[ISN] Government still suffers from information insecurity

From: InfoSec News (alerts@private)
Date: Tue Feb 19 2008 - 01:02:25 PST


http://www.govexec.com/dailyfed/0208/021508j1.htm

By Jill R. Aitoro  
Govexec.com  
February 15, 2008

Federal agencies continue to struggle with information security, 
according to a new report from the Government Accountability Office. 
Weak access controls, network device configuration, and management 
procedures leave systems vulnerable to malicious attacks and data at 
risk of exposure.

The report (GAO-08-496) [1], which GAO presented to Congress during a 
hearing Thursday, summarized agency progress in performing key control 
activities, the effectiveness of information security efforts, and 
opportunities to strengthen security, based upon prior audits, federal 
policies, and inspectors general reports.

"Significant weaknesses continue to threaten the confidentiality, 
integrity, and availability of critical information and information 
systems used to support the operations, assets and personnel of federal 
agencies," the report said. In their fiscal 2007 performance and 
accountability reports, 20 of 24 major agencies indicated that 
inadequate information security controls were either a significant 
deficiency or a material weakness. GAO audits returned similar findings 
for financial and non-financial systems.

Such weaknesses resulted in a number of reported breaches by agencies, 
and an increase in security incidents reported to the U.S. Computer 
Emergency Readiness Team (US-CERT) from 3,634 in fiscal 2005 to 13,029 
in fiscal 2007.

GAO organized the most significant information security weaknesses 
facing agencies into five categories: access controls that ensure only 
authorized users can view and alter data; software configuration 
management controls; separation of duties, which offers checks and 
balances over users' network activities; continuity of operations 
planning to minimize the risk of system outages in emergencies; and 
agencywide information security programs that meet the requirements of 
the 2002 Federal Information Security Management Act by properly 
assessing risk and defining policies for preventing data breaches.

In the area of access controls, GAO found that 19 of 24 major agencies 
reported weaknesses, including failure to identify and authenticate 
users, enforce measures to ensure access is appropriate, encrypt 
sensitive data on networks and mobile devices, and monitor network 
activities.

GAO pointed to failure to implement security programs as a primary cause 
of information security weaknesses. In one case, an agency assessed its 
security risk without any inventory of interconnections between systems. 
In another, an agency overlooked a number of vulnerabilities that GAO 
later identified. Program guidelines and testing are often insufficient 
or out of date, and training of employees on protocols for ensuring 
information security is lacking, auditors found.

Some progress in information security has been made. According to the 
Bush administration's proposed fiscal 2009 budget, the percentage of 
certified and accredited systems rose from 88 percent to 92 percent in 
2007, and testing of security controls increased from 88 percent to 95 
percent of systems. Contingency plan testing increased from 77 percent 
to 86 percent, and 76 percent of agencies had an effective process in 
place for identifying and correcting weaknesses using management 
processes.

"The government has made progress in writing reports, but no progress in 
improving the [aspects of] security that matter -- keeping the wrong 
people out," said Alan Paller, director of research at the SANS 
Institute, a nonprofit cybersecurity research organization in Bethesda, 
Md. Paller also testified at the hearing, arguing that FISMA 
requirements laid out by the National Institute of Standards and 
Technology need to be prioritized.

Currently, agencies receive a list of standards required for FISMA 
compliance, and are scored according to the percentage met. "When you 
have children, there will be a time where you want them to do homework 
along with 10 other things," Paller said. "If you score them on the 
percentage of what they complete, and the homework is hard, they'll do 
all the other stuff that matters a whole lot less because it's easy."

Another way to improve information security in the federal government is 
to have vendors "bake it in with every procurement," Paller said. He 
pointed to a mandate from the Office of Management and Budget requiring 
agencies that run, or plan to run, Windows XP or Vista to adopt a 
specific security configuration. The guidelines include recommended 
language for use in bids for technology to ensure contractors 
incorporate the proper security configurations with procured systems.

"It's brilliant," Paller said. "It's the best thing at a high level 
going on in government to promote information security."

[1] http://www.gao.gov/new.items/d08496t.pdf
