Activate Email 
TMCnet LOGIN
SUBSCRIPTIONS
» More Security Feature Articles
Security Featured Article
November 25, 2009
Federal IT Professionals Call for Reinforcements to Combat Persistent, Severe Threats: Report
By Brendan B. Read, Senior Contributing Editor
Forget bombs, guns and crowbars. The big lurking threats to U.S. government security, and therefore for all Americans are coming in from enemies and crooks via computers. And those on the front lines: federal defense and civilian agency IT security staff say they need more resources to defend the nation against cyberwarfare and cybercrime. At the same time they need to be more alert to these dangers, and tighten up their IT discipline to prevent the “bad guys” from getting through. Everyone working for the federal government no matter whether they are military or civilian, or their rank, title, and pay grade, must be vigilant and careful.
CDW Government’s (CDW (News - Alert)-G) new 2009 Federal Cybersecurity Report reveals that defense and civilian IT security professionals say external sources are their agencies/networks’ biggest threat. Defense agencies indicating state-sponsored cybersecurity-warfare programs as their most significant external cybersecurity issue. Civilian agencies report that independent international hackers and software problems are the biggest external challenges.
At the same time, internal threats such as inappropriate Web surfing, lax user authentication and loss of computing devices continue to leave agencies vulnerable to cybersecurity threats. Respondents cite malware, inappropriate employee activity and remote-user access as the top cybersecurity challenges they face each day and that remote computing challenges are increasing more than all others.
The report based on a September survey of 300 federal IT security professionals, identifies agency cybersecurity threats found that across federal civilian and Department of Defense (DoD) agencies, the number and severity of cybersecurity incidents has stayed the same or increased in the last year. Yet nearly one-third of all federal agencies experience a cybersecurity incident daily.
“Fundamentally, cybersecurity is not just a technology issue – it is a management and cultural challenge for Federal agencies,” says Andy Lausch, vice president of federal sales for CDW-G. “Federal IT security professionals are engaging in the cybersecurity war on multiple fronts, and they need the participation of the Federal employees, managers and senior staff that they support. First and foremost, federal IT security professionals are calling for increased end-user education, both to reduce internal cybersecurity incidents and to close the door to external threats.”
In response to growing threats, most federal IT security professionals say their requirements for network monitoring/intrusion prevention, encryption, user authentication, end-user education, patch management and network access control have increased or significantly increased during the last year. Yet just half say they have adequate budget to meet their cybersecurity needs says the report.
Agencies may see budget relief during the next few years, according to an October 2009 forecast on information security spending by market research firm INPUT. It projects federal spending on information security products and services will increase from $7.9 billion in 2009 to $11.7 billion in 2014. This allocation is being made in direct response to heightened attacks, evolving threats and presidential and congressional focus on cybersecurity improvements.
To address cybersecurity issues, agencies are taking a multifaceted approach, focusing on end-user training for internal challenges and cybersecurity tools for external threats, reports the CDW-G paper. To address avoidable end-user mistakes and reduce vulnerabilities, 82 percent of agencies provide ongoing training classes on security policies and procedures. To combat external threats, 81 percent have an Internet firewall and 71 percent have intrusion protection/detection.
Yet despite agency training commitments and technology implementations, many agencies still experience avoidable internal risks. More than 70 percent of agencies have experienced inappropriate Web surfing/downloads in the last 12 months, and more than 40 percent have seen the unauthorized transfer of sensitive information. Federal civilian and defense agencies agree that their top priority for improving agency cybersecurity is more end-user education.
In response, the CDW-G report recommends that federal agencies:
--Reassess end-user training: Establish programs and metrics to measure training success. Communicate security policies that include guidelines for acceptable use and policy acknowledgement. Establish consequences for non-compliance with agency cybersecurity policies.
--Address the mobile threat: Implement a tiered security architecture for mobile assets such as two-factor authentication, VPN sessions, data-at-rest encryption, remote Web filtering and end-point security software to ensure mobile devices are compliant and within policy.
--Implement industry-standard technologies: To reduce malware threats and enforce acceptable use policies, assess the agency enterprise and implement basic cybersecurity tools across the agency enterprise.
--Participate in the Federal Trusted Internet Connections program, which reduces the number of agency Internet connections: Participants confirm improved security.
“During the last several years, Federal agencies have proven they can do more with less in challenging budget environments,” says Lausch. “Unfortunately, they are simply outpaced by organized crime, increasingly sophisticated hackers and state-sponsored professionals. It is time for computer users to step up and take an active role in cybersecurity efforts. Much like Americans have made recycling an everyday task, it is time for users to form a new habit – making smart, network-protecting activity a part of their daily routines.”
CDW Government’s (CDW (News - Alert)-G) new 2009 Federal Cybersecurity Report reveals that defense and civilian IT security professionals say external sources are their agencies/networks’ biggest threat. Defense agencies indicating state-sponsored cybersecurity-warfare programs as their most significant external cybersecurity issue. Civilian agencies report that independent international hackers and software problems are the biggest external challenges.
At the same time, internal threats such as inappropriate Web surfing, lax user authentication and loss of computing devices continue to leave agencies vulnerable to cybersecurity threats. Respondents cite malware, inappropriate employee activity and remote-user access as the top cybersecurity challenges they face each day and that remote computing challenges are increasing more than all others.
The report based on a September survey of 300 federal IT security professionals, identifies agency cybersecurity threats found that across federal civilian and Department of Defense (DoD) agencies, the number and severity of cybersecurity incidents has stayed the same or increased in the last year. Yet nearly one-third of all federal agencies experience a cybersecurity incident daily.
“Fundamentally, cybersecurity is not just a technology issue – it is a management and cultural challenge for Federal agencies,” says Andy Lausch, vice president of federal sales for CDW-G. “Federal IT security professionals are engaging in the cybersecurity war on multiple fronts, and they need the participation of the Federal employees, managers and senior staff that they support. First and foremost, federal IT security professionals are calling for increased end-user education, both to reduce internal cybersecurity incidents and to close the door to external threats.”
In response to growing threats, most federal IT security professionals say their requirements for network monitoring/intrusion prevention, encryption, user authentication, end-user education, patch management and network access control have increased or significantly increased during the last year. Yet just half say they have adequate budget to meet their cybersecurity needs says the report.
Agencies may see budget relief during the next few years, according to an October 2009 forecast on information security spending by market research firm INPUT. It projects federal spending on information security products and services will increase from $7.9 billion in 2009 to $11.7 billion in 2014. This allocation is being made in direct response to heightened attacks, evolving threats and presidential and congressional focus on cybersecurity improvements.
To address cybersecurity issues, agencies are taking a multifaceted approach, focusing on end-user training for internal challenges and cybersecurity tools for external threats, reports the CDW-G paper. To address avoidable end-user mistakes and reduce vulnerabilities, 82 percent of agencies provide ongoing training classes on security policies and procedures. To combat external threats, 81 percent have an Internet firewall and 71 percent have intrusion protection/detection.
Yet despite agency training commitments and technology implementations, many agencies still experience avoidable internal risks. More than 70 percent of agencies have experienced inappropriate Web surfing/downloads in the last 12 months, and more than 40 percent have seen the unauthorized transfer of sensitive information. Federal civilian and defense agencies agree that their top priority for improving agency cybersecurity is more end-user education.
In response, the CDW-G report recommends that federal agencies:
--Reassess end-user training: Establish programs and metrics to measure training success. Communicate security policies that include guidelines for acceptable use and policy acknowledgement. Establish consequences for non-compliance with agency cybersecurity policies.
--Address the mobile threat: Implement a tiered security architecture for mobile assets such as two-factor authentication, VPN sessions, data-at-rest encryption, remote Web filtering and end-point security software to ensure mobile devices are compliant and within policy.
--Implement industry-standard technologies: To reduce malware threats and enforce acceptable use policies, assess the agency enterprise and implement basic cybersecurity tools across the agency enterprise.
--Participate in the Federal Trusted Internet Connections program, which reduces the number of agency Internet connections: Participants confirm improved security.
“During the last several years, Federal agencies have proven they can do more with less in challenging budget environments,” says Lausch. “Unfortunately, they are simply outpaced by organized crime, increasingly sophisticated hackers and state-sponsored professionals. It is time for computer users to step up and take an active role in cybersecurity efforts. Much like Americans have made recycling an everyday task, it is time for users to form a new habit – making smart, network-protecting activity a part of their daily routines.”
Brendan B. Read is TMCnet’s Senior Contributing Editor. To read more of Brendan’s articles, please visit his columnist page.
Edited by Patrick Barnard
» More Security Feature Articles
