That’s one amazingly scary number: Since 2006 cyber incidents involving the Federal government have grown 1,300%.
Another Government Accountability Office report on Federal cybersecurity out this week offers little in the way of optimism for the cyber-safeguard of the massive resources the government has control over.
+More on Network World: Network security weaknesses plague federal agencies+
“Federal information systems and networks are inherently at risk. They are highly complex and dynamic, technologically diverse, and often geographically dispersed. This complexity increases the difficulty in identifying, managing, and protecting the myriad of operating systems, applications, and devices comprising the systems and networks. Compounding the risk, systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown. For example, the national vulnerability database maintained by the Mitre Corporation has identified 78,907 publicly known cybersecurity vulnerabilities and exposures as of September 15, 2016, with more being added each day,” the GAO wrote.
+More on Network World: Feds' primary network security weapon needs more bang+
In the report the GAO made three recommendations to help control cyber issues, including:
Implement risk-based information security programs. Agencies have been challenged to fully and effectively establish and implement information security programs. They need to enhance capabilities to identify cyber threats, implement sustainable processes for securely configuring their computer assets, patch vulnerable systems and replace unsupported software, ensure comprehensive testing and evaluation of their security on a regular basis, and strengthen oversight of IT contractors.
Improve capabilities for detecting, responding to, and mitigating cyber incidents. Even with strong security, organizations can continue to be victimized by attacks exploiting previously unknown vulnerabilities. To address this, DHS [Department of Homeland Security] needs to expand the capabilities and adoption of its intrusion detection and prevention system, and agencies need to improve their practices for responding to cyber incidents and data breaches.
Expand cyber workforce and training efforts. Ensuring that the government has a sufficient cybersecurity workforce with the right skills and training remains an ongoing challenge. Government-wide efforts are needed to better recruit and retain a qualified cybersecurity workforce and to improve workforce planning activities at agencies.
Secure everything: The GAO said it routinely determine that agencies do not enable key information security capabilities of their operating systems, applications, workstations, servers, and network devices. Agencies were not always aware of the insecure settings that introduced risk to the computing environment. Establishing strong configuration standards and implementing sustainable processes for monitoring and enabling configuration settings will strengthen the security posture of federal agencies.
Patch! Patch vulnerable systems and replace unsupported software. Federal agencies consistently fail to apply critical security patches in a timely manner on their systems, sometimes years after the patch is available. We also consistently identify instances where agencies use software that is no longer supported by their vendors. These shortcomings often place agency systems and information at significant risk of compromise since many successful cyberattacks exploit known vulnerabilities associated with software products. Using vendor-supported and patched software will help to reduce this risks.
The GAO said it has designated federal information security as a government-wide high-risk area since 1997 and since then has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls, the GAO wrote. As of September 16, 2016, about 1,000 have not been implemented.
Check out these other hot stories: