nanog mailing list archives
Re: If you thought Y2K was bad, wait until cyber-security hits
From: Sean Donelan <sean () donelan com>
Date: Sun, 21 Jul 2002 04:31:18 -0400 (EDT)
On Sat, 20 Jul 2002 Valdis.Kletnieks () vt edu wrote:
I didn't get involved in that one, but I've been working on the Unixoid stuff with CIS and SANS. We make no claims that if you do everything on the checklist that you're secure - the claim is that *failure* to do everything is demonstrably *insecure*.
The CIS/W2Kpro checklist is not that. Failure to do everything on the W2K checklist is not "ipso facto" evidence a computer is insecure. Many items on the CIS/W2Kpro checklist are of the form: if you aren't using this item, you should disable it. That is a good security practice. But it does not follow that if you are using the item (i.e. it's enabled), your machine is insecure. Unfortunately the CIS/W2Kpro scoring tool can't tell the difference.

As a list of things to consider, and a free tool to check a computer's configuration, the CIS/W2Kpro checklist is a great addition to the security toolbox. Just don't try to push it too hard. Not following the CIS/W2Kpro checklist is not evidence of security malpractice. The puffery in the accompanying press releases and news articles was more than the CIS/W2Kpro checklist can support.

A blast from the past.

Internet security woes inflated, experts say
By Gary H. Anthes
OCT 16, 1995
http://www.computerworld.com/news/1995/story/0,11280,9990,00.html