BreachExchange mailing list archives

Federal Election Commission Faces Serious Security Failings, with Few Plans to Remedy

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Jan 2014 17:52:59 -0700

http://www.infosecurity-magazine.com/view/36296/federal-election-commission-faces-serious-security-failings-with-few-plans-to-remedy

Just weeks after the US Department of Energy was shown to have disregarded
proper cybersecurity measures, the Federal Election Commission (FEC) is
facing what an independent auditor calls “significant deficiencies” when it
comes to its cybersecurity posture.

The FEC in fact remained at “high risk for future network intrusions”.
However, the electoral watchdog said that it has little interest in
implementing even minimum IT security controls.

The audit firm, Leon Snead & Co., said in the audit that the FEC’s IT
security program does not meet government-wide best practice minimum
requirements in many areas. That includes carrying out due diligence as
part of an organization-wide risk management program, using
the risk management tools and techniques to implement and maintain modern
safeguards and countermeasures, and ensuring the necessary resilience to
support ongoing federal responsibilities, critical infrastructure
applications and continuity of government in the event of an attack.

The firm also found that risk analysis was not completed before the FEC
rejected even minimum IT security controls. And, the agency has a history
of this: independent evaluations performed since fiscal year 2004 have
continually reported significant weaknesses and noncompliance with IT best
practice standards within FEC’s IT security program areas reviewed.

At main issue is the fact that the FEC is exempt from the Federal
Information Security Management Act (FISMA), which requires certain
cybersecurity measures. But unlike other FISMA-exempt agencies, FEC has
refused to adopt as the agency’s IT security standard the IT security
controls and techniques released by the National Institute of Standards and
Technology (NIST).

FEC officials have said that the agency follows NIST best practices “where
applicable to their operations.” However, a security control assessment
report issued to FEC by an independent contractor in December 2008 found
that 40% of the IT security controls applicable to FEC’s IT environment had
been only partially implemented, or not implemented at all.

The decision to eschew the cybersecurity practices employed in other areas
of government is one that has already had significant ramifications. FEC
has experienced several serious data intrusions and information breaches in
the last few years. Leon Snead obtained information on two intrusions and
data breaches which, had FEC implemented government-wide minimum best
practice IT security controls, might have been prevented and/or detected
in a more timely manner.

In May 2012, the FEC was a victim of a network intrusion by an advanced
persistent threat (APT) that compromised several FEC systems and a
commissioner’s user account. For approximately eight months, the
Commissioner’s computer contained malware with the potential for a computer
hacker to access and obtain copies of matters under review by the agency,
including reports and briefs, and subpoenas, along with specific details on
the agency review processes and other sensitive FEC documentation and
sensitive personal identifiable information.

The agency hired a contractor to analyze this serious intrusion on FEC’s IT
systems, and to provide recommended solutions to eliminate any threat. The
contractor completed the analysis, and provided a report to FEC on October
5, 2012. However, almost one year after the report was issued, Leon Snead
was advised by FEC officials that the agency had not yet implemented any
significant portion of the contractor’s recommendations. It said that it is
now working on them.

A second intrusion occurred in August 2013, targeting the FEC’s website
(FEC.gov). The FEC had to disable use of certain features of the website to
conduct an analysis of the intrusion. But as FEC was working on remediating
the August 2013 intrusion, another intrusion was detected on the agency’s
website in early fiscal year 2014. The investigations continue.

“FEC will remain at high risk for intrusions and data breaches unless it
fundamentally changes its governance and management approach, and adopts a
risk-based IT security program that is based upon the federal government’s
IT security control standard – NIST best practices,” the auditors said.

It added, “Without a risk-based analysis and supporting evidence, FEC’s
critical IT security decisions are based upon whether the agency is exempt
from the legislative requirement, rather than assessing if the control
would provide an effective reduction of risks to the FEC’s information and
information systems.”

The firm made a number of recommendations, including formally adopting the
NIST IT security controls, and other applicable guidance that provides best
practice IT security control requirements. OCIO officials advised that its
IT security officer will review those for possible implementation in fiscal
year 2014. But, FEC said that it “does not agree to formally adopt NIST
guidelines.”

“While OCIO officials have advised that they will ‘review’ the NIST minimum
control requirements, they have again stated that they will not adopt the
federal government’s minimum IT security controls best practices,” the firm
said. “Until FEC adopts these minimum controls, as other federal agencies
have done that are also exempt, FEC will remain at high risk.”