FDIC #Fails Audit Regarding Active Directory Controls Within Their Organization

The FDIC is reporting disappointing results after the Office of Inspector General performed an audit of its controls for securing and managing its Microsoft Windows Active Directory which it uses for central management of all IT system user credentials.

According to auditors, privileged system users failed to practice basic password hygiene. The findings included:

  • Reusing their passwords
  • Sharing passwords across multiple accounts
  • Failing to change passwords for over a year

In addition, the probe found that, in over 900 cases, the accounts of users were not removed after prolonged inactivity. They also found three FDIC IT accounts with privileged access that remained privileged for almost a year after the access was no longer required for their positions.

Since the audit findings, the FDIC IG has made 15 recommendations to the agency for improving security controls, such as providing password training and removing unnecessary privileges. This raises the question of what training, if any, was in place until now for password and credential controls, and for other widespread cybersecurity issues such as phishing.

Details of the cybersecurity concerns come as the financial regulator is in the headlines over the SVB failure, and follow another report published earlier this year, also by the OIG, which found that the FDIC is not doing enough to monitor cyber risks within the institutions it regulates.

Oh boy.

I have three comments on this rather shambolic audit. The first is from Naveen Sunkavalley, Chief Architect at Horizon3.ai:

   “The issues highlighted in the audit – password re-use, excessive account privileges, and the failure to deactivate stale accounts – are very serious and commonly exploited by threat actors. These issues make it easier for an attacker to compromise an account and then use that single account to take over many other accounts and elevate privileges, ultimately leading to full compromise of AD and all AD-managed assets.

   “The FDIC is not alone though. We see the same problems in many of the organizations we work with. And the problems can easily recur after being fixed once, as users join or leave an organization, or users change passwords. We recommend regular security assessments of Active Directory environments to identify issues and address them as soon as possible.”

Baber Amin, COO at Veridium had this to say:

This report highlights two fundamental problems.

  1. Reliance on knowledge based credentials and trusting that humans will not follow the path of least resistance. Training is important, but we now have the means to eliminate passwords for the most part. The report continues to focus on password quality rather than asking for removal of passwords. Strong passwords that are not shared or reused actually do not need to rotate or update often. There is ample evidence on this.
    • Multi factor authentication should also play a larger role than how it is treated in the report. This is the first line of defense.

Action: Don’t put a training band-aid on it; eliminate the problem, eliminate passwords.

  2. Orphan accounts and access, and overarching entitlements
    • I put these under the access umbrella. Organizations need to embrace the concept of least privileged access and grant only the minimal amount of access necessary for the minimal amount of time. We have multiple entitlement management products and services that can root out orphan accounts, access sprawl, and even unused or orphan access grants. These tools need to be used on a regular basis.

Action: Limit access grants, use privileged access management tools to monitor privileged activity, use smart entitlements to limit overarching access, use smart monitoring to identify probes, and anomalies.
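The audit findings above (accounts left enabled after prolonged inactivity, privileged access retained long after it was needed, passwords unchanged for over a year) and the regular entitlement review Baber Amin recommends are all things a defender can check mechanically from a directory export. The following is an added example, not code from the FDIC report or from any of the commenters' companies. It runs the three checks over a small constructed set of user records; the thresholds (90 days inactive, 365 days password age), the privileged-group names and the "role requires privilege" flag are assumptions standing in for an organization's own policy and HR/entitlement data. In practice the same records would come from an AD export (for example Get-ADUser with the LastLogonDate and PasswordLastSet properties) rather than from the inline sample.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Policy thresholds: assumptions for this example, not values from the audit.
INACTIVE_DAYS = 90           # enabled account with no logon for longer than this is stale
PASSWORD_MAX_AGE_DAYS = 365  # audit found privileged passwords unchanged for over a year
# Groups treated as privileged for the review (assumed set; extend per environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


@dataclass
class ADUser:
    """One user record as it would be exported from Active Directory."""
    sam_account_name: str
    enabled: bool
    last_logon: Optional[datetime]          # lastLogonTimestamp; None = never logged on
    password_last_set: datetime             # pwdLastSet
    member_of: Set[str] = field(default_factory=set)
    role_requires_privilege: bool = False   # assumed input from HR / entitlement source


@dataclass
class Finding:
    account: str
    category: str   # stale_account | privileged_password_age | unneeded_privilege
    detail: str


def audit_users(users: List[ADUser], now: datetime) -> List[Finding]:
    """Apply the three hygiene checks and return one Finding per violation."""
    findings: List[Finding] = []
    for u in users:
        if not u.enabled:
            continue  # disabled accounts are out of scope; they cannot be used to log on

        # Check 1: enabled accounts that have gone unused (the "not removed" finding).
        if u.last_logon is None:
            findings.append(Finding(u.sam_account_name, "stale_account", "enabled but never logged on"))
        else:
            idle_days = (now - u.last_logon).days
            if idle_days > INACTIVE_DAYS:
                findings.append(Finding(u.sam_account_name, "stale_account", f"no logon in {idle_days} days"))

        # Checks 2 and 3 apply only to members of privileged groups.
        privileged_groups = u.member_of & PRIVILEGED_GROUPS
        if not privileged_groups:
            continue
        pw_age_days = (now - u.password_last_set).days
        if pw_age_days > PASSWORD_MAX_AGE_DAYS:
            findings.append(Finding(u.sam_account_name, "privileged_password_age",
                                    f"privileged password last set {pw_age_days} days ago"))
        if not u.role_requires_privilege:
            findings.append(Finding(u.sam_account_name, "unneeded_privilege",
                                    "member of " + ", ".join(sorted(privileged_groups))
                                    + " but role no longer requires it"))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per category, for the summary line of a review report."""
    return Counter(f.category for f in findings)


# Constructed reference time and sample records (not real accounts).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


def sample_users() -> List[ADUser]:
    return [
        ADUser("alice.admin", True, days_ago(5), days_ago(400), {"Domain Admins"}, True),
        ADUser("bob.contractor", True, days_ago(200), days_ago(100)),
        ADUser("carol.svc", True, days_ago(10), days_ago(30), {"Domain Admins"}, False),
        ADUser("dave.former", True, None, days_ago(500)),
        ADUser("erin.disabled", False, days_ago(400), days_ago(400)),
        ADUser("frank.ok", True, days_ago(1), days_ago(20), {"Schema Admins"}, True),
    ]


def sample_findings() -> List[Finding]:
    return audit_users(sample_users(), NOW)


if __name__ == "__main__":
    results = sample_findings()
    for f in results:
        print(f"{f.category:24} {f.account:16} {f.detail}")
    print(dict(summarize(results)))
```

Running the block prints four findings: two stale accounts, one privileged account with a year-old password, and one account holding Domain Admins membership its role no longer justifies. The point of keeping the checks in one function is that it can be scheduled against a fresh export every week, which is what turns a one-time audit clean-up into the regular review the commenters ask for.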

Morten Gammelgaard, EMEA, co-founder of BullWall had this to say:

   “The fact that privileged users were found to be reusing passwords and sharing them across accounts, as well as failing to change passwords for extended periods, indicates a lack of awareness about the importance of good password hygiene practices.

   “Moreover, the incorrect account configurations and the discovery that user accounts were not removed after prolonged inactivity reveal a lack of oversight in managing user accounts. These are common weaknesses that leave agencies vulnerable to cyber attacks, particularly ransomware attacks, which have only increased year over year.

   “For all their potential resources, government agencies clearly need to prioritize cybersecurity best practices and implement robust security controls. This includes providing password training to users, regularly reviewing user accounts and privileges, and removing unnecessary elevated domain privileges.”

It’s bad enough that smaller businesses suffer from these sorts of issues. But for the FDIC to have these sorts of issues is insane. Hopefully this is the wake-up call they need to move them into a much better place. And everybody else should read this report and ensure that they don’t have any of these issues as well.
