Page 34 - FCW, July 15, 2016

BackStory: High-impact cyber risks
The Government Accountability Office surveyed 18 agencies that run high-impact systems and found 2,267 security incidents in a single year — nearly 500 of which involved installation of malicious code on the systems. Other key findings include:
9.4
Percentage of federal systems classified as high impact
Percentage of reported incidents that involved high-impact systems
Who’s attacking high-impact systems most often?
Nations: 15 of 18 agencies
Hackers/hacktivists: 10 of 18 agencies
Malicious insiders: 6 of 18 agencies
Criminal groups: 4 of 18 agencies
Terrorists: 1 of 18 agencies
Unknown/other: 12 of 18 agencies

The most frequent attack methods include:
Phishing and spear phishing: 17 of 18 agencies
Credentials-based attacks: 10 of 18 agencies
SQL injections: 7 of 18 agencies
Watering holes: 7 of 18 agencies
Trusted third parties: 6 of 18 agencies

The biggest obstacles to identifying threats:
1. Continuous changes in technology
2. Employees
3. Lack of governmentwide information sharing
4. Rapidly changing threats

And the guidance cited as most useful:
1. NIST publications
2. Agency-specific guidance
3. DISA’s security technical implementation guides
4. OMB memoranda
5. NSA guidance

Which attackers are most serious?
Nations: 18 of 18 agencies
Malicious insiders: 12 of 18 agencies
Hackers/hacktivists: 8 of 18 agencies
Criminal groups: 5 of 18 agencies
Terrorists: 5 of 18 agencies
Unknown/other: 6 of 18 agencies

The most serious threat vectors are:
Email: 18 of 18 agencies
Web: 17 of 18 agencies
Improper usage: 8 of 18 agencies
Impersonation/spoofing: 6 of 18 agencies
Source: “Agencies Need to Improve Controls over Selected High-Impact Systems” (GAO-16-501)