
Subject: [ISN] GAO: Agencies not adequately addressing emerging cybersecurity threats
Date: Wed, 15 Jun 2005 01:03:47 -0500 (CDT)
Forwarded from: William Knowles <wk@c4i.org>

http://www.gcn.com/vol1_no1/daily-updates/36080-1.html

By William Jackson 
GCN Staff
06/14/05 

Federal cybersecurity programs run the risk of becoming static and
unresponsive in the face of emerging threats, according to the
findings of a study by the Government Accountability Office.

The study [1], titled "Emerging Cybersecurity Issues Threaten Federal
Information Systems," focused on three challenges that have evolved
rapidly in the last three years: spam, phishing and spyware. And the
Federal Information Security Management Act could become a Maginot
Line against this blitzkrieg of new attacks.

"Many agencies have not fully addressed the risks of emerging
cybersecurity threats as part of their required agencywide information
security programs," GAO found.

Agencies are required to report all cybersecurity incidents, but there
is no governmentwide guidance on which incidents should be reported.
The most recent guidance was issued in 2000, before the formation of
the U.S. Computer Emergency Readiness Team (US-CERT).

"Lacking the necessary guidance, agencies do not have a clear
understanding of which incidents they should be reporting, or how and
to whom they should report," GAO concluded.

As a result, government IT systems often remain exposed to
unrecognized threats. Some help may be on the way from the Office of
Management and Budget, charged with FISMA oversight, and the Homeland
Security Department.

OMB said it would begin incorporating new threats into its annual
agency FISMA reviews. Together with US-CERT, it is developing a
concept of operations and taxonomy for incident reporting, expected to
be released this summer.

Despite, or because of, the fact they are so common, spam, phishing
and spyware often are not perceived as security threats, GAO found.
Only one of 24 major executive branch agencies surveyed recognized the
risk presented by spam for delivering malicious code or other attacks.
Fourteen agencies reported that phishing had little or no impact,
despite the fact that the FBI, IRS and Federal Deposit Insurance Corp.
have been targeted in phishing scams. Spyware was recognized as a
greater problem, with 11 agencies reporting some impact on
productivity caused by the intrusive programs.

Although a number of agencies have consumer awareness programs for
these threats, there are no programs to educate users within the
agencies.

GAO recommended that:

* Agencies include emerging threats in the risk assessments and
  planning required under FISMA, and

* OMB, DHS and the attorney general develop guidelines for
  comprehensive incident reporting.

[1] http://www.gao.gov/new.items/d05231.pdf
