You may have seen in the news that the White House’s audit of federal agencies came back with findings of poor security. 97 agencies participated in the assessment, and 74% of them were at risk or at high risk. The briefing can be read in full here:
It’s about 20 pages, so not too long.
A few of the gems from the report:
One of the agencies audited has 62 (or more) independent email services just for that single agency. The audit points to that as, “How in the world are you going to protect your users from phishing with this situation, since there is no way that you can monitor inbound and outbound mail in this environment?” Sixty-two mail services.
Good news: 73% of the agencies had implemented encryption for data in transit that met federal standards. Bad news: only 16% met standards for data at rest. Which means - someone gets into the network, it’s kid in a candy store time.
The most horrifying piece of the report was the situational awareness part: 30,899 recorded “cyber incidents”, including 11,802 where nobody could figure out how the attack happened or who was behind it. With those numbers, I’d bet that there is a particularly high number of “cyber incidents” that went undetected.