SlideShare a Scribd company logo

Government Data Breaches Rise

Rapid7
Rapid7

Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure.

Technology
1 of 10
Download to read offline
Data Breaches in the Government Sector A Rapid7 Research Report
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Summary of Report Across all industries, data breaches and the protection of business-critical data remain a top concern. While the govern- ment sector has remained committed to making investments to prevent data breaches – implementing rigid security best practices, undergoing comprehensive product testing, developing compliance regulations, etc. – government agencies are not immune to breaches. In fact, according to a recent report by the Government Accountability Office (GAO), 18 out of 24 major federal agencies in the United States reported inadequate information security controls for reporting. Rapid7 has found that the government sector has experienced a steady increase in the number of records exposed, and a fluctuating number of incidents over the last three years. From January 1, 2009 to May 31, 2012, there have been 268 breach incidents in government agencies with more than 94 million records1 containing personally identifiable informa- tion (PII) exposed. Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, which includes information from The Open Security Foundation, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure. Key Findings: Cost of Breaches – According to the Ponemon Institute’s 2011 Cost of Data Breach Study, the cost per record has declined from $214 to $194. Number of Breach Incidents by Year – • 2009: 53 • 2010: 102 • 2011: 82 • January – May 31, 2012: 31 Incidents by Breach Type – Types of breaches, number of incidents and reported PII records exposed between Janu- ary 2009 – May 2012: • Unintended disclosure – 78 incidents exposing 11,783,776 records • Portable device – 51 incidents exposing 80,706,983 records • Physical loss – 46 incidents exposing 296,710 records • Hacking or malware – 40 incidents exposing 1,082,749 records • Insider – 39 incidents exposing 177,399 records • Stationary device – 6 incidents exposing 250,650 records • Unknown or other – 8 incidents exposing 5,906 records Locations of Breach Incidents – Top three locations with the highest number of reported incidents: 1. California – 21 incidents exposing 799,849 records (PII) 2. District Of Columbia – 20 incidents exposing 76,126,807 records (PII) 3. Texas – 16 incidents exposing 10,005,910 records (PII) Number of Records Exposed by Year – Year-by-year com- parison of reported breaches (by PII only): • 2009 – 79,109,971 • 2010 – 1,505,877 • 2011 – 4,046,163 • 2012 – 9,642,162 1 According to the Privacy Rights Clearinghouse: www.privacyrights.org, which includes information from The Open Source Foundation
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Overview Today, data breaches have gone mainstream. Whether it’s the LinkedIn password breach or Sony PlayStation Network at- tack, more consumers than ever have received notifications from companies stating that sensitive, personally identifiable information may have been exposed, and detailing next steps for protecting identities, bank and credit card accounts, and other critical applications. As the number of data breaches has increased, so too has the government’s interest in protecting citizens. Following Cali- fornia’s data breach notification law, SB 1386, which went into effect in 2003, all 50 states have adopted laws requiring that businesses notify their residents when their personal information may have been breached. Most recently, Senate Republicans have introduced draft legislation known as the “Data Security and Breach Notification Act of 2012 (S.3333)” to create a single, national standard for reporting data breaches. In addition to standardizing the notification process for a breach, the draft bill will also require that businesses and government agencies “take reasonable measures to protect and secure data in electronic form containing personal information” or face a $500,000-per-incident fine. However, it’s not just the private sector that is responsible for reporting on information security. The Federal Information Security and Management Act (FISMA), enacted in 2002 under the E-Government Act of 2002, required regular report- ing from federal agencies regarding their information security practices. FISMA was then revamped in 2009 to mandate real-time reporting rather than the previously-required annual reports. This new type of reporting would be facilitated by CyberScope, an online reporting tool. While headlines about exposed records by credit card companies, social media sites, and retailers are more common, breaches of government records with personally identifiable information continue to increase as well. In fact, according to The Open Security Foundation’s DataLossDB, government is the second highest industry to report data breaches in 2012. Data and Image Credit: The Open Security Foundation’s DataLossDB Each year, federal agencies are evaluated on their security measures in seven areas, and given scores to illustrate their level of compliance with FISMA to determine whether the agency had, “established and maintained a program that was generally consistent with NIST and OMB’s FISMA requirements, and included the needed attributes; the agency had established and maintained a program that needed significant improvements; (or that) the agency had not established a program for the area.” According to the Fiscal Year 2011 Report to Congress on the Implementation of The Federal Infor- mation Security Management Act of 2002, eight federal agencies scored less than 65 percent.
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Credit: Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002 In that same report, the United States Computer Emergency Readiness Team (US-CERT) received a total of 107,439 reports, 41,776 of which impacted federal government departments and agencies in fiscal year 2010. That number in- creased the following year (FY 2011) to a total of 107,655 reports, 43,889 of which impacted federal government depart- ments and agencies. For incidents that were part of an outside attack, malicious code was the most widely reported incident type by the federal government in fiscal year 2011. One factor in that increase may be the abrupt rise of hacktivism in 2011. Defined as “the use of computers and computer networks as a means of protest to promote political ends,” hacktivism pre-dates 2011. However, its impact on govern- ment infrastructure captured widespread attention when the Tunisian government websites were attacked in January 2011 following its censorship of the Wikileaks documents, and the Tunisian protests. That same year, a variety of govern- ment agencies were attacked and/or their records were exposed, including the Federal Bureau of Investigation, the Government of Brazil, the United States Marine Corp, the United States Department of Homeland Security, NATO, and the California Department of Justice, among others. While these activities encompassed more than data breaches, including denial-of-service attacks, the hacktivism exposed the vulnerability of websites, networks, and databases of government agencies. In addition to hacktivism, government infrastructure comes under attack by other forces, including foreign hackers, and cyberespionage by nation states. Richard Clarke, former White House counter-terrorism adviser, stated in 2011 that “the Chinese have attacked every major U.S. company, every government agency, and [nongovernmental organizations] NGOs” following reports that hackers associated with the Chinese military attacked the Chamber of Commerce.2 In Octo- ber 2011, the Office of the National Counterintelligence Executive, which focuses on espionage against the United States, 2 ABC News Report, “ChineseHackIntoUSChamberofCommerce,AuthoritiesSay,”December2011
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com released a report titled “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace”3 to Congress. This report publicly stated that China and Russia were responsible for stealing trade secrets, technology, and intellectual property. For many of these attacks, the amount of records breached remains unknown. With employee error, malicious insider threats, and outside attacks, including hactivism and cyberespionage, the United States government infrastructure faces increased exposure. Details on Findings I. Number of Incidents by Year For this report, Rapid7 analyzed government data breaches between January 1, 2009 and May 31, 2012. Based on the data provided by the Privacy Rights Clearinghouse, which includes information from The Open Source Foundation, there were a total of 268 incidents during this time frame. Among those incidents, 67 list the number of records exposed as unknown. For the purpose of this report, Rapid7 included those occurrences as part of its analysis for number of inci- dents, breach location and type, but not for number of records exposed. Based on the time frame, there were more incidents of data breaches in 2010 compared to other years – with a near double year-over-year comparison to 2009 – yet 2010 included the lowest number of PII records exposed, with less than 2 million. During 2011, there were 82 incidents with more than 4 million PII records breached (more than doubling 2010) and by May 2012, there were 31 incidents with more than 9 million PII records exposed. Though 2009 may have led with the greatest number of records exposed for the analyzed time frame, most occurred during the month of October, when more than 76 million records were breached. This was a result of one of the larg- est government data breaches in history, when 76 million US veterans’ personally identifiable information was exposed after a defective hard drive was sent to a government vendor for repair and recycle before the data was erased. The hard drive hosted a database of military veterans’ information, (including social security numbers), which according to various reports, potentially dated back to records from 1972. Leading up to that month and specific incident, September of 2009 had no incidents of data breaches. 3 http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Even though less than half of 2012 is being reviewed for this report, the number of records exposed so far has already doubled the total from 2011. As of May 31, 2012, 2012 has reported an estimated 9,642,162 of PII records stolen and 10,816,795 total records (PII and non-PII) breached. When looking at the data from January 2012 to May 31, 2012, April is the highest reported month for breaches. The majority of breaches for the 5-month time frame occurred in this month, which reported approximately 6,780,000 PII and 7,280,000 total records exposed. Throughout each of these years, one group of government employees remained particularly at risk both at the federal and state/local levels: U.S. veterans. From January 1, 2009-May 31, 2012, there were 14 incidents impacting veterans, with more than 76.2 million records with personally identifiable information exposed. The Department of Veteran Affairs experienced multiple breaches (the same agency that scored less than 65 percent in the 2011 FISMA scores). A few of these breaches include: • October 2, 2009: U.S. Military Veterans (District of Columbia) • May 14, 2010: Department of Veterans Affairs (District of Columbia) • November 16, 2010: Education Department, Department of Veterans Affairs (New York) • December 21, 2010: Department of Veterans Affairs (Texas) • January 29, 2011: Veterans Affairs Medical Center (Vermont) • January 20, 2012: Department of Veteran Affairs (District of Columbia) II. Types of Data Breaches
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com For this report, the types of data breaches are divided into eight categories, per the Privacy Rights Clearinghouse, and are defined as: • Unintended disclosure – Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax, or mail. • Hacking or malware – Electronic entry by an outside party, malware, and spyware. • Insider – Someone with legitimate access intentionally breaches information – such as an employee or contrac- tor. • Physical loss – Lost, discarded, or stolen non-electronic records, such as paper documents. • Portable device – Lost, discarded, or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc. • Stationary device – Lost, discarded, or stolen stationary electronic device such as a computer or server not de- signed for mobility. • Unknown or other. From January 2009 through May 31, 2012, employee error and device theft caused the majority of data breaches. Com- bining unintended disclosure, insider threats, physical losses, the loss/theft of portable devices, and the loss/theft of stationary devices, the total number of incidents reached 214 (out of 268), exposing more than 93 million PII records. Of those individual categories, unintended disclosure was the reported leading cause of incidents by type, with 78 occur- rences that exposed the second highest number of records at more than 11 million. This category was followed by por- table devices (50), physical loss (46), hacking/malware (40) and insider threat (39). The theft/loss of stationary devices and unknown categories were the smallest with 6 and 8 incidents. The analysis also shows that the number of incidents caused by hacking is on a steady rise. A year-over-year comparison shows a nearly 50 percent increase from 2009 to 2011. Between January 1, 2012 and May 31, 2012, government agen- cies reported more hacking incidents than any other category.
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com In terms of the type of breach that compromised the greatest amount of PII records, portable devices were at the top, with more than 80 million PII records exposed. The largest case in the portable device category is the incident in October 2009, when 76 million US veterans’ data was exposed as a result of a hard drive that wasn’t erased before being sent out for repair and recycle. The second and third most common types of breaches were unintended disclosure and hacking or malware. Unintended disclosure reported an estimated more than 11.7 million PII and 13.6 million total records exposed. Hacking and malware reported approximately 1.1 million PII and 2.3 million total records exposed. For hacking, the total number of records exposed actually puts the files at additional risk, since hackers and malware use phishing schemes to then convert those public records into PII. In fact, one of the larger reported hacking cases, a hack into the Utah Department of Health com- puter server, involved 280,000 PII records and 780,000 total records exposed, which was not the initially reported num- ber (25,096 PII records and 181,604 total records) when the breach was officially filed. It’s important to note that the hacking category contains many breaches where the number of records exposed was reported as unknown. This makes it impossible to accurately measure the damage. These incidents include many hacking events claimed by Anonymous and Lulzsec, including an attack on the Arizona Department of Public Safety (AZDPS), the Texas Police Chief Association, California Statewide Law Enforcement Association (CSLEA), and the United States Bureau of Justice Statistics (BJS). One incident that was reported involved the Federal Aviation Administration; in 2009 hackers attacked the agency’s computer system, accessing the names and Social Security numbers of employees and retirees. The U.S. Army was also hacked in 2009, when a database of personal information about nearly 1,600 soldiers was pen- etrated by unauthorized users. Aside from unknown types of breaches, which were the lowest recorded number of breaches, the number of insider attacks or errors which led to breaches were actually relatively small, with approximately 177,399 PII records stolen and 211,899 total records exposed.
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com By analyzing the data, it’s clear to see that the number of cases or data breach events remains relatively consistent across the largest categories for records exposed. In other words, while the portable devices category accounts for the largest amount of records breached, the number of incidents involving portable devices (48) is lower than that of unintended disclosure (59). Also, the number of cases in the insider and hacking category is the same, while records breached by an employee or contractor is relatively low (177,399 of PII records and 211,899 total records) compared to records breached by a hacker or malware (1,082,749 PII records and 2,257,796 total records). III. Location of Breaches Among the locations that lead the nation in largest number of breach incidents, California is the highest with 21 events between January 1, 2009 and May 31, 2012. California is followed by the District of Columbia (20) and Texas (16). In terms of size of breaches, the District of Columbia experienced the greatest amount of PII records exposed, with approximately 76 million records exposed during the analyzed time period. Considering the number of federal agen- cies located in the D.C. area, including high-profile organizations, it’s not surprising that the location was the highest in number of breaches. However, despite its concentrated area of government offices and proximity to D.C., Virginia was not the second highest state for the number of records breached. The state that reported the second highest number of breached records was Texas, with approximately 10 million records breached. The top three locations in the United States with the highest number of records breached was rounded out by Oklahoma, with 1.36 million records breached (fol- lowed closely by New York with 1.35 million records). There are a number of states that reported no breaches at all, including Kentucky, Montana, Nevada, North Dakota and South Dakota. Alaska, Delaware, Idaho, New Hampshire, Rhode Island and West Virginia reported one incident each, which exposed fewer than 75,000 records combined. According to the most recent Fedscope data, compiled by the U.S. Office of Personnel Management, the top five largest federal employment locations in the nation include California, Washington D.C., Virginia, Texas, and Maryland. Conclusion: Government agencies are facing an increase in data breaches as a result of cyber attacks, weaknesses in federal informa- tion security controls, and poor best practices for protecting data on portable devices. At the same time, an increase in regulations has led to a rapid rise in IT and security certification costs. For example, costs for FISMA compliance auditing have risen to $1 billion annual and FISMA accreditation costs to $1.3 billion annually. According to the OBM fiscal year
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com 2011 report to Congress on the implementation of FISMA (March 2012), federal agencies are spending $13.3 billion on IT security each year. With this in mind, there are clear steps to ensure that an environment meets compliance regulations as well as company policies on security and risk intelligence. Steps include: 1. Vulnerability Management (Risk Assessment) Federal agencies must discover, assess, prioritize, and mitigate vulnerabilities in both physical and virtual federal comput- ing infrastructures. Best practices include mapping vulnerabilities to alerts generated by IAVA, as required by DISA. 2. Penetration Testing (Risk Validation) After vulnerabilities are discovered and prioritized, IT administrators must validate actual exploitability in federal comput- ing infrastructure to document real, contextual risk through penetration tests and social engineering. 3. Regulatory Compliance (FISMA) Meeting FISMA requirements includes testing security controls that map to NIST SP 800-53 Rev.4 and automating Cyber- Scope reporting, required to submit monthly FISMA metrics. 4. Configuration Compliance IT administrators must perform security audits to establish and maintain compliance with the United States General Con- figuration Benchmarks (USGCB), the Federal Desktop Core Configuration (FDCC) and other SCAP guidelines. 5. Continuous Monitoring As a final step, government IT departments must address NIST SP 800-137 requirements for continuous monitoring and risk-guided decision making.

Recommended

Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher EducationRapid7
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
Privacy trends 2011
Privacy trends 2011Privacy trends 2011
Privacy trends 2011Vladimir Matviychuk
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsResearch on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsYogeshIJTSRD
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technologyEzraGray1
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014
 

Recommended

Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher EducationRapid7
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
Privacy trends 2011
Privacy trends 2011Privacy trends 2011
Privacy trends 2011Vladimir Matviychuk
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsResearch on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsYogeshIJTSRD
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technologyEzraGray1
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014
 
Data Privacy
Data PrivacyData Privacy
Data Privacycliff_rudolph
 
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz..."Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...Cédric Laurant
 
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Andrea Omicini
 
Gebm os presentation final
Gebm os presentation finalGebm os presentation final
Gebm os presentation finalsunnyjoshi88
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?Hayden McCall
 
ONR Blog 1
ONR Blog 1ONR Blog 1
ONR Blog 1Charles (Mac) Hamilton M.A., M.F.A., C.P.C.
 
Consumer Privacy
Consumer PrivacyConsumer Privacy
Consumer PrivacyAshish Jain
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White PaperDmcenter
 
Website and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesWebsite and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesPageFreezer
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesEchoworx
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009canadianlawyer
 
Open Government Data & Privacy Protection
Open Government Data & Privacy ProtectionOpen Government Data & Privacy Protection
Open Government Data & Privacy ProtectionSylvia Ogweng
 
Data Breach Response Checklist
Data Breach Response ChecklistData Breach Response Checklist
Data Breach Response Checklist- Mark - Fullbright
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 
India Legal 17 June 2019
India Legal 17 June 2019India Legal 17 June 2019
India Legal 17 June 2019ENC
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protectionijtsrd
 
Data Protection: Process Information
Data Protection: Process InformationData Protection: Process Information
Data Protection: Process InformationCristina Villavicencio
 
Major Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALMajor Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALLouise Collins
 
Rapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7
 

More Related Content

What's hot

"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz..."Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...Cédric Laurant
 
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Andrea Omicini
 
Gebm os presentation final
Gebm os presentation finalGebm os presentation final
Gebm os presentation finalsunnyjoshi88
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?Hayden McCall
 
Consumer Privacy
Consumer PrivacyConsumer Privacy
Consumer PrivacyAshish Jain
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White PaperDmcenter
 
Website and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesWebsite and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesPageFreezer
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesEchoworx
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009canadianlawyer
 
Open Government Data & Privacy Protection
Open Government Data & Privacy ProtectionOpen Government Data & Privacy Protection
Open Government Data & Privacy ProtectionSylvia Ogweng
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 
India Legal 17 June 2019
India Legal 17 June 2019India Legal 17 June 2019
India Legal 17 June 2019ENC
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protectionijtsrd
 
Major Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALMajor Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALLouise Collins
 

What's hot (20)

Data Privacy
Data PrivacyData Privacy
Data Privacy
 
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz..."Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
 
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
 
Gebm os presentation final
Gebm os presentation finalGebm os presentation final
Gebm os presentation final
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the new
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?
 
ONR Blog 1
ONR Blog 1ONR Blog 1
ONR Blog 1
 
Consumer Privacy
Consumer PrivacyConsumer Privacy
Consumer Privacy
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White Paper
 
Website and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government AgenciesWebsite and Social Media Archiving: A Growing Necessity for Government Agencies
Website and Social Media Archiving: A Growing Necessity for Government Agencies
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the new
 
Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009
 
Open Government Data & Privacy Protection
Open Government Data & Privacy ProtectionOpen Government Data & Privacy Protection
Open Government Data & Privacy Protection
 
Data Breach Response Checklist
Data Breach Response ChecklistData Breach Response Checklist
Data Breach Response Checklist
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
India Legal 17 June 2019
India Legal 17 June 2019India Legal 17 June 2019
India Legal 17 June 2019
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protection
 
Data Protection: Process Information
Data Protection: Process InformationData Protection: Process Information
Data Protection: Process Information
 
Major Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALMajor Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINAL
 

Viewers also liked

Rapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7
 
Combating Phishing Attacks
Combating Phishing AttacksCombating Phishing Attacks
Combating Phishing AttacksRapid7
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityRapid7
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Rapid7
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?Rapid7
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
 

Viewers also liked (9)

Rapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7 CAG Compliance Guide
Rapid7 CAG Compliance Guide
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance Guide
 
Combating Phishing Attacks
Combating Phishing AttacksCombating Phishing Attacks
Combating Phishing Attacks
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization Security
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
Gfr 2005
Gfr 2005Gfr 2005
Gfr 2005
 

Similar to Government Data Breaches Rise

www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docxwww.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docxericbrooks84875
 
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...- Mark - Fullbright
 
National Consumers League 2013 State of ID Theft Report
National Consumers League 2013 State of ID Theft ReportNational Consumers League 2013 State of ID Theft Report
National Consumers League 2013 State of ID Theft Reportnationalconsumersleague
 
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)PwC France
 
CyberSecurityBook[Final]
CyberSecurityBook[Final]CyberSecurityBook[Final]
CyberSecurityBook[Final]Lucy Kitchin
 
Important Issues for Federal Agencies to Consider When Using Social Media and...
Important Issues for Federal Agencies to Consider When Using Social Media and...Important Issues for Federal Agencies to Consider When Using Social Media and...
Important Issues for Federal Agencies to Consider When Using Social Media and...Osterman Research, Inc.
 
Actiance whitepaper-ost-federal-unified-communications
Actiance whitepaper-ost-federal-unified-communicationsActiance whitepaper-ost-federal-unified-communications
Actiance whitepaper-ost-federal-unified-communicationsActiance, Inc.
 
Cryptocurrency enforcement framework - Report by the U.S. Department of Justice
Cryptocurrency enforcement framework - Report by the U.S. Department of JusticeCryptocurrency enforcement framework - Report by the U.S. Department of Justice
Cryptocurrency enforcement framework - Report by the U.S. Department of JusticeLoeb Smith Attorneys
 
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...Hacking Municipal Government Best Practices for Protection of Sensitive Loc...
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...Ben Griffith
 
Breach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoBreach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoJonas Mercier
 
Information or cyber warfare is computer related attacks which a.docx
Information or cyber warfare is computer related attacks which a.docxInformation or cyber warfare is computer related attacks which a.docx
Information or cyber warfare is computer related attacks which a.docxannettsparrow
 
Sheet1x1x2x3x4LHSRHSslackObjective function121015110Material 53420.docx
Sheet1x1x2x3x4LHSRHSslackObjective function121015110Material 53420.docxSheet1x1x2x3x4LHSRHSslackObjective function121015110Material 53420.docx
Sheet1x1x2x3x4LHSRHSslackObjective function121015110Material 53420.docxmaoanderton
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015James Sheehan
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsDavid Sweigert
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-dataNumaan Huq
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportDivya Kothari
 

Similar to Government Data Breaches Rise (20)

The State of Identity Theft in 2013
The State of Identity Theft in 2013The State of Identity Theft in 2013
The State of Identity Theft in 2013
 
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docxwww.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
 
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
 
National Consumers League 2013 State of ID Theft Report
National Consumers League 2013 State of ID Theft ReportNational Consumers League 2013 State of ID Theft Report
National Consumers League 2013 State of ID Theft Report
 
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
 
CyberSecurityBook[Final]
CyberSecurityBook[Final]CyberSecurityBook[Final]
CyberSecurityBook[Final]
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 
Important Issues for Federal Agencies to Consider When Using Social Media and...
Important Issues for Federal Agencies to Consider When Using Social Media and...Important Issues for Federal Agencies to Consider When Using Social Media and...
Important Issues for Federal Agencies to Consider When Using Social Media and...
 
Actiance whitepaper-ost-federal-unified-communications
Actiance whitepaper-ost-federal-unified-communicationsActiance whitepaper-ost-federal-unified-communications
Actiance whitepaper-ost-federal-unified-communications
 
Cryptocurrency enforcement framework - Report by the U.S. Department of Justice
Cryptocurrency enforcement framework - Report by the U.S. Department of JusticeCryptocurrency enforcement framework - Report by the U.S. Department of Justice
Cryptocurrency enforcement framework - Report by the U.S. Department of Justice
 
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...Hacking Municipal Government Best Practices for Protection of Sensitive Loc...
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...
 
Breach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoBreach level index_report_2017_gemalto
Breach level index_report_2017_gemalto
 
Information or cyber warfare is computer related attacks which a.docx
Information or cyber warfare is computer related attacks which a.docxInformation or cyber warfare is computer related attacks which a.docx
Information or cyber warfare is computer related attacks which a.docx
 
Sheet1x1x2x3x4LHSRHSslackObjective function121015110Material 53420.docx
Sheet1x1x2x3x4LHSRHSslackObjective function121015110Material 53420.docxSheet1x1x2x3x4LHSRHSslackObjective function121015110Material 53420.docx
Sheet1x1x2x3x4LHSRHSslackObjective function121015110Material 53420.docx
 
Cyber liability and public entities infographic
Cyber liability and public entities infographic Cyber liability and public entities infographic
Cyber liability and public entities infographic
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standards
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment Report
 
IDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By WrfIDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By Wrf
 

More from Rapid7

[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...Rapid7
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionRapid7
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessRapid7
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyRapid7
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionRapid7
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIORapid7
 

More from Rapid7 (8)

[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's Effectiveness
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD Methodology
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL Injection
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance Guide
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIO
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Government Data Breaches Rise

  • 1. Data Breaches in the Government Sector A Rapid7 Research Report
  • 2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Summary of Report Across all industries, data breaches and the protection of business-critical data remain a top concern. While the govern- ment sector has remained committed to making investments to prevent data breaches – implementing rigid security best practices, undergoing comprehensive product testing, developing compliance regulations, etc. – government agencies are not immune to breaches. In fact, according to a recent report by the Government Accountability Office (GAO), 18 out of 24 major federal agencies in the United States reported inadequate information security controls for reporting. Rapid7 has found that the government sector has experienced a steady increase in the number of records exposed, and a fluctuating number of incidents over the last three years. From January 1, 2009 to May 31, 2012, there have been 268 breach incidents in government agencies with more than 94 million records1 containing personally identifiable informa- tion (PII) exposed. Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, which includes information from The Open Security Foundation, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure. Key Findings: Cost of Breaches – According to the Ponemon Institute’s 2011 Cost of Data Breach Study, the cost per record has declined from $214 to $194. Number of Breach Incidents by Year – • 2009: 53 • 2010: 102 • 2011: 82 • January – May 31, 2012: 31 Incidents by Breach Type – Types of breaches, number of incidents and reported PII records exposed between Janu- ary 2009 – May 2012: • Unintended disclosure – 78 incidents exposing 11,783,776 records • Portable device – 51 incidents exposing 80,706,983 records • Physical loss – 46 incidents exposing 296,710 records • Hacking or malware – 40 incidents exposing 1,082,749 records • Insider – 39 incidents exposing 177,399 records • Stationary device – 6 incidents exposing 250,650 records • Unknown or other – 8 incidents exposing 5,906 records Locations of Breach Incidents – Top three locations with the highest number of reported incidents: 1. California – 21 incidents exposing 799,849 records (PII) 2. District Of Columbia – 20 incidents exposing 76,126,807 records (PII) 3. Texas – 16 incidents exposing 10,005,910 records (PII) Number of Records Exposed by Year – Year-by-year com- parison of reported breaches (by PII only): • 2009 – 79,109,971 • 2010 – 1,505,877 • 2011 – 4,046,163 • 2012 – 9,642,162 1 According to the Privacy Rights Clearinghouse: www.privacyrights.org, which includes information from The Open Source Foundation
  • 3. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Overview Today, data breaches have gone mainstream. Whether it’s the LinkedIn password breach or Sony PlayStation Network at- tack, more consumers than ever have received notifications from companies stating that sensitive, personally identifiable information may have been exposed, and detailing next steps for protecting identities, bank and credit card accounts, and other critical applications. As the number of data breaches has increased, so too has the government’s interest in protecting citizens. Following Cali- fornia’s data breach notification law, SB 1386, which went into effect in 2003, all 50 states have adopted laws requiring that businesses notify their residents when their personal information may have been breached. Most recently, Senate Republicans have introduced draft legislation known as the “Data Security and Breach Notification Act of 2012 (S.3333)” to create a single, national standard for reporting data breaches. In addition to standardizing the notification process for a breach, the draft bill will also require that businesses and government agencies “take reasonable measures to protect and secure data in electronic form containing personal information” or face a $500,000-per-incident fine. However, it’s not just the private sector that is responsible for reporting on information security. The Federal Information Security and Management Act (FISMA), enacted in 2002 under the E-Government Act of 2002, required regular report- ing from federal agencies regarding their information security practices. FISMA was then revamped in 2009 to mandate real-time reporting rather than the previously-required annual reports. This new type of reporting would be facilitated by CyberScope, an online reporting tool. While headlines about exposed records by credit card companies, social media sites, and retailers are more common, breaches of government records with personally identifiable information continue to increase as well. In fact, according to The Open Security Foundation’s DataLossDB, government is the second highest industry to report data breaches in 2012. Data and Image Credit: The Open Security Foundation’s DataLossDB Each year, federal agencies are evaluated on their security measures in seven areas, and given scores to illustrate their level of compliance with FISMA to determine whether the agency had, “established and maintained a program that was generally consistent with NIST and OMB’s FISMA requirements, and included the needed attributes; the agency had established and maintained a program that needed significant improvements; (or that) the agency had not established a program for the area.” According to the Fiscal Year 2011 Report to Congress on the Implementation of The Federal Infor- mation Security Management Act of 2002, eight federal agencies scored less than 65 percent.
  • 4. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Credit: Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002 In that same report, the United States Computer Emergency Readiness Team (US-CERT) received a total of 107,439 reports, 41,776 of which impacted federal government departments and agencies in fiscal year 2010. That number in- creased the following year (FY 2011) to a total of 107,655 reports, 43,889 of which impacted federal government depart- ments and agencies. For incidents that were part of an outside attack, malicious code was the most widely reported incident type by the federal government in fiscal year 2011. One factor in that increase may be the abrupt rise of hacktivism in 2011. Defined as “the use of computers and computer networks as a means of protest to promote political ends,” hacktivism pre-dates 2011. However, its impact on govern- ment infrastructure captured widespread attention when the Tunisian government websites were attacked in January 2011 following its censorship of the Wikileaks documents, and the Tunisian protests. That same year, a variety of govern- ment agencies were attacked and/or their records were exposed, including the Federal Bureau of Investigation, the Government of Brazil, the United States Marine Corp, the United States Department of Homeland Security, NATO, and the California Department of Justice, among others. While these activities encompassed more than data breaches, including denial-of-service attacks, the hacktivism exposed the vulnerability of websites, networks, and databases of government agencies. In addition to hacktivism, government infrastructure comes under attack by other forces, including foreign hackers, and cyberespionage by nation states. Richard Clarke, former White House counter-terrorism adviser, stated in 2011 that “the Chinese have attacked every major U.S. company, every government agency, and [nongovernmental organizations] NGOs” following reports that hackers associated with the Chinese military attacked the Chamber of Commerce.2 In Octo- ber 2011, the Office of the National Counterintelligence Executive, which focuses on espionage against the United States, 2 ABC News Report, “ChineseHackIntoUSChamberofCommerce,AuthoritiesSay,”December2011
  • 5. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com released a report titled “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace”3 to Congress. This report publicly stated that China and Russia were responsible for stealing trade secrets, technology, and intellectual property. For many of these attacks, the amount of records breached remains unknown. With employee error, malicious insider threats, and outside attacks, including hactivism and cyberespionage, the United States government infrastructure faces increased exposure. Details on Findings I. Number of Incidents by Year For this report, Rapid7 analyzed government data breaches between January 1, 2009 and May 31, 2012. Based on the data provided by the Privacy Rights Clearinghouse, which includes information from The Open Source Foundation, there were a total of 268 incidents during this time frame. Among those incidents, 67 list the number of records exposed as unknown. For the purpose of this report, Rapid7 included those occurrences as part of its analysis for number of inci- dents, breach location and type, but not for number of records exposed. Based on the time frame, there were more incidents of data breaches in 2010 compared to other years – with a near double year-over-year comparison to 2009 – yet 2010 included the lowest number of PII records exposed, with less than 2 million. During 2011, there were 82 incidents with more than 4 million PII records breached (more than doubling 2010) and by May 2012, there were 31 incidents with more than 9 million PII records exposed. Though 2009 may have led with the greatest number of records exposed for the analyzed time frame, most occurred during the month of October, when more than 76 million records were breached. This was a result of one of the larg- est government data breaches in history, when 76 million US veterans’ personally identifiable information was exposed after a defective hard drive was sent to a government vendor for repair and recycle before the data was erased. The hard drive hosted a database of military veterans’ information, (including social security numbers), which according to various reports, potentially dated back to records from 1972. Leading up to that month and specific incident, September of 2009 had no incidents of data breaches. 3 http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
  • 6. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Even though less than half of 2012 is being reviewed for this report, the number of records exposed so far has already doubled the total from 2011. As of May 31, 2012, 2012 has reported an estimated 9,642,162 of PII records stolen and 10,816,795 total records (PII and non-PII) breached. When looking at the data from January 2012 to May 31, 2012, April is the highest reported month for breaches. The majority of breaches for the 5-month time frame occurred in this month, which reported approximately 6,780,000 PII and 7,280,000 total records exposed. Throughout each of these years, one group of government employees remained particularly at risk both at the federal and state/local levels: U.S. veterans. From January 1, 2009-May 31, 2012, there were 14 incidents impacting veterans, with more than 76.2 million records with personally identifiable information exposed. The Department of Veteran Affairs experienced multiple breaches (the same agency that scored less than 65 percent in the 2011 FISMA scores). A few of these breaches include: • October 2, 2009: U.S. Military Veterans (District of Columbia) • May 14, 2010: Department of Veterans Affairs (District of Columbia) • November 16, 2010: Education Department, Department of Veterans Affairs (New York) • December 21, 2010: Department of Veterans Affairs (Texas) • January 29, 2011: Veterans Affairs Medical Center (Vermont) • January 20, 2012: Department of Veteran Affairs (District of Columbia) II. Types of Data Breaches
  • 7. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com For this report, the types of data breaches are divided into eight categories, per the Privacy Rights Clearinghouse, and are defined as: • Unintended disclosure – Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax, or mail. • Hacking or malware – Electronic entry by an outside party, malware, and spyware. • Insider – Someone with legitimate access intentionally breaches information – such as an employee or contrac- tor. • Physical loss – Lost, discarded, or stolen non-electronic records, such as paper documents. • Portable device – Lost, discarded, or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc. • Stationary device – Lost, discarded, or stolen stationary electronic device such as a computer or server not de- signed for mobility. • Unknown or other. From January 2009 through May 31, 2012, employee error and device theft caused the majority of data breaches. Com- bining unintended disclosure, insider threats, physical losses, the loss/theft of portable devices, and the loss/theft of stationary devices, the total number of incidents reached 214 (out of 268), exposing more than 93 million PII records. Of those individual categories, unintended disclosure was the reported leading cause of incidents by type, with 78 occur- rences that exposed the second highest number of records at more than 11 million. This category was followed by por- table devices (50), physical loss (46), hacking/malware (40) and insider threat (39). The theft/loss of stationary devices and unknown categories were the smallest with 6 and 8 incidents. The analysis also shows that the number of incidents caused by hacking is on a steady rise. A year-over-year comparison shows a nearly 50 percent increase from 2009 to 2011. Between January 1, 2012 and May 31, 2012, government agen- cies reported more hacking incidents than any other category.
  • 8. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com In terms of the type of breach that compromised the greatest amount of PII records, portable devices were at the top, with more than 80 million PII records exposed. The largest case in the portable device category is the incident in October 2009, when 76 million US veterans’ data was exposed as a result of a hard drive that wasn’t erased before being sent out for repair and recycle. The second and third most common types of breaches were unintended disclosure and hacking or malware. Unintended disclosure reported an estimated more than 11.7 million PII and 13.6 million total records exposed. Hacking and malware reported approximately 1.1 million PII and 2.3 million total records exposed. For hacking, the total number of records exposed actually puts the files at additional risk, since hackers and malware use phishing schemes to then convert those public records into PII. In fact, one of the larger reported hacking cases, a hack into the Utah Department of Health com- puter server, involved 280,000 PII records and 780,000 total records exposed, which was not the initially reported num- ber (25,096 PII records and 181,604 total records) when the breach was officially filed. It’s important to note that the hacking category contains many breaches where the number of records exposed was reported as unknown. This makes it impossible to accurately measure the damage. These incidents include many hacking events claimed by Anonymous and Lulzsec, including an attack on the Arizona Department of Public Safety (AZDPS), the Texas Police Chief Association, California Statewide Law Enforcement Association (CSLEA), and the United States Bureau of Justice Statistics (BJS). One incident that was reported involved the Federal Aviation Administration; in 2009 hackers attacked the agency’s computer system, accessing the names and Social Security numbers of employees and retirees. The U.S. Army was also hacked in 2009, when a database of personal information about nearly 1,600 soldiers was pen- etrated by unauthorized users. Aside from unknown types of breaches, which were the lowest recorded number of breaches, the number of insider attacks or errors which led to breaches were actually relatively small, with approximately 177,399 PII records stolen and 211,899 total records exposed.
  • 9. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com By analyzing the data, it’s clear to see that the number of cases or data breach events remains relatively consistent across the largest categories for records exposed. In other words, while the portable devices category accounts for the largest amount of records breached, the number of incidents involving portable devices (48) is lower than that of unintended disclosure (59). Also, the number of cases in the insider and hacking category is the same, while records breached by an employee or contractor is relatively low (177,399 of PII records and 211,899 total records) compared to records breached by a hacker or malware (1,082,749 PII records and 2,257,796 total records). III. Location of Breaches Among the locations that lead the nation in largest number of breach incidents, California is the highest with 21 events between January 1, 2009 and May 31, 2012. California is followed by the District of Columbia (20) and Texas (16). In terms of size of breaches, the District of Columbia experienced the greatest amount of PII records exposed, with approximately 76 million records exposed during the analyzed time period. Considering the number of federal agen- cies located in the D.C. area, including high-profile organizations, it’s not surprising that the location was the highest in number of breaches. However, despite its concentrated area of government offices and proximity to D.C., Virginia was not the second highest state for the number of records breached. The state that reported the second highest number of breached records was Texas, with approximately 10 million records breached. The top three locations in the United States with the highest number of records breached was rounded out by Oklahoma, with 1.36 million records breached (fol- lowed closely by New York with 1.35 million records). There are a number of states that reported no breaches at all, including Kentucky, Montana, Nevada, North Dakota and South Dakota. Alaska, Delaware, Idaho, New Hampshire, Rhode Island and West Virginia reported one incident each, which exposed fewer than 75,000 records combined. According to the most recent Fedscope data, compiled by the U.S. Office of Personnel Management, the top five largest federal employment locations in the nation include California, Washington D.C., Virginia, Texas, and Maryland. Conclusion: Government agencies are facing an increase in data breaches as a result of cyber attacks, weaknesses in federal informa- tion security controls, and poor best practices for protecting data on portable devices. At the same time, an increase in regulations has led to a rapid rise in IT and security certification costs. For example, costs for FISMA compliance auditing have risen to $1 billion annual and FISMA accreditation costs to $1.3 billion annually. According to the OBM fiscal year
  • 10. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com 2011 report to Congress on the implementation of FISMA (March 2012), federal agencies are spending $13.3 billion on IT security each year. With this in mind, there are clear steps to ensure that an environment meets compliance regulations as well as company policies on security and risk intelligence. Steps include: 1. Vulnerability Management (Risk Assessment) Federal agencies must discover, assess, prioritize, and mitigate vulnerabilities in both physical and virtual federal comput- ing infrastructures. Best practices include mapping vulnerabilities to alerts generated by IAVA, as required by DISA. 2. Penetration Testing (Risk Validation) After vulnerabilities are discovered and prioritized, IT administrators must validate actual exploitability in federal comput- ing infrastructure to document real, contextual risk through penetration tests and social engineering. 3. Regulatory Compliance (FISMA) Meeting FISMA requirements includes testing security controls that map to NIST SP 800-53 Rev.4 and automating Cyber- Scope reporting, required to submit monthly FISMA metrics. 4. Configuration Compliance IT administrators must perform security audits to establish and maintain compliance with the United States General Con- figuration Benchmarks (USGCB), the Federal Desktop Core Configuration (FDCC) and other SCAP guidelines. 5. Continuous Monitoring As a final step, government IT departments must address NIST SP 800-137 requirements for continuous monitoring and risk-guided decision making.