[ISN] Firms Respond to White House Cybersecurity Call

From: InfoSec News (isnat_private)
Date: Wed Oct 02 2002 - 01:50:55 PDT

  • Next message: InfoSec News: "[ISN] Infamous Hacker's Laptop Up For Auction"

    http://www.washingtonpost.com/wp-dyn/articles/A28403-2002Oct1.html
    
    By Brian Krebs
    washingtonpost.com Staff Writer
    Tuesday, October 1, 2002; 3:46 PM 
    
    In a coup for the Bush administration's anti-regulatory approach to
    cybersecurity, a handful of leading network security firms on
    Wednesday will launch new products to protect government and
    private-sector networks from the most serious Internet security
    threats.
    
    For the first time, some of the biggest IT security vendors in the
    country are cooperating on defining the top 20 threats, overcoming a
    history of frequently disagreeing over which vulnerabilities deserve
    the most urgent attention.
    
    People familiar with the program say it will figure prominently in IT
    security efforts under the proposed Department of Homeland Security
    and the White House's strategy for protecting the nation's most
    critical systems from cyberattack.
    
    Government security experts have long been hampered by disagreements
    among the private network security firms that are hired to test and
    protect government systems, said Alan Paller, director of research at
    the SANS Institute, a leading IT security research organization that
    has close ties to the government.
    
    "One of the most fascinating pieces of data we found is that vendors
    differ completely on what they consider the worst threats," he said.  
    "It's almost as if these companies operate in different universes."
    
    Having a standardized list of the most important vulnerabilities makes
    it easier for security vendors to develop intrusion detection and
    scanning tools, Paller said.
    
    At least five IT security vendors will use Wednesday's event to unveil
    product upgrades that cater to the top 20 threats, including Mission
    Viejo, Calif.-based Foundstone, Austin, Texas-based TippingPoint and
    Atlanta-based Internet Security Systems Inc.
    
    One computer security firm based in Silicon Valley -- Qualys Inc. --
    plans to launch a free online service that will allow companies to
    test their internal networks against the top threat list.
    
    The White House is leading the creation of a national cybersecurity
    strategy that has been criticized by some experts for failing to
    include strict security guidelines and mandates for the private
    sector. The fact that private firms are cooperating with the
    government to identify and defeat top threats dovetails with the
    administration's line that the government can take the lead in raising
    awareness about cybersecurity without imposing strict rules on the
    private sector.
    
    Wednesday's announcement is being hosted by the General Services
    Administration (GSA), which plays a leading role in coordinating the
    government's acquistion of goods and services, including IT security,
    from private companies. The GSA is expected to announce the creation
    of a task force to foster use of the top 20 list in future security
    testing contracts.
    
    The GSA plans to ask the chief information officers of federal
    agencies to follow NASA's lead on tackling IT security. After years of
    failing to fix persistent vulnerabilities in its networks, the space
    agency recently conducted a top-down review of its security audit
    processes.
    
    What NASA found, according to a case study to be released Wednesday,
    was that the commercial vulnerability scans turned up tens of
    thousands of security holes but offered little or conflicting guidance
    as to which problems were the most urgent. The workload so overwhelmed
    and confused NASA system administrators that they ended up
    accomplishing almost nothing.
    
    NASA subsequently surveyed some 120,000 computers at its 10 field
    offices to learn which vulnerabilities were being exploited the most,
    and ordered administrators to patch those holes in more manageable
    batches of two dozen or so at a time. NASA administrators also created
    a friendly competition between the field offices to see which one
    could patch the holes first.
    
    NASA is now on its fourth wave of vulnerability testing, and has
    managed to drastically reduce the number of successful hacker attacks.  
    The agency's security effort will come under scrutiny again next
    month, when the General Accounting Office issues its annual computer
    security report cards to two dozen federal agencies. The agency earned
    a grade of "C-minus" for 2001, well above the grade of "F" that most
    federal agencies earned last year.
    
    Certainly not all federal employees are as motivated by a
    technological challenge as the average NASA engineer. But the agency's
    experience has plenty of relevance for private-sector security
    administrators and consultants who frequently struggle under
    near-impossible workloads, said Dan Ingevaldson, team leader for the
    research arm of Internet Security Systems.
    
    "Everyone is fully aware of the amount of information and work
    scanners can generate," Ingevaldson said. "That's why it's so
    important to have some sort of consensus across the board that tells
    (systems administrators) what they should look at right now and what
    could potentially be put off until the next week."
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 03:43:38 PDT