From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 19 Sep 2001 18:55:35 -0700 (PDT)
Subject: [iwar] [fc:Who's.Protecting.Our.Infrastructure?]

SEPTEMBER 18, 2001
SECURITY NET
By Alex Salkever

Who's Protecting Our Infrastructure? No one.
Computer-security standards that would thwart hacker terrorism against utility, telecom, health-care, or power systems don't exist

Chris Wysopal, a computer-security expert, was scheduled to brief the Senate Governmental Affairs Committee in Washington, D.C., on Wednesday, Sept. 12. But when the Federal Aviation Administration grounded all national air travel after two hijacked planes struck the World Trade Center towers and a third set the Pentagon ablaze, Wysopal's appearance was postponed indefinitely.

His message, however, should not get drowned out in the din of war talk. A noted good-guy hacker and the research director of Web-security company @stake, Wysopal planned to deliver a candid assessment of how utilities, telecoms, and other critical national infrastructure providers protect their computer networks.

A HODGEPODGE. Wysopal's assessment? Much work remains to be done. While some critical infrastructure providers have rock-solid protections, all too many have neglected even the basic steps of encrypting databases, auditing their networks, and patching security holes on all their servers. When it comes to network security, "there need to be some minimum requirements," says Wysopal. "There are none now."

With major military action looming and the economy reeling, shoring up computer security among infrastructure providers might not seem a top priority. It would cost money, obviously, and might be inconvenient. Nevertheless, President George W. Bush should add the protection of infrastructure -- and the crucial computer systems that control it -- to the growing list of mandates under the rubric "Homeland Defense." The very backbone of what makes America strong is the reliable provision of water, power, communications, and health care. Without these services, our ability to wage a war and to project power would be severely diminished.
Furthermore, the disruptions to normal life unleashed if determined, malicious hacker-terrorists were successful could be disastrous.

A BIT SHOCKING. How shaky is the protection of the computer networks embedded in our critical national infrastructure? That's hard to tell right now. Says Wysopal, who has audited security at a number of infrastructure providers: "It varies across the board. I have seen some excellent security in some places and very poor in others." That's about par for a field where no national standards have been developed. But it's a bit shocking considering what's at stake. Imagine the chaos that could ensue should a terrorist act of mass destruction be combined with induced power or telecom outages.

Obviously, cell phones played a crucial role in the aftermath of the New York disaster. For many, they were the only means of contact with the outside world. Yet earlier this summer, Verizon Wireless, the nation's largest cell-phone provider, encountered horrendous problems after someone hacked into a customer database and dumped credit-card records into various Internet chat rooms. Many security experts commented, in the wake of that incident, that Verizon should do a total security audit. In response, the company said it would vigorously investigate the issue and put in place preventive measures.

POROUS 911. Here's another truly terrifying tale from a man who should know -- Thomas Noonan, the CEO of Internet Security Systems. One of the largest computer-security companies in the world, ISS builds software and sells protection services. That makes Noonan a personal target for nefarious hackers. Small wonder a police officer shows up at his front door at least once a week in response to "calls" by hackers who break into the 911 system. "It's just their way of letting me know that they can find me if they want," says Noonan.
It also means that the 911 system, a decentralized but critical part of the infrastructure, needs a major network security overhaul.

No question, the cost of bringing infrastructure providers' systems up to snuff could well stretch into the billions. But what's a few more billion, considering the types of spending the U.S. is now looking at in the name of Homeland Defense? Computer-security standards for critical companies could end up being well worth the cost.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Douglas Harbrecht

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT