By Tim Wilson
July 20, 2009
Virtually all of the U.S. federal government's key civilian agencies are
still falling short of the security marks they have been asked to meet,
according to the Government Accountability Office (GAO).
In a report (PDF) issued earlier today, the GAO says of the 24 agencies
reviewed, almost all had deficiencies in security controls and
management, "leaving them vulnerable to attack or compromise." The GAO
says it has made "hundreds" of recommendations to the agencies, yet many
have not been addressed.
During the past three years, the number of incidents reported by federal
agencies to U.S.-CERT has increased by almost 200 percent -- from 5,503
in 2006 to 16,843 in 2008, according to the report. More than one-third
of the incidents are still under investigation, and the sources of the
compromises are not yet known.
Of the incidents in which the sources are known, approximately 22
percent were caused by improper use of computers by authorized users,
the report states. Eighteen percent of the compromises were caused by
unauthorized access, and 14 percent were caused by malicious code. About
12 percent of the breaches were caused by scans, probes, or attempted
access by external attackers, the report says.
Of the 24 agencies reviewed, 13 reported "significant deficiencies" in
information security, the GAO says. Seven agencies reported "material
weaknesses" that still have not been repaired. Only four agencies
reported "no significant weakness," the report states.
Attend Black Hat USA, July 25-30 in Las Vegas,
the world's premier technical event for ICT security experts.
Network with 4,000+ delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com