http://blog.washingtonpost.com/securityfix/2006/03/omb_modest_improvement_in_fede.html

By Brian Krebs
March 7, 2006

Federal government agencies have improved their overall computer and network security over the past year, but many agencies are still not doing enough to secure their systems against viruses and other cyber attacks, according to an annual report released by The White House last week.

The White House's Office of Management and Budget issued the findings as part of its yearly review of how well agencies are meeting the standards set forth in the Federal Information Security Management Act (FISMA), which establishes specific requirements for information security programs at federal agencies. Lawmakers in the U.S. House have used OMB's findings for the past several years to issue "computer security report cards" to federal agencies. Last year, the House Government Reform Committee awarded federal agencies a combined grade of "D-plus" for security in 2004, up from a "D" in 2003. Another round of report cards is likely to be issued later this month.

Among the improvements in 2005, the OMB cited a 32 percent increase in the number of federal systems that were certified and accredited as secure, a 28 percent increase in the number of systems tested with cyber attack contingency plans, and "modest" increases in the development of agencywide plans to address persistent computer security problems.

However, the OMB also pointed to continued weaknesses in several key areas, including the oversight of work done by outside contractors. According to the report, at least six of the 24 agencies reviewed said they only "rarely" or "sometimes" reviewed whether work done by contractors met the government's minimum security requirements. The report also cited a 4 percent drop in the number of systems tested annually for computer security weaknesses.
The OMB found that federal agencies spent $5 billion securing government systems -- or 8 percent of the total federal information-technology budget of $62 billion. During this period, the total number of reported computer systems increased by 19 percent to 10,289.

The Department of Homeland Security, which is trying to keep track of digital attacks against federal civilian systems, tracked 3,569 reported security "incidents" in 2005. These ranged from infections by computer viruses and worms to distributed denial-of-service attacks, which use thousands of hacked PCs to overwhelm a Web site with so much traffic that legitimate users are shut out. Of those incidents, 1,806 involved some type of malware and 31 were distinct DDOS attacks. Another 304 were related to some form of unauthorized access.

But according to OMB, those numbers almost surely mask a much larger number of attacks: "DHS continues to find sporadic reporting by some agencies and unusually low levels of reporting by others. Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event, e.g., the widespread propagation of an Internet worm."

OMB said that in an effort to address this problem, DHS has installed at three agencies (and has funding to install at six others) an automated tool that "monitors network flow information and ... transmits data to DHS." The White House didn't elaborate on what kind of monitoring that "tool" does exactly, but it probably warrants closer scrutiny.

_________________________________
InfoSec News
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Tue Mar 07 2006 - 23:17:43 PST