Information Security News mailing list archives

Most Federal Agencies Unable To Spot Cyber-Attacks - OMB


From: InfoSec News <isn () c4i org>
Date: Fri, 15 Feb 2002 04:03:27 -0600 (CST)

http://www.newsbytes.com/news/02/174514.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
14 Feb 2002, 1:06 PM CST

Most federal agencies do not manage their information technology
resources well enough to detect or defeat computer viruses and hacker
attacks, the White House said in a report released Wednesday.

Far too many agencies have virtually no meaningful system to test or
monitor system activity and therefore are unable to detect intrusions,
suspected intrusions, or virus infections, the OMB said.
 
In its analysis of security audits conducted at 50 federal agencies
the OMB identified six government-wide security problems, including a
lack of policies and programs in place to detect, report or share
information on security vulnerabilities or attacks.

The report also notes that most employees lack basic awareness or
education about computer security. In addition, few agencies routinely
ensure that contractors meet minimum security requirements and
background checks, the OMB said.

The OMB report found no correlation between the amount each agency
spent on IT security and its overall performance in that arena.

At this point, there is no evidence that poor security is a result of
a lack of money, the OMB said.

Last year, the federal government spent $2.7 billion on computer
security, out of a total $48 billion in IT investments. This year, the
OMB expects federal agencies will spend roughly double that amount -
$4.2 billion out of a total IT budget of $52 billion.

Under the Government Information Security Reform Act of 2000, agencies
are required to assess and test the security of their non-classified
information systems.

Agencies are graded on the results of penetration testing and overall
security, and the reports are tied to each agency's budget request.

Last year's round of penetration tests showed nearly all federal
agencies earned a grade of D or lower for computer security,
prompting the OMB to pledge it would soon begin to kill funding for
projects that consistently fail to meet minimum security requirements.

The lone exception cited in the OMB report was the Department of
Defense, which maintained a consistent record of training employees
and screening IT security contractors, the agency said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.