Recent Attacks on Federal Web Sites Underscore Need for Stronger Information Security Management
T-AIMD-99-223: Published: Jun 24, 1999. Publicly Released: Jun 24, 1999.
Pursuant to a congressional request, GAO discussed the recent break-ins of federal web sites.
GAO noted that:
(1) the recent series of attacks on federal web sites has primarily focused on defacing, or vandalizing, web site content or initiating denial of service attacks in order to crash servers;
(2) fortunately, the consequences of recent attacks on federal web sites have been largely confined to agency embarrassment and temporary shutdowns of web site service;
(3) in fact, web site attacks can have much more serious consequences;
(4) the recent attacks on federal web sites are a symptom of broader information security concerns across the government;
(5) over the past several years, GAO and inspectors general have identified significant information security weaknesses in each of the 24 largest federal agencies;
(6) these weaknesses include the inability to detect, protect against, and recover from viruses, web site break-ins, and other attacks; inadequately segregated duties, which increase the risk that disgruntled employees as well as intruders can take unauthorized actions without detection; and weak configuration management processes, which cannot prevent unauthorized software from being implemented;
(7) in view of these and other pervasive security weaknesses, in February 1997, GAO designated information security as a new governmentwide high-risk area;
(8) since GAO's High-Risk Report, recognition of the importance of addressing information security problems has greatly increased and has led to significant actions;
(9) agencies can undertake a number of immediate actions to quickly bolster security over their web sites;
(10) organizations can begin by including explicit security requirements when selecting server and host technologies, isolating the web server from the organization's internal network, and offering only essential network services and operating system services on the server host machine;
(11) however, while these and other actions recommended by security experts sound simple enough, implementing them is a resource-intensive activity that requires continuous, automated support and daily administrative effort, according to the Software Engineering Institute; and
(12) to help agencies implement the kind of management framework that is required to effectively respond to evolving security requirements, GAO issued an executive guide describing a framework for managing security risks.
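Point (10) above, "only offer essential network services ... on the server host machine", is the kind of control that needs the continuous, automated checking point (11) describes. The following is an added example, not code from GAO or the Software Engineering Institute: it parses the output format of the Linux `ss -ltnp` command (the sample below is constructed, not captured from any real host) and compares every listening service against a hypothetical allowlist for a public web host, reporting anything that is not on the list or that is bound more widely than policy permits. The allowlist, the management network prefix and the process names are assumptions for illustration.

```python
"""Audit a web host's listening services against an allowlist.

Added example, not GAO or SEI code. Assumes `ss -ltnp` output format;
the sample data and the policy below are constructed for illustration.
"""
import re

# Constructed sample of `ss -ltnp` output for a hypothetical web host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     10.0.5.20:22         0.0.0.0:*          users:(("sshd",pid=540,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=901,fd=21))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1203,fd=4))
LISTEN  0       4096    0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=300,fd=4))
"""

# Hypothetical policy: (port, process) pairs the host may expose, each with
# the address scope permitted. "any" may bind to all interfaces; "mgmt" must
# bind only to an address on the management network.
ESSENTIAL = {
    (80, "nginx"): "any",
    (443, "nginx"): "any",
    (22, "sshd"): "mgmt",
}
MGMT_NET_PREFIX = "10.0.5."   # assumed management network

# One LISTEN row: state, recv-q, send-q, local addr:port, peer, process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Return (address, port, process) tuples for each LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port")), m.group("proc")))
    return listeners


def audit(listeners, essential=ESSENTIAL):
    """Return a finding string for each listener that violates the policy."""
    findings = []
    for addr, port, proc in listeners:
        scope = essential.get((port, proc))
        if scope is None:
            # Not on the essential-services list at all.
            findings.append(f"unexpected service {proc} on {addr}:{port}")
        elif scope == "mgmt" and not addr.startswith(MGMT_NET_PREFIX):
            # Allowed service, but exposed beyond the management interface.
            findings.append(f"{proc} on {addr}:{port} must bind to the management interface only")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(finding)
```

On the constructed sample the audit flags the local MySQL listener, the FTP daemon and rpcbind, and passes the web server and the management-only SSH listener. Running such a check from a scheduled job, with a diff against the previous run, is one concrete form of the "continuous, automated support" that point (11) says the simple-sounding hardening steps actually require.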