[ISN] Ex-cybercop: Hackers not the only problem

From: InfoSec News (isnC4I.ORG)
Date: Thu Apr 12 2001 - 21:33:35 CDT


http://news.cnet.com/news/0-1003-200-5586254.html?tag=tp_pr

By Robert Lemos
Special to CNET News.com
April 12, 2001, 10:20 a.m. PT

But the lack of security on corporate networks and the Internet is
more the fault of the victims--and the security industry--and not the
attackers, Michael Vatis, the United States' former top cybercop, said
during the Wednesday panel discussion.

"It's not just the hackers who are the threats but all of us who are
part of the problem as well," said Vatis, former executive director of
the federal government's National Infrastructure Protection Center.

Vatis joined three other security experts in a 45-minute panel to
discuss today's threats to network security.

While not condoning the defacement of Web sites or penetration of
networks, Vatis, now the director of the Institute for Security
Technology Studies at Dartmouth College, said vandals have done some
good.

"Hackers have done a lot in recent years to raise the awareness of the
threat than" anyone in the government, he said.

That threat has only increased over the past few years, according to
the latest study from the San Francisco-based Computer Security
Institute.

In the study, released in March, more than 40 percent of companies
surveyed said intruders had broken into their systems from the
Internet, up from 25 percent the year before. Another 38 percent of
the companies detected denial-of-service attacks, up from 27 percent,
and 94 percent had a computer virus incident in 2000, up from 85
percent the year before.

"Everyone can understand the profits that you can make in cyberspace,
but only a few people understand the losses that you can have,"
Richard Power, editorial director of the Computer Security Institute
and author of the security book "Tangled Web," told the assembled
security professionals.

Philip Reitinger, deputy chief of the computer crime and intellectual
property section at the U.S. Department of Justice's Criminal
Division, stressed that many corporate insecurities are caused by
networks becoming much more complex.

"It's a bit like trying to spackle all the holes in a huge block of
Swiss cheese," he told the gathered security specialists and system
administrators.

Worse, he added, is that it's not just a single company's networks
that a security manager has to worry about. The distributed
denial-of-service attacks that halted traffic to Yahoo and others for
several hours in February 2000 illustrated that the security of
others' networks can affect everyone.

"Your security may depend upon others who you expect to be secure,"
Reitinger said.

Yet there is a corporate culture of ducking the problem, said Gregory
Schaffer, director of PricewaterhouseCoopers' cybercrime prevention
practice.

While government and law enforcement are looking to nail the intruder,
companies just want to get their networks up and running after an
attack.

"The private sector's not concerned with finding someone to blame,"
Schaffer said. "They just want (an attack) to stop."

The general consensus: Before networks can be secure, that myopia has
to be corrected.
