Federal Deposit Insurance Corporation
Office of Inspector General
Federal Deposit Insurance Corporation - Office of Inspector General

Preventing and Detecting Cyber Threats

Tuesday, May 28, 2019

The Office of Inspector General (OIG) at the Federal Deposit Insurance Corporation (FDIC) issued an audit report assessing the effectiveness of two security controls intended to prevent and detect cyber threats on the FDIC’s network: Firewalls; and the Security Information and Event Management (SIEM) tool. The FDIC’s firewalls and SIEM tool operate in concert with other network security controls as part of a defense-in-depth cybersecurity strategy.

The FDIC has deployed firewalls at the perimeter and interior of its network to control the flow of information into, within, and out of the network. These network firewalls use rules to enforce what traffic is permitted. The FDIC’s SIEM tool operates to analyze network activity and detect indications of potential cyber threats that may have bypassed the firewalls and other security controls. The tool runs automated queries (known as “Use Cases”) to identify events or patterns of activity that may indicate a cyber attack.

We identified weaknesses that limited the effectiveness of the FDIC’s network firewalls and SIEM tool in preventing and detecting cyber threats, including:

  • The majority of firewall rules were unnecessary. Also, many firewall rules did not have sufficient justification. Several factors contributed to these weaknesses, including an inadequate firewall policy and supporting procedures, and an ineffective process for periodically reviewing firewall rules to ensure their continued need.

 

  • Firewalls did not comply with the FDIC’s minimally acceptable system configuration requirements. In addition, the FDIC did not update its minimum configuration requirements in a timely manner to address new security configuration recommendations by the National Institute of Standards and Technology (NIST).

 

  • The FDIC did not always require administrators to uniquely identify and authenticate when they accessed network firewalls.

We found that the FDIC properly set up the SIEM tool to collect audit log data from key network IT devices. In addition, the SIEM tool effectively formatted the data to allow for analysis of potential cyber threats. However, the FDIC did not have a written process to manage the ongoing identification, development, implementation, maintenance, and retirement of Use Cases for the SIEM tool.

We made 10 recommendations intended to strengthen the effectiveness of the FDIC’s network firewalls and SIEM tool in preventing and detecting cyber threats. The FDIC concurred with our recommendations.

PDF Report: 
Print Print
Close