Information Security News mailing list archives

Security holes going unpatched


From: InfoSec News <isn () C4I ORG>
Date: Fri, 2 Jun 2000 10:24:20 -0500

http://www.fcw.com/fcw/articles/2000/0529/web-topten-06-02-00.asp

BY Diane Frank
06/02/2000

The CIO Council is asking every federal chief information officer to
find and fix the lapses that made a top 10 list of critical Internet
security threats.

The list, released Thursday, includes problems that have solutions,
but the solutions have not been put in place by federal systems
administrators. So agency World Wide Web sites keep getting hacked, and
agencies keep ending up in the news after being hit by attacks that
should not have happened, said Allan Paller, director of research at
the SANS Institute, a group of federal, industry and academic experts
that coordinated the list.

The CIO Council's Security, Privacy and Critical Infrastructure
Committee is sending the list to all federal CIOs with a memorandum
asking them to take immediate action, said John Gilligan, CIO at the
Energy Department and co-chairman of the committee.

"Our intent is, 'This is not a one-shot [deal where] we're going to fix
everything.' The intent is to begin the process," Gilligan said.

It also will help CIOs and systems administrators answer a common
question from management, Gilligan said: "The question that is asked
often after an investigation, after an audit, is, 'Why is it that we
continue to have these problems? It seems so simple.'"

The top 10 list will change as new vulnerabilities are discovered and
new attacks are made, so simply listing the top vulnerabilities and
threats will not make every agency more secure. However, the review it
starts will be "enormously valuable," Gilligan said.

"It's not that all of the vulnerabilities have been summarized in the
top 10, although many of them have, but it gives us a place to start
beginning to fix the problems and also to define our processes," he
said.
