An inspector general report on a Federal Reserve audit raises more questions than it answers regarding the security risks facing one of the Fed's systems.
See Also: Rethinking Endpoint Security
The Office of the Inspector General for the Board of Governors of the Federal Reserve System and Consumer Financial Protection Bureau recently issued an executive summary of the audit, which focuses on the Fed's Statistics and Reserve System, or STAR. It recommends the Fed strengthen information controls related to planning; security assessment and authorization; contingency planning; auditing; access control; risk assessment; and system and information integrity.
"Given that this system is classified as a moderately critical system, we must appreciate that it will be targeted for intrusion and corruption."
STAR is a mainframe system developed in 1998 that supports the statistics and reserves functions at the Federal Reserve's Board and banks. The system collects and edits more than 75 periodic statistical reports that are received from financial institutions, according to OIG. In addition, the system manages financial institutions' reserve requirements and term deposits.
The system, which is being modernized to a Web-based application, is deemed a moderate-risk system, meaning a breach could place the agency at a significant disadvantage or result in major damage, requiring extensive repairs to assets or resources.
The IG says it did not publish the full audit - even a redacted version - "given the sensitivity of information security review work."
Spokespeople for the Federal Reserve and the IG declined to comment on whether the STAR system itself is at risk or whether it poses vulnerabilities for related Federal Reserve IT systems. A Fed spokesman says the organization will comply with the six recommendations the IG offered.
Although audits provide guidance to agencies to strengthen their systems, they also educate other agencies and the public about information security vulnerabilities. It's unfortunate the IG did not produce a redacted version of the audit that would have at least given some insight into the potential risks the Fed's system faces. Other agencies have protected details on security audits by blacking out sensitive areas while still furnishing insights on risks that need to be mitigated.
Sizing Up the Risk
To help assess whether the Fed system is at risk, I turned to IT security expert Tom Kellermann, chief cybersecurity officer at security provider Trend Micro. He says it's apparently possible that weaknesses in the STAR system could make other Fed systems vulnerable. "Watering hole attacks and integrity attacks are flourishing in the wild, and these pose the most severe threats to STAR," Kellermann says. And he sees as worrisome the IG's call for stronger controls to manage access, assess risk and strengthen information integrity.
Attacks against Web applications "metastasized" in 2015 with the availability of numerous hacker tools and exploit kits, Kellerman says. "Given that this system is classified as a moderately critical system, we must appreciate that it will be targeted for intrusion and corruption," he says. "Sophisticated hackers could leverage a watering hole attack wherein the STAR web application is polluted so that all users of STAR become compromised."
Data in the STAR system also could be at risk of being manipulated by intruders, Kellerman says. "We have seen Russian and Brazilian cybercriminals focus their attacks on the financial sector and have leveraged cyber conspiracies, which manipulated market data."
Kellerman's concerns might be justified. Then again, we don't know for sure, because of the dearth of information about this audit. IGs need to find a way to describe in all their audits more details on how to address IT security weaknesses while protecting sensitive information.