
[infowar.de] Re: CIP-Bericht von der US Nat. Academy of Sciences



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

http://www.wired.com/news/infostructure/0,1377,49570,00.html
            U.S. Cyber Security Weakening
Reuters
11:15 a.m. Jan. 8, 2002 PST

U.S. computer systems are increasingly vulnerable to cyber attacks,
partly because companies are not implementing security measures
already available, according to a new report released Tuesday.

"From an operational standpoint, cyber security today is far worse
than what known best practices can provide," said the Computer Science
and Telecommunications Board, part of the National Research Council.

"Even without any new security technologies, much better security
would be possible today if technology producers, operators of critical
systems, and users took appropriate steps," it said in a report
released four months after the events of Sept. 11.

Experts estimate U.S. corporations spent about $12.3 billion to clean
up damage from computer viruses in 2001. Some predict viruses and
worms could cause even more damage in 2002.

The report said a successful cyber attack on the U.S. air traffic
control system in coordination with airline hijackings like those seen
on Sept. 11 could result in a "much more catastrophic disaster
scenario."

To avert such risks, the panel urged organizations to conduct more
random tests of system security measures, implement better
authentication systems and provide more training and monitoring to
make information systems more secure. All these measures were possible
without further research, it said.

Investments in new technologies and better operating procedures could
improve security even further, it noted.

Herbert Lin, senior scientist at the board, said information
technologies were developing at a very rapid rate, but security
measures had not kept pace.

In fact, he said, recommendations for improving security made by the
panel a decade ago were still relevant and timely.

"The fact that the recommendations we made 10 years ago are still
relevant points out that there is a real big problem, structurally and
organizationally, in paying attention to security," Lin said.

"We've been very frustrated in our ability to get people to pay
attention, and we're not the only ones," he added.

Increased security concerns after the Sept. 11 attacks on New York and
Washington could provide fresh impetus for upgrading computer
security, Lin said.

But he warned against merely putting more federal funds into research,
noting that it was essential to implement technologies and best
practices already available.

"The problem isn't research at this point. We could be so much safer
if everyone just did what is possible now," Lin said.

For instance, the report notes that passwords are the most common
method used today to authenticate computer users, despite the fact
that they are known to be insecure.

A hardware token, or smart card, used together with a personal
identification number or biometrics, would provide much better
security for the computer system, the report said.

The report urged vendors of computer systems to provide
well-engineered systems for user authentication based on such hardware
tokens, taking care to make sure they were more secure and convenient
for users.

In addition, it said vendors should develop simple and clear
blueprints for secure operation and ship systems with security
features turned on so that a conscious effort was needed to disable
them.

One big problem was the lack of incentives for companies to respond
adequately to the security challenge, the report said.

It said one possible remedy would be to make software companies,
system vendors and system operators liable for system breaches and to
mandate reporting of security breaches that could threaten critical
social functions.




