a summary of gao’s review of information security (naba barkakati)

Post on 24-Jun-2015

206 views

Category:

Technology


1 download

TRANSCRIPT

Page 1: A summary of gao’s review of information security (naba barkakati)

A Summary of GAO’s Review of Information Security Controls over Financial Systems

Naba Barkakati, Ph.D.
Chief Technologist

U.S. Government Accountability Office (GAO)
441 G St NW, Washington, DC 20548

Email: [email protected]
Phone: 202-512-4499

Page 2

Outline

• Overview of GAO
• Methodology for information security controls reviews
• Common information security control weaknesses
• Summary / Q&A

Page 3

About GAO – investigative arm of Congress

U.S. Government Accountability Office (GAO)

• Non-partisan, independent agency
• “Congressional Watchdog”
• Assist Congress in carrying out its constitutional responsibilities
• Investigate all matters relating to the receipt, disbursement, and application of public funds
• Headed by Comptroller General (15 year term)
• 13 teams carry out the audit work related to GAO’s strategic goals
• Matrix management of “engagements”
• About 3,200 full-time-equivalent staff
• Washington DC + 11 field offices

GAO Web site: http://www.gao.gov

Page 4

GAO’s Organization and Work

• Oversight – preventing and detecting fraud, waste, abuse, and mismanagement
• Insight – making government more efficient and effective
• Foresight – identifying emerging issues
• Adjudication – resolving bid protests and providing legal opinions

Page 5

Assessing Information Security Controls
Part of Financial Audits at FDIC, SEC, IRS, …

• GAO reviews the information security controls over key financial systems at a number of agencies.

• The team uses the Federal Information System Controls Audit Manual* (FISCAM) for these reviews.

* See http://www.gao.gov/new.items/d09232g.pdf (Feb 2009)

Page 6

FISCAM Control Categories

• Security Management – the foundation of the security control structure and a reflection of senior management’s commitment to addressing security risks

• Access Controls – provide reasonable assurance that computer resources are protected against unauthorized modification, disclosure, loss or impairment

• Configuration Management – changes to hardware and software are authorized and systems are configured and operated securely and as intended

• Segregation of Duties – so that one individual does not control all critical stages of a process

• Contingency Planning – so that when unexpected events occur, critical operations continue and critical and sensitive data are protected
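The Segregation of Duties category above is the one of the five that an auditor can check mechanically from a role-assignment export. The following is an added example, not code from the slides or from GAO: it takes a role-to-stage mapping for a constructed payment process, a constructed policy of stage pairs that must not be held by one person, and a set of user-role assignments, and reports every user who holds a conflicting pair or controls every critical stage. All stage names, role names, users and the conflict policy are assumptions made for the example.

```python
"""Segregation-of-duties check over a role-assignment matrix.

Added example: the process, roles, conflict policy and users below are all
constructed for illustration, not taken from any agency or from the slides.
"""

# Critical stages of a sample payment process (constructed).
PAYMENT_STAGES = ("create_vendor", "enter_invoice", "approve_payment", "release_payment")

# Role -> set of stages that role lets a person control (constructed).
ROLE_STAGES = {
    "ap_clerk": {"enter_invoice"},
    "vendor_admin": {"create_vendor"},
    "ap_supervisor": {"approve_payment"},
    "treasury": {"release_payment"},
    "finance_admin": {"create_vendor", "enter_invoice", "approve_payment", "release_payment"},
}

# Pairs of stages that must never be held by a single individual (constructed policy).
CONFLICTING_PAIRS = {
    frozenset({"create_vendor", "enter_invoice"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
}


def stages_for_user(user_roles):
    """Union of the stages reachable through every role assigned to one user."""
    stages = set()
    for role in user_roles:
        stages |= ROLE_STAGES.get(role, set())
    return stages


def sod_violations(assignments, conflicting_pairs=CONFLICTING_PAIRS, process_stages=PAYMENT_STAGES):
    """Return {user: {"conflicts": [...], "controls_all_stages": bool}} for offending users only.

    A user is reported if any conflicting pair is a subset of the stages they
    control, or if they control every stage of the process (the slide's
    "one individual controls all critical stages" case).
    """
    findings = {}
    for user, roles in assignments.items():
        stages = stages_for_user(roles)
        conflicts = sorted(tuple(sorted(pair)) for pair in conflicting_pairs if pair <= stages)
        controls_all = set(process_stages) <= stages
        if conflicts or controls_all:
            findings[user] = {"conflicts": conflicts, "controls_all_stages": controls_all}
    return findings


# Constructed user-role assignments, as an export from an access-management tool might look.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_supervisor"],
    "carol": ["ap_clerk", "ap_supervisor"],   # enters and approves invoices: conflicting pair
    "dave": ["finance_admin"],                 # one role that spans every stage
    "erin": ["vendor_admin", "treasury"],      # two stages, but not a pair the policy forbids
}

if __name__ == "__main__":
    for user, finding in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(user, finding)
```

Because the check unions stages across all of a user's roles, it catches the common case where each role is clean on its own and the conflict only appears once two roles are combined on one account.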

Page 7

Overall Approach for FISCAM audits

1. Understand the environment, recognizing that information systems are similar across agencies but also unique to each one.
2. Identify high value networks and systems.
3. Test and verify that key (individual and collective) controls are operating as intended.
4. Assess identified vulnerabilities in the context of the overall control environment and their potential impact on the organization’s mission.

Page 8

Testing Access Controls

• Boundary protection

• Identification and authentication

• Authorization

• Cryptography

• Audit and monitoring, incident handling

• Physical security

Page 9

Typical Logical Access Control Weaknesses
Assessing vulnerabilities in context

[Figure: network diagram with numbered callouts 1–11 marking where each group of weaknesses was found; only the text of the callout boxes survives in this transcript.]

- Access lists not applied
- Unencrypted mgmt protocols

- Ineffective with encrypted traffic
- Full data capture not performed
- Default installations

- OS, DBMS & app servers not patched & vulnerable
- Unnecessary & vulnerable services
- Weak certificate management
- Weak session management
- Clear text passwords
- Application input not effectively validated
- Logging & monitoring ineffective
(See #9)

- OS & DBMS not patched & vulnerable
- Unnecessary & vulnerable services
- Poorly configured services
- Outdated & vulnerable applications
- Default & easily guessed passwords
- Excessive directory & file permissions
- Unencrypted or weak protocols
(See #9)

- Unpatched & vulnerable services
- Default SNMP Read/Write strings
- Network not segmented
- Access lists not applied
- Unencrypted mgmt protocols

- Unencrypted protocols
- Unauthorized wireless access points
- Terminates on internal network

- Excessive rules (in/out)

- Excessive rules (in/out)
- Unpatched & vulnerable FW & OS
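The four-step approach on Page 7 ends with assessing vulnerabilities in the context of the overall control environment, and Page 9 lists the weaknesses that such an assessment typically turns up. The following is an added example, not code from the slides or from GAO, that joins the two: it runs a handful of checks drawn from the Page 9 list (unencrypted management protocols, default SNMP community strings, permit-any firewall rules, default or easily guessed passwords, unpatched operating systems) over a constructed host inventory, then weights each finding by whether the host sits at the network boundary or inside it. The inventory format, the hosts and their settings, the patch cutoff date, the severity values and the zone weights are all assumptions made for the example.

```python
"""FISCAM-style logical access control checks, scored in context.

Added example: every host, service, credential, date and weight below is
constructed for illustration; nothing here describes a real agency system.
"""
from datetime import date

# Constructed inventory, as an auditor might assemble from configuration exports.
INVENTORY = [
    {"host": "edge-rtr-1", "zone": "boundary",
     "services": [{"proto": "telnet", "port": 23, "mgmt": True},
                  {"proto": "snmp", "port": 161, "community": "public"}],
     "os_patch_date": "2015-05-01"},
    {"host": "fw-1", "zone": "boundary",
     "services": [{"proto": "ssh", "port": 22, "mgmt": True}],
     "fw_rules": [{"src": "any", "dst": "any", "service": "any", "action": "permit"}],
     "os_patch_date": "2014-09-15"},
    {"host": "db-1", "zone": "internal",
     "services": [{"proto": "mysql", "port": 3306}],
     "accounts": [{"user": "root", "password": "root"}],
     "os_patch_date": "2015-06-01"},
    {"host": "app-1", "zone": "internal",
     "services": [{"proto": "https", "port": 443},
                  {"proto": "http", "port": 8080, "mgmt": True}],
     "os_patch_date": "2015-06-10"},
]

CLEARTEXT_MGMT_PROTOCOLS = {"telnet", "http", "ftp", "rsh"}   # management over these is unencrypted
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}                 # vendor defaults that should be changed
DEFAULT_PASSWORDS = {"admin", "root", "password", "changeme", ""}  # constructed list of easily guessed values
PATCH_CUTOFF = date(2015, 1, 1)        # constructed baseline: an OS last patched before this counts as unpatched
ZONE_WEIGHT = {"boundary": 3, "dmz": 2, "internal": 1}   # constructed: exposure multiplier per zone
BASE_SEVERITY = {                                         # constructed: severity before context is applied
    "unencrypted_mgmt_protocol": 3,
    "default_snmp_community": 3,
    "excessive_fw_rule": 3,
    "default_password": 3,
    "unpatched_os": 2,
}


def check_host(host):
    """Run the per-host checks; returns a list of (finding_kind, detail) tuples."""
    findings = []
    for svc in host.get("services", []):
        if svc.get("mgmt") and svc["proto"] in CLEARTEXT_MGMT_PROTOCOLS:
            findings.append(("unencrypted_mgmt_protocol", f"{svc['proto']}/{svc['port']}"))
        if svc["proto"] == "snmp" and svc.get("community") in DEFAULT_SNMP_COMMUNITIES:
            findings.append(("default_snmp_community", svc["community"]))
    for rule in host.get("fw_rules", []):
        # A permit rule with any source, any destination and any service is the "excessive rules" case.
        if rule["action"] == "permit" and {rule["src"], rule["dst"], rule["service"]} == {"any"}:
            findings.append(("excessive_fw_rule", "permit any -> any, any service"))
    for acct in host.get("accounts", []):
        if acct["password"] in DEFAULT_PASSWORDS or acct["password"] == acct["user"]:
            findings.append(("default_password", acct["user"]))
    if date.fromisoformat(host["os_patch_date"]) < PATCH_CUTOFF:
        findings.append(("unpatched_os", f"last patched {host['os_patch_date']}"))
    return findings


def audit(inventory):
    """Score every finding as base severity x zone weight and return them highest first.

    This is the "assess in context" step: the same weakness on a boundary
    device outranks it on an internal host because the exposure differs.
    """
    results = []
    for host in inventory:
        weight = ZONE_WEIGHT[host["zone"]]
        for kind, detail in check_host(host):
            results.append({"host": host["host"], "zone": host["zone"], "finding": kind,
                            "detail": detail, "score": BASE_SEVERITY[kind] * weight})
    results.sort(key=lambda r: (-r["score"], r["host"], r["finding"]))
    return results


if __name__ == "__main__":
    for r in audit(INVENTORY):
        print(f"{r['score']:>2}  {r['host']:<12} {r['zone']:<9} {r['finding']:<26} {r['detail']}")
```

The scoring is deliberately simple; what matters for the audit is that the ranking reflects where a host sits and what else protects it, which is why the zone weight is applied after the raw checks rather than folded into them.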

Page 10

Common Information Security Control Weaknesses for Financial Systems

• Inadequate password management for properly identifying and authenticating users (sharing passwords, passwords not adequately encrypted)

• Not sufficiently restricting user access to systems, including access to personally identifiable information

• Not using encryption to protect sensitive data and not using encrypted network protocols

• Lack of audit and monitoring of security-relevant events for databases

• Not effectively managing changes to software and hardware
• Inadequate physical protection of computer resources
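The first weakness on this slide, passwords not adequately encrypted, is concrete enough to show in code. The following is an added example, not code from the slides or from GAO: it places a credential-store record in the weak form (an unsalted fast hash) beside a hardened form (a per-user random salt with PBKDF2-HMAC-SHA256 and a constant-time comparison on verification), and adds a small audit routine that classifies the records in a store so that cleartext, unsalted hashes and under-parameterised KDF records are reported. The record format, field separator, iteration count, the 100,000-iteration audit threshold and the sample accounts are assumptions made for the example.

```python
"""Weak and hardened password storage, plus an audit over a credential store.

Added example: the record format, parameters and sample store are constructed
for illustration and are not from the slides or from any agency.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # constructed choice for the example
AUDIT_MIN_ITERATIONS = 100_000  # constructed audit threshold below which a KDF record is flagged


def store_weak(password):
    """What an inadequately protected record looks like: one unsalted MD5 digest.

    Identical passwords produce identical digests and a precomputed table
    reverses them, which is why this form is flagged by the audit below.
    """
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def store_hardened(password, salt=None):
    """Per-user random salt + PBKDF2-HMAC-SHA256; the record carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_hardened(password, record):
    """Recompute the derived key from the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def classify_record(record):
    """Audit helper: label how a single stored credential is protected."""
    if record.startswith("pbkdf2_sha256$"):
        iterations = int(record.split("$")[1])
        return "adequate" if iterations >= AUDIT_MIN_ITERATIONS else "weak_kdf_parameters"
    if record.startswith("md5$") or record.startswith("sha1$"):
        return "unsalted_fast_hash"
    return "cleartext"


def audit_store(records):
    """Return {user: label} for every record that is not adequately protected."""
    report = {}
    for user, record in records.items():
        label = classify_record(record)
        if label != "adequate":
            report[user] = label
    return report


# Constructed sample store: one cleartext entry, one unsalted hash, one hardened
# record, and one old KDF record whose iteration count is far too low.
SAMPLE_STORE = {
    "svc_batch": "Summer2015",
    "jdoe": store_weak("Summer2015"),
    "asmith": store_hardened("correct horse battery staple"),
    "legacy": "pbkdf2_sha256$1000$" + "00" * 16 + "$" + "11" * 32,
}

if __name__ == "__main__":
    for user, label in audit_store(SAMPLE_STORE).items():
        print(f"{user:<10} {label}")
```

Carrying the algorithm name and iteration count inside each record is what lets the audit run from the store alone, and it also lets the iteration count be raised later without changing the record format.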

Page 11

Key Reasons for Weaknesses

• Not fully implementing an agencywide information security program to ensure that controls are appropriately designed and operating effectively. Typical examples include:

• No senior agency information security officer
• No annual review of risk assessments for systems
• No comprehensive testing of the controls
• Not validating the effectiveness of remedial actions
• Not conducting the certification and accreditation (C&A) of key intermediary subsystems such as local spreadsheets and databases used in financial reporting

Page 12

Summary

• Despite continued progress, information security control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial information

• Agencies typically did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to their systems and information

• A key reason for these weaknesses is that each agency had not yet fully implemented its information security program to ensure that controls are appropriately designed and operating as intended