[ISN] Security czar points finger of blame

From: InfoSec News (isnat_private)
Date: Thu Aug 01 2002 - 03:39:39 PDT

    http://news.com.com/2100-1001-947409.html?tag=fd_top
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    July 31, 2002, 2:42 PM PT
    
    LAS VEGAS -- Software makers and Internet service providers must share
    the blame for the nation's vulnerable networks, President Bush's
    special adviser on cyberspace security said Wednesday.
    
    Speaking to a thousand attendees at the annual Black Hat Security
    briefings here, Richard Clarke identified five specific groups
    responsible for the vulnerability and said that people who can secure
    the Internet must step up to the plate.
    
    "There are a lot of people in our country that rely on cyberspace, who
    are not taking responsibility for securing their part of cyberspace,"  
    he said.
    
    The speech, which precedes the Bush administration's rollout on Sept.  
    18 of the national strategy for critical infrastructure protection,
    outlined many of the issues that Clarke and others had to consider in
    constructing the new strategy.
    
    The major issue, Clarke said, is that companies and organizations that
    create the hardware, software and services that make up the Internet
    aren't doing enough to secure their products. In laying the blame for
    the vulnerabilities in the Internet, he pointed not only to software
    makers and ISPs, but also to those who create and use wireless
    networks, to the lack of a group responsible for securing the
    Internet, and to the government itself.
    
    While he didn't outline the national strategy's recommendations,
    Clarke's list of the five groups shows whom the government is
    targeting with the new initiative.
    
    Clarke saved much of his rhetoric to lambaste the software industry.
    
    "The software industry has an obligation to do a better job producing
    software that works," he said. "It's no longer acceptable that we can
    buy software and run software on sensitive systems that is filled with
    glitches."
    
    Clarke pointed to statistics published by the Computer Emergency
    Response Team (CERT) Coordination Center that show that the number of
    software vulnerabilities found by researchers has increased every
    year. The number of flaws found to date has already surpassed the
    total flaws found last year, he said.
    
    He also said that while few firms acknowledged the incidents, nearly
    every major financial and banking company was hit hard by the Nimda
    virus last September. He cited damage figures of nearly $3 billion
    attributed to the virus.
    
    He stressed, however, that the virus got into computers through
    vulnerabilities that at the time were known.
    
    "It's not because the vulnerabilities have not been identified (that
    Nimda spread), but because the patches had not been applied," he said.
    
    He called on software makers to provide patches that are easy to
    install and also have been checked for compatibility with the major
    software applications used by most companies.
    
    "That's why Nimda was so successful," he said. "Not because (the
    system administrators) didn't have a chance to put the patches on but
    because they wanted to test the patches themselves."
    
    ISPs to step up
    
    Internet service providers also have to be more security conscious,
    Clarke said. By selling broadband connectivity to home users without
    making security a priority, telecommunications companies, cable
    providers and ISPs have not only opened the nation's homes to attack,
    but also created a host of computers with fast connections that have
    hardly any security.
    
    "Millions of houses are getting connected, which means that more and
    more are getting vulnerable," he said.
    
    In a measure of how greatly wireless networks are undermining
    corporate and home-user security, Clarke put such networks in his top
    five of security offenders. Already, he said, the Department of
    Defense has ordered the shutdown of all wireless LANs in use within
    the department and in the various military forces.
    
    "Companies throughout the country have networks that are wide open
    because of wireless LANs," he said.
    
    Clarke also called on the government to drive more secure standards
    for the Internet and for the Net's gurus to form an organization
    responsible for the network's security.
    
    Clarke likened the situation to Winston Churchill's early warnings of
    Germany's air force buildup prior to World War II that prepared Great
    Britain for the air war against Germany. He said that today's system
    administrators must do the same.
    
    "You all have responsibility to be Winston Churchills, to be out there
    in front of anyone who will listen to say we are vulnerable," he told
    the attendees. "If a cyberwar comes, and come it will, we will be like
    the (Royal Air Force) and win."
    