The Federal Deposit Insurance Corporation (FDIC), which has been much in the news in recent weeks because of turmoil in the banking sector, still has work to do to improve the security of its user identification and authentication technology, according to the agency's inspector general.
The agency’s Office of Inspector General (OIG) said in a new report that FDIC has not fully “implemented effective controls” for its Microsoft Windows Active Directory (AD).
The AD system is used by the agency to “manage user identification, authentication, and authorization,” and can be a prime target area for cyber criminals, the OIG said.
Of the 12 control areas the watchdog assessed in its audit, seven were judged to still need improvement, including password management, privileged account management, and AD policies and procedures.
“The FDIC’s ineffective AD security controls could pose significant risks to FDIC data and systems,” the OIG warned.
Among its recommendations, the report calls on the FDIC chief information officer to "develop and implement procedures to regularly update the Active Directory Operations Manual to reflect the current structure and practices."
The FDIC concurred with the entire list of recommendations, which include:
- Provide additional training to emphasize password requirements for privileged account users and communicate the effect of poor password practices, including those identified in this report;
- Develop and implement controls to monitor and track password usage for privileged users and domain administrators to mitigate insecure password practices;
- Approve and maintain Secure Baseline Configuration Guide deviations for accounts in the identified domain, as appropriate;
- Develop and implement policies and procedures to automate the password creation and management process for privileged Active Directory accounts;
- Remove unnecessary elevated domain privileges for accounts across all FDIC domains;
- Develop and implement permission settings and configurations for privileged accounts that are aligned with the principle of least privilege;
- Develop and implement monitoring mechanisms to regularly review privileged account settings and configurations and remediate any misconfigured accounts;
- Identify inactive user accounts and disable or delete them in accordance with FDIC policy;
- Design and implement mitigating controls to address occurrences where the automated inactivity setting is inoperable;
- Develop and implement a process to regularly evaluate the roles to determine whether they are still needed or duplicative of other roles;
- Develop and implement a process to reconcile conflicting certification determinations for duplicative roles;
- Update and implement procedures to proactively update or replace operating systems before vendor support ends;
- Issue a current, updated Active Directory Operations Manual; and
- Develop and implement a process to monitor all domain controllers and ensure that any exceptions are addressed timely.
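Several of the recommendations above (removing unnecessary elevated domain privileges, tracking privileged users' password practices, disabling inactive accounts, and keeping an eye on domain controller operating systems) map directly onto queries an AD administrator can run. The following PowerShell script is an added, read-only example and is not from the OIG report or the FDIC; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain, and the 90-day inactivity and 365-day password-age thresholds are illustrative assumptions rather than FDIC policy values.

```powershell
# Added example (not from the OIG report): read-only AD audit covering several of the
# recommendation areas. Requires the RSAT ActiveDirectory module and an account with
# read access to the domain. Thresholds below are assumptions, not FDIC policy values.
Import-Module ActiveDirectory

$InactiveDays     = 90      # assumed inactivity threshold
$MaxPasswordAge   = 365     # assumed maximum age for a privileged account password
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# 1. Privileged account management: who actually holds elevated domain privileges?
#    -Recursive expands nested groups, which is where stale admin access usually hides.
$privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName `
                -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
                Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled,
                              PasswordLastSet, PasswordNeverExpires, LastLogonDate
        }
}
$privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Password practices for privileged users: flag accounts whose password never expires,
#    has never been set, or has not been rotated within the assumed maximum age.
$privileged | Where-Object {
    $_.PasswordNeverExpires -or
    -not $_.PasswordLastSet -or
    $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAge)
} | Format-Table Group, SamAccountName, PasswordLastSet, PasswordNeverExpires -AutoSize

# 3. Inactive accounts: still enabled but with no logon inside the threshold.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag of
#    up to about 14 days, so treat the date as approximate. Report only by default.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object Enabled
$inactive | Select-Object SamAccountName, LastLogonDate, DistinguishedName | Format-Table -AutoSize
# $inactive | Disable-ADAccount -WhatIf      # drop -WhatIf to actually disable them

# 4. Domain controllers: list operating system versions so end-of-support hosts stand out.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog |
    Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run gives a cheap form of the "monitoring mechanism" the OIG asks for: a new name in Domain Admins, a privileged account flipped to PasswordNeverExpires, or a domain controller whose OS has not changed since its vendor support ended all show up as a line that was not there last time.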