Suche innerhalb des Archivs / Search the Archive All words Any words

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[] noch eine FBI-Initiative gegen Computerverwundbarkeiten,

Zu generellen Debatte um die (möglichen? realen? übertriebenen?)
Cyber-Bedrohungen ein schönes Zitat:
"We have to get rid of the emphasis on threat analysis and work on
vulnerability analysis," Paller said. "That's because we can fix the
vulnerabilities, but if we wait until the threat is clear, we will be
too late."

FBI to release computer-security updates

By Robert Lemos 
Staff Writer, CNET
September 30, 2002

The FBI and a prestigious computer-security research group are set to
announce new initiatives to keep companies up to date on the most
threatening software vulnerabilities, CNET has learned.

The FBI's National Infrastructure Protection Center and the SysAdmin,
Audit, Networking and Security (SANS) Institute, a research and
education organization made up of government, corporate and academic
experts, will unveil the initiatives Wednesday, exactly two weeks
after the Bush Administration released a draft for comment of the
National Strategy for Securing Cyberspace.

The SANS-FBI efforts will try to improve how companies deal with the
multitude of security flaws software companies announce every week.  
The focus of the initiatives is on identifying security holes and
delivering tools so companies can plug them, a practical approach
outlined in the Administration's cybersecurity plan, said Alan Paller,
director of research for SANS.

"We have to get rid of the emphasis on threat analysis and work on
vulnerability analysis," Paller said. "That's because we can fix the
vulnerabilities, but if we wait until the threat is clear, we will be
too late."

While Paller wouldn't provide specifics, has learned that in
addition to releasing its latest annual list of the Top 20
vulnerabilities for Windows and Unix systems, the two groups will,
within the next four months, release an expanded list of the most
common and dangerous software flaws.

The organizations may also release a critical vulnerability analysis
(CVA) report on a weekly basis, which would describe newly discovered
flaws and how companies have dealt with them. The plans for the weekly
report are currently in flux, however, and Paller would not comment on
its status.

Eliminating the Top 20 flaws

Although he wouldn't name specific companies, Paller said five
security firms will participate by building new features into their
systems to scan corporate networks for vulnerabilities on the Top 20
list. has learned that Internet Security Systems, Foundstone,
Qualys, and TippingPoint are four of the five.

Gerhard Eschelbeck, vice president of engineering for security service
provider Qualys, said the company would offer a free scan for the
SANS-FBI Top 20 vulnerabilities to any network owner. While he didn't
comment on whether Qualys would support the expanded list of flaws the
organizations plan to release later, Eschelbeck did stress that it
wouldn't be hard to do so.

"The beauty of the service-based model that we have is that we can
distribute signatures with a click of a mouse," Eschelbeck said.

Network-protection company Internet Security Systems, which has built
scanning support for the vulnerabilities included in the previous
lists released by SANS will do so again, said Dan Ingevaldson, leader
of ISS's research and development team.

"There are a lot more vendors involved this year," Ingevaldson said.  
"A whole bunch got together and made a choice over what should be
included in the list."

This will be the third year that the SANS Institute has released a
list of top flaws. In June 2000, the organization listed its Top 10.  
It updated that to a Top 20 in October 2001. Companies that eliminate
the vulnerabilities on the Top 20 list from their networks will have
made themselves immune to approximately 80 percent of all attacks on
the Internet, Paller said.

To show how effective such tools can be, the SANS Institute and the
FBI will point to system administrators at NASA, who used a
vulnerability-focused approach to eliminate security problems with
their network. Details from that study haven't yet been released.

"NASA is the poster child for this," said Paller.

In addition, the Federal Computer Incident Response Center (FedCIRC)  
will take part in the announcement.

Lists of confusion

Not everyone is enamored of the new initiatives, however.

At least one security consultant familiar with the announcement
worried that the planned expansion of the list from 20 to perhaps as
many as 100 vulnerabilities could just cause more confusion.

"We just have too many databases already," he said, asking not to be

Purdue University maintains the Common Vulnerability Database, and
most security companies have their own databases as well. In addition,
the Common Vulnerability Encyclopedia, run by the Mitre Group, is a
central repository and Rosetta stone that links together the various
definitions companies create for the same vulnerabilities.

But Paller said that's exactly why such lists are needed. He stressed
that the new list would direct companies to the most-serious of the
three dozen or so vulnerabilities that appear each week and add depth
to the other databases.

The databases "all look at this elephant from a slightly different
perspective," Paller said.

Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.