An inspector general (IG) report publicly released this week identified weaknesses in the Federal Deposit Insurance Corporation’s (FDIC’s) network firewalls and security information and event management (SIEM) tools.
The vulnerabilities the IG found were mostly firewall weaknesses due to administrative faults, such as inadequate firewall policies, ineffective review processes, and insufficient action in reviewing firewall rules.
“The firewall support team conducted manual reviews of the network firewall rules on a quarterly basis,” the IG said. “However, the firewall support team did not use an automated tool to facilitate these reviews. The firewall administrator subsequently explained that the large number of rules in the network firewalls did not allow for the firewall support team to review the vast majority of rules each quarter.”
Although the IG found that FDIC had properly configured its SIEM tool to collect audit log data from critical network IT devices, and that the tool effectively formatted that data to support cyber threat analysis, FDIC had no written process to identify, prioritize, implement, maintain, or retire use cases for the SIEM tool.
The IG issued 10 recommendations in light of its findings. Although the public report had redacted portions, the available recommendations said that FDIC should:
- Require all existing firewall rules be documented with an approval and a mission or business need, including the duration of the need;
- Establish and implement firewall policy compliant with National Institute of Standards and Technology guidance;
- Establish and implement a procedure to conduct reviews of firewall rules by individuals who aren’t part of the firewall administration process;
- Require firewall administrators to document quarterly reviews of firewall rules;
- Create a requirement for regular review of the National Checklist Repository, update FDIC’s baseline configurations for network firewalls, and document the review results;
- Review all firewalls and remove any local accounts that aren’t permitted by approved baseline configuration;
- Document, approve, and implement a structured process to identify, develop, prioritize, deploy, maintain, and retire use cases for the SIEM tool; and
- Document, approve, and implement a process to test and update use cases periodically to ensure they can properly operate.
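As an added example (not code from the IG report or FDIC), this script shows the kind of automated review the IG said the firewall support team lacked: it runs over a constructed rule export with assumed field names and flags rules that lack a documented approval, business need, or duration, or whose documented need has lapsed, so a quarterly review can cover every rule and leave a record.

```python
"""Automated quarterly firewall rule review: checks each rule for the
documentation the IG recommendations call for (approval, mission or
business need, duration) and reports rules needing action."""
from datetime import date

# Constructed sample export. Field names are an assumption, not an FDIC format.
SAMPLE_RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "10.1.2.3", "port": 443, "action": "allow",
     "approved_by": "CISO", "need": "Internal web app", "expires": "2025-12-31"},
    {"id": 2, "src": "any", "dst": "10.1.2.4", "port": 22, "action": "allow",
     "approved_by": "", "need": "", "expires": ""},
    {"id": 3, "src": "192.0.2.0/24", "dst": "10.1.2.5", "port": 3389, "action": "allow",
     "approved_by": "NetOps", "need": "Vendor remote support", "expires": "2018-06-30"},
    {"id": 4, "src": "any", "dst": "any", "port": "any", "action": "deny",
     "approved_by": "CISO", "need": "Default deny", "expires": "none"},
]


def review_rules(rules, today_iso):
    """Map each rule id to a list of findings (empty means the rule passes).
    'expires' of 'none' marks a standing rule such as the default deny."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for r in rules:
        issues = []
        if not r["approved_by"]:
            issues.append("no documented approval")
        if not r["need"]:
            issues.append("no mission/business need recorded")
        exp = r["expires"]
        if not exp:
            issues.append("no duration of need recorded")
        elif exp != "none" and date.fromisoformat(exp) < today:
            issues.append(f"documented need expired on {exp}")
        # Permissive rules with incomplete justification deserve first attention.
        if r["action"] == "allow" and r["src"] == "any" and issues:
            issues.append("broad 'any' source with incomplete justification")
        findings[r["id"]] = issues
    return findings


def quarterly_report(rules, today_iso):
    """Split rules into flagged and clean so the review itself can be documented."""
    findings = review_rules(rules, today_iso)
    flagged = sorted(i for i, v in findings.items() if v)
    clean = sorted(i for i, v in findings.items() if not v)
    return {"date": today_iso, "flagged": flagged, "clean": clean, "findings": findings}


if __name__ == "__main__":
    report = quarterly_report(SAMPLE_RULES, "2019-01-15")
    for rid in report["flagged"]:
        print(f"rule {rid}: " + "; ".join(report["findings"][rid]))
```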
The recommendations come against a backdrop of incidents: between October 2014 and 2017, FDIC reported 985 total IT security incidents, 12 of which were major incidents involving the personally identifiable information (PII) of more than 120,000 people, as well as business proprietary and sensitive data of financial institutions, as previous IG reports disclosed.
FDIC relies heavily on information systems to conduct its work, and these systems contain PII including names, social security numbers, and bank account numbers of FDIC employees and “depositors of failed financial institutions; confidential bank examination information, including supervisory ratings; and sensitive financial data, including credit card numbers.”