The number of reported cybersecurity incidents involving federal information networks continues to increase while the posture of federal agencies to defend against them appears to be weakening in 2012, according to projected data from a Congressional watchdog agency.

The Government Accountability Office’s director of information security issues, Greg Wilshusen, in a presentation to federal and industry security officials, said that the rate of reported security incidents, which had leveled off in 2011 after a steady four-year climb, was expected to jump again in 2012.

Citing figures from the U.S. Computer Emergency Readiness Team, Wilshusen said federal agencies are projected to register 48,000 information security incidents in fiscal 2012, compared to roughly 43,000 last year. Wilshusen said information was not available to explain why 2011 figures had risen only slightly over the year before, but suggested that recent efforts by agencies to defend their networks had partially offset the continued growth in incidents.

The rise in incidents in 2012 reflects the continuing escalation in network assaults globally, but also the challenge federal agencies are having implementing adequate security controls to combat such incidents.

According to a GAO audit released earlier this year, examining 2011 security practices, of the top 24 federal departments and agencies:

  • All 24 demonstrated material weaknesses in controlling who could access their networks;
  • 23 showed weaknesses in security management, lacking for instance, procedures for assessing risks or plans for addressing those risks;
  • 22 had shortcomings in configuration management designed to reduce exploitation;
  • 18 lacked adequate contingency plans;
  • The majority had inadequate controls in segregating duties, which reduces the risk that one person can perform certain activities without detection.

Agency ratings for 2012 in these five critical areas “will be consistent with 2011’s findings and may even be a little worse,” based on current indications, said Wilshusen, speaking at a Government Technology Research Alliance forum on government security.

Over half of incidents reported to US-CERT, said Wilshusen, “related to unauthorized access and improper use of agencies’ systems.”

Wilshusen acknowledged that the agencies have been required to invest in continuous monitoring tools and reporting methods, resulting in a struggle at agencies to also invest in more rigorous preventative measures.

He also acknowledged that the while data on reported incidents provides a valid snapshot of the magnitude of cyber threats, GAO still lacks data showing which remediation efforts are most effective. Agency security officials have argued that GAO’s security assessments can sometimes focus too often on superficial compliance measures rather on activities that more directly impact network security.

Wilshusen said the pattern of incidents and the findings on network weaknesses, however, suggested a familiar series of do’s and don’ts.

Frequently-identified weaknesses – The Don’ts:
• Boundaries for network devices are not sufficiently controlled
• Systems configuration do not enforce strong authentication
• Authorization controls are not fully implemented
• Sensitive information are not effectively encrypted
• System activity is not adequately logged and monitored
• Physical security lapses expose IT resources to accidental or malicious damage
• Unapplied patches, outdated software, and unapproved or untested changes introduce risk
• Contingency plans are not effectively tested

Key security practices for improving security controls– The Do’s:
• Separate or segment network according to function or data security requirements
• Implement access control lists
• Strengthen authentication controls
• Limit access to bona fide needs
• Remove inactive accounts & accounts of separated users
• Use encrypted protocols
• Install patches timely
• Keep software current

Common recommendations for improving security programs – The Do’s:
• Provide role-based training for those with significant security responsibilities
• Monitor assets, configurations, vulnerabilities frequently
• Test effectiveness of IT security controls
• Remedy known vulnerabilities timely
• Verify effectiveness of remediation efforts
• Implement adequate incident detection and response capabilities
• Test viability of contingency plans

Wilshusen also outlined GAO’s cybersecurity audit plans for fiscal 2013, saying his office would focus on six major areas:

FISMA
-Mandate report / Annual analysis
-Small and independent agencies
-Census, NMB
-FCC ESN
-Cyber risk management / High impact system

Emerging Issues
-Cybersecurity strategies
-Cyber incident handling and response
-Oversight of contractor security
-Continuous monitoring
-FedRAMP

Privacy
-Data breach notification and response
-Computer matching agreements

Critical IT Systems & Infrastructure
-Federal role in datacomm network security
-Maritime cyber threats and security
-Federal cyber coordination with state and local government
-DOD cyber efforts

Training/ Methodology/ Liaison
– FISCAM
– GAO Internal Controls
– Internal/External Training
– Technical Assistance to Hill
– OMB/NIST/NASCIO

Consolidated Financial Statements
-IRS
-BPD/Federal Reserve
-FDIC
-SEC
-OIGs
-TARP
-FHFA
-SOSI
-CFPB