The General Accounting Office (GAO) criticized the Bureau of the Fiscal Service, which is part of the U.S. Department of the Treasury, over new and old cybersecurity problems in a new audit.

The GAO found several new and unresolved deficiencies related to information system general controls in the areas of security management, access controls, and configuration management.

The issues were raised in the GAO’s 2018 Financial Audit of the Bureau of the Fiscal Services are listed under a section named “Significant Deficiency in Information System Controls.” The report does not name the deficiencies in question, but notes “these general control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations.”

Other problems with prior problems pointed out by the GAO were even when a cybersecurity issue was resolved the action only fixed the problem superficially and did not adequately resolved the underlying causes.

“Specifically, we found that Fiscal Service either had not adequately enhanced its policies and procedures or had not developed and implemented processes to reasonably assure compliance with such policies and procedures. As a result, many of the previously reported information system control deficiencies that Fiscal Service informed us it had addressed continued to be present,” the report stated.

The GAO also found problem with how Fiscal Service’s corrective action plan citing it did not include include descriptions of the problems along with detailed planned corrective actions so allow for a common understanding of the problems or the steps and resources needed to fully resolve them. Specifically, the report found ongoing instances where mainframe security controls were not employed in accordance with the concept of least privilege, some of which represent potentially significant security exposures.

“We also identified new deficiencies, such as Fiscal Service’s use of a tool for identifying changes to key mainframe data sets that was not properly configured to send alerts to the organizational unit responsible for monitoring such changes,” the report said.

“It’s great that an audit found this key vulnerability. However, well-designed network security systems should already employ both internal and external protective technologies to prevent successful attackers from stealing data.  These new protective systems, such as Threat Intelligence Gateways, can protect the enterprise from yet unknown vulnerabilities, long before an audit finally discovers them,” Steven Rogers, CEO of Centripetal.

Rogers added that all the systems should employ advanced intelligence in their security stacks such as external threat intelligence-based and internal rule-based systems that will detect an issue before it is exposed.

“They shouldn’t wait for a vulnerability to be exposed before doing anything.  With the aforementioned technologies in place, the practical effect of a vulnerability would be mitigated. The agency should still find and fix potential vulnerabilities, but if these protective systems are in place, the attacker will be stopped anyway,” Rogers said.