CSO - In the war over government data security, the statistics indicate the bad guys are winning. And some security experts say any hope of reversing that trend will take "a whole new paradigm" in IT security.
The U.S. Government Accountability Office (GAO) reported last week that federal data breaches involving unauthorized disclosures of personally identifiable information increased by 19%, from about 13,000 in 2010 to about 15,500 in 2011.
At least some of the time, victims of those breaches are being left in the dark about it for months. About 123,000 Thrift Savings Plan participants whose personal information was compromised in a July 2011 breach were not notified until this past May.
That is not the only instance. The Washington Business Journal reported that the U.S. Environmental Protection Agency (EPA) waited until last week to notify 5,100 employees and 2,700 "other individuals" of a data security breach last March that exposed their Social Security numbers and banking information.
Greg Long, head of the Federal Retirement Thrift Investment Board, responding to questions from the Senate subcommittee on government management oversight, said the thrift board had followed federal guidance in responding to the attack, but didn't have the funding for a notification plan.
Daniel Berger, president and CEO of Redspin, a security assessment vendor, told CSO Online that the increase in breaches is no surprise, given that attacks have become "more sophisticated and persistent. Groups such as foreign governments, organized crime, and hacktivist networks have the capability for multi-dimensional, coordinated, ongoing attacks against specific entities such as U.S. federal agencies."
Berger said traditional perimeter defenses and other security controls are "no match for such attacks. A whole new paradigm is needed."
Tony Busseri, CEO of Route1, an IT security firm, suggested to Federal Computer Week that a piece of that new paradigm has to include better technology.
The EPA breach, reportedly caused by a virus in an email attachment on a contractor's computer, points again to the vulnerability of human error.
"We cannot just have policy-based approaches to cybersecurity," Busseri said by email. "It has to be technology-based too. If we rely upon the human condition (i.e., we expect someone to adhere to a policy) and that's the only protection we have, we're going to have failure. By nature people are prone to making errors."
John Steven, internal CTO of Cigital, also said technology is lagging, especially when it comes to protecting usernames and passwords. "Credential thefts are not new vulnerabilities," he said. "These are system bugs that have been there for seven years and are being exploited now."
Steven said that is happening in both the private sector and government. "When the Yahoo [data breach] story broke, I went back and looked at three of my clients. We had reported critical vulnerabilities in password protection, and they had opted not to fix them," he said.