BreachExchange mailing list archives

Report: 4 in 10 Government Security Breaches Go Undetected


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 5 Feb 2014 19:12:04 -0700

http://freebeacon.com/report-4-in-10-government-security-breaches-go-undetected/

A new report by Sen. Tom Coburn (R., Okla.) details widespread
cybersecurity breaches in the federal government, despite billions in
spending to secure the nation's most sensitive information.

The report, released on Tuesday, found that approximately 40 percent of
breaches go undetected, and highlighted "serious vulnerabilities in the
government's efforts to protect its own civilian computers and networks."

"In the past few years, we have seen significant breaches in cybersecurity
which could affect critical U.S. infrastructure," the report said. "Data on
the nation's weakest dams, including those which could kill Americans if
they failed, were stolen by a malicious intruder. Nuclear plants'
confidential cybersecurity plans have been left unprotected. Blueprints for
the technology undergirding the New York Stock Exchange were exposed to
hackers."

Nearly every agency has been attacked, including the Departments of
Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce.
NASA, the EPA, the FDA, the U.S. Copyright Office, and the National Weather
Service have also been hacked or had personal information stolen.

In one example, hackers breached the national Emergency Broadcast System in
February 2013 to broadcast "zombie attack warnings" in several midwestern
states.

"Civil authorities in your area have reported that the bodies of the dead
are rising from their graves and attacking the living," the message said.
"Do not attempt to approach or apprehend these bodies as they are
considered extremely dangerous."

"These are just hacks whose details became known to the public, often
because the hackers themselves announced their exploits," the report said.
"Largely invisible to the public and policymakers are over 48,000 other
cyber 'incidents' involving government systems which agencies detected and
reported to DHS in FY 2012."

Even worse, nearly four in 10 intrusions into major civilian agencies go
undetected, according to the report.

"Weaknesses in the federal government's own cybersecurity have put at risk
the electrical grid, our financial markets, our emergency response systems,
and our citizens' personal information," Coburn, ranking member of the
Homeland Security and Governmental Affairs Committee, said in a statement.
"While politicians like to propose complex new regulations, massive new
programs, and billions in new spending to improve cybersecurity, there are
very basic--and critically important--precautions that could protect our
infrastructure and our citizens' private information that we simply aren't
doing."

The report places much of the blame on basic "lapses by the federal
government," including failures to address routine security, such as
changing passwords and installing anti-virus software.

Based on more than 40 audits by agency watchdogs, the report takes a closer
look at the worst offenders, including the departments of Homeland
Security, Energy, Education, the Securities and Exchange Commission, and
the IRS.

Each year the Government Accountability Office (GAO) identifies roughly 100
cybersecurity weaknesses within the IRS, whose computers "hold more
sensitive data on more Americans than those of perhaps any other federal
component."

IRS computers had over 7,000 "potential vulnerabilities" as of March 2012,
due to the failure to install "critical" security software, a problem the
agency said would be fixed within 72 hours. Instead, it took an average of
55 days to install the patches.

Vulnerabilities at the agency leave vast amounts of personal information at
risk, since the IRS collects Americans' "credit card transactions, eBay
activities, Facebook posts, and other online behavior," according to the
report.

DHS, which was put in charge of government cybersecurity in July 2010, also
has hundreds of security flaws, including "failures to update basic
software like Microsoft applications, Adobe Acrobat, and Java, the sort of
basic security measure just about any American with a computer has
performed."

Only 72 percent of DHS Internet traffic passes through Trusted Internet
Connections (TICs), and the agency has failed to install security patches
on servers that contain intelligence from the U.S. Secret Service.

The Nuclear Regulatory Commission, which contains volumes of information on
the nation's nuclear facilities, "regularly experiences unauthorized
disclosures of sensitive information," according to the report.

The agency has "no official process for reporting" breaches, cannot keep
track of how many laptops it has, and kept information on its own
cybersecurity programs, and its commissioner's "passport photo, credit card
image, home address, and phone number," on an unsecured shared drive.

The Department of Education is also a concern since it manages $948 billion
in student loans made to more than 30 million borrowers. The agency's
computers contain "volumes of information on those borrowers," including
loan applications, credit checks, and repayment records.

The department's Federal Student Aid (FSA) office reported 819 compromised
accounts in 2011 and 2012, and the agency only reviewed 17 percent of those
accounts to determine if malicious activity occurred.

The report notes that federal efforts have failed to improve the
government's cybersecurity. The Federal Information Security Management Act
of 2002 requires agencies to implement security safeguards, and the
government has spent $65 billion on IT security since 2006, though breaches
remain widespread.

"More than a decade ago, Congress passed a law making the White House
responsible for securing agency systems," Coburn said. "It's still not
happening."

"They need to step up to the job, and Congress needs to hold the White
House and its agencies accountable," he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/