The Federal Housing Finance Agency (FHFA) Office of the Inspector General (OIG) has warned the agency that it has serious network security deficiencies that leave its computer systems vulnerable to hacking, based on “penetration testing” the OIG performed. This is according to a report issued by the FHFA OIG itself.
The testing revealed “serious vulnerabilities” that increase the likelihood of successful hacking attempts by bad actors, and the 38-page report detailed some of the instances in which the testing successfully breached FHFA computer security systems.
“In one instance, we gained access to a privileged user account that allowed us to view, edit, or save files on the local drives of any user’s laptop or desktop, including FHFA executives at the highest levels,” the report said. “We were also able to elevate a standard user account to a domain administrator and take full control of FHFA’s network. We essentially had unfettered access to the agency’s information technology (IT) infrastructure.”
The report characterizes the security deficiencies as gravely serious due to the sensitive nature of FHFA computer records.
“FHFA’s network and systems host a variety of data and information such as financial reports and data from Fannie Mae and Freddie Mac, Common Securitization Solutions, LLC, the Federal Home Loan Banks, and the Office of Finance, as well as FHFA employees’ personally identifiable information,” the report states. “As such, it is important that the configurations and controls in place are effective to prevent unauthorized access to systems and information.”
But the degree to which the testers were able to infiltrate the agency’s computer systems shows that the identified security vulnerabilities require immediate attention, the report explained.
“The breadth, depth, and potential impact of the network security deficiencies are serious matters that require prompt corrective action by FHFA management,” the report said. “Accordingly, we are reporting eight findings related to the identified control deficiencies.”
Some of the potential outcomes could include compromising “the confidentiality, integrity, and availability of FHFA’s sensitive information”: the theft of personally identifiable information; the extraction, deletion, or modification of sensitive agency data; the discovery of credentials, including usernames and passwords; and compromises of systems that could impede FHFA’s ability to accomplish its mission.
At the conclusion of the report, FHFA management responded to each of the individual findings and described the corrective actions it plans to take. The OIG considered all of the planned corrective actions to meet the intent of its recommendations.
“Overall, we consider FHFA management responsive to the recommendations in this report,” the OIG said. “These recommendations will remain open until we confirm that corrective actions have been fully implemented. FHFA’s written response, in its entirety […].”
Luis Campudoni, FHFA’s chief information officer, detailed the response of the agency to the report.
“I have tasked the Office of Technology and Information Management (OTIM) with developing and implementing a comprehensive plan to remediate the recommendations,” Campudoni wrote to the OIG. “I am committed to addressing the underlying report findings, and OTIM has already initiated several remediation actions to address the recommendations.”