Watchdog finds security holes in key government systems
Four federal agencies have failed to implement key security precautions for their networks, “with almost all of the systems having weaknesses in all, or most, of the control areas,” according to an audit by the Government Accountability Office (GAO).
The agencies faulted by the GAO were the Nuclear Regulatory Commission, NASA, the Department of Veterans Affairs and the Office of Personnel Management, which suffered a massive data breach last year.
The report was a response to a Senate Homeland Security request for the GAO to review the security of “high impact” government systems, meaning those where a breach could cause “a severe or catastrophic adverse effect on organizational operations.”
All four of the agencies fared poorly in the GAO’s testing.
The tests looked at five key concepts in securing system access: authenticating users, limiting users’ access to the minimum required to do their jobs, regularly auditing and monitoring the systems, encrypting sensitive data, and setting up a digital perimeter around the network to prevent unauthorized data from getting in or out.
The GAO tested two systems from each agency. Every system had security flaws in implementing at least three of the five concepts the GAO emphasized.
“These weaknesses existed in part because the agencies had not effectively implemented elements of their information security programs,” the report said. “As a result, increased risk exists that sensitive information could be disclosed or modified without authorization, and system operations may be disrupted.”
Beyond those criteria, the GAO found that six of the tested systems had not been installing software updates “in a timely manner.” Computer security experts consider keeping software up to date one of the most critical steps in preventing intruders from successfully attacking a system.
In the OPM’s official response to the report’s findings, it said one of its two tested systems was controlled by a contractor no longer employed by the agency. On the whole, the agencies agreed with the spirit of the GAO’s suggestions, although the OPM disagreed with some of the GAO’s approaches and with perceived vagueness in some of the GAO’s wording.
The report also included a survey of all 18 agencies with high impact systems. It found that, despite half of the agencies wishing for more federal guidance, many agencies were unaware of the full extent of federal cybersecurity assistance programs.
Separately, the 18 agencies identified phishing attacks as both the most serious and most frequent attack against systems. That is in line with the industry as a whole. Trend Micro has estimated that 90 percent of targeted attacks start through highly personalized phishing emails known as “spear phishing.”