Firewalls are still vulnerable
Computer security products are worthless unless installed properly, a security
expert told a FOSE trade show audience in Washington last month.
Agencies should devise a checklist of effective security practices, recompute their
technology risks every two weeks and constantly verify that their systems are reasonably
secure, advised Peter S. Tippett, president of the International Computer Security
Association Inc. of Carlisle, Pa.
ICSA has tested and certified 54 network firewall products, whose combined market share
totals 99.9 percent, Tippett said. Nevertheless, more than 70 percent of sites with
ICSA-certified firewalls are vulnerable to automated Internet attacks, he said.
Tippett discussed four recent hacks of federal Web sites, including Air Force and CIA
sites. He said hackers have defaced a total of about 5,000 Web sites in the past 12
months.
All the sites had firewalls, and their webmasters could have prevented attacks by
implementing an integrated, multilayer, ICSA-sponsored security program called TruSecure,
he said. Some sites were vulnerable because of their network operating systems, others had
fallible Domain Name System scripts, and still others had vulnerable Common Gateway
Interface scripts, Tippett said.
To demonstrate that most managers do not know where their Web sites' DNS scripts are, Tippett asked audience members to raise their hands if they knew. Almost none did.
"It doesn't help to have a better air bag if it's installed under the back seat," Tippett said.
He said computer geeks think computers are perfect and that we therefore get perfect computer security, which he called a social science. "We tend to think of computers attacking other computers. It's humans who attack computers."
A Defense Department security expert spoke about security threats from insiders. In one survey, 70 percent of security problems were caused by insiders, said Col. Robert L. Simmons, deputy chief information officer of the Joint Chiefs of Staff's IRM Office.
Simmons discussed how the Joint Staff evaluates commercial security products. "If we can, we try to avoid products from foreign-owned information security companies," he said.
Large software vendors can win the Joint Staff's trust by submitting their products for third-party certifications and by having a large pool of users test the products and report any security problems with them, Simmons said.
The Joint Staff works with security software contractors as well as with niche vendors, such as a small company whose product rates classification levels of Microsoft Exchange e-mail messages on classified networks, he said.
DOD agencies should re-evaluate prohibiting use of Java applets across firewalls, Simmons said. "That may have to change because of the sharing of information," he said. Senior DOD leaders, for example, like to use Java code to extract information from databases for decision-making, he said.
Judith Spencer, director of government-wide security at the General Services Administration's Office of Information Security, said firewalls are one component of an effective security system but not foolproof.
"For every innovative mousetrap, there exists a smarter mouse," Spencer said.
She urged agencies to set realistic security expectations to limit their losses in case of break-ins.