http://www.washingtonpost.com/wp-dyn/articles/A28403-2002Oct1.html

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, October 1, 2002; 3:46 PM

In a coup for the Bush administration's anti-regulatory approach to cybersecurity, a handful of leading network security firms on Wednesday will launch new products to protect government and private-sector networks from the most serious Internet security threats.

For the first time, some of the biggest IT security vendors in the country are cooperating on defining the top 20 threats, overcoming a history of frequently disagreeing over which vulnerabilities deserve the most urgent attention. People familiar with the program say it will figure prominently in IT security efforts under the proposed Department of Homeland Security and the White House's strategy for protecting the nation's most critical systems from cyberattack.

Government security experts have long been hampered by disagreements among the private network security firms that are hired to test and protect government systems, said Alan Paller, director of research at the SANS Institute, a leading IT security research organization that has close ties to the government.

"One of the most fascinating pieces of data we found is that vendors differ completely on what they consider the worst threats," he said. "It's almost as if these companies operate in different universes."

Having a standardized list of the most important vulnerabilities makes it easier for security vendors to develop intrusion detection and scanning tools, Paller said.

At least five IT security vendors will use Wednesday's event to unveil product upgrades that cater to the top 20 threats, including Mission Viejo, Calif.-based Foundstone, Austin, Texas-based TippingPoint and Atlanta-based Internet Security Systems Inc. One computer security firm based in Silicon Valley -- Qualys Inc.
-- plans to launch a free online service that will allow companies to test their internal networks against the top threat list.

The White House is leading the creation of a national cybersecurity strategy that has been criticized by some experts for failing to include strict security guidelines and mandates for the private sector. The fact that private firms are cooperating with the government to identify and defeat top threats dovetails with the administration's line that the government can take the lead in raising awareness about cybersecurity without imposing strict rules on the private sector.

Wednesday's announcement is being hosted by the General Services Administration (GSA), which plays a leading role in coordinating the government's acquisition of goods and services, including IT security, from private companies. The GSA is expected to announce the creation of a task force to foster use of the top 20 list in future security testing contracts.

The GSA plans to ask the chief information officers of federal agencies to follow NASA's lead on tackling IT security. After years of failing to fix persistent vulnerabilities in its networks, the space agency recently conducted a top-down review of its security audit processes.

What NASA found, according to a case study to be released Wednesday, was that the commercial vulnerability scans turned up tens of thousands of security holes but offered little or conflicting guidance as to which problems were the most urgent. The workload so overwhelmed and confused NASA system administrators that they ended up accomplishing almost nothing.

NASA subsequently surveyed some 120,000 computers at its 10 field offices to learn which vulnerabilities were being exploited the most, and ordered administrators to patch those holes in more manageable batches of two dozen or so at a time. NASA administrators also created a friendly competition between the field offices to see which one could patch the holes first.
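The NASA approach the article describes (rank raw scan output by how often each hole is actually being exploited, then hand administrators the work in waves of about two dozen) can be sketched as a small prioritizer. This is an added example, not code from the article, NASA or any vendor named in it; the finding records, vulnerability identifiers, exploitation counts and consensus list are constructed sample data, and the field layout is an assumption.

```python
"""Turn a flood of scanner findings into ranked patch waves.

Ranking key, most urgent first:
  1. how many intrusions traced back to the hole (the exploitation survey),
  2. whether the hole is on the shared consensus list (the "top 20"),
  3. how many hosts carry it,
  4. the identifier, so the order is stable.
"""
from collections import Counter, defaultdict

# Constructed scan output: (host, vulnerability id). A real scan of
# 120,000 machines yields tens of thousands of such rows.
SCAN_FINDINGS = [
    ("web-01", "VULN-A"), ("web-02", "VULN-A"), ("web-03", "VULN-A"),
    ("db-01", "VULN-B"), ("web-01", "VULN-B"),
    ("mail-01", "VULN-C"),
    ("web-02", "VULN-D"), ("db-01", "VULN-D"),
    ("hr-01", "VULN-E"),
]

# Constructed incident data: intrusions attributed to each hole.
EXPLOITED = Counter({"VULN-C": 9, "VULN-A": 4})

# Constructed stand-in for the vendor consensus list.
CONSENSUS_TOP = {"VULN-A", "VULN-D"}


def hosts_by_vuln(findings):
    """Group scan rows so each hole maps to the set of hosts carrying it."""
    hosts = defaultdict(set)
    for host, vuln in findings:
        hosts[vuln].add(host)
    return hosts


def rank_vulns(findings, exploited, consensus):
    """Return vulnerability ids ordered by the key described above."""
    hosts = hosts_by_vuln(findings)
    return sorted(hosts, key=lambda v: (-exploited.get(v, 0),
                                        v not in consensus,
                                        -len(hosts[v]), v))


def waves(findings, exploited, consensus, size=24):
    """Split the ranked list into fixed-size work orders of (vuln, hosts)."""
    hosts = hosts_by_vuln(findings)
    ranked = rank_vulns(findings, exploited, consensus)
    return [[(v, sorted(hosts[v])) for v in ranked[i:i + size]]
            for i in range(0, len(ranked), size)]


if __name__ == "__main__":
    for n, wave in enumerate(waves(SCAN_FINDINGS, EXPLOITED, CONSENSUS_TOP, size=2), 1):
        print(f"wave {n}:", wave)
```

With the default wave size of 24 the five constructed holes fit in a single wave; `size=2` in the demo shows the batching.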
NASA is now on its fourth wave of vulnerability testing, and has managed to drastically reduce the number of successful hacker attacks.

The agency's security effort will come under scrutiny again next month, when the General Accounting Office issues its annual computer security report cards to two dozen federal agencies. The agency earned a grade of "C-minus" for 2001, well above the grade of "F" that most federal agencies earned last year.

Certainly not all federal employees are as motivated by a technological challenge as the average NASA engineer. But the agency's experience has plenty of relevance for private-sector security administrators and consultants who frequently struggle under near-impossible workloads, said Dan Ingevaldson, team leader for the research arm of Internet Security Systems.

"Everyone is fully aware of the amount of information and work scanners can generate," Ingevaldson said. "That's why it's so important to have some sort of consensus across the board that tells (systems administrators) what they should look at right now and what could potentially be put off until the next week."

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 03:43:38 PDT