Restrict the use of removable storage media on NRC computers:
a. Configure workstations to only accept connections from USB drives approved by the NRC.
b. Improve controls around PDR computers by disabling USB access or enclosing PDR computers in a locked cabinet.
6. Implement controls to restrict NRC network access to authorized systems and restrict NRC computers from connecting to unauthorized systems:
a. Do not permit externally facing systems within the demilitarized zone (DMZ) to initiate communications with systems on the internal NRC network.


b. Establish mechanisms to validate that only authorized NRC systems may connect to the NRC network.
c. Configure PDR workstations to only access required systems, using specific ports and protocols.
7. Implement system controls to assist in identifying and limiting the impact of phishing e-mails and malicious files:
a. Configure the e-mail or anti-spam system to mark e-mails received from non-NRC e-mail addresses to allow employees and contractors to more easily identify external and potentially dangerous e-mails.
b. Implement technical controls including application whitelisting (configuring allowed applications), browser virtualization (launching browsers in an isolated virtual environment), and web proxies to limit the impact of malicious files or links, which users may inadvertently access.
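Recommendation 7.a describes marking mail from non-NRC addresses so that staff can tell external messages apart. The block below is an added example, not NRC configuration or code from the report, of the rule a mail gateway applies: it takes the domain from the address part of From (so a display name such as "NRC Help Desk" on an outside address does not count as internal), treats subdomains of the organisation's domain as internal, treats lookalike and missing senders as external, and does not double-tag a message that already carries the tag. The organisation domain list, the tag text and the sample messages are constructed assumptions.

```python
"""Tag mail from outside the organisation (added example; the domain list and
the sample messages are constructed assumptions, not NRC configuration)."""
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation domains; a real deployment takes this from the mail gateway.
INTERNAL_DOMAINS = {"nrc.gov"}
TAG = "[EXTERNAL]"

# Constructed sample messages covering the cases a tagging rule must get right.
SAMPLES = {
    "internal":     "From: Jane Doe <jane.doe@nrc.gov>\nSubject: Status\n\nbody\n",
    "subdomain":    "From: system@mail.nrc.gov\nSubject: Alert\n\nbody\n",
    "spoofed_name": "From: NRC Help Desk <helpdesk@example.net>\nSubject: Password reset required\n\nbody\n",
    "lookalike":    "From: admin@nrc.gov.example.com\nSubject: Hello\n\nbody\n",
    "missing_from": "Subject: Hello\n\nbody\n",
    "already":      "From: x@example.org\nSubject: [EXTERNAL] Re: Hello\n\nbody\n",
}


def sender_domain(msg):
    """Domain of the address part of From, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg):
    """True unless the From domain is an organisation domain or a subdomain of one.
    An unparseable or missing sender fails closed and counts as external."""
    domain = sender_domain(msg)
    if domain is None:
        return True
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def tag_external(raw_message):
    """Parse a raw message and prefix its Subject with TAG when it is external."""
    msg = message_from_string(raw_message)
    if is_external(msg):
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            del msg["Subject"]            # setting without deleting would add a second header
            msg["Subject"] = f"{TAG} {subject}".strip()
    return msg


def tagged_subjects():
    """Subject line of every sample after the rule has run, keyed by sample name."""
    return {name: tag_external(raw)["Subject"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, subject in tagged_subjects().items():
        print(f"{name:13} {subject}")
```

The tag is a cue for the reader, not an authentication result: a From header is trivially forgeable, so the rule is a complement to training item 8.d and to sender-authentication checks at the gateway, not a replacement for them.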

Security Awareness and Training Recommendations

8. Review security awareness training to ensure it adequately educates users on their responsibilities to:
a. Protect sensitive media, while providing examples of types of sensitive data.
b. Properly dispose of sensitive information, while identifying the potential impact on the agency or person when media is not adequately secured in accordance with documented policies.
c. Understand the risks of connecting unauthorized USB drives to NRC workstations.
d. Recognize phishing attacks that arrive from non-NRC e-mail addresses and appropriately respond to contained links, attached files, and other malicious tactics leveraged by attackers.
e. Never provide their password to the Help Desk or any other NRC representative.
f. Understand that phone numbers can be 'spoofed' and provide instructions on how to identify potentially 'spoofed' phone numbers.
g. Understand their role in preventing 'piggybacking', as well as the risks associated with allowing unauthorized users to access secure NRC locations.
9. Distribute a message from leadership informing NRC employees and contractors of the threat of social engineering and reiterate that under no circumstances will anyone from the NRC ask for their password via phone or e-mail.
10. Assess the effectiveness of security awareness training, security policies and procedures, and technical controls on a periodic basis. Assessments should include proactive measures such as dumpster/recycle bin diving, workspace walkthroughs, phishing, or social engineering phone calls.

Physical Security Recommendations

11. Revise current policy to restrict visitors from leaving the lobby area without an escort.
12. Evaluate the feasibility of implementing security technologies such as access control turnstiles to limit "piggy-backing" into secure NRC locations.


6. Appendices

(b)(6),(b)(7)(C)

FOR OFFICIAL USE ONLY - SENSITIVE INTERNAL INFORMATION

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
OFFICE OF THE INSPECTOR GENERAL

November 6, 2019

MEMORANDUM TO: Margaret M. Doane, Executive Director for Operations

FROM: Dr. Brett M. Baker /RA/, Assistant Inspector General for Audits

SUBJECT: EVALUATION OF NUCLEAR REGULATORY COMMISSION VULNERABILITY ASSESSMENT AND PENETRATION TESTING (OIG-20-A-02)

The Office of the Inspector General (OIG) contracted RMA Associates, LLC to conduct an assessment of NRC's information technology vulnerabilities and perform penetration testing. Attached is OIG's audit report titled Evaluation of Nuclear Regulatory Commission Vulnerability Assessment and Penetration Testing. The objective of this evaluation was to assess the NRC's technical configuration and security controls by performing coordinated network and host-based security testing supporting the FISMA assessment. The findings and conclusions presented in this report are the responsibility of RMA. OIG's responsibility is to provide adequate oversight of the contractor's work in accordance with the Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Inspection and Evaluation.

The report presents the results of the subject audit. Following the October 9, 2019, exit conference, agency staff indicated that they had no formal comments for inclusion in this report.

OIG identified observations that, if remediated, would strengthen NRC's security posture.

Specifically, improvements can be made in four general information systems control areas (b)(7)(E)

Please provide information on actions taken or planned on each of the recommendation(s) within 30 calendar days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at (301) 415-5915 or (b)(7)(E)

Attachment:

As stated

RMA Associates
Auditors. Consultants. Advisors.
1005 N. Glebe Road, Suite 610, Arlington, VA 22201
Phone: (571) 429-6600
www.rmafed.com

Evaluation of NUCLEAR REGULATORY COMMISSION Vulnerability Assessment and Penetration Testing
October 18, 2019

October 18, 2019

Mr. David Lee
Deputy Inspector General
Nuclear Regulatory Commission
11555 Rockville Pike
Rockville, MD 20852

Re: Evaluation Report on Nuclear Regulatory Commission Vulnerability Assessment and Penetration Testing

Dear Mr. Lee:

RMA Associates, LLC (RMA) is pleased to submit the Evaluation Report on Nuclear Regulatory Commission (NRC) Vulnerability Assessment and Penetration Testing (VA/PT). RMA assessed NRC's information security by performing VA/PT in support of NRC's Federal Information Security Modernization Act of 2014 (FISMA) assessment.

In terms of background, although NRC has a robust security program in place, continuous cybersecurity improvement must be a top priority for NRC, and all Federal Government agencies.

While technology enables and enhances the ability to share information instantaneously among stakeholders through computers and networks, it also makes networks vulnerable to malicious activity and exploitation by internal and external sources. Insiders with malicious intent, recreational and institutional hackers, and attacks by foreign intelligence organizations are significant threats to NRC's critical systems.

Specifically, the U.S. Department of Homeland Security recognizes these threats:

"During the last several decades, advances in technology have fundamentally changed the world. Substantial growth in Internet access, use of Internet-enabled devices, and the availability of high-speed information technology systems and large datasets have facilitated productivity, efficiencies, and capabilities across all major industries. The proliferation of technology also presents new cybersecurity challenges and leads to significant national risks. More than 20 billion devices are expected to be connected to the Internet by 2020. The risks introduced by the growing number and variety of such devices are substantial. ... Like every organization, no matter how big or small, we must minimize our organizational vulnerability to malicious cyber activity by protecting our own networks."[1]

We based our assessment and penetration methodology on the signed Rules of Engagement (ROE), which established RMA procedures for conducting electronic security tests for the NRC. The ROE was based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-115, Technical Guide to Information Security Testing and Assessment.

[1] U.S. Department of Homeland Security, Cybersecurity Strategy, May 15, 2018

The ROE documents the scope, objective, and methodology of the network security tests, the procedures to be performed, the rules to be followed, and points of contact. The ROE also provides NRC OIG's and NRC Management's authorization for RMA to conduct these tests. These specific rules were necessary to ensure we performed the testing in a manner that minimized operational impact while maximizing the value of the test.

We conducted the evaluation in accordance with the Council of Inspectors General on Integrity and Efficiency Quality Standards for Inspection and Evaluation.

Sincerely,

Reza Mahbod, CPA, CISA, CGFM, CICA, CGMA, CDFM
President
RMA Associates, LLC

Enclosure

Page ii

Table of Contents

I. EXECUTIVE SUMMARY 1
II. OBJECTIVE 2
III. SCOPE & METHODOLOGY 2
IV. VULNERABILITY ASSESSMENT 3
(b)(7)(E)
D. Criteria 8
E. Recommendations 10
V. INTERNAL PENETRATION TESTING 10
VI. INTERNAL PENETRATION TESTING RESULTS 11
(b)(7)(E)

Page iii

(b)(7)(E)

Page iv

I. EXECUTIVE SUMMARY

RMA Associates, LLC (RMA) conducted a Vulnerability Assessment and Penetration Testing (VA/PT) of the Nuclear Regulatory Commission (NRC)'s information security in support of NRC's Federal Information Security Modernization Act of 2014 (FISMA) assessment. The testing was based on the approved Rules of Engagement (ROE) between NRC, NRC Office of Inspector General (OIG), and RMA that required the use of National Institute of Standards and Technology (NIST) guidance.

We performed an assessment of the NRC network infrastructure, servers, workstations, applications, and routers that support NRC's systems and that can be accessed internally from NRC's networks and externally from the public Internet.

(b)(7)(E)

During our VA/PT, we identified observations that, if remediated, would help strengthen NRC's security posture. In summary, we have categorized our comments within this report into four general information systems control observations:

(b)(7)(E)

Page 1

To address these observations, we recommend NRC perform the following:

1. Address security deficiencies identified during the assessments of NRC's applications and network infrastructure, in accordance with CSO-STD-0020, Organization-Defined Values for System Security and Privacy Controls.
2. For the vulnerabilities listed in this report, develop a plan and schedule for evaluating the vulnerabilities identified; determine the appropriate action to address each vulnerability (e.g., mitigation, deviation, risk acceptance); and implement the remedial actions.

II. OBJECTIVE

RMA was contracted by the NRC OIG to assess the NRC's technical configuration and security controls by performing coordinated network and host-based security testing supporting the FISMA assessment. Internal controls related to the evaluation objective were reviewed and analyzed.

Throughout the evaluation, we considered the possibility of fraud, waste, and abuse in the program.

(b)(7)(E)

Page 2

(b)(7)(E)

Page 3

(b)(7)(E)

Page 4

(b)(7)(E)

Page 5

(b)(7)(E)

Page 6

(b)(7)(E)

Page 7

(b)(7)(E)

Page 8

(b)(7)(E)

Page 9

(b)(7)(E)

E. Recommendations

To address the vulnerabilities mentioned above, we recommend NRC perform the following:

1. Address security deficiencies identified during the assessments of NRC's applications and network infrastructure, in accordance with CSO-STD-0020, Organization-Defined Values for System Security and Privacy Controls.
2. For the vulnerabilities listed in this report, develop a plan and schedule for evaluating the vulnerabilities identified; determine the appropriate action to address each vulnerability (e.g., mitigation, deviation, risk acceptance); and implement the remedial actions.

(b)(7)(E)

Page 10

(b)(7)(E)

Page 11

(b)(7)(E)

Page 12

(b)(7)(E)

Page 13

(b)(7)(E)

Page 14

(b)(7)(E)

Page 15

(b)(7)(E)

Page 16

(b)(7)(E)

Page 17

(b)(7)(E)

Page 18

(b)(7)(E)

Page 19

(b)(7)(E)

Page 20

(b)(7)(E)

Page 21

(b)(7)(E)

Page 22

(b)(7)(E)

Page 23

(b)(7)(E)

Page 24

(b)(7)(E)

Page 25

(b)(7)(E)

Page 26

(b)(7)(E)

Page 27

(b)(7)(E)

Page 28

(b)(7)(E)

Page 29

(b)(7)(E)

Page 30

[Illustration 2: NRC Webhosting Information (image of an ARIN "whois" record; the record's contents are not recoverable from the extracted text)]

Illustration 2: NRC Web information. The illustration above is the "whois" information provided by ARIN on network space for a hosting service used by the NRC.

The SE Team used this information to understand NRC partners and additional cyber resources.

Page 18 of 30

[Illustration 3: NRC Network Space (image of an ARIN "whois" record; the record's contents are not recoverable from the extracted text)]

Illustration 3: NRC network lookup. This illustration is the "whois" information provided by ARIN on the NRC network space. The SE Team used this information to conduct network reconnaissance and identify potential targets.
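Illustrations 2 and 3 show the reconnaissance step in which a registry "whois" record is read to learn an organization's address space, name servers and hosting partners. The Python below is an added example, not code from the report or from RMA or the SE Team: it parses an ARIN-style whois record into a target scope and checks candidate addresses against that scope before they are touched, which is the check a Rules of Engagement requires. The whois text, the organization and the hosting provider are constructed (RFC 5737 documentation ranges); only the field names follow ARIN's layout.

```python
"""Parse an ARIN-style whois record into a reconnaissance scope.

Added example. The record below is constructed (RFC 5737 documentation
ranges, invented organisation); it is not the NRC record from the report.
"""
import ipaddress
import re

# Constructed sample, laid out like an ARIN whois response.
SAMPLE_WHOIS = """\
OrgName:        Example Regulatory Commission
OrgId:          EXAMPLE-1
Address:        1 Example Plaza
City:           Rockville
StateProv:      MD
PostalCode:     20852
Country:        US
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET-1
NetHandle:      NET-192-0-2-0-1
Parent:         NET-192-0-0-0-0
NetType:        Direct Assignment
NameServer:     NS1.EXAMPLE.NET
NameServer:     NS2.EXAMPLE.NET
Comment:        Hosting provider: Example Hosting, Inc.
RegDate:        1996-06-18
Updated:        2004-11-22
OrgTechName:    Doe, Jane
OrgTechPhone:   +1-555-0100
OrgTechEmail:   noc@example.net
"""

# "Field:   value" lines; comment lines starting with '#' do not match.
_LINE = re.compile(r"^([A-Za-z]+):\s*(.*?)\s*$")


def parse_whois(text):
    """Return {field: [values]}; repeated fields such as NameServer keep every value."""
    record = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            key, value = m.groups()
            record.setdefault(key, []).append(value)
    return record


def networks_from_record(record):
    """Derive ip_network objects from CIDR lines, falling back to NetRange."""
    nets = []
    for cidr in record.get("CIDR", []):
        for part in cidr.split(","):
            nets.append(ipaddress.ip_network(part.strip(), strict=False))
    if not nets:  # some records carry only a start - end range
        for rng in record.get("NetRange", []):
            lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


def in_scope(ip, nets):
    """True only if ip falls inside a registered block; the ROE gate for any probe."""
    return any(ipaddress.ip_address(ip) in n for n in nets)


def recon_summary(text):
    """What the illustrations were used for: owner, address space, DNS and partners."""
    rec = parse_whois(text)
    nets = networks_from_record(rec)
    return {
        "org": rec.get("OrgName", [""])[0],
        "networks": [str(n) for n in nets],
        "host_count": sum(n.num_addresses for n in nets),
        "name_servers": [ns.lower() for ns in rec.get("NameServer", [])],
        # Third parties named in the record become separate ROE questions.
        "third_parties": [c.split(":", 1)[1].strip()
                          for c in rec.get("Comment", []) if "provider" in c.lower()],
    }


if __name__ == "__main__":
    summary = recon_summary(SAMPLE_WHOIS)
    print(summary)
    scope = networks_from_record(parse_whois(SAMPLE_WHOIS))
    for candidate in ("192.0.2.17", "198.51.100.1"):
        print(candidate, "in scope" if in_scope(candidate, scope) else "OUT OF SCOPE")
```

The point of `in_scope` is that registry data defines the boundary the ROE authorizes: an address learned from a hosting partner's record (Illustration 2) may belong to a third party that never signed the ROE, so it is listed under `third_parties` for a scope decision rather than added to the target list.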

Page 19 of 30