If you thought Y2K was bad, wait until cyber-security hits
http://www.eweek.com/article2/0,3959,387377,00.asp

"All the while maintaining that the government will not set IT security requirements for the private sector, top federal IT officials today said they expect such mandates will be imposed on federal agencies and that the same standards will also be used by industry."

While standards are great, one-size-fits-all standards aren't. When the government's cyber-security plan is released in September, will there be 500 requirements that Internet Service Providers must meet? Should ISPs be more secure than the post office or the telephone or the bike messenger? Must Bill's Bait & Sushi Shop ISP Service meet the same security requirements as the ISP for the White House?

ISPs come in all sorts of shapes and sizes. Consumers use cordless phones at home, but the NSA prohibits use of cordless phones in secure areas. Just because the government issues a security standard doesn't make it suitable for all purposes. Some people like paying $9.95 for Internet service from an ISP without a backup generator, and wouldn't want to pay $29.95 for a "certified" ISP with a backup generator. If the $9.95 ISP fails, heck, they could almost afford two more for the same price as a single "certified" ISP. Sometimes a hammer is just a hammer, and you don't need a MIL-SPEC. If the Department of Homeland Security creates a new security standard for ISPs, what do you think will happen to any ISP which doesn't meet it?

The security "Gold Standard" for Microsoft 2000 was written by the Critical Infrastructure Protection Board, the Center for Internet Security, the National Security Agency, the General Services Administration, the National Institute of Standards and Technology, and the SANS Institute. Do you know who is writing the security "Gold Standard" for Internet Service Providers?
http://www.eweek.com/article2/0,3959,387377,00.asp
"All the while maintaining that the government will not set IT security requirements for the private sector, top federal IT officials today said they expect such mandates will be imposed on federal agencies and that the same standards will also be used by industry."
While standards are great, one-size-fits-all standards aren't. When the government's cyber-security plan is released in September, will there be 500 requirements that Internet Service Providers must meet? Should ISPs be more secure than the post office or the telephone or the bike messenger? Must Bill's Bait & Sushi Shop ISP Service meet the same security requirements as the ISP for the White House?
ISPs come in all sorts of shapes and sizes. Consumers use cordless phones at home, but the NSA prohibits use of cordless phones in secure areas. Just because the government issues a security standard doesn't make it suitable for all purposes. Some people like paying $9.95 for Internet service from an ISP without a backup generator, and wouldn't want to pay $29.95 for a "certified" ISP with a backup generator. If the $9.95 ISP fails, heck they could almost afford two more for the same price as a single "certified" ISP. Sometimes a hammer is just a hammer, and you don't need a MIL-SPEC. If the Department of Homeland Security creates a new security standard for ISPs, what do you think will happen to any ISP which doesn't meet it?
Backup generators? That's far too mundane. Check out this quote from Howard Schmidt in http://www.supercomputingonline.com/article.php?sid=2269

"The routing tables of the future will be unmanageable; there will slowdown and failures, and malicious and criminal activity between 2002 and 2009 all mean the Internet quits working," warned Schmidt. He even forecast a future in which "special aircraft will be flying the routing tables" physically to servers after periodic network brownouts.

Perhaps ISPs can differentiate themselves by whether their required "special aircraft" are super-sonic or sub-sonic. Do we need an update for RFC1149 (BGP over F-16s?).
### On Fri, 19 Jul 2002 11:21:47 -0400, "Larry J. Blunk" <ljb@merit.edu>
### casually decided to expound upon Sean Donelan <sean@donelan.com> the
### following thoughts about "Re: If you thought Y2K was bad, wait until cyber-security hits":

LJB> Perhaps ISPs can differentiate themselves by whether their required
LJB> "special aircraft" are super-sonic or sub-sonic. Do we need an update
LJB> for RFC1149 (BGP over F-16s?).

Perhaps an extension of the HALO/Proteus "network" concept... |8^)

--
/*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
| Packet Plumber, Network Engineers        /|  /  [~ [~ |) | |   --------------- |
| for Effective Bandwidth Utilisation    /  |/   [_ [_ |) |_|  N E T W O R K S  |
+=========================================================================*/
Jake Khuon wrote:
### On Fri, 19 Jul 2002 11:21:47 -0400, "Larry J. Blunk" <ljb@merit.edu>
### casually decided to expound upon Sean Donelan <sean@donelan.com> the
### following thoughts about "Re: If you thought Y2K was bad, wait until cyber-security hits":
LJB> Perhaps ISPs can differentiate themselves by whether their required
LJB> "special aircraft" are super-sonic or sub-sonic. Do we need an update
LJB> for RFC1149 (BGP over F-16s?).
Perhaps an extension of the HALO/Proteus "network" concept... |8^)
But all the planes will be Internet enabled, needing constant contact with Redmond so that their embedded Windows systems can function; so they won't fly. Back to the pony express days :-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300
On Fri, 19 Jul 2002, Larry J. Blunk wrote:
Backup generators? That's far too mundane. Check out this quote from Howard Schmidt in http://www.supercomputingonline.com/article.php?sid=2269
"The routing tables of the future will be unmanageable; there will slowdown and failures, and malicious and criminal activity between 2002 and 2009 all mean the Internet quits working," warned Schmidt. He even forecast a future in which "special aircraft will be flying the routing tables" physically to servers after periodic network brownouts.
Has Howard Schmidt offered to eat his words if his version of the Internet Apocalypse doesn't happen by 2009?

James Smallacombe
PlantageNet, Inc. CEO and Janitor
up@3.am
http://3.am
=========================================================================
### On Fri, 19 Jul 2002 12:14:51 -0400 (EDT), <up@3.am> casually decided to
### expound upon "Larry J. Blunk" <ljb@merit.edu> the following thoughts
### about "Re: If you thought Y2K was bad, wait until cyber-security hits":

up> Has Howard Schmidt offered to eat his words if his version of the
up> Internet Apocalypse doesn't happen by 2009?

Online article... Are there any forms of digestible storage media?

--
/*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
| Packet Plumber, Network Engineers        /|  /  [~ [~ |) | |   --------------- |
| for Effective Bandwidth Utilisation    /  |/   [_ [_ |) |_|  N E T W O R K S  |
+=========================================================================*/
On Thu, Jul 18, 2002 at 08:22:00PM -0400, sean@donelan.com said: [snip more depressing erosion of common sense and liberties under the guise of 'patriotism']
The security "Gold Standard" for Microsoft 2000 was written by the Critical Infrastructure Protection Board, the Center for Internet Security, the National Security Agency, the General Services Administration, the National Institute of Standards and Technology, and the SANS Institute.
_Microsoft_ managed to get a security 'Gold Standard' for one of its products? This must be for some non-golden value of gold ...

--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
On Sat, 20 Jul 2002 17:28:20 PDT, Scott Francis <darkuncle@darkuncle.net> said:
_Microsoft_ managed to get a security 'Gold Standard' for one of its products? This must be for some non-golden value of gold ...
Microsoft didn't do anything (take that as you may). The CIS and SANS crew did up their W2K benchmark - the news here is that the NSA, GSA, and NIST are all throwing their backing of it as a Good Thing. It's a *long* checklist of everything you need to do to W2K to beat it into submission security-wise. Basically, *after* you do everything on the list, it will require a *skilled* hacker or a script kiddie with an actual 0day exploit to 0wn you.

I didn't get involved in that one, but I've been working on the Unixoid stuff with CIS and SANS. We make no claims that if you do everything on the checklist that you're secure - the claim is that *failure* to do everything is demonstrably *insecure*.

Yes, you read it and every single item will strike you as "any sysadmin who didn't just fall out of a tree knows THAT". The oft-overlooked point is that most sysadmins DID just fall out of trees - often landing on their head in the process.

Think of it as recognition that "Your Clue Must Be --->THIS<--- Tall To Ride The Internet". It's about time...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
On Sat, Jul 20, 2002 at 11:37:49PM -0400, Valdis.Kletnieks@vt.edu said: [snip]
Think of it as recognition that "Your Clue Must Be --->THIS<--- Tall To Ride The Internet". It's about time...
Great! How long until we can extend this to users?

--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
On Sat, 20 Jul 2002 21:40:20 PDT, Scott Francis said:
On Sat, Jul 20, 2002 at 11:37:49PM -0400, Valdis.Kletnieks@vt.edu said: [snip]
Think of it as recognition that "Your Clue Must Be --->THIS<--- Tall To Ride The Internet". It's about time...
Great! How long until we can extend this to users?
In the corporate environment, it's at least theoretically feasible to make network access contingent on passing a computer literacy course (modulo the usual concerns about the cost of training, etc). I'll personally nominate for sainthood anybody who figures out how to make it work for an ISP's terms of service. ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
On Sat, 20 Jul 2002 Valdis.Kletnieks@vt.edu wrote:
I didn't get involved in that one, but I've been working on the Unixoid stuff with CIS and SANS. We make no claims that if you do everything on the checklist that you're secure - the claim is that *failure* to do everything is demonstrably *insecure*.
The CIS/W2Kpro checklist is not that. Failure to do everything on the W2K checklist is not "ipso facto" evidence a computer is insecure. Many items on the CIS/W2Kpro checklist are of the form: if you aren't using this item, you should disable it. That is a good security practice. But it does not follow that if you are using the item (i.e. it's enabled), your machine is insecure. Unfortunately the CIS/W2Kpro scoring tool can't tell the difference.

As a list of things to consider, and a free tool to check a computer's configuration, the CIS/W2Kpro checklist is a great addition to the security toolbox. Just don't try to push it too hard. Not following the CIS/W2Kpro checklist is not evidence of security malpractice. The puffery in the accompanying press releases and news articles was more than the CIS/W2Kpro checklist can support.

A blast from the past.

Internet security woes inflated, experts say
By Gary H. Anthes, OCT 16, 1995
http://www.computerworld.com/news/1995/story/0,11280,9990,00.html
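The scoring problem Sean describes, as an added illustration that is not part of the thread and has nothing to do with the real CIS tool or its checklist: a benchmark item of the form "disable X if you are not using it" is conditional, but a naive scorer treats "enabled" as "failed" no matter why it is enabled. The example below contrasts that naive scorer with one that records a documented, in-use service as a reviewed exception rather than a failure, while still failing items that must always be disabled. All item identifiers, service names and the sample host are constructed for the example.

```python
"""Naive vs. context-aware benchmark scoring.

Constructed example: the checklist items, service names and host below
are made up for illustration and are not taken from any real benchmark.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    item_id: str       # constructed identifier, e.g. "SVC-01"
    service: str       # the service or setting the item concerns
    conditional: bool  # True: "disable it if you are not using it"
                       # False: "disable it, full stop"


@dataclass(frozen=True)
class Host:
    name: str
    enabled: frozenset     # services currently enabled on the host
    justified: dict        # service -> documented reason it must stay on


# Constructed checklist: three conditional items and one unconditional one.
CHECKLIST = (
    Item("SVC-01", "telnet", conditional=True),
    Item("SVC-02", "remote-registry", conditional=True),
    Item("SVC-03", "web-server", conditional=True),
    Item("PWD-01", "lm-hash-storage", conditional=False),
)


def naive_score(host, checklist=CHECKLIST):
    """Score the way a tool that ignores context does: enabled means fail."""
    return {
        item.item_id: "fail" if item.service in host.enabled else "pass"
        for item in checklist
    }


def contextual_score(host, checklist=CHECKLIST):
    """Score with the conditional/unconditional distinction.

    - service disabled                      -> pass (both kinds of item)
    - conditional item, enabled, justified  -> exception (reviewed, not a fail)
    - anything else enabled                 -> fail
    """
    results = {}
    for item in checklist:
        if item.service not in host.enabled:
            results[item.item_id] = "pass"
        elif item.conditional and item.service in host.justified:
            results[item.item_id] = "exception"
        else:
            results[item.item_id] = "fail"
    return results


def compliance_ratio(results):
    """Fraction of items that are either passing or a documented exception."""
    ok = sum(1 for status in results.values() if status in ("pass", "exception"))
    return ok / len(results)


def exceptions_for_review(results, host, checklist=CHECKLIST):
    """List (item_id, service, justification) for every recorded exception,
    so a reviewer can check the justification rather than the raw score."""
    by_id = {item.item_id: item for item in checklist}
    return [
        (item_id, by_id[item_id].service, host.justified[by_id[item_id].service])
        for item_id, status in results.items()
        if status == "exception"
    ]


# Constructed sample host: an intranet web server that legitimately runs a
# web server, but also still stores LM hashes (an unconditional failure).
WEB_HOST = Host(
    name="intranet-web",
    enabled=frozenset({"web-server", "lm-hash-storage"}),
    justified={"web-server": "hosts the internal intranet site"},
)

if __name__ == "__main__":
    for label, scorer in (("naive", naive_score), ("contextual", contextual_score)):
        results = scorer(WEB_HOST)
        print(f"{label:>10}: {results}  ratio={compliance_ratio(results):.2f}")
    print("for review:", exceptions_for_review(contextual_score(WEB_HOST), WEB_HOST))
```

On the sample host the naive scorer reports the web server as a failure alongside the LM-hash item, so the two look equally bad; the contextual scorer fails only the LM-hash item and hands the web-server exception to a reviewer together with its stated justification. The score is the same tool output either way; what differs is whether an enabled-and-in-use service is treated as evidence of insecurity.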
participants (7)
-
Jake Khuon
-
Larry J. Blunk
-
Martin Hepworth
-
Scott Francis
-
Sean Donelan
-
up@3.am
-
Valdis.Kletnieks@vt.edu