An audit of cybersecurity measures at the Federal Deposit Insurance Corp. has identified multiple “ineffective” controls within the agency’s active directory.
According to the investigation, multiple privileged system users reused their passwords and shared passwords across multiple accounts. Other privileged users at the agency violated security protocols by failing to change passwords for over a year, auditors found.
In addition, the probe identified incorrect account configurations and found that in over 900 cases the accounts of users were not removed after they exceeded the required thresholds for account inactivity.
The report also found that three FDIC IT account users held privileged access for almost a year after the access was no longer required for their positions.
Microsoft’s Windows Active Directory is used by the agency for the central management of all IT system user credentials.
As a result of the audit findings, the FDIC IG has made 15 recommendations to the agency for improving security controls, which include providing password training and the removal of unnecessarily elevated domain privileges.
Details of the cybersecurity concerns come as the financial regulator receives heightened attention following the failure of Silicon Valley Bank.
At the time, the watchdog found that information used in FDIC’s cyber risk assessment program, known as InTREx, was outdated and that in some cases agency examiners were not completing tests.
The FDIC agreed with the audit findings and said it plans to take corrective actions in response to the concerns by March 31 next year.