[iwar] [fc:Feds.Eye.Setting.Software.Standards.Software.Makers.Warned.to.Improve.Security.-.Or.Else]

From: Fred Cohen (fc@all.net)
Date: 2001-10-03 13:32:00



Feds Eye Setting Software Standards: Software Makers Warned to Improve Security - Or Else
By Tech Live staff

Oct. 3 - If software companies don't start doing a better job of fixing
vulnerabilities in their products, they could face formal government
standards, a top federal official warned Monday. 

The comments came from John Gilligan, acting chief information officer
(CIO) for the Air Force and a representative of the Federal CIO Council,
a government body tasked with addressing IT security issues. 

During an FBI cybersecurity briefing in Washington Monday, Gilligan
said the rise in malicious code attacks in recent years - from the
Melissa virus to the recent Nimda worm - highlights key vulnerabilities
that, if exploited, could lead to attacks capable of crippling the US
economy and communications network.  The interdependence of computers on
the Internet means "we are only as strong as the weakest link," Gilligan
said. 

Software Patches Only Offer Temporary Solution

Part of the problem, he said, is that software makers too often take a
"find and patch" approach to designing products, releasing software with
latent security holes on the assumption that the problems will be found
and fixed later. 

"None of us can afford the cost of a continual race against would-be
cyberattackers using the current 'find and patch' approach to deal with
latent vulnerabilities in commercial software packages," Gilligan said. 
"Simply the economic cost of this 'find and patch' mode of operating is
enormous."

Gilligan said increased political tensions following the September 11
terrorist attacks on the World Trade Center and the Pentagon are likely
to result in an escalation of computer-based attacks in the future. 
Software makers need to either voluntarily change product design and
release cycles to reflect this heightened threat or risk formal
government intervention, he said. 

Gilligan's warning comes less than a week after a Gartner Research
report urged businesses to replace Microsoft Internet Information
Services Web server software immediately with products from other firms
with a better track record of dealing with security holes. 

Although Gilligan praised Microsoft for its "aggressive actions" to
improve internal security processes, that still is not enough, he said. 

"I think the first step is to establish a set of standards," Gilligan
said.  "Beyond that, the next step would be to, through some contractual
or legal expectation, have some reinforcement of that.  And I think what
we'll see is an evolution of that over the upcoming months."

Cybersecurity Could Be a Major Issue for Homeland Security Office

According to Alan Paller of the nonprofit SANS Institute, which often
works with the FBI to assess computer threats, industry leaders already
have begun the process of setting formal security standards for software
under a project sponsored by the Center for Internet Security. 

Moreover, cybersecurity could soon be a top issue with the newly created
Office of Homeland Security, Gilligan said.  Over the next couple of
months, Gilligan said he and the other members of the Federal CIO
Council plan to work with the newly created agency to make increased
cybersecurity part of the overall US domestic defense plan. 

Copyright 2001 TechTV, Inc. 

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:53 PST