Data Insider: Digital Guardian's Blog

SSA Has Weaknesses to Address to Prevent, Detect Malicious Activity

by Chris Brook on Wednesday December 11, 2019


Deficiencies in the Social Security Administration's ability to protect sensitive data could impact the confidentiality and integrity of its systems and personally identifiable information, a new report says.

Between Social Security reform, never-ending scams targeting retired seniors, and the usual financial security threats, the Social Security Administration no doubt has enough on its plate this holiday season.

Judging by a recent Federal Information Security Management Act (FISMA) audit, the agency has a number of outstanding cybersecurity issues it needs to pay attention to as well.

According to the audit, carried out by auditor Grant Thornton, the SSA has met a number of requirements stipulated by FISMA, the Office of Management and Budget, and the National Institute of Standards and Technology - but several weaknesses remain.

In particular, the SSA needs to improve how it prevents and detects malicious activity. It's not that controls don't exist - they do - they're just not designed or implemented as intended, according to the auditor. That could open the agency, its network, and its devices up to data loss, the report warns.

While the audit, which was requested by the SSA’s Office of Inspector General, isn’t public, a summary of the audit was made public last week.

In it, Grant Thornton acknowledges the agency has no shortage of policies, procedures, and technical controls - it's just that they aren't fine-tuned to handle today's threats.

“Without appropriate security, SSA may not be able to protect its mission-critical assets adequately,” the report summary reads. “Additionally, some deficiencies could negatively affect the confidentiality, integrity, and availability of the Agency’s systems and personally identifiable information.”

Specifically, the auditor was asked to test the SSA’s controls around malware introduced by phishing emails, mainly how they handle identifying, logging, analyzing, blocking, containing, and reporting malicious activity. Once a threat is sniffed out, the auditors were also interested in seeing how the agency handles data exfiltration attempts and command-and-control payloads.

The findings echo a report issued by the U.S. Senate's Committee on Homeland Security and Governmental Affairs earlier this summer that found that many federal agencies are unprepared to "confront the dynamic cyber threats of today."

In that report, the subcommittee, also working with Grant Thornton, found that while the SSA's information security program was consistent with FISMA requirements, it was ineffective in all five NIST security functions. Patches weren't applied in a timely fashion, the SSA failed to keep an adequate inventory of its IT assets, and its identity and access management hygiene was severely lacking, according to the report.

It's not like the SSA hasn't been taking steps toward fortifying its security; it just sounds like the agency has been working harder at fighting fraud. It partnered with its Inspector General last month to announce a new online reporting form for imposter scam calls. Earlier this year it worked with the OIG to debut a new anti-fraud unit - an entity that complemented a public service announcement campaign it launched in March to combat fake phone calls from criminals pretending to be SSA employees.

According to the summary of last week's report, SSA officials agreed with Grant Thornton's recommendations - also not disclosed in the summary report - and will make the necessary moves to address its findings.

Social Security card image via frankieleon's Flickr photostream, Creative Commons

Tags: Government


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.