[ISN] GAO: Feds miss mark on security reporting

From: InfoSec News (isn@private)
Date: Tue Jun 14 2005 - 09:48:42 PDT


http://www.fcw.com/article89234-06-13-05-Web

By Florence Olsen
June 13, 2005

Federal agencies need more detailed instructions to handle and report 
computer security threats, such as phishing, spyware and hacking, 
government auditors said in a report released today. 

Government Accountability Office auditors have found that most federal 
officials do not understand which computer security incidents they 
should report or how and to whom they should report them, even though 
such reporting is mandatory under the Federal Information Security 
Management Act.

As a result, the Homeland Security Department's U.S. Computer 
Emergency Readiness Team, which handles incident reporting, is unable 
to coordinate and respond to cyberthreats that target multiple federal 
agencies. 

To remedy the lack of accurate and comprehensive reporting, the 
auditors recommended that Office of Management and Budget officials 
increase their oversight of agencies' efforts to detect, report and 
respond to emerging cybersecurity threats. 

The report identifies the perpetrators of such threats as hackers, 
insiders, phishers, spammers and botnet operators. Botnet operators 
control computers infected with "bot" viruses, which the operators use 
in denial-of-service attacks against targeted Web sites.

The auditors also asked OMB officials, in coordination with DHS 
cybersecurity experts and the U.S. attorney general, to develop 
governmentwide guidelines on how to deal with such threats and how to 
report them to DHS and law enforcement agencies.

In their response to the report, OMB officials agreed to expand their 
FISMA reporting requirements to include agencies' response to emerging 
threats. They also plan to issue a document this summer that will 
define computer incident terms and clarify the roles and 
responsibilities of federal agencies for reporting computer security 
incidents.

The additional guidelines are needed, the auditors said, because most 
agencies have not fully addressed the risks of new cybersecurity 
threats as part of their agencywide information security programs.

This archive was generated by hypermail 2.1.3 : Tue Jun 14 2005 - 10:05:34 PDT