In wake of 2015-16 data breaches – and Senate concerns — agency presented with 10 ways to improve its systems

Ten recommendations intended to strengthen the effectiveness of anti-hacking measures and other cyber threats on the computer networks of the federal insurer of bank deposits – particularly firewalls — have been made by the agency’s office of inspector general.

The recommendations came after a series of data breach incidents at the agency in late 2015 and into the following year, and after the chairman of the Senate Banking Committee (Sen. Richard Shelby, R-Ala., at the time) raised concerns about security, according to the Federal Deposit Insurance Corp.’s (FDIC) Office of Inspector General (OIG). The OIG then conducted an audit from February 2017 to February 2019 (working with an outside contractor) of the agency’s systems to assess the effectiveness of its firewalls and its “security information and event management (SIEM)” tool in assuring security.

The 10 items recommended are:

  • All existing firewall rules be documented with an approval and mission/business need, including the duration of that need.
  • A firewall policy consistent with National Institute of Standards and Technology (NIST) guidance be established and implemented.
  • A procedure to conduct reviews of firewall rules by individuals who are not part of the firewall administration process be set up and used.
  • Quarterly reviews of firewall rules by firewall administrators be required and documented.
  • Requirements that: a review of the National Checklist Repository be completed on a regular basis; the agency update its baseline configurations for network firewalls; and the agency document the results of the review.
  • Certain firewalls be removed (specifics were redacted) and any local accounts that are not permitted be removed by the approved baseline configuration.
  • A documented analysis be performed make certain determinations (details of which were redacted).
  • Policies and procedures to define certain accounts that are required to be managed (details redacted) be clarified.
  • A structured process to document, approve, and implement for identifying, developing, prioritizing, deploying, maintaining, and retiring “Use Cases” (also known as reports of suspicious activity) for the SIEM tool be developed.
  • A process to test and update “Use Cases” periodically be developed and used in order to ensure they operate as intended.

The OIG report stated that the recommendations were made to address the key findings of its audit, which included:

  • Many firewall rules lacked a documented justification, and the majority of firewall rules (information redacted) were unnecessary. “Several factors contributed to these weaknesses, including an inadequate firewall policy and supporting procedures, and an ineffective process for periodically reviewing firewall rules to ensure their continued need,” the report stated.
  • Firewalls did not comply with the FDIC’s minimally acceptable system configuration requirements. The OIG said that, In addition, the FDIC did not update its minimum configuration requirements in a timely manner to address new security configuration recommendations approved by the National Institute of Standards and Technology.
  • The FDIC did not always require administrators to uniquely identify and authenticate when they accessed network firewalls. (Additional information redacted.)

FDIC OIG Audit Report: Preventing and Detecting Cyber Threats