Auditors Cite Need for Better Cyber Incident Investigations

The Air Force failed to effectively manage and investigate numerous cyber events in 2009, according to a recent Air Force Audit Agency report based on an audit conducted in 2010. For example, the Air Force Computer Emergency Response Team, which is responsible for monitoring suspicious activity on the Air Force network, did not investigate 23 percent (18 of 78) of the "category 5" cyber events reviewed, the AFAA auditors found. A category 5 event is activity that could expose Air Force systems to increased risk, such as an Air Force user accessing a domain known to host malicious files. Network personnel also failed to implement corrective actions, such as restricting access to certain websites, streaming media, and social networking sites, that would prevent cyber incidents from recurring, the auditors stated. The report recommended, and the Air Force agreed, that 24th Air Force, USAF's cyber operations arm, should increase its network storage capacity so that personnel can retain audit logs long enough to identify and track malicious websites. The Air Force should also establish a standard list of restricted proxy server categories, according to the report. These changes are expected to be in place by January. (Full report; caution, large file.)