A Summary of GAO’s Review of Information Security Controls
over Financial Systems
Naba Barkakati, Ph.D.
Chief Technologist
U.S. Government Accountability Office (GAO)
441 G St NW, Washington, DC 20548
Email: [email protected] | Phone: 202-512-4499
Outline
• Overview of GAO
• Methodology for information security controls reviews
• Common information security control weaknesses
• Summary / Q&A
About GAO - investigative arm of Congress
U.S. Government Accountability Office (GAO)
• Non-partisan, independent agency
• “Congressional Watchdog”
• Assist Congress in carrying out its constitutional responsibilities
• Investigate all matters relating to the receipt, disbursement, and application of public funds
• Headed by Comptroller General (15 year term)
• 13 teams carry out the audit work related to GAO’s strategic goals
• Matrix management of “engagements”
• About 3,200 full-time-equivalent staff
• Washington DC + 11 field offices
GAO Web site: http://www.gao.gov
GAO’s Organization and Work
• Oversight – preventing and detecting fraud, waste, abuse, and mismanagement
• Insight – making government more efficient and effective
• Foresight – identifying emerging issues
• Adjudication – resolving bid protests and providing legal opinions
Assessing Information Security Controls
Part of Financial Audits at FDIC, SEC, IRS, …
• GAO reviews the information security controls over key financial systems at a number of agencies.
• The team uses the Federal Information System Controls Audit Manual* (FISCAM) for these reviews.
* See http://www.gao.gov/new.items/d09232g.pdf (Feb 2009)
FISCAM Control Categories
• Security Management – the foundation of the security control structure and a reflection of senior management’s commitment to addressing security risks
• Access Controls – provide reasonable assurance that computer resources are protected against unauthorized modification, disclosure, loss or impairment
• Configuration Management – changes to hardware and software are authorized and systems are configured and operated securely and as intended
• Segregation of Duties – so that one individual does not control all critical stages of a process
• Contingency Planning – ensuring that when unexpected events occur, critical operations continue and critical and sensitive data are protected
Overall Approach for FISCAM audits
1. Understand the environment, recognizing that information systems are similar across agencies but also unique to each one.
2. Identify high value networks and systems.
3. Test and verify that key (individual and collective) controls are operating as intended.
4. Assess identified vulnerabilities in the context of the overall control environment and their potential impact on the organization’s mission.
Testing Access Controls
• Boundary protection
• Identification and authentication
• Authorization
• Cryptography
• Audit and monitoring, incident handling
• Physical security
Typical Logical Access Control Weaknesses
Assessing vulnerabilities in context
[Figure: network diagram with components numbered 1 through 11, each annotated with a callout. Only the callout text survives extraction; the groups below follow the order in the extracted text, and the component each group annotates is not recoverable.]
- Access lists not applied
- Unencrypted mgmt protocols

- Ineffective with encrypted traffic
- Full data capture not performed

- Default installations
- OS, DBMS & app servers not patched & vulnerable
- Unnecessary & vulnerable services
- Weak certificate management
- Weak session management
- Clear text passwords
- Application input not effectively validated
- Logging & monitoring ineffective
(See #9)

- OS & DBMS not patched & vulnerable
- Unnecessary & vulnerable services
- Poorly configured services
- Outdated & vulnerable applications
- Default & easily guessed passwords
- Excessive directory & file permissions
- Unencrypted or weak protocols
(See #9)

- Unpatched & vulnerable services
- Default SNMP Read/Write strings
- Network not segmented
- Access lists not applied
- Unencrypted mgmt protocols

- Unencrypted protocols
- Unauthorized wireless access points
- Terminates on internal network

- Excessive rules (in/out)

- Excessive rules (in/out)
- Unpatched & vulnerable FW & OS
Common Information Security Control Weaknesses for Financial Systems
• Inadequate password management for properly identifying and authenticating users (sharing passwords, passwords not adequately encrypted)
• Not sufficiently restricting user access to systems, including access to personally identifiable information
• Not using encryption to protect sensitive data and not using encrypted network protocols
• Lack of audit and monitoring of security-relevant events for databases
• Not effectively managing changes to software and hardware
• Inadequate physical protection of computer resources
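The weaknesses listed above, and the callouts in the earlier diagram, are the kind of findings an auditor confirms host by host from collected configuration snapshots. The script below is an added example for this summary, not GAO or FISCAM tooling and not code from the presentation: it runs a handful of such checks (clear-text management protocols, default SNMP community strings, clear-text stored passwords, world-writable files, stale patching, disabled audit logging) over constructed host records and tags each finding with the FISCAM category it falls under. The record field names, the 90-day patch threshold, and the "a stored secret that does not start with `$` is not a hash" heuristic are assumptions made for the example.

```python
"""Configuration-review checks for the access-control weaknesses listed above.

Each host record is a constructed snapshot of settings an auditor might collect.
The field names are assumptions for this example, not a FISCAM data format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Management protocols that carry credentials or sessions in clear text.
UNENCRYPTED_MGMT = {"telnet", "http", "ftp", "snmpv1", "snmpv2c"}
# Well-known vendor default SNMP community strings.
DEFAULT_COMMUNITIES = {"public", "private"}
# Days since last patch beyond which a host is reported as not patched (assumed threshold).
PATCH_AGE_LIMIT_DAYS = 90


@dataclass(frozen=True)
class Finding:
    host: str
    category: str   # FISCAM category the weakness falls under
    weakness: str   # worded like the slide callouts
    evidence: str


def audit_host(host: Dict) -> List[Finding]:
    """Return the weaknesses present in one host snapshot."""
    name = host["name"]
    findings: List[Finding] = []

    clear = sorted(set(host.get("mgmt_services", [])) & UNENCRYPTED_MGMT)
    if clear:
        findings.append(Finding(name, "Access Controls", "Unencrypted mgmt protocols", ", ".join(clear)))

    for role, community in host.get("snmp_communities", {}).items():
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding(name, "Access Controls", "Default SNMP Read/Write strings", f"{role}={community}"))

    # Heuristic (assumption): modular-crypt hashes start with '$'; anything else is a clear-text secret.
    for account, secret in host.get("accounts", {}).items():
        if not secret.startswith("$"):
            findings.append(Finding(name, "Access Controls", "Clear text passwords", account))

    for path, mode in host.get("file_modes", {}).items():
        if mode & 0o002:  # world-writable bit set
            findings.append(Finding(name, "Access Controls", "Excessive directory & file permissions", f"{path} mode {oct(mode)}"))

    if host.get("days_since_patch", 0) > PATCH_AGE_LIMIT_DAYS:
        findings.append(Finding(name, "Configuration Management", "OS & DBMS not patched & vulnerable",
                                f"{host['days_since_patch']} days since last patch"))

    if not host.get("audit_logging", False):
        findings.append(Finding(name, "Access Controls", "Logging & monitoring ineffective", "audit logging disabled"))

    return findings


def audit_inventory(hosts: List[Dict]) -> List[Finding]:
    """Run the checks over every host and return all findings."""
    return [f for h in hosts for f in audit_host(h)]


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per weakness, the view a summary slide like the one above is built from."""
    return Counter(f.weakness for f in findings)


# Constructed sample inventory: a network device, a database server, and a hardened host.
SAMPLE_INVENTORY = [
    {"name": "core-router", "mgmt_services": ["ssh", "telnet", "snmpv2c"],
     "snmp_communities": {"read": "public", "write": "private"},
     "days_since_patch": 30, "audit_logging": True},
    {"name": "fin-db01", "mgmt_services": ["ssh", "https"],
     "accounts": {"svc_report": "Summer2019!", "dba": "$6$saltsalt$hashedvalue"},
     "file_modes": {"/opt/fin/export": 0o777, "/etc/app.conf": 0o640},
     "days_since_patch": 200, "audit_logging": False},
    {"name": "fin-app02", "mgmt_services": ["ssh"],
     "accounts": {"app": "$6$saltsalt$anotherhash"},
     "file_modes": {"/opt/app": 0o750},
     "days_since_patch": 10, "audit_logging": True},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.category:26} {f.weakness:40} {f.evidence}")
    print(summarize(audit_inventory(SAMPLE_INVENTORY)))
```

Each finding carries its evidence string so the result can be traced back to the snapshot field that produced it, which is what step 4 of the FISCAM approach (assessing a vulnerability in the context of the overall control environment) needs from a check like this.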
Key Reasons for Weaknesses
• Not fully implementing an agencywide information security program to ensure that controls are appropriately designed and operating effectively. Typical examples include:
• No senior agency information security officer
• No annual review of risk assessments for systems
• No comprehensive testing of the controls
• Not validating the effectiveness of remedial actions
• Not conducting the certification and accreditation (C&A) of key intermediary subsystems such as local spreadsheets and databases used in financial reporting
Summary
• Despite continued progress, information security control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial information
• Agencies typically did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to their systems and information
• A key reason for these weaknesses is that each agency had not yet fully implemented its information security program to ensure that controls are appropriately designed and operating as intended