Information Security:

Recent Attacks on Federal Web Sites Underscore Need for Stronger Information Security Management

T-AIMD-99-223: Published: Jun 24, 1999. Publicly Released: Jun 24, 1999.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO discussed the recent break-ins of federal web sites.

GAO noted that: (1) the recent series of attacks on federal web sites has primarily focused on defacing, or vandalizing, web site content or on initiating denial of service attacks in order to crash servers; (2) fortunately, the consequences of recent attacks on federal web sites have been largely confined to agency embarrassment and temporary shutdowns of web site service; (3) in fact, web site attacks can have much more serious consequences; (4) the recent attacks on federal web sites are a symptom of broader information security concerns across the government; (5) over the past several years, GAO and inspectors general have identified significant information security weaknesses in each of the largest 24 federal agencies; (6) these weaknesses include the inability to detect, protect against, and recover from viruses, web site break-ins, and other attacks; inadequately segregated duties, which increase the risk that disgruntled employees as well as intruders can take unauthorized actions without detection; and weak configuration management processes, which cannot prevent unauthorized software from being implemented; (7) in view of these and other pervasive security weaknesses, in February 1997, GAO designated information security as a new governmentwide high-risk area; (8) since GAO's High-Risk Report, recognition of the importance of addressing information security problems has greatly increased and has led to significant actions; (9) agencies can undertake a number of immediate actions to quickly bolster security over their web sites; (10) organizations can begin to include explicit security requirements when selecting server and host technologies, isolate the web server from the organization's internal network, and offer only essential network services and operating system services on the server host machine; (11) however, while these and other actions recommended by security experts sound simple enough, implementing them is a resource-intensive activity that requires continuous, automated support and daily administrative effort, according to the Software Engineering Institute; and (12) to help agencies implement the kind of management framework that is required to respond effectively to evolving security requirements, GAO issued an executive guide describing a framework for managing security risks.
