[ISN] FBI to release computer-security updates

From: InfoSec News (isnat_private)
Date: Tue Oct 01 2002 - 02:03:34 PDT

  • Next message: InfoSec News: "Re: [ISN] Prospect of Iraq conflict raises new cyberattack fears"

    By Robert Lemos 
    Staff Writer, CNET News.com
    September 30, 2002, 5:50 PM PT
    The FBI and a prestigious computer-security research group are set to
    announce new initiatives to keep companies up to date on the most
    threatening software vulnerabilities, CNET News.com has learned.
    The FBI's National Infrastructure Protection Center and the SysAdmin,
    Audit, Networking and Security (SANS) Institute, a research and
    education organization made up of government, corporate and academic
    experts, will unveil the initiatives Wednesday, exactly two weeks
    after the Bush Administration released a draft for comment of the
    National Strategy for Securing Cyberspace.
    The SANS-FBI efforts will try to improve how companies deal with the
    multitude of security flaws software companies announce every week.  
    The focus of the initiatives is on identifying security holes and
    delivering tools so companies can plug them, a practical approach
    outlined in the Administration's cybersecurity plan, said Alan Paller,
    director of research for SANS.
    "We have to get rid of the emphasis on threat analysis and work on
    vulnerability analysis," Paller said. "That's because we can fix the
    vulnerabilities, but if we wait until the threat is clear, we will be
    too late."
    While Paller wouldn't provide specifics, News.com has learned that in
    addition to releasing its latest annual list of the Top 20
    vulnerabilities for Windows and Unix systems, the two groups will,
    within the next four months, release an expanded list of the most
    common and dangerous software flaws.
    The organizations may also release a critical vulnerability analysis
    (CVA) report on a weekly basis, which would describe newly discovered
    flaws and how companies have dealt with them. The plans for the weekly
    report are currently in flux, however, and Paller would not comment on
    its status.
    Eliminating the Top 20 flaws
    Although he wouldn't name specific companies, Paller said five
    security firms will participate by building new features into their
    systems to scan corporate networks for vulnerabilities on the Top 20
    list. News.com has learned that Internet Security Systems, Foundstone,
    Qualys, and TippingPoint are four of the five.
    Gerhard Eschelbeck, vice president of engineering for security service
    provider Qualys, said the company would offer a free scan for the
    SANS-FBI Top 20 vulnerabilities to any network owner. While he didn't
    comment on whether Qualys would support the expanded list of flaws the
    organizations plan to release later, Eschelbeck did stress that it
    wouldn't be hard to do so.
    "The beauty of the service-based model that we have is that we can
    distribute signatures with a click of a mouse," Eschelbeck said.
    Network-protection company Internet Security Systems, which has built
    scanning support for the vulnerabilities included in the previous
    lists released by SANS will do so again, said Dan Ingevaldson, leader
    of ISS's research and development team.
    "There are a lot more vendors involved this year," Ingevaldson said.  
    "A whole bunch got together and made a choice over what should be
    included in the list."
    This will be the third year that the SANS Institute has released a
    list of top flaws. In June 2000, the organization listed its Top 10.  
    It updated that to a Top 20 in October 2001. Companies that eliminate
    the vulnerabilities on the Top 20 list from their networks will have
    made themselves immune to approximately 80 percent of all attacks on
    the Internet, Paller said.
    To show how effective such tools can be, the SANS Institute and the
    FBI will point to system administrators at NASA, who used a
    vulnerability-focused approach to eliminate security problems with
    their network. Details from that study haven't yet been released.
    "NASA is the poster child for this," said Paller.
    In addition, the Federal Computer Incident Response Center (FedCIRC)  
    will take part in the announcement.
    Lists of confusion
    Not everyone is enamored of the new initiatives, however.
    At least one security consultant familiar with the announcement
    worried that the planned expansion of the list from 20 to perhaps as
    many as 100 vulnerabilities could just cause more confusion.
    "We just have too many databases already," he said, asking not to be
    Purdue University maintains the Common Vulnerability Database, and
    most security companies have their own databases as well. In addition,
    the Common Vulnerability Encyclopedia, run by the Mitre Group, is a
    central repository and Rosetta stone that links together the various
    definitions companies create for the same vulnerabilities.
    But Paller said that's exactly why such lists are needed. He stressed
    that the new list would direct companies to the most-serious of the
    three dozen or so vulnerabilities that appear each week and add depth
    to the other databases.
    The databases "all look at this elephant from a slightly different
    perspective," Paller said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 05:15:41 PDT