http://www.washingtonpost.com/wp-dyn/articles/A28403-2002Oct1.html

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, October 1, 2002; 3:46 PM

In a coup for the Bush administration's anti-regulatory approach to
cybersecurity, a handful of leading network security firms on
Wednesday will launch new products to protect government and
private-sector networks from the most serious Internet security
threats.

For the first time, some of the biggest IT security vendors in the
country are cooperating on defining the top 20 threats, overcoming a
history of frequently disagreeing over which vulnerabilities deserve
the most urgent attention.

People familiar with the program say it will figure prominently in IT
security efforts under the proposed Department of Homeland Security
and the White House's strategy for protecting the nation's most
critical systems from cyberattack.

Government security experts have long been hampered by disagreements
among the private network security firms that are hired to test and
protect government systems, said Alan Paller, director of research at
the SANS Institute, a leading IT security research organization that
has close ties to the government.

"One of the most fascinating pieces of data we found is that vendors
differ completely on what they consider the worst threats," he said.
"It's almost as if these companies operate in different universes."

Having a standardized list of the most important vulnerabilities makes
it easier for security vendors to develop intrusion detection and
scanning tools, Paller said.

At least five IT security vendors will use Wednesday's event to unveil
product upgrades that cater to the top 20 threats, including Mission
Viejo, Calif.-based Foundstone, Austin, Texas-based TippingPoint and
Atlanta-based Internet Security Systems Inc.

One computer security firm based in Silicon Valley -- Qualys Inc. --
plans to launch a free online service that will allow companies to
test their internal networks against the top threat list.

The White House is leading the creation of a national cybersecurity
strategy that has been criticized by some experts for failing to
include strict security guidelines and mandates for the private
sector. The fact that private firms are cooperating with the
government to identify and defeat top threats dovetails with the
administration's line that the government can take the lead in raising
awareness about cybersecurity without imposing strict rules on the
private sector.

Wednesday's announcement is being hosted by the General Services
Administration (GSA), which plays a leading role in coordinating the
government's acquistion of goods and services, including IT security,
from private companies. The GSA is expected to announce the creation
of a task force to foster use of the top 20 list in future security
testing contracts.

The GSA plans to ask the chief information officers of federal
agencies to follow NASA's lead on tackling IT security. After years of
failing to fix persistent vulnerabilities in its networks, the space
agency recently conducted a top-down review of its security audit
processes.

What NASA found, according to a case study to be released Wednesday,
was that the commercial vulnerability scans turned up tens of
thousands of security holes but offered little or conflicting guidance
as to which problems were the most urgent. The workload so overwhelmed
and confused NASA system administrators that they ended up
accomplishing almost nothing.

NASA subsequently surveyed some 120,000 computers at its 10 field
offices to learn which vulnerabilities were being exploited the most,
and ordered administrators to patch those holes in more manageable
batches of two dozen or so at a time. NASA administrators also created
a friendly competition between the field offices to see which one
could patch the holes first.

NASA is now on its fourth wave of vulnerability testing, and has
managed to drastically reduce the number of successful hacker attacks.
The agency's security effort will come under scrutiny again next
month, when the General Accounting Office issues its annual computer
security report cards to two dozen federal agencies. The agency earned
a grade of "C-minus" for 2001, well above the grade of "F" that most
federal agencies earned last year.

Certainly not all federal employees are as motivated by a
technological challenge as the average NASA engineer. But the agency's
experience has plenty of relevance for private-sector security
administrators and consultants who frequently struggle under
near-impossible workloads, said Dan Ingevaldson, team leader for the
research arm of Internet Security Systems.

"Everyone is fully aware of the amount of information and work
scanners can generate," Ingevaldson said. "That's why it's so
important to have some sort of consensus across the board that tells
(systems administrators) what they should look at right now and what
could potentially be put off until the next week."

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]