L21K0002 - Investigative Program Advisory Report (IPAR) Weaknesses in the Process for Handling Compromised Privileged Accounts - Date Issued: 09/24/2010

Published by the Department of Education, Office of Inspector General on 2010-09-24.


OFFICE OF INSPECTOR GENERAL
Information Technology Audits and Computer Crime Investigations

DATE:        September 24, 2010

TO:          Tony Miller
             Deputy Secretary

             William J. Taggart
             Chief Operating Officer
             Federal Student Aid

FROM:        Charles E. Coe Jr. /s/
             Assistant Inspector General
             Information Technology Audits and Computer Crime Investigations

SUBJECT: Investigative Program Advisory Report
         Weaknesses in the Process for Handling Compromised Privileged Accounts
         (09-220005) Control No. L21K0002

The Office of Inspector General (OIG) conducted an investigative project from February 1 to
June 30, 2010, to determine whether compromised privileged accounts were used by
unauthorized individuals and to evaluate the Department’s process for handling compromised
privileged accounts. During this project, OIG found that:

   •    FSA does not identify all individuals whose data were potentially compromised.
   •    The Department and FSA failed to conduct adequate log reviews of compromised
        privileged accounts to identify unauthorized activity.
   •    FSA keeps inadequate records of its remediation efforts for compromised privileged
        accounts.
   •    Two-factor authentication has not yet been required for remote access to Department and
        FSA systems.

To ensure that compromised privileged Department and FSA accounts are properly identified
and analyzed and to prevent unauthorized access to Department systems, we made four
recommendations:

   1. Identify all potentially compromised PII by analyzing all account activity during the
      period that the privileged account was compromised.
   2. Revise current methodology used to identify suspicious activity that indicates
      unauthorized access into privileged accounts. Log reviews of account activity should
      include, at a minimum, an analysis of originating IP addresses, login times, and amount
      of activity. If suspicious activity is identified, the user should be contacted to determine
      whether the user was responsible for the activity. Suspected unauthorized access to
      government systems should be immediately reported in accordance with Handbook
      OCIO-14, “Handbook for Information Security Incident Response and Reporting.”
    3. Track compromised accounts and PII and the date of compromise, account deactivations,
       owner/borrower notifications, and the date and results of the account log review.
    4. As recommended by OMB Memorandum M-06-16, implement two-factor authentication
       on any system where a user can log into a privileged account from the Internet, with an
       emphasis placed on financial systems and systems containing large volumes of PII.
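The log review described in recommendations 1 and 2 can be written down as a repeatable check rather than left to an analyst's judgement. The script below is an added example, not part of the OIG report and not a Department or FSA tool. Everything in it is an assumption made for illustration: the log format, the account name jdoe, the owner's network 10.1.0.0/16, the working hours, the per-hour view threshold, and the record identifiers. It applies the three minimum checks the report names (originating IP address, login time, and amount of activity) to every event of one privileged account inside its compromise window, and then, for recommendation 1, collects every record touched from a flagged source as potentially compromised PII.

```python
"""Log review for a compromised privileged account.

Added example (not from the OIG report): implements the minimum review the
report recommends -- originating IP, login time, and volume of activity --
over a constructed sample log. The account, IP ranges, hours, threshold and
record IDs are assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log (not real data): one privileged account, two days.
# Fields: timestamp, account, event, source IP, records touched ("-" if none).
SAMPLE_LOG = [
    "2010-03-01T09:02:11 jdoe LOGIN 10.1.4.20 -",
    "2010-03-01T09:05:40 jdoe VIEW 10.1.4.20 B-1001,B-1002",
    "2010-03-01T17:10:03 jdoe LOGOUT 10.1.4.20 -",
    "2010-03-02T02:14:55 jdoe LOGIN 203.0.113.77 -",
    "2010-03-02T02:15:10 jdoe VIEW 203.0.113.77 B-2001,B-2002,B-2003",
    "2010-03-02T02:15:31 jdoe VIEW 203.0.113.77 B-2004,B-2005",
    "2010-03-02T02:16:02 jdoe VIEW 203.0.113.77 B-2006",
    "2010-03-02T02:16:40 jdoe VIEW 203.0.113.77 B-2007,B-2008",
    "2010-03-02T02:17:09 jdoe VIEW 203.0.113.77 B-2009",
    "2010-03-02T08:58:00 jdoe LOGIN 10.1.4.20 -",
    "2010-03-02T09:30:00 jdoe VIEW 10.1.4.20 B-1003",
]

# Assumed baseline for the account owner: the networks they normally log in
# from, their normal hours, and the most records they touch in a busy hour.
OWNER_NETWORKS = [ip_network("10.1.0.0/16")]
WORK_HOURS = (time(7, 0), time(19, 0))
MAX_VIEWS_PER_HOUR = 4


def parse_log(lines):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in lines:
        ts, account, event, ip, records = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "event": event,
            "ip": ip_address(ip),
            "records": [] if records == "-" else records.split(","),
        })
    return events


def review_account(events, account, compromised_from, compromised_to):
    """Run the three checks on one account inside its compromise window.

    Returns (findings, affected): findings maps each flagged source IP to
    the reasons it was flagged; affected is the sorted list of record IDs
    touched from a flagged IP (the potentially compromised PII).
    """
    findings = defaultdict(set)
    views_per_hour = defaultdict(int)
    in_window = [e for e in events
                 if e["account"] == account
                 and compromised_from <= e["ts"] <= compromised_to]

    for e in in_window:
        # Check 1: originating IP outside the owner's known networks.
        if not any(e["ip"] in net for net in OWNER_NETWORKS):
            findings[e["ip"]].add("unknown source network")
        # Check 2: a login outside the owner's normal working hours.
        if e["event"] == "LOGIN" and not (WORK_HOURS[0] <= e["ts"].time() <= WORK_HOURS[1]):
            findings[e["ip"]].add("off-hours login")
        # Check 3: amount of activity, counted as records viewed per IP per hour.
        if e["event"] == "VIEW":
            key = (e["ip"], e["ts"].replace(minute=0, second=0))
            views_per_hour[key] += len(e["records"])
            if views_per_hour[key] > MAX_VIEWS_PER_HOUR:
                findings[e["ip"]].add("view volume above baseline")

    # Recommendation 1: every record touched from a flagged IP during the
    # window is potentially compromised PII whose owner must be identified.
    affected = sorted({r for e in in_window if e["ip"] in findings for r in e["records"]})
    return {str(ip): sorted(reasons) for ip, reasons in findings.items()}, affected


def review_sample():
    """Review the constructed log for jdoe over an assumed compromise window."""
    return review_account(parse_log(SAMPLE_LOG), "jdoe",
                          datetime(2010, 3, 1), datetime(2010, 3, 3))


if __name__ == "__main__":
    findings, affected = review_sample()
    for ip, reasons in findings.items():
        print(f"{ip}: {', '.join(reasons)}")
    print("potentially compromised records:", ", ".join(affected))
```

On the sample log the owner's daytime sessions from 10.1.4.20 pass all three checks, while the 02:14 session from 203.0.113.77 trips every one of them and the nine borrower records it viewed become the notification list for recommendation 1. In practice the baseline (networks, hours, threshold) would be drawn from the owner's history before the compromise date, and any flagged IP would go to the user for confirmation and, if unexplained, to incident reporting under OCIO-14.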

Attached is the subject Investigative Program Advisory Report (IPAR) that covers our review of
Weaknesses in the Process for Handling Compromised Privileged Accounts.

Corrective actions proposed (resolution phase) and implemented by your office will be
monitored and tracked in the Audit Accountability and Resolution Tracking System (AARTS).
The Office of the Chief Information Officer will be responding on behalf of the Office of the
Deputy Secretary. ED policy requires that you develop a final corrective action plan (CAP) for
our review in the automated system within 45 days of the issuance of this report. The CAP
should set forth the specific action items, and targeted completion dates, necessary to implement
final corrective actions on the findings and recommendations contained in this IPAR.

If you have any questions concerning this IPAR, please contact Special Agent in Charge, Mark
A. Smith at (202) 245-7019.


cc: Danny Harris, Chief Information Officer (CIO)
    Richard Gordon, CIO, FSA
    Charles Rose, General Counsel
    Phillip Loranger, Chief Information Security Officer
    Robert Ingwalson, Computer Security Officer, FSA