The Federal Housing Finance Agency (FHFA) Office of Inspector General (OIG) is warning the agency that it has serious cybersecurity flaws that leave its computer systems vulnerable to hackers, according to "penetration testing" conducted by the OIG. The findings appear in a report issued by the FHFA OIG itself.
Tests revealed “critical vulnerabilities” that increased the likelihood of successful hacking by bad actors, and the 38-page report details some instances in which the tests successfully breached FHFA’s computer security systems.
“In one instance, we gained access to a privileged user account that allowed us to view, edit, or save files on the local drive of any user’s laptop or desktop, including FHFA’s highest-level administrators,” the report states. “We were also able to promote the standard user account to domain administrator and gain full control over FHFA’s network. We had essentially unrestricted access to the agency’s information technology (IT) infrastructure.”
The report concluded that the security flaws were serious due to the sensitive nature of FHFA’s computer records.
“FHFA’s network and systems host a variety of data and information, such as financial reports and information from Fannie Mae and Freddie Mac, Universal Securitization Solutions LLC, the Federal Home Loan Banks, and the Finance Office, as well as personally identifiable information of FHFA employees,” the report states. “Effective configuration and control are therefore important to prevent unauthorized access to systems and information.”
The report also explained that the extent to which testers penetrated the agency’s computer systems showed that the security vulnerabilities discovered required immediate attention.
“The breadth, depth, and potential impact of the cybersecurity deficiencies are serious concerns and require immediate corrective action by FHFA management,” the report states. “Accordingly, we are reporting eight findings related to the control deficiencies that were identified.”
Potential consequences include compromising the “confidentiality, integrity, and availability of FHFA’s sensitive information,” such as obtaining personally identifiable information; extracting, deleting, or modifying sensitive agency information; and compromising credential systems, including usernames and passwords, which may impede FHFA’s ability to accomplish its mission.
At the conclusion of the report, FHFA management responded to each specific finding and proposed planned corrective actions. The OIG considers all of the planned corrective actions responsive to the objectives of its recommendations.
“Overall, we believe that FHFA management has responded to the recommendations in this report,” the OIG said. “These recommendations will remain open until we confirm that corrective actions have been fully implemented. Full text of FHFA’s written response […]”.
FHFA Chief Information Officer Luis Campudoni detailed the agency’s response to the report.
“I have tasked the Office of Technology and Information Management (OTIM) to develop and implement a comprehensive plan to correct these recommendations,” Campudoni wrote in a letter to the OIG. “I am committed to addressing the report’s underlying findings, and OTIM has initiated several remedial actions to address these recommendations.”