[ISN] U.S. Cyber Security Weakening

From: InfoSec News (isnat_private)
Date: Wed Jan 09 2002 - 04:00:49 PST

  • Next message: InfoSec News: "[ISN] U.S. Department of Justice on Benjamin Troy Breuninger"

    11:15 a.m. Jan. 8, 2002 PST  
    U.S. computer systems are increasingly vulnerable to cyber attacks,
    partly because companies are not implementing security measures
    already available, according to a new report released Tuesday.
    "From an operational standpoint, cyber security today is far worse
    that what known best practices can provide," said the Computer Science
    and Telecommunications Board, part of the National Research Council.
    "Even without any new security technologies, much better security
    would be possible today if technology producers, operators of critical
    systems, and users took appropriate steps," it said in a report
    released four months after the events of Sept. 11.
    Experts estimate U.S. corporations spent about $12.3 billion to clean
    up damage from computer viruses in 2001. Some predict viruses and
    worms could cause even more damage in 2002.
    The report said a successful cyber attack on the U.S. air traffic
    control system in coordination with airline hijackings like those seen
    on Sept. 11 could result in a "much more catastrophic disaster
    To avert such risks, the panel urged organizations to conduct more
    random tests of system security measures, implement better
    authentication systems and provide more training and monitoring to
    make information systems more secure. All these measures were possible
    without further research, it said.
    Investments in new technologies and better operating procedures could
    improve security even further, it noted.
    Herbert Lin, senior scientist at the board, said information
    technologies were developing at a very rapid rate, but security
    measures had not kept pace.
    In fact, he said, recommendations for improving security made by the
    panel a decade ago were still relevant and timely.
    "The fact that the recommendations we made 10 years ago are still
    relevant points out that there is a real big problem, structurally and
    organizationally, in paying attention to security," Lin said.
    "We've been very frustrated in our ability to get people to pay
    attention, and we're not the only ones," he added.
    Increased security concerns after the Sept. 11 attacks on New York and
    Washington could provide fresh impetus for upgrading computer
    security, Lin said.
    But he warned against merely putting more federal funds into research,
    noting that it was essential to implement technologies and best
    practices already available.
    "The problem isn't research at this point. We could be so much safer
    if everyone just did what is possible now," Lin said.
    For instance, the report notes that passwords are the most common
    method used today to authenticate computer users, despite the fact
    that they are known to be insecure.
    A hardware token, or smart card, used together with a personal
    identification number or biometrics, would provide much better
    security for the computer system, the report said.
    The report urged vendors of computer systems to provide
    well-engineered systems for user authentication based on such hardware
    tokens, taking care to make sure they were more secure and convenient
    for users.
    In addition, it said vendors should develop simple and clear
    blueprints for secure operation and ship systems with security
    features turned on so that a conscious effort was needed to disable
    One big problem was the lack of incentives for companies to respond
    adequately to the security challenge, the report said.
    It said one possible remedy would be to make software companies,
    system vendors and system operators liable for system breaches and to
    mandate reporting of security breaches that could threaten critical
    social functions.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 10:13:16 PST