[ISN] Government Plans Computer Lock-Down
From: William Knowles (wkC4I.ORG)
Date: Wed May 03 2000 - 18:03:42 CDT
[Forwarded by: Darek Milewski <darek.milewskipl.pwcglobal.com>]
Government Plans Computer Lock-Down
Attacks are rising, but U.S. computer chiefs have a plan to
make the net safe for e-government.
By Kevin Poulsen
April 20, 2000 12:29 AM PST
Washington -- Key U.S. government Chief Information Officers said
Wednesday that a comprehensive computer security plan to be released
this summer will clear the way for a new wave of government functions
and services to be safely put on the Internet.
"What we are doing now is developing a series of benchmarks that would
allow us to provide to agencies examples of good security practices
tied to a specific set of government services," said Department of
Energy CIO John Gilligan. "We're going to draw a series of examples
and use those examples to draw what we think are benchmark security
and privacy practices, then share that with the various agencies."
Gilligan serves as co-chair of the Federal CIO Council's Security,
Privacy and Critical Infrastructure Committee. Together with the CIOs
of the Commerce and State Departments, he outlined the Committee's
plans at an industry briefing at FOSE 2000 -- an information
technology exposition for government agencies.
Federal agencies have been criticized for lagging behind private
industry in serving the public online -- most recently in a March
report from the centrist Democratic think tank The Progressive Policy
Institute. Gilligan blamed hackers for the delays, offering that
government CIOs "felt constrained by questions and concerns about
The CIOs' response: a virtual Bible of government computer security
practices that will address web based information services, online
government procurement and financial transactions with the public over
the Internet. It's due to be released to all federal agencies this
summer, with a broader plan promised in the fall.
'All you have to know is how to point and click a mouse and you can
hack people.' -- Fernando Burbano, State Department CIO
Attacks up, but less Successful
A 1996 law established the position of Chief Information Officer in
all major Federal departments and agencies to spur the development of
cost-efficient technological initiatives within the government. The
CIO Council was created by Executive Order to act as the principal
interagency forum for information technology matters.
The Council's Security, Privacy and Critical Infrastructure Committee
is responsible for developing security practices for government
networks, a task that's taken on increased urgency in the wake of
high-profile Denial of Service attacks, web hacks on government sites,
and growing concern in Congress and at the White House over
Fernando Burbano, the State Department's CIO, blamed the availability
of automated hacking tools like L0phtcrack and BO2K for the
government's computer security woes. "What really makes it worse is in
the early 1980s it used to take a lot of sophistication to hack," said
Burbano. "All you have to know now is how to point and click a mouse
and you can hack people."
Indicating a screenshot of nmap in his PowerPoint slide show, Burbano
explained, "Nmap is freeware that probes networks by sending data
packets to ports... All you have to know is how to point and click
Despite easy-to-use scripts, Gilligan said that DOE systems are
holding their own. While the number of attacks is increasing at a
"non-linear" rate, "fortunately, the number of successful attacks is
actually steady and decreasing as a percentage," said Gilligan.
Burbano noted the same trend with State Department computers.
Last month, the Senate Governmental Affairs Committee approved the
Government Information Security Act, after hearing testimony from
federal computer security experts and hacker Kevin Mitnick. The
legislation would require agencies to submit to an annual independent
audit of their information security programs and practices.