GAO Report: FDIC Information Security is Inadequate

Wednesday, August 17, 2011

The Government Accountability Office (GAO) has released a report that is critical of the overall security of key information systems at the Federal Deposit Insurance Corporation (FDIC).

The FDIC is an independent federal agency whose central mission is to provide regulatory stability for the nation's banking system and ensure depositors are protected against risky business practices by financial institutions.

The following is a partial selection of the information provided in the GAO report:

What GAO Found

Although FDIC had implemented numerous controls in its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information.

FDIC has implemented controls to detect and change default user accounts and passwords in vendor-supplied software, restricted access to network management servers, developed and tested contingency plans for major systems, and improved mainframe logging controls.

However, the corporation had not always (1) required strong passwords on financial systems and databases; (2) reviewed user access to financial information in its document sharing system in accordance with policy; (3) encrypted financial information transmitted over and stored on its network; and (4) protected powerful database accounts and privileges from unauthorized use.

In addition, other weaknesses existed in FDIC’s controls that were intended to appropriately segregate incompatible duties, manage system configurations, and implement patches.

Background

Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission and is especially important for a government corporation such as FDIC, which has responsibilities to oversee the financial institutions that are entrusted with safeguarding the public’s money.

Cyber-based threats to information systems and cyber-related critical infrastructure can come from sources internal and external to the organization. Internal threats include errors as well as fraudulent or malevolent acts by employees or contractors working within an organization. External threats include the ever-growing number of cyber-based attacks that can come from a variety of sources such as hackers, criminals, and foreign nations.

Potential attackers have a variety of techniques at their disposal, which can vastly enhance the reach and impact of their actions. For example, cyber attackers do not need to be physically close to their targets, their attacks can easily cross state and national borders, and cyber attackers can preserve their anonymity.

Further, the interconnectivity among information systems presents increasing opportunities for such attacks. Indeed, reports of security incidents from federal agencies are on the rise, increasing by more than 650 percent from fiscal year 2006 to fiscal year 2010.

Specifically, the number of incidents reported by federal agencies to the United States Computer Emergency Readiness Team (US-CERT) has increased dramatically over the past 4 years: from 5,503 incidents reported in fiscal year 2006 to about 41,776 incidents in fiscal year 2010.

Compounding the growing number and kinds of threats are the deficiencies in security controls on the information systems at federal agencies, which have resulted in vulnerabilities in both financial and nonfinancial systems and information.

These deficiencies continue to place assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, and critical operations at risk of disruption.

Opportunities Exist for FDIC to Improve Information Security Controls

Although FDIC had implemented numerous controls over its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information.

A key reason for these weaknesses is that the corporation did not always fully implement key information security program activities, such as effectively developing and implementing security policies.

Although these weaknesses did not individually or collectively constitute a material weakness or significant deficiency in 2010, they still increase the risk that financial and other sensitive information could be disclosed or modified without authorization.

FDIC Had Not Always Protected System Boundaries

FDIC had not always controlled the logical and physical boundaries protecting its information and systems. Examples are as follows:

  • Certain network devices, servers, and workstations on FDIC’s internal network were not always configured to sufficiently restrict access or to fully secure connections.
  • Firewalls controlling traffic between segments of FDIC’s internal network did not sufficiently control certain types of network traffic.
  • Boundary protection controls were configured in a manner that limited the effectiveness of monitoring controls.

As a result of these deficiencies, FDIC faces an increased risk that individuals could gain unauthorized access to its financial systems and information.

Controls for Identifying and Authenticating Users Were Not Consistently Enforced

FDIC had not consistently enforced other identification and authentication user controls. Examples are as follows:

  • Passwords for certain privileged accounts on a system supporting financial processing were not configured in accordance with FDIC policy. Additionally, two of the accounts were using the same password.
  • Password settings for certain accounts on a system supporting the loss-share loss estimation process were not configured in accordance with FDIC policy.
  • Systems supporting financial processing were not always configured with sufficiently strong identification and authentication controls.

As a result of these deficiencies, FDIC is at an increased risk that an individual with malicious intentions could gain inappropriate access to its financial systems and information.

Sensitive Information Was Not Always Encrypted

FDIC had implemented controls to encrypt certain sensitive information on its systems. For example, it had restricted the use of unencrypted protocols on the mainframe and had required that sensitive information stored on user workstations or mobile devices be encrypted.

However, FDIC had not always ensured that sensitive financial information transmitted over and stored on its network was adequately encrypted. Specifically, FDIC had not always used sufficiently strong encryption on two systems supporting the loss-share loss estimation process and had not always strongly encrypted stored passwords on certain financial systems.

As a result of these deficiencies, FDIC is at an increased risk that an individual could capture information such as user IDs and passwords and use them to gain unauthorized access to data and system resources.
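Two of the findings above (privileged accounts sharing one password, and stored passwords that were not strongly protected) are the kind of thing an internal audit can catch from the credential store alone. The following is an added example, not code from the GAO report or FDIC: it audits a constructed sample store for a weak storage scheme and for accounts whose stored digests show they share a password. The scheme names, the record layout and the accepted-scheme policy are assumptions.

```python
import hashlib
from collections import defaultdict

# Storage schemes the (hypothetical) policy accepts: salted, slow and iterated.
ACCEPTED_SCHEMES = {"pbkdf2_sha256"}
PBKDF2_ROUNDS = 200_000

def store_password(password: str, salt: bytes, scheme: str = "pbkdf2_sha256") -> str:
    """Produce the stored digest for a password under a given scheme."""
    if scheme == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()
    if scheme == "md5":  # unsalted and fast: storage the report would call not strongly encrypted
        return hashlib.md5(password.encode()).hexdigest()
    raise ValueError(f"unknown scheme {scheme}")

def audit_accounts(records):
    """records: dicts with account, privileged, scheme, salt (hex), digest.
    Returns a sorted list of (account, finding) tuples."""
    findings = []
    by_digest = defaultdict(list)
    for r in records:
        if r["scheme"] not in ACCEPTED_SCHEMES:
            findings.append((r["account"], f"weak storage scheme {r['scheme']}"))
        # The same digest under the same scheme and salt means the same password;
        # for an unsalted scheme that comparison works across every account.
        by_digest[(r["scheme"], r["salt"], r["digest"])].append(r)
    for group in by_digest.values():
        privileged = [r["account"] for r in group if r["privileged"]]
        if len(group) > 1 and privileged:
            for acct in privileged:
                findings.append((acct, "shares a password with another account"))
    return sorted(findings)

# Constructed sample store (not from the report). The salt is fixed only so the
# example is reproducible; a real store generates a random salt per account.
SALT = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f9")
SAMPLE = [
    {"account": "dba_admin", "privileged": True, "scheme": "md5", "salt": "",
     "digest": store_password("Winter2011", b"", "md5")},
    {"account": "batch_admin", "privileged": True, "scheme": "md5", "salt": "",
     "digest": store_password("Winter2011", b"", "md5")},
    {"account": "analyst1", "privileged": False, "scheme": "pbkdf2_sha256",
     "salt": SALT.hex(), "digest": store_password("correct horse battery", SALT)},
]

if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE):
        print(f"{account}: {finding}")
```

Both privileged accounts are reported twice (weak scheme, shared password) while the properly stored analyst account produces no finding.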

Critical Systems Were Not Always Fully Patched

FDIC had patched many of its systems and had ensured that much of its software was up-to-date. For example, it had retired critical network devices that were not supported by their manufacturers, updated patch levels for third-party software running on two UNIX servers, and removed an obsolete version of third-party software running on a Windows server.

However, FDIC had not consistently updated its financial systems and servers with critical patches or kept its software up-to-date, including systems supporting the loss-share loss estimation process.

For example, certain servers supporting financial processing were running a version of software that was unsupported for patch updates, and several workstations used in the loss-share loss estimation process were missing patches and were running software that was no longer supported by the manufacturer.

Additionally, certain workstations were missing operating system patches. As a result of these deficiencies, FDIC is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised.

The full GAO report can be found here:

Source: http://www.gao.gov/new.items/d11708.pdf
