US federal agencies report 28,581 security incidents across nine attack vector categories in 2019

Improper usage was identified as the most common attack vector last year

The US federal agencies made significant progress last year in improving their overall cyber security posture and meeting the cyber security targets set by the White House.

That's according to the latest Federal Information Security Modernization Act (FISMA) Annual Report [PDF], submitted to the US Congress last week and showing an 8 per cent decrease in cyber security incidents reported across federal agencies in fiscal 2019.

In total, US federal agencies reported 28,581 security incidents across nine attack vector categories in 2019, compared to 31,107 incidents in the previous year.

As per FISMA report, improper usage was the most common attack vector used in 12,507 incidents.

The popularity of this attack vector among cyber actors suggests that federal agencies "have processes or capabilities that detect when a security policy is being violated, but lack automated enforcement or prevention mechanisms".

Nearly 25 per cent of all security incidents were reported without an identified attack vector, suggesting a need for additional steps from the government to help federal agencies ascertain the sources and vectors in such incidents.

Email/phishing was the third most popular mode of cyber attack against the US federal agencies. This method was used in 4,388 security incidents.

Other attack modes used in cyber security incidents last year included web-based attacks (1982 incidents), loss or theft of equipment (1885 incidents), attrition (332 incidents), multiple attack vectors (165 incidents), external/removable media (47 incidents), and impersonation/spoofing (35 incidents).

FISMA report says that most of the incidents reported last year did not involve user data, and therefore, they were not publicly disclosed. Only three incidents required public disclosure due to mishandling of users' data. These incidents occurred within Department of Homeland Security agencies and were found to have minimal or negligible impact on user data.

In one incident, the Federal Emergency Management Agency shared personally identifiable information of nearly 895,000 disaster hurricane survivors with a third-party volunteer organisation. The impact of this data breach was Minimal.

In another incident, a ransomware attack was reported at a contractor that manufactured license plate readers used by the US Customs and Border Protection. The attack enabled attackers to exfiltrate license plate images and facial images of travellers inside of a vehicle. The impact of this breach was Negligible.

In third incident, the Federal Emergency Management Agency accidentally shared the PII of nearly 2.5 million hurricane survivors with a contractor responsible for meeting temporary shelter needs. The impact of this data breach was determined to be Low.