[infowar.de] Intruders because of security holes
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
Wisdom from Wired
-------------------------
http://www.wired.com/news/politics/0,1283,50931,00.html?tw=ascii
Do OS Vendors Sell Lemons?
By Robert Zarate
7:18 a.m. March 8, 2002 PST
WASHINGTON -- Government Web intrusions mainly occur because vendors sell
systems with security holes, a researcher told a federal advisory panel on
Thursday.
Alan Paller, director of research at the SANS Institute, presented his
findings to a National Institute of Standards and Technology body that was
meeting to discuss minimum cybersecurity standards for the U.S.
government.
Paller noted a report from Attrition.org that found that in 100 days, 37
dot-gov and dot-mil websites had suffered defacement attacks.
"How could so many websites be hacked? The answer was that the system was
sold broken," he told NIST's Computer System Security and Privacy Advisory
Board. "Vendors sell systems with known and unknown vulnerabilities."
Paller cited a well-known vulnerability in Microsoft IIS on Windows NT 4.0
and 2000, which the Code Red II worm exploited, leaving some 150,000
systems open to further attack.
But he praised the efforts of Sandia National Laboratories, which now has
a purchasing policy of buying systems deemed explicitly "safe" by vendors.
To bolster computer security, Paller recommended that agencies not only
intensively educate their system administrators, but that they
continuously monitor statistics for Web security and obtain certification
showing that minimum standards have been met. "System administrators
cannot be the only defense," Paller said. "If training system admins to be
smarter is the only defense we have, we're not going to get better."
Created by the 1987 Computer Security Act, the NIST panel is charged with
examining cybersecurity and privacy issues surrounding sensitive
unclassified information in federal computer systems.
Not much has changed since 1987. In the committee report accompanying the
Computer Security Act, Congress complained that "only five of 25 Federal
computer systems surveyed by (auditors) contained minimum safeguards, and
only two of 25 systems offered formal training sessions for computer
users."
The NIST group is responsible for making security-related recommendations
to the Commerce Department, Congress and the National Security Agency. Its
current members include Marilyn Bruneau of Andersen, Mary Forte of the
National Security Agency, Richard Guida from Johnson & Johnson, Susan
Landau of Sun Microsystems and Steven Lipner, a manager at Microsoft's
Security Response Center.
Franklin Reeder, the group's chairman, said the Sept. 11 terrorist attacks
have altered the board's function. "The environment in which the board
operates, the perception of the role of security and the (board's)
relevancy have changed," Reeder said.
NASA's deputy CIO, David Nelson, said his agency had improved since it
garnered a C-minus in an unflattering report card last fall.
"We think we're (now) at about a B-minus," he said. "We think NASA is
approaching competence. In the next three years we will be striving for
excellence."
Nelson attributed NASA's possibly passing grade to its decision to
establish "cybersecurity" metrics, calculating figures like the ratio of
attempted break-ins to successful ones. "We track metrics quarterly and
discuss them with management," he said.
Last November, a House subcommittee released a report on computer security
in the federal government. Of the 24 federal departments and agencies that
the subcommittee reviewed, 16 received failing grades and only three
agencies earned grades above a D+.
More spending played a role in NASA's success, Nelson said. "We spent $2.2
billion on IT, and $110 million in IT security," he said. "I don't agree
with someone who says you can buy security on the cheap. But I don't think
you can buy your way out of insecurity."
---------------------------------------------------------------
To leave the list: send mail to infowar - de-request -! - infopeace - de
with "unsubscribe" in the message body.