[ISN] Most Federal Agencies Unable To Spot Cyber-Attacks - OMB

From: InfoSec News (isnat_private)
Date: Fri Feb 15 2002 - 02:03:27 PST

    By Brian Krebs, Newsbytes
    14 Feb 2002, 1:06 PM CST

    Most federal agencies do not manage their information technology
    resources well enough to detect or defeat computer viruses and hacker
    attacks, the White House said in a report released Wednesday.

    Far too many agencies have virtually no meaningful system to test or
    monitor system activity and therefore are unable to detect intrusions,
    suspected intrusions, or virus infections, the OMB said.

    In its analysis of security audits conducted at 50 federal agencies
    the OMB identified six government-wide security problems, including a
    lack of policies and programs in place to detect, report or share
    information on security vulnerabilities or attacks.

    The report also notes that most employees lack basic awareness or
    education about computer security. In addition, few agencies routinely
    ensure that contractors meet minimum security requirements and
    background checks, the OMB said.

    The OMB report found no correlation between the amount each agency
    spent on IT security and its overall performance in that arena.

    At this point, there is no evidence that poor security is a result of
    a lack of money, the OMB said.

    Last year, the federal government spent $2.7 billion on computer
    security, out of a total $48 billion in IT investments. This year, the
    OMB expects federal agencies will spend roughly double that amount -
    $4.2 billion out of a total IT budget of $52 billion.

    Under the Government Information Security Reform Act of 2000, agencies
    are required to assess and test the security of their non-classified
    information systems.

    Agencies are graded on the results of penetration testing and overall
    security, and the reports are tied to each agency's budget request.

    Last year's round of penetration tests showed nearly all federal
    agencies earned a grade of D or lower for computer security,
    prompting the OMB to pledge it would soon begin to kill funding for
    projects that consistently fail to meet minimum security requirements.

    The lone exception cited in the OMB report was the Department of
    Defense, which maintained a consistent record of training employees
    and screening IT security contractors, the agency said.
