News from 20 years ago

Do OS Vendors Sell Lemons?

2020-11-22T19:05:00

Government Web intrusions mainly occur because vendors sell systems with security holes, a researcher told a federal advisory panel on Thursday. Alan Paller, director of research at the SANS Institute, presented his findings to a National Institute of Standards and Technology body that was meeting to discuss minimum cybersecurity standards for the U.S. government.


Paller noted a report from Attrition.org that found that in 100 days, 37 dot-gov and dot-mil websites had suffered defacement attacks.

“How could so many websites be hacked? The answer was that the system was sold broken,” he told NIST’s Computer System Security and Privacy Advisory Board. “Vendors sell systems with known and unknown vulnerabilities.”

Paller cited a well-known vulnerability in Microsoft Windows NT 4.0 and 2000, which allowed the Code Red II virus to make some 150,000 systems vulnerable to attack.

But he praised the efforts of Sandia National Laboratories, which now has a purchasing policy of buying systems deemed explicitly “safe” by vendors.

To bolster computer security, Paller recommended that agencies not only intensively educate their system administrators, but that they continuously monitor statistics for Web security and obtain certification showing that minimum standards have been met. “System administrators cannot be the only defense,” Paller said. “If training system admins to be smarter is the only defense we have, we’re not going to get better.”

Created by the 1987 Computer Security Act, the NIST panel is charged with examining cybersecurity and privacy issues surrounding sensitive unclassified information in federal computer systems.

Not much has changed since 1987. In the committee report accompanying the Computer Security Act, Congress complained that “only five of 25 Federal computer systems surveyed by (auditors) contained minimum safeguards, and only two of 25 systems offered formal training sessions for computer users.”

The NIST group is responsible for making security-related recommendations to the Commerce Department, Congress and the National Security Agency. Its current members include Marilyn Bruneau of Andersen, Mary Forte of the National Security Agency, Richard Guida from Johnson & Johnson, Susan Landau of Sun Microsystems and Steven Lipner, a manager at Microsoft’s Security Response Center.

Franklin Reeder, the group’s chairman, said the Sept. 11 terrorist attacks have altered the board’s function. “The environment in which the board operates, the perception of the role of security and the (board’s) relevancy have changed,” Reeder said.

NASA’s deputy CIO, David Nelson, said his agency had improved since it garnered a C-minus in an unflattering report card last fall.

“We think we’re (now) at about a B-minus,” he said. “We think NASA is approaching competence. In the next three years we will be striving for excellence.”

Nelson attributed NASA’s possibly passing grade to its decision to establish “cybersecurity” metrics, calculating figures like the ratio of attempted break-ins to successful ones. “We track metrics quarterly and discuss them with management,” he said.

Last November, a House subcommittee released a report on computer security in the federal government. Of the 24 federal departments and agencies that the subcommittee reviewed, 16 received failing grades and only three agencies earned grades above a D+.

More spending played a role in NASA’s success, Nelson said. “We spent $2.2 billion on IT, and $110 million in IT security,” he said. “I don’t agree with someone who says you can buy security on the cheap. But I don’t think you can buy your way out of insecurity.”

Wired – March 8, 2002
