Risk
4/23/2009
12:15 PM

Cybersecurity Balancing Act

Government IT pros struggle to meet mandates as computer system threats keep growing.

Most federal agencies get passing marks for meeting the Federal Information Security Management Act, the primary regulation dictating cybersecurity practices in the federal government. Even so, the ground rules for cybersecurity keep changing, and federal systems are anything but bulletproof.

The Office of Management and Budget's FISMA implementation report for fiscal 2008 gave 92% of major agencies satisfactory or better grades for the quality of their certification and accreditation processes. It noted high percentages of inventoried systems and systems with tested contingency plans and security controls, and said 84% of major agencies had "effective" cybersecurity plans.

That's the good news. The other side of it is that threats to government computer systems are more worrisome than ever. Federal agencies reported 18,050 cybersecurity incidents to the U.S. Computer Emergency Readiness Team (US-CERT) in fiscal 2008, triple the number from 2006. "Terabytes of data are being exfiltrated out of government networks," warns Greg Garcia, assistant secretary of cybersecurity and communications at the Department of Homeland Security under President George W. Bush.

Government security pros find themselves having to comply with myriad specifications and regulations, compounding the challenges of getting it right. A diagram that used to hang on the wall at the Defense Information Systems Agency detailing every agency with authority over cybersecurity "looked like a bowl of spaghetti," says Vic Maconachy, former director of the National Security Agency's cybersecurity education and training program.

Mandates Galore
Passed in 2002, FISMA requires every federal agency to inventory its information systems, categorize them according to risk, carry out contingency planning and risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also must certify and accredit their information systems, a process that generates its own body of security plans, assessments, and authorization documentation.

The White House, meanwhile, is carrying out a cybersecurity review, due any day, and new cybersecurity bills are being introduced in Congress. What's more, the government likely will begin releasing over the next few months more details of the still-classified Comprehensive National Cyber Security Initiative created under Bush.

"There's a high level of interest in cybersecurity, and that's a good thing, but for the implementers in the agencies, it can be a bit confusing with all the things being proposed," says Matt Scholl, who oversees several government-wide cybersecurity programs, including FISMA implementation, as security management and assurance group manager at the National Institute of Standards and Technology.

As part of the Comprehensive National Cyber Security Initiative, a multibillion-dollar program introduced 16 months ago, the government hopes to create and enforce security best practices and technology guidance that can be implemented across agencies. First, though, the government has to lay out the program in more detail. "One of the problems with the development of the Cyber Initiative is that it was over-classified, and we couldn't proactively share with the public and the Congress, so there remains a dearth of useful information about it," says Garcia.

Among the CNCI requirements is implementation of intrusion-detection and -prevention systems. According to a recent InformationWeek survey of 309 government IT professionals, 65% plan to increase use of intrusion detection over the next year. "The private-sector capabilities are very sophisticated now. There's no reason every department and agency shouldn't be using them," says Rod Beckstrom, until recently director of the National Cyber Security Center at the Department of Homeland Security.

Scholl warns, however, that further mandates shouldn't go too far in prescribing specific technologies, given how different agencies are from one another. "We have wide and unique use cases that really must be considered," he says.

chart: Keep Out And Stay Out: What are your plans for these security technologies over the next 24 months?
