PENETRATION TESTING 2001 - AN UPDATE (2001-18/23148-2)
The OIG engaged the PricewaterhouseCoopers Technology Security group to conduct a penetration retest of PBGC's network security. This testing, which focused on gaining access to PBGC systems and resources and escalating privileges on those systems, was a follow-up on computer security testing we conducted in 1999. At that time, we found significant computer security vulnerabilities and notified PBGC that we would retest the identified weaknesses.
The penetration retest found that PBGC significantly improved security over network resources used to provide protection from malicious external and insider attacks. We did find, however, that not all PBGC accounts had strong passwords, and we found instances where unauthorized personnel were allowed access to PBGC office areas. In addition to the publicly available report, we also produced a detailed report for responsible PBGC officials (OIG Report 2001-10/23148), which is restricted because it contains sensitive and proprietary data.