The Government Accountability Office has released a report entitled “INFORMATION
SECURITY: Emerging Cybersecurity Issues Threaten Federal Information Systems“.
From the report:
Spam, phishing, and spyware pose security risks to federal information
systems. Spam is a problem not only because of the enormous resources it
demands, but also because it now serves as a means for other types of
attack. Phishing can lead to identity theft and loss of sensitive information;
it can easily result in reduced trust in and therefore use of electronic
government services, thereby reducing the efficiencies that such services
offer. Phishers have targeted federal entities such as the Federal Bureau of
Investigation (FBI), Federal Deposit Insurance Corporation (FDIC), and
the Internal Revenue Service (IRS). Spyware threatens the confidentiality,
integrity, and availability of federal information systems by capturing and
releasing sensitive data, making unauthorized changes to systems,
decreasing system performance, and possibly creating new system
vulnerabilities, all without the user’s knowledge or consent. The blending
of these threats creates additional risks that cannot be easily mitigated with
currently available tools.
Agencies reported varying perceptions of the risks of spam, phishing, and
spyware. In addition, many agencies have not fully addressed the risks of
emerging cybersecurity threats as part of their required agencywide
information security programs, which include performing periodic
assessments of risk; implementing security controls commensurate with
the identified risk; ensuring security-awareness training for agency
personnel; and implementing procedures for detecting, reporting, and
responding to security incidents. An effective security program can assist
in agency efforts to mitigate and respond to these emerging cybersecurity
threats.
Several entities within the federal government and the private sector have
begun initiatives directed toward addressing spam, phishing, and spyware.
These actions range from targeting cybercrime to educating the user and
private-sector community on how to detect and protect systems and
information from these threats. While the initiatives demonstrate an
understanding of the importance of cybersecurity and emerging threats and
represent the first steps in addressing the risks associated with emerging
threats, similar efforts are not being made to assist federal agencies.
Alex Eckelberry
(Thanks to BeSpecific)