Federal cybersecurity incidents dropped down by 12% in 2018, says FISMA report

• The security assessments revealed the top 5 common security vulnerabilities, which include lack of data protection, lack of network segmentation, inconsistent patch management, lack of strong authentication, and lack of continuous monitoring.
• The report highlights that improper usage and phishing remain the top attack vector.

According to the Office of Management and Budget’s annual report on the Federal Information Security Modernization Act (FISMA), the number of cyber incidents has reduced by 12% in 2018 (31,107) when compared to 2017 (35,277 incidents).

Key highlights

• In FY 2018, the Department of Homeland Security (DHS) conducted 61 HVA assessments, resulting in 356 findings (221 System Architecture Review findings and 135 Risk and Vulnerability Assessment findings).
• These assessments revealed the top 5 common security vulnerabilities, which include lack of data protection, lack of network segmentation, inconsistent patch management, lack of strong authentication, and lack of continuous monitoring.
• The report highlighted that the implementation of privileged network access management hit 94% of the target goal, while the implementation of software asset management went down from 69% in FY 2017 to 58% in 2018.
• Improper usage and phishing remain the top attack vector, with 9674 cyber incidents reported due to improper usage and 6,930 incidents reported due to phishing campaigns.
• Meanwhile, 27% of all the incidents reported during 2018 did not have an identified attack vector.

“While the trend is encouraging, drawing conclusions based on this data point, particularly as agencies have adjusted to several new sets of reporting guidelines over the last few years, would be concerning. As noted earlier, email-based threats remain prevalent, with Email/Phishing continuing to be a highly-targeted attack vector,” the report read.

The bottom line

Even though the cybersecurity incidents have come down, the security assessments reveal that the Federal Government continues to face challenges mitigating basic security vulnerabilities.