SPECIAL REPORT: Security Directives & Compliance


Top IT Security Threats

With federal IT security breaches on the rise, policy makers, federal oversight organizations, industry think tanks and academia are providing updates on the worst threats faced by government IT infrastructures.

According to data reported by the U.S. Computer Emergency Readiness Team (US-CERT), reported attacks on U.S. government computer networks climbed 40% last year, and more infiltrators are trying to plant malicious software they could use to control or steal sensitive data. Accounts of unauthorized access to government computers and installations of hostile programs rose from a combined 3,928 incidents in 2007 to 5,488 in 2008. The latest report, issued in February 2009, represented a small sampling - just 1% of federal agencies have fully developed tracking systems - and some of the uptick in reported attacks may be due to better reporting in the last year.

Government networks are targeted by foreign nations seeking intelligence, such as China and Russia, as well as criminal groups and individuals who may want to disrupt power, communication or financial systems. Some attackers are less interested in stealing data than in undermining a system’s ability to operate by planting software that could slow critical networks in emergencies. Security industry observers expressed alarm about phishing, in which seemingly legitimate e-mails solicit sensitive information, and ‘web redirects,’ which shunt a computer to a website where it downloads malicious software. According to reports, fewer attacks are being used to take down an organization’s entire IT system. Instead, attacks now penetrate IT systems without impairing them, primarily to siphon out sensitive information without detection.


In general, security industry observers say the biggest security risks emerge from:

*Policy shortcomings – an under-developed, outdated or inadequate security policy, or a failure to enforce policies can introduce risks such as employee misconduct, experimentation, hacking and other improper actions.

*Hacker attacks – Viruses, worms, denial-of-service attacks, web-defacement and hacker penetration are still common and lead to downtime, lost productivity, loss of reputation, and possible fines and other monetary expenses.

*Theft or loss of systems and/or data – Without key security measures in place, organizations face losses due to theft or accidental misplacement of assets. Leakage of proprietary information and data can result in system downtime, loss of proprietary information and/or sensitive data.

*Human error – a lack of security awareness among employees can lead to leakage of proprietary data, even through personal emails and ‘social engineering’ schemes. Misconfigured systems also present vulnerabilities; misconfiguration can result from experimentation, accidental employee actions, allowing security fixes to get out of date, failure to periodically review risks and policies, and changes in services and service level offerings.

A group called Information Infrastructure Protection (I3P), a national consortium of leading academic institutions, federally-funded labs and non-profit organizations dedicated to strengthening the U.S. cybersecurity infrastructure, issued a report in February that listed the following factors as the fastest growing security threats in 2009:

*Insider threats – perpetrators inside an organization leveraging access to corporate information.

*Persistent targeted threats – sophisticated threats targeting proprietary or sensitive information, often through faked email messages or the exploitation of a series of individually innocuous vulnerabilities.

*Supply chain threats – The danger of counterfeit or tampered computer hardware and software provided by vendors and suppliers, often based overseas.

*Attacks against data – While great emphasis has been placed on securing data in transit, defending data against unauthorized editing is often overlooked.

*IT security arms race – A threat considered asymmetrical, as adversaries focus time and money on attacks, while the target, such as U.S. government organizations, must prioritize spending on IT security among other budget items.

*Unpunished attacks – Adversaries overseas emboldened by the difficulty of prosecution across national boundaries.