nanog mailing list archives

Re: If you thought Y2K was bad, wait until cyber-security hits


From: Sean Donelan <sean () donelan com>
Date: Sun, 21 Jul 2002 04:31:18 -0400 (EDT)



On Sat, 20 Jul 2002 Valdis.Kletnieks () vt edu wrote:
> I didn't get involved in that one, but I've been working on the Unixoid
> stuff with CIS and SANS.  We make no claims that if you do everything on
> the checklist that you're secure - the claim is that *failure* to do
> everything is demonstrably *insecure*.

The CIS/W2Kpro checklist is not that.  Failure to do everything on the
W2K checklist is not "ipso facto" evidence a computer is insecure. Many
items on the CIS/W2Kpro checklist are of the form if you aren't using
this item, you should disable it.  That is a good security practice.  But
it does not follow if you are using the item (i.e. its enabled), your
machine is insecure.  Unfortunately the CIS/W2Kpro scoring tool can't
tell the difference.

As a list of things to consider, and a free tool to check a computer's
configuration, the CIS/W2Kpro checklist is a great addition to the
security toolbox.  Just don't try to push it too hard. Not following the
CIS/W2Kpro checklist is not evidence of security malpractice.  The puffery
in the accompanying press releases and news articles was more than the
CIS/W2Kpro checklist can support.


A blast from the past.

Internet security woes inflated, experts say
By Gary H. Anthes
OCT 16, 1995

http://www.computerworld.com/news/1995/story/0,11280,9990,00.html



