GAO says U.S. agencies unprepared to fight cyberthreats
A majority of them aren't ready to combat phishing, spam and spyware
Computerworld - A majority of federal agencies appear to be unprepared to deal with emerging information security threats such as spyware, phishing and spam, according to a report released Monday by the U.S. Government Accountability Office (GAO). Adding to the problem is a lack of guidance on what exactly government agencies need to report when it comes to these threats, as well as how and to whom they should report such incidents.
As a result, "the federal government is limited in its ability to identify and respond to emerging cybersecurity threats, including sophisticated and coordinated attacks that target multiple federal entities," the 79-page report warned.
The GAO report is based on input from security executives at 24 major federal agencies and discusses potential threats, reported agency perception to these threats and efforts to address them.
According to the GAO, spam, phishing and spyware all pose potent and growing threats to the integrity of federal information systems. Phishing scams, for instance, can result in identity theft and loss of confidential information, the GAO said, adding that several agencies -- including the FBI and the Internal Revenue Service -- had already fallen victim to phishers.
Similarly, spyware programs threaten the integrity of federal systems because of their ability to monitor and reconfigure the systems they infect, the report said. "The blending of these threats creates additional risks that cannot be easily mitigated with currently available tools," the GAO said.
Even so, a majority of the agencies have not yet begun addressing these threats as part of the information security programs they are required to implement under the Federal Information Security Management Act of 2002.
In many instances, spyware, phishing and spam are not even considered security threats. For example, 19 of the 24 agencies reported productivity and bandwidth-related issues resulting from spam e-mail, while only one agency identified it as a potential security problem. Similarly, 17 of the 24 agencies reported that they had not assessed the risk posed to their networks by phishing. And reports provided by 20 agencies showed that all of those agencies lack a formal incident response plan for dealing with phishing and spyware.
There was also little consistency in the way agencies report problems. Some reported them to the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT), as required, while others reported incidents to law enforcement agencies. Still others did not report incidents outside their agencies at all. Neither the Office of Management and Budget nor the Department of Homeland Security -- the entities responsible for coordinating the government's response to cyberthreats -- has
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!