BreachExchange mailing list archives

GAO: Fifty Percent of Feds Aren't Informed of Cyber Risks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Sep 2013 22:36:55 -0600

http://www.nextgov.com/cio-briefing/2013/09/gao-50-percent-feds-arent-informed-cyber-risks/70916/

Federal agencies for 15 years have been unable to move cybersecurity off a
list of the government's most imperiled programs, with a new audit
revealing that the number of agencies that annually train employees on
security has declined to only half. Note to feds: National Cyber Security
Awareness Month starts on Tuesday.

Perennial weaknesses in government network security endanger national
security because of the pervasiveness of the Internet and ever more
sophisticated cyber threats, according to a Government Accountability
Office report released on Thursday afternoon.

In fiscal 2012, 12 of the 24 major federal agencies provided annual
security awareness training to at least 90 percent of their network users,
compared with 22 of 24 agencies the prior year.

These and other "weaknesses show that information security continues to be
a major challenge for federal agencies," the audit states. "Until steps are
taken to address these persistent challenges, overall progress in improving
the nation's cybersecurity posture is likely to remain limited."

The report does not break down findings by agency.

"We have identified the protection of federal information systems as a
governmentwide high-risk area since 1997," the audit continues. "Since that
time, we have issued numerous reports making recommendations to address
weaknesses in federal information security programs."

GAO officials described a mixed bag of results. More agencies have created
programs to manage information security risk. Specifically, 18 of 24
agencies in fiscal 2012 implemented such programs compared to 8 of 24 the
previous year. Most agencies document security policies and procedures, but
they often don't follow their own rules.

For example, requisite controls intended to limit access to data, hardware
and computer facilities were feeble at all but one agency. "Some users
shared accounts at one agency, and administrators shared accounts for
multiple systems at another agency . . . Other agencies had weak password
controls, including systems with passwords that had not been changed from
the easily guessable default passwords supplied by the vendor," the report
states.

During the past six years, the number of cyber incidents reported by
federal agencies has increased from 5,503 to 48,562, a 782 percent
increase. It is unclear whether the increase is due to more attempted hacks
or better detection.

Most incidents reported during fiscal 2012 involved leaks of printed
personal information, data policy violations, or the presence of malicious
software, according to auditors.

The government's overall approach to minimizing cyber risks needs an
upgrade, the report suggests. Auditors complained the current strategy
focuses on check-the-box exercises to confirm controls are in place, rather
than checking that the controls are effective.

Responding to a draft report, federal officials pointed to a new potential
$6 billion contract aimed precisely at addressing this shortcoming. The
Homeland Security Department is paying to offer agencies packages of
sensors, risk-status displays and professional consulting that gauge, in
near real-time, whether controls are working.

With the advent of this technology, "the focus will shift to security
outcomes and prioritization of risks, whereas under the current compliance
framework, specific data as to the effectiveness of mitigations and the
true cost of non-compliance remain limited," Jim Crumpacker, DHS director
of the GAO liaison office, wrote in a Sept. 13 letter.

Sen. Tom Coburn, R-Okla., ranking Republican on the Homeland Security and
Governmental Affairs Committee, said in a statement on Thursday, "Today's
report confirms a disturbing fact: the federal government still has miles
to go to protect its own systems from cyber-attacks. It is Congress' first
duty to protect these public systems, and I plan on working further with
Chairman [Sen. Tom Carper, D-Del.] on crafting legislation to safeguard
these networks."

The current law governing agency cybersecurity, the 2002 Federal
Information Security Management Act (FISMA), is generally considered outdated.

Carper added, "I continue to work closely with my colleagues in the Senate
and House, especially Dr. Coburn, on bipartisan legislation that will
address the very serious cyber threats facing our country, including
updating our current FISMA framework to provide continuous, real-time
security."

It is widely believed that cybersecurity measures are unlikely to pass any
time soon, given citizen concerns about government Internet surveillance,
industry opposition to new regulations, and higher legislative priorities,
such as funding the government.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss