Risk
4/23/2009
12:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cybersecurity Balancing Act

Government IT pros struggle to meet mandates as computer system threats keep growing.

Most federal agencies get passing marks for meeting the Federal Information Security Management Act, the primary regulation dictating cybersecurity practices in the federal government. Even so, the ground rules for cybersecurity keep changing, and federal systems are anything but bulletproof.

The Office of Management and Budget's FISMA implementation report for fiscal 2008 gave 92% of major agencies satisfactory or better grades for the quality of their certification and accreditation processes. It noted high percentages of inventoried systems and systems with tested contingency plans and security controls, and said 84% of major agencies had "effective" cybersecurity plans.

InformationWeek Reports

That's the good news. The other side of it is that threats to government computer systems are more worrisome than ever. Federal agencies reported to the U.S. Computer Emergency Readiness Team (US-CERT) that they experienced 18,050 cybersecurity attacks in fiscal 2008, triple the number from 2006. "Terabytes of data are being exfiltrated out of government networks," warns Greg Garcia, assistant secretary of cybersecurity and communications at the Department of Homeland Security under President George W. Bush.

Government security pros find themselves having to comply with myriad specifications and regulations, compounding the challenges of getting it right. A diagram that used to hang on the wall at the Defense Information Systems Agency detailing every agency with authority over cybersecurity "looked like a bowl of spaghetti," says Vic Maconachy, former director of the National Security Agency's cybersecurity education and training program.

Mandates Galore
Passed in 2002, FISMA requires every federal agency to inventory its information systems, categorize them according to risk, carry out contingency planning and risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also need to certify and accredit their cybersecurity processes and related documentation.

The White House, meanwhile, is carrying out a cybersecurity review, due any day, and new cybersecurity bills are being introduced in Congress. What's more, the government likely will begin releasing over the next few months more details of the still-classified Comprehensive National Cyber Security Initiative created under Bush.

"There's a high level of interest in cybersecurity, and that's a good thing, but for the implementers in the agencies, it can be a bit confusing with all the things being proposed," says Matt Scholl, who oversees several government-wide cybersecurity programs, including FISMA implementation, as security management and assurance group manager at the National Institute of Standards and Technology.

As part of the Comprehensive National Cyber Security Initiative, a multibillion-dollar program introduced 16 months ago, the government hopes to create and enforce security best practices and technology guidance that can be implemented across agencies. First, though, the government has to lay out the program in more detail. "One of the problems with the development of the Cyber Initiative is that it was over-classified, and we couldn't proactively share with the public and the Congress, so there remains a dearth of useful information about it," says Garcia.

Among the CNSCI requirements is implementation of intrusion-detection and -prevention systems. According to a recent InformationWeek survey of 309 government IT professionals, 65% plan to increase use of intrusion detection over the next year. "The private-sector capabilities are very sophisticated now. There's no reason every department and agency shouldn't be using them," says Rod Beckstrom, until recently director of the National Cyber Security Center at the Department of Homeland Security.

Scholl warns, however, that further mandates shouldn't be too far-reaching in mandating specific technologies, given how different various agencies are. "We have wide and unique use cases that really must be considered," he says.

chart: Keep Out And Stay Out: What are your plans for these security technologies over the next 24 months?

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.