[iwar] "securing" windows (fwd)

From: Fred Cohen (fc@all.net)
Date: 2002-07-17 08:06:48


To: iwar@onelist.com (Information Warfare Mailing List)

Fred,

FYI (From AP, I believe):

Jul 17, 2:40 AM (ET)

By D. IAN HOPPER 
WASHINGTON (AP) - The Pentagon, the National Security Agency and private
organizations have developed security standards for Microsoft's most popular
business computer operating system in order to stop the most common assaults
against federal networks.

The government will announce the standards on Wednesday to show federal
computer engineers how to alter Microsoft's Windows 2000 operating system to
make it more secure.

Government experts hope that the benchmarks will solve an embarrassing
problem that affects both federal and private computer networks, largely by
plugging security holes most hackers already know about.

Technology research firm Gartner estimated recently that through 2005, 90
percent of computer attacks will use known security flaws for which a
solution is available.

"It's a massive problem," said Clint Kreitner, head of the Center for
Internet Security, a partnership of companies and American and Canadian
government agencies. "They slap their systems on the Net and get ready to
go, then wonder why they get breached in the next 10 minutes."

Most recent attacks were written and released by bored kids testing their
skills, but the government is becoming more concerned about organized
attacks against federal computers from terrorists or foreign governments.

"What we're trying to do is have a government and industry partnership to
set benchmarks for frequently used software," said Richard Clarke, the
president's computer security adviser.

The Windows 2000 standards - a how-to guide to change security settings -
will be required for Defense Department computers, and the White House is
considering whether to require the same for the rest of the government.
Standards guides for other software will follow.

Several government agencies have had their own security standards for some
time. What's new about Wednesday's announcement is that the various agencies
have agreed on a single standard - a difficult task that was worked out
about three months ago.

Experts at CIS, the NSA and the Commerce Department's National Institute for
Standards and Technology had three different candidates for standards at
first. On April 18, the authors met in a room at NIST offices in Maryland.

"They were told they could leave as soon as they came to an agreement," said
Alan Paller of the SANS Institute, a research and education group involved
in the announcement.

That night, they had a document several hundred pages long describing how to
make Windows 2000 secure but still usable.

That was only half the battle, though. Clarke said they wanted to make it
easy for federal network engineers to make the changes.

"You'd give a 200-page document to a system administrator, and say, 'Have a
nice day,'" Clarke said. "So no one did it."

To fix that, the government has a software tool that grades computer
security so that everyone, from the engineers to top executives, understands
how secure their computers are. The tool then recommends changes.

The standards and the tool will be offered free to anyone. The experts hope
that private companies will adopt the standards as well and encourage
software makers to ship their products in a more secure configuration.

"If it's just government, it won't have as much value as if it's government
and the private sector," Clarke said.

Intel Corp., Visa and Chevron are already part of the private partnership
that will promote the standards.

Some government agencies, including the Air Force, are hoping that within a
year they can use their procurement power to require that vendors offer more
secure versions of their software based on the standards.

"Now we can go to Microsoft and others to say that this is our common set of
expectations," Air Force Chief Information Officer John Gilligan said.
"Right now, we're doing the work. We can then get into negotiations about
how they can subsume a substantial part of that work."

Microsoft has seen the standards and offered some suggestions to the final
product.

The standards aren't an end-all solution for computer security. Clarke said
computer security is as much employee training as it is good software. But
the experts see it as a solid first step.

"It'll reduce the low-hanging fruit," Clarke said. "Given the growing
sophistication of hackers, we're going to continue to have problems."

L. Scott Maruoka

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT