Title: Network security is poor and is getting worse, a poll of 61
       organizations finds
Subtitle: NCSA: Lack of security, not bandwidth, will limit Net use
William Jackson
Government Computer News

   Cyberspace can be a scary place, according to a recent study by the
National Computer Security Association.
   NCSA profiled 61 organizations, including some federal agencies,
whose computer networks are protected by firewalls. Forty-four percent
reported unauthorized users had probed their networks.
   A similar percentage reported no attempted intrusions. However, industry
experience suggests that it would be "unwise to give 100 percent
credibility to the claim," the report said.
   Nearly a quarter of those interviewed said the problem has gotten worse
over the last year.
   NCSA, a for-profit organization in Carlisle, PA., might appear to have
a vested interest in larger numbers, since it sells product certification
services to vendors. But if recent firewall announcements are any indicator,
network security is weighing heavily on the minds of network administrators
everywhere.
   "The issue of security is jumping dramatically in every aspect of
computing," said NCSA president and chief executive officer Peter Tippett.
Because network bandwidth continues to broaden and transmission speeds to
increase, Tippett said he believes security, not bandwidth, will become
the limiting factor in using the Internet to conduct business.
   NCSA officials cautioned against extrapolating the results of the
firewall study, characterizing it as a profile rather than a statistically
significant survey. The report came out of interviews with network security
personnel. The number of federal sites was not released.
   The firewall profile is the first step in a broader survey of network
vulnerabilities, Tippett said. This survey will monitor attempted intrusions
at 1,000 sites to find out who does the probing and what tools they use.
   "Most of the knowledge we have in the world of computer security is
conjecture," Tippett said.

The NCSA charges over eight thousand dollars to certify your SINGLE 
web server, and then you get to read this: "Most of the knowledge we 
have in the world of computer security is conjecture..."

   NCSA already has amassed a fair amount of information, however. It
has monitored online security discussion groups on computer bulletin boards
and the Net for three years, gathering gigabytes of information that is
indexed every day for subscribers.

Three years? Vulnerabilities in my personal database date back
to the mid 80's if not earlier.

   NCSA also has infiltrated hacker discussion groups to find out what tools
and techniques they use.

Infiltrated? Most hacker discussion groups are public.

   One of its newest efforts is its Web Certification program, which
annually certifies servers and World Wide Web sites that meet standards for
protecting data and resisting intrusion.
   Candidates must meet a lengthy checklist of requirements for privacy and
physical site security.
   After the site and server owners sign off on these requirements, NCSA
runs a battery of 150 online tests. Then a consultant performs an on-site
inspection. Sites are spot-checked three times a year.
   About 100 companies with 800 sites are in the certification process,
Tippett said, and several federal agencies have expressed interest.
   The service starts at $8,500 for a single Web site. Benefits of
certification include reduced rates for Internet security liability and
electronic commerce insurance.
   Tippett said certification of baseline security standards will foster
public acceptance of the Web as a transaction medium.