Simply Security - News, Views, and Opinions from Trend Micro

As APTs increase, US federal data protection measures still lacking, GAO says

Posted on October 17th, 2011 in Current News, Vulnerabilities & Exploits by Simply Security | 1 Comment

Data protection practices at several major government agencies are lacking, the GAO asserted.

Despite an emphasis on protecting sensitive data and thwarting cybersecurity threats in both the public and private sectors, many federal agencies continue to employ data protection practices that may be lacking, a recent report from the U.S. Government Accountability Office asserted.

According to the GAO's report, 24 major federal agencies have weaknesses in their data security policies and practices that "place the confidentiality, integrity and availability of sensitive information and information systems at risk."

The 49-page report stated that the number of data security incidents affecting federal agencies has increased by more than 650 percent in the last five years. Issues involving access control, business continuity and security management, among others, continue to plague these agencies, potentially putting sensitive government information at risk.

Among the agencies and departments cited by the report are Homeland Security, Commerce, Defense, NASA, Health and Human Services and several others. Data security incidents that have been reported in recent years include unauthorized access, denial of service, malicious coding, acceptable use violations and third-party exploitations.

"Threats to systems supporting critical infrastructure and federal information systems are evolving and growing," the report stated. "Advanced persistent threats – where an adversary that possesses sophisticated levels of expertise and significant resources can attack by using multiple means such as cyber, physical or deception to achieve its objectives – pose increasing risks."

The GAO's report comes on the heels of another critical assessment of the U.S. government's cybersecurity practices. A separate report from the Intelligence and National Security Alliance Cyber Council asserted that the government's cybersecurity intelligence is lacking, and there is "little focus on defining and exploring the cyberthreat environment at a higher level."

According to the INSA's report, data protection and cybersecurity practices among federal agencies are fragmented and, therefore, are not as effective as they should be. This seems to support the GAO's claims that data security measures are not nearly where they need to be.

"These shortcomings leave federal agencies vulnerable to external as well as internal threats," according to the GAO. "As long as agencies have not fully and effectively implemented their information security programs, including addressing the hundreds of recommendations that we and inspectors general have made, federal systems will remain at increased risk of attack or compromise."

This lack of data security may be worrisome, but it is also somewhat ironic, as the U.S. Congress has been pushing for more comprehensive data protection practices for both the public and private sectors. In late September, the Senate Judiciary Committee approved new legislation designed to improve data security measures.

The Personal Data Privacy and Security Act of 2011, authored by Vermont Democrat Patrick Leahy, is intended to establish data protection measures for several areas, including the U.S. financial networks and power grids. It also aims to create a national data breach notification standard.

Legislation, however, is not the only solution to the federal government's data security woes. Agencies are advised to be proactive in protecting sensitive information and IT networks. This means controls must be tested, weaknesses must be identified and reporting must be improved. Additionally, agencies must educate employees about the dangers of data breaches and security failures.

The task of protecting the nation's critical IT infrastructure may be a difficult one, especially as cyberthreats continue to evolve and present new challenges to government agencies. However, given the potential dangers of cyberwarfare, as well as more minor data security threats, it is crucial that the government stay abreast of the latest data protection practices and safeguard sensitive networks and information.

Security News from SimplySecurity.com by Trend Micro

Comments

  1. [...] example, in October the U.S. Government Accountability Office (GAO) asserted that APTs are becoming a growing concern and could threaten the systems that support the nation’s critical infrastructure and federal [...]

    Pingback by APTs, phishing scams to push cybersecurity market to $61 billion in 2012 | Simply Security on March 5, 2012 at 1:40 pm