The report says that for the fiscal year 2008, almost all 24 major federal agencies had weaknesses in information security controls. These weaknesses include issues with access control, configuration management, segregation of duties, continuity of operations and security management.

The GAO says these weaknesses are the result of security programs not being fully implemented. While control activities – such as awareness training – have gone up, several agencies reported decreased levels of testing security controls and training for employees with significant security responsibilities.

The GAO recommends that the Director of the Office of Management and Budget (OMB) make several changes to their guidance policies, including the implementation of an “approve” or “disapprove” of agency security programs after review periods. This is suggested so that agencies are held accountable for implementing effective security programs.

You can download the full report here [PDF].

6 years after FISMA was enacted, the GAO reports that poor information security is still a widespread issue in the Federal government. In the 2008 performance and accountability reports, 20 out of 24 major agencies noted that information system controls over their financial systems and information were either a “significant deficiency” or a “material weakness.”

The GAO summary notes that:

Over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agencywide information security program, as required by FISMA.

23 out of 24 agencies were found to have weaknesses in their agencywide information security programs in 2008. Although agencies reported an increased compliance in implementing security controls in 2008, the GAO notes that there are shortcomings with implementing key control activities for the year.

For fiscal year 2008 reporting, agencies reported higher levels of FISMA implementation for most information security metrics and lower levels for others. Increases were reported in the number and percentage of employees and contractors receiving security awareness training, the number and percentage of systems with tested contingency plans, and the number and percentage of systems that were certified and accredited. However, the number and percentage of employees who had significant security responsibilities and had received specialized training decreased significantly and the number and percentage of systems that had been tested and evaluated at least annually decreased slightly.

The GAO recommends that current reporting requirements change in order that inspector generals be required to report on the agencies’ effectiveness of activities, which would help determine if agencies are effectively implementing their policies, procedures and practices. The full list of GAO recommendations can be found in this PDF.

Melissa notes that our global digital infrastructure is neither secure nor resilient, driven by interoperability and efficiency rather than security. She notes that previous attempts at cybersecurity have been made in isolation and have failed; the Federal government is not organized to address this growing issue because responsibilities for cyberspace are distributed widely across federal departments and agencies.

During the 60-day review, the cybersecurity team identified 250 needs, tasks and recommendations for a national cyber security plan. The recommendation outlines a top-down approach to cyber security, with the White House leading the way and overseeing and working with other government agencies, State and local stakeholders, as well as those in academia and the industry.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. We need to demonstrate abroad and here at home that the United States takes cyberspace issues, policies, and activities seriously. Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society.

Here’s a video of Melissa’s speech:

The speech, if somewhat repetitive and littered with political fluff, does hint at many changes to come. Almost nothing was specified yet, and many are critical of it. Let’s hope the report released in a few days will specify a bit more. Attempting to muster resources on the National and International level, across the government and private sectors, won’t be an easy task!

Download Melissa Hathaway’s prepared remarks here [PDF]

The new cybersecurity legislation proposes additional changes to address issues of cyber crime, global cyber espionage and cyber attacks.

“I believe Congress must bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cybersecurity efforts in the 21st century.” – Senator Rockefeller

The Rockefeller-Snow initiative would include provisions for:

• Raising the profile of cybersecurity within the Federal government, including the aforementioned Office plus a comprehensive national strategy, a quadrennial cybersecurity review and a threat and vulnerability assessment
• Promoting public awareness and protecting civil liberties, including a legal review of the statutory and regulatory framework applicable, changes required, and a report on identity management and civil liberties
• Remaking the relationship between government and the private sector on cybersecurity, including a public-private clearinghouse for cyber threat and vulnerability information sharing, an Advisory Panel, enforceable cybersecurity standards, licensing for cybersecurity professionals, State and regional cybersecurity centers for small and medium-sized businesses, and more
• Fostering innovation and creativity in cybersecurity to develop long-term solutions, including increased recruitment for students into cybersecurity, increased funding for R&D, and an attempt to place a dollar value on cybersecurity risk

Read more about the new cybersecurity legislation being proposed here.

Via SecurityFocus ; Image: clipart

The documents outline a Metropolitan Police Service and MI5 counterterrorist operation against al-Qaeda suspects. The document revealed details for a planned arrest of terrorist suspects following a long covert surveillance operation. Steps were made to censor the photographs (only successful in Britain) and Mr. Quick’s location fearing that information would tip off the suspects. The operation was able to continue, with arrests made sooner than was planned, but it is still a major security blunder.

Bob Quick says he “deeply regretted” revealing the documents to photographers, and some people seem willing to forgive him for simply holding the paper the wrong way. However, the secret documents should not have been carried outside of secure areas in printed format – at the very least, they could have been transported in an encrypted drive. This is not the first incident where a government official has accidentally shown secret notes to the journalists who often wait outside of Downing Street.

Bob Quick resigned soon after the incidence, following a meeting with the home secretary and the Metropolitan Police commissioner.

“I have today offered my resignation in the knowledge that my action could have compromised a major counterterrorism operation.

I deeply regret the disruption caused to colleagues undertaking the operation, and remain grateful for the way in which they adapted quickly and professionally to a revised timescale.”

It is a pity that the breach was made, but the repercussions are already wide-ranging. Not only has the public outcry damaged the trust in government security, but the MPS has lost its most senior, and experienced, counterterrorism specialist. This should underscore the importance of having a clear security policy and ongoing employee training – at all levels – to ensure compliance to basic security measures.

Via Schneier

Pervasive and sustained computerbased (cyber) attacks against federal and private-sector infrastructures pose a potentially devastating impact to systems and operations and the critical infrastructures that they support. To address these threats, President Bush issued a 2003 national strategy and related policy directives aimed at improving cybersecurity nationwide. Congress and the Executive Branch, including the new administration, have subsequently taken actions to examine the adequacy of the strategy and identify areas for improvement. Nevertheless, GAO has identified this area as high risk and has reported on needed improvements in implementing the national cybersecurity strategy.

The GAO made 30 recommendations in key cybersecurity areas, including bolstering cyber analysis and warning capabilities, completing actions identified during cyber exercises, improving cybersecurity of infrastructure control systems, strengthening DHS’ ability to help recover from Internet disruptions and addressing cybercrime.

In addition to these areas identified as needing improvement, the GAO report identified 12 key strategy improvements:

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities
2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy
3. Establish a governance structure for strategy implementation
4. Publicize and raise awareness about the seriousness of the cybersecurity problem
5. Create an accountable, operational cybersecurity organization
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans
7. Bolster public/private partnerships through an improved value proposition and use of incentives
8. Focus greater attention on addressing the global aspects of cyberspace
9. Improve law enforcement efforts to address malicious activities in cyberspace
10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts
11. Increase the cadre of cybersecurity professionals
12. Make the federal government a model for cybersecurity

The GAO says that the nation’s federal and private-sector infrastructure systems remain at risk without these improvements. They suggest the new administration consider these improvements as part of the nation’s cybersecurity strategy.

Via network world

The CAG initiative is part of a larger effort to advance recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency. The goal of the consortium was to come up with a risk-based standard to counter known forms of cyber attack. The 20 actions should help the government or private organizations mitigate or prevent cyber attacks. The controls cover areas including access controls, wireless security, data leakage and training. Each control details what threat it covers and how the control could be automated & tested for effectiveness.

20 Controls & Metrics for Effective Cyber Defense

1. Inventory of authorized and unauthorized hardware.
2. Inventory of authorized and unauthorized software; enforcement of white lists of authorized software.
3. Secure configurations for hardware and software on laptops, workstations, and servers.
4. Secure configurations of network devices such as firewalls, routers, and switches.
5. Boundary Defense
6. Maintenance, Monitoring and Analysis of Complete Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection
16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training To Fill Gaps

The CAG is still in draft and they are actively soliciting criticism and suggestions. You can learn more about how to contact them here for most of March. After a public review of the standards, pilots will be conducted in several federal agencies and the draft will be reviewed and audited.

Hat tip to Dave Jevans ; Image: Clipart

Melissa Hathaway, who has served as Cyber Coordination Executive to the Director of National Intelligence, chaired the National Cyber Study Group, a group responsible for helping develop a 5-year $30 billion dollar plan to secure federal systems and infrastructure against online threats. This Comprehensive National Cyber Security Initiative (CNCI) was approved by Bush earlier last year and is still being implemented.

The new review will look at ongoing security programs, plans and activities and will develop recommendations to ensure they continue to meet the needs of both the public and private sectors. Essentially, Hathaway will be reviewing the progress of the existing CNCI plan and offering advice to keep it moving forward.

“The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties,” said Assistant to the President for Counterterrorism and Homeland Security John Brennan.

As part of her task, Hathaway will reportedly evaluate a recommendation that a special White House “cyberadviser” role be created (something Obama echoed on the campaign trail). It is suggested that this role report directly to the President rather than leaving cybersecurity to the Department of Homeland Security. This type of role would help create a comprehensive plan for cybersecurity, an issue that spans all government agencies.

Via CSO Online, Computerworld, Govtech, White House, USA Today, WSJ ; Image: clipart

The VA data breach of 2006, which was listed as one of the 10 largest data breaches since 2000 and as one of the worst breaches ever, was the result of computer going missing from the home of an employee, who had taken the computer home without permission. The computer contained insurance claim data (including Social Security Numbers and insurance information) for 26.5 million active duty troops and veterans, leaving them open to to identity theft and fraud.

The FBI was able to recover the equipment and apprehended the thieves; the VA found no evidence that data had been compromised. The VA Inspector General faulted the data analyst and his supervisors for putting veterans at unreasonable risk. A series of delays after the employee notified his superiors meant that affected veterans were not told about the breach until 3 weeks later.

Five veteran groups filed a class-action lawsuit against the VA alleging invasion of privacy. The lawsuit sought $1000 in damages for violations of privacy for each military personnel affected. This would have amounted to $26.5 billion in damages.

In court filings on Tuesday, lawyers for the VA and the veterans represented in the suit agreed to settle the lawsuit for $20 million. VA spokesman Phil Budahn made a statement, after the settlement, that:

“We want to assure veterans there is no evidence that the information involved in this incident was used to harm a single veteran.”

The money for the settlement will come from the U.S. Treasury and will go to veterans who can show they suffered “actual harm” (physical symptoms of emotional distress or expenses) as the result of the breach. I’ll be curious to see how they determine the ‘proof’ of these items. Each veteran will receive $75 – $1500 upon proving their suffering. Any remainder of funds will be donated to veterans’ charities. U.S. District Judge James Robertson must approve the terms of this settlement before it becomes final.

In November of 2007, the VA suffered a smaller breach, affecting 12,000, after 3 computers were stolen. They have suffered other data breaches, affecting up to 1.8 million, several times since 2006. Let’s hope this settlement means that the VA is truly accepting responsibility for the data breach suffered in 2006.

Via Yahoo, SC Magazine

Barack Obama’s name has been used by an increasing number of malware authors and spammers since he ran for the Presidency, with a whole new spate of social engineering tactics coming out for Inauguration Day.

As the Microsoft Malware blog shows, these cybercriminals have set up fake sites that mimic the official Barack Obama website, barackobama.com

As with any email you get from unknown sources, one of the tips you can use to make sure you don’t end up on a fake website is to not click the links. Instead, go to your browser and type in the URL. Although real websites can be taken over to host malware, this way you are avoiding the social engineering tactics that attempt to catch you in your inbox.

Microsoft offers information on what to look for in fake websites, including URLs that include the words “direct”, “online” or “great”, and images such as these.

For those of you who have been eagerly awaiting Obama’s Inauguration, I suggest you also take a look at the changes now visible on Whitehouse.gov. The nicest that website has ever looked! The transition was captured by CNet, along with the brief bugs apparent during the transition progress.