Risk
4/23/2009
12:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cybersecurity Balancing Act

Government IT pros struggle to meet mandates as computer system threats keep growing.

Most federal agencies get passing marks for meeting the Federal Information Security Management Act, the primary regulation dictating cybersecurity practices in the federal government. Even so, the ground rules for cybersecurity keep changing, and federal systems are anything but bulletproof.

The Office of Management and Budget's FISMA implementation report for fiscal 2008 gave 92% of major agencies satisfactory or better grades for the quality of their certification and accreditation processes. It noted high percentages of inventoried systems and systems with tested contingency plans and security controls, and said 84% of major agencies had "effective" cybersecurity plans.

InformationWeek Reports

That's the good news. The other side of it is that threats to government computer systems are more worrisome than ever. Federal agencies reported to the U.S. Computer Emergency Readiness Team (US-CERT) that they experienced 18,050 cybersecurity attacks in fiscal 2008, triple the number from 2006. "Terabytes of data are being exfiltrated out of government networks," warns Greg Garcia, assistant secretary of cybersecurity and communications at the Department of Homeland Security under President George W. Bush.

Government security pros find themselves having to comply with myriad specifications and regulations, compounding the challenges of getting it right. A diagram that used to hang on the wall at the Defense Information Systems Agency detailing every agency with authority over cybersecurity "looked like a bowl of spaghetti," says Vic Maconachy, former director of the National Security Agency's cybersecurity education and training program.

Mandates Galore
Passed in 2002, FISMA requires every federal agency to inventory its information systems, categorize them according to risk, carry out contingency planning and risk assessments, train employees in cybersecurity, and report certain incidents to law enforcement. Agencies also need to certify and accredit their cybersecurity processes and related documentation.

The White House, meanwhile, is carrying out a cybersecurity review, due any day, and new cybersecurity bills are being introduced in Congress. What's more, the government likely will begin releasing over the next few months more details of the still-classified Comprehensive National Cyber Security Initiative created under Bush.

"There's a high level of interest in cybersecurity, and that's a good thing, but for the implementers in the agencies, it can be a bit confusing with all the things being proposed," says Matt Scholl, who oversees several government-wide cybersecurity programs, including FISMA implementation, as security management and assurance group manager at the National Institute of Standards and Technology.

As part of the Comprehensive National Cyber Security Initiative, a multibillion-dollar program introduced 16 months ago, the government hopes to create and enforce security best practices and technology guidance that can be implemented across agencies. First, though, the government has to lay out the program in more detail. "One of the problems with the development of the Cyber Initiative is that it was over-classified, and we couldn't proactively share with the public and the Congress, so there remains a dearth of useful information about it," says Garcia.

Among the CNSCI requirements is implementation of intrusion-detection and -prevention systems. According to a recent InformationWeek survey of 309 government IT professionals, 65% plan to increase use of intrusion detection over the next year. "The private-sector capabilities are very sophisticated now. There's no reason every department and agency shouldn't be using them," says Rod Beckstrom, until recently director of the National Cyber Security Center at the Department of Homeland Security.

Scholl warns, however, that further mandates shouldn't be too far-reaching in mandating specific technologies, given how different various agencies are. "We have wide and unique use cases that really must be considered," he says.

chart: Keep Out And Stay Out: What are your plans for these security technologies over the next 24 months?

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.