Weak security policies and practices in nearly all 24 major federal agencies in 2008 have resulted in exposing personally identifiable information of Americans, according to a new report from the Government Accountability Office (GAO).
"An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," according to the GAO report, issued Monday. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise."
Federal agencies have reported some progress, providing awareness training for employees and testing system contingency plans, the GAO said. Still, employees with significant security responsibilities are not getting enough security training, and known vulnerabilities remain wide open.
The GAO conducts a periodic review of information security policies and procedures at federal agencies. Inspectors general review agency conformity to the Federal Information Security Management Act of 2002 (FISMA) and report their findings to Congress.
The number of security incidents reported by federal agencies to the United States Computer Emergency Readiness Team (US-CERT) rose by more than 200% over the past three years, increasing from 5,503 incidents reported in fiscal year 2006 to 16,843 incidents in fiscal year 2008.
Incidents continue in 2009, according to the report, as a wide range of issues have been reported to US-CERT involving data loss or theft, computer intrusions and privacy breaches. The three most prevalent types of incidents reported to US-CERT during fiscal years 2006 through 2008 were unauthorized access (gaining logical or physical access without permission to a federal agency's network, system, application, data or other resource), improper usage (violations of acceptable usage policies), and investigation (potentially malicious activity).
Inadequate security policies played a large role in the incidents, according to the GAO. Twenty of the 24 agencies indicated that inadequate information security controls were either a material weakness or a significant deficiency. Inspectors general identified deficiencies in both financial and nonfinancial systems, including vulnerabilities in critical federal systems.
Agencies are also calling information security a "major management challenge" for their organizations. The report cites ongoing weaknesses at the Securities and Exchange Commission, the Internal Revenue Service, the Los Alamos National Laboratory and the Department of Homeland Security. The agencies continue to struggle with inadequate access controls, configuration management (including removing unauthorized software), segregation of duties, continuity of operations planning, and maintaining an adequate information security program.
For example, the SEC has not made progress on 16 vulnerabilities identified earlier this year. The agency hasn't been consistent in enforcing strong controls to authenticate users, and is not consistently encrypting network services or auditing its databases for unauthorized activity, the GAO said.
The GAO also took issue with the DHS U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program, which continues to be plagued with ineffective security controls that could enable an unauthorized user to gain access to and modify sensitive information.
Nearly half of information security control weaknesses pertained to access controls, according to the GAO review of reported incidents. Many agencies are also granting too many rights or permissions to users. In one agency, "1,100 users had access to mainframe system management utilities although such access was not necessarily required to perform their jobs." The permission gave them the ability to alter hardware configurations supporting the production environment.
Another agency gave a contractor full-system access, making the agency vulnerable to incidents on the contractor's network. Other agencies gave users of an application full access to its source code.
Inspectors general also identified a lack of specialized security training for personnel with critical IT responsibilities. The GAO tracked decreases in such training over the last several years as agencies shifted their focus to providing more general security awareness training to employees.
The latest GAO report also recommends stronger reporting instructions to give inspectors general a better view of contractor operations and specialized security training. It requests enhanced reporting instructions and urges the director of the Office of Management and Budget to take action on reviewing and approving agency information security programs.
Some progress is being made. In February, a group of public- and private-sector security experts identified 20 security controls to help government agencies prioritize ways to address security deficiencies. The 20 security controls provide specific audit guidelines used by the federal government to ensure a minimum standard of security controls is in place for agency systems and their civilian contractors. Several agencies are currently pilot testing the guidelines.