Audit identifies ‘ineffective’ active directory security controls at FDIC

An investigation found privileged users at the agency were replicating passwords across multiple accounts.
The entrance to the Federal Deposit Insurance Corporation (FDIC). (Photo by George Rose/Getty Images)

An audit of cybersecurity measures at the Federal Deposit Insurance Corp. has identified multiple “ineffective” controls within the agency’s active directory.

In a report published on Thursday commissioned by the FDIC’s inspector general, examiners set out seven separate weaknesses found during a probe of the department’s systems.

According to the investigation, multiple privileged system users reused their passwords and shared passwords across multiple accounts. Other privileged users at the agency violated security protocols by failing to change passwords for over a year, auditors found.

In addition, the probe identified incorrect account configurations and found that in over 900 cases the accounts of users were not removed after they exceeded the required thresholds for account inactivity.


The report also found that three FDIC IT account users held privileged access for almost a year after the access was no longer required for their positions.

Microsoft’s Windows Active Directory is used by the agency for the central management of all IT system user credentials.

As a result of the audit findings, the FDIC IG has made 15 recommendations to the agency for improving security controls, which include providing password training and the removal of unnecessarily elevated domain privileges.

Details of the cybersecurity concerns come as the financial regulator receives heightened attention following the failure of Silicon Valley Bank.

The audit also follows a report published last month by its Office of Inspector General, which found that the FDIC is not doing enough to monitor cyber risks within the institutions it regulates.


At the time, the watchdog found that information used in FDIC’s cyber risk assessment program, known as InTREx, was outdated and that in some cases agency examiners were not completing tests.

The FDIC agreed with the audit findings and said it plans to take corrective actions in response to the concerns by March 31 next year.

Latest Podcasts