
[] Intruders due to security holes, wisdom from Wired

Do OS Vendors Sell Lemons? 
By Robert Zarate 
7:18 a.m. March 8, 2002 PST 

WASHINGTON -- Government Web intrusions mainly occur because vendors sell 
systems with security holes, a researcher told a federal advisory panel on 

Alan Paller, director of research at the SANS Institute, presented his 
findings to a National Institute of Standards and Technology body that was 
meeting to discuss minimum cybersecurity standards for the U.S. 

Paller noted a report from that found that in 100 days, 37 
dot-gov and dot-mil websites had suffered defacement attacks. 

"How could so many websites be hacked? The answer was that the system was 
sold broken," he told NIST's Computer System Security and Privacy Advisory 
Board. "Vendors sell systems with known and unknown vulnerabilities." 

Paller cited a well-known vulnerability in Microsoft Windows NT 4.0 and 
2000, which allowed the Code Red II virus to make some 150,000 systems 
vulnerable to attack. 

But he praised the efforts of Sandia National Laboratories, which now has 
a purchasing policy of buying systems deemed explicitly "safe" by vendors. 

To bolster computer security, Paller recommended that agencies not only 
intensively educate their system administrators, but that they 
continuously monitor statistics for Web security and obtain certification 
showing that minimum standards have been met. "System administrators 
cannot be the only defense," Paller said. "If training system admins to be 
smarter is the only defense we have, we're not going to get better." 

Created by the 1987 Computer Security Act, the NIST panel is charged with 
examining cybersecurity and privacy issues surrounding sensitive 
unclassified information in federal computer systems. 

Not much has changed since 1987. In the committee report accompanying the 
Computer Security Act, Congress complained that "only five of 25 Federal 
computer systems surveyed by (auditors) contained minimum safeguards, and 
only two of 25 systems offered formal training sessions for computer 

The NIST group is responsible for making security-related recommendations 
to the Commerce Department, Congress and the National Security Agency. Its 
current members include Marilyn Bruneau of Andersen, Mary Forte of the 
National Security Agency, Richard Guida from Johnson & Johnson, Susan 
Landau of Sun Microsystems and Steven Lipner, a manager at Microsoft's 
Security Response Center. 

Franklin Reeder, the group's chairman, said the Sept. 11 terrorist attacks 
have altered the board's function. "The environment in which the board 
operates, the perception of the role of security and the (board's) 
relevancy have changed," Reeder said. 

NASA's deputy CIO, David Nelson, said his agency had improved since it 
garnered a C-minus in an unflattering report card last fall. 

"We think we're (now) at about a B-minus," he said. "We think NASA is 
approaching competence. In the next three years we will be striving for 

Nelson attributed NASA's possibly passing grade to its decision to 
establish "cybersecurity" metrics, calculating figures like the ratio of 
attempted break-ins to successful ones. "We track metrics quarterly and 
discuss them with management," he said. 

Last November, a House subcommittee released a report on computer security 
in the federal government. Of the 24 federal departments and agencies that 
the subcommittee reviewed, 16 received failing grades and only three 
agencies earned grades above a D+. 

More spending played a role in NASA's success, Nelson said. "We spent $2.2 
billion on IT, and $110 million in IT security," he said. "I don't agree 
with someone who says you can buy security on the cheap. But I don't think 
you can buy your way out of insecurity." 
