CERT to sell security alerts

NESE June.qxd 6/20/01 1:54 PM Page 5

reports

US Set To Improve Federal Websites, Establish CIO

Barbara Gengler

A bipartisan group of US Senators launched an online, interactive project to accelerate next generation government, as its citizens are finding it too difficult to access public information. The E-government Act of 2001 will coordinate and improve federal websites while creating a federal chief information officer that would operate out of the Office of Management and Budget (OMB). The bill, introduced by Senator Joseph Lieberman, is co-sponsored by the co-chairmen of the Senate Internet Caucus, Conrad Burns and Patrick Leahy, as well as nine other senators. “The private sector has benefited tremendously from the application of information technology,” Lieberman said. “Now it's the government's turn.” He said the federal Government must take advantage of the Internet and other technologies to overcome arbitrary boundaries between agencies, “so government can provide the public with seamless, secure online services.”

Specifically, the E-government Act legislation would establish a federal chief information officer (CIO) to promote E-government and implement Government-wide information policy. The legislation would also authorize $200 million a year for an E-government fund to support inter-agency projects and uses of IT. The federal CIO would act as a coordinator to see that federal agencies were working together and would also work with state and local governments and the private sector. The Bush administration has not rejected the idea of a CIO, and Lieberman said that there have been discussions with the administration on the issue. According to Lieberman, “E-government is a loose-knit mix of ideals, projects and affiliations which are often uncoordinated, sometimes overlapping and too frequently redundant in their costs.” The bill contains a broad framework of measures that would promote the use of the Internet in the regulatory process, and encourage compatibility of electronic signatures as well as providing strong new privacy protections. In addition, the legislation would improve the centralized online portal, and establish an online directory of federal websites and indexes of resources. It would institute an online national library and require federal courts to post opinions online. Lieberman said: “A functional approach to E-government focuses on delivering services to the citizen without regard to agency jurisdictions.” Sponsors of the legislation made it clear that the initiative could not succeed without the help of the private sector. Burns said the telecommunications sector will be key, and the government will have to have the support of the entire IT industry, hardware and software, to make this happen. Last year Lieberman and Senator Fred Thompson set up a website where interested citizens can provide their ideas on how federal Web services can be streamlined.

CERT to sell security alerts

John Sterlicchi

Computer security organization CERT has said it will sell its security warnings to multinational corporations, a service it provides to US Government agencies for free. The move comes as the US taxpayer-funded CERT Coordination Center, formerly the Computer Emergency Response Team at Carnegie Mellon University, joins the Electronic Industries Alliance (EIA) to launch the Internet Security Alliance (ISA). The new organization will distribute up-to-the-minute warnings to international corporations about cyber-threats, offer security advice and establish a seal programme to certify the security of companies' computer networks.

Members, paying from $2500 to $70 000 each year, depending on their revenue, will receive warnings roughly 45 days before the information is available to the public. TRW, Nasdaq, Mellon Bank and VeriSign have signed up as members, and more than 30 corporations have expressed interest in the services. “There are opportunities here to build on 13 years of experience in this area,” CERT spokesman Bill Pollack said.

Pollack also said they had been limited by the fact that the large majority of funding comes from the US Government. CERT currently receives about $3.5 million from the Government, most of which comes from the Defense Department. He also pointed out that CERT joined the alliance because it had “been looking for a vehicle to allow us to work more closely with the private sector for some time, since both public and private sector companies face the same threats.” Dave McCurdy, president of EIA, said the difference is the ISA is open to businesses regardless of sector. “Our mission is to increase the awareness within corporate leadership of the risk and help them provide the tools to manage those risks. This is a way to leverage the CERT.”

McCurdy also said the ISA will focus on higher-level issues that managers should be concerned about. “It will be looking more at issues like policy and standards.” As part of the new agreement, CERT will continue to provide the early warnings to the Defense Department and the General Services Administration, and will also offer them to alliance members. Critics of the new alliance said it risks duplicating Internet-security efforts already under way, including organizations established under order from US President Clinton in 1998 such as the Information Sharing and Analysis Centers. Yet McCurdy said he believes the new alliance can co-exist with these groups. “Industry needs to ascertain and determine the requirements first,” McCurdy said. “We're working to develop best practices that are common to the Internet community, not just one sector of the industry.”

Flawed Mobile Protocol Delays Release of Standard

Allan Donnelly

The discovery of security flaws in the proposed mobile protocol upgrade means an industry task force will have to develop a new method for authenticating roaming devices that use IPv6 addresses. IPv6 uses 128-bit addresses that can support a virtually unlimited number of computers and devices connected to the Internet, while the current technology IPv4 uses 32-bit addresses and can support approximately four billion connections.

At a recent Internet Engineering Task Force (IETF) meeting, the working group discovered security flaws in the proposed Mobile IPv6 protocol, which will mean delays of months for Mobile IPv6. The working group initially planned to use the existing protocol IP Security (IPSec) to secure binding update messages. But IETF security experts recently discovered that IPSec would not work for these messages. They found that IPSec depends on a public-key infrastructure that has not yet been deployed, and IPSec also requires heavy processing by end devices.

Al Javed, CTO for wireless Internet at Nortel Networks, said that the wireless industry is interested only in the addressing features of IPv6 and not in its security and quality-of-service. “The demand we see for IPv6 is primarily in Europe and Japan and it's primarily related to address space,” Javed said. Mobile IPv6 problems are not expected to delay the European wireless community's Third Generation Partnership Project (3GPP). A European Union task force that was formed earlier this year to accelerate a switch to the new standards said it plans to use IPv6 because it has its own security architecture.

Lydia Leung, an analyst at Gartner, said: “Everybody, I think, agrees that IPv6 is the right thing to do. The problem is that it is a different way of speaking over the network and it's not easy to convert a network.” Leung also said if global networks use different standards, it could stall Internet traffic. “There would be a performance impact and it is not a desirable scenario.” Gartner believes that five years from now, North American businesses will still favour networks based on IPv4 because they would face too much pain to convert to IPv6. IPv6 addresses will be important for wireless devices that connect directly to the Internet, Gartner said; however, where devices gain Internet access by way of corporate gateways, as is the case for wired PCs, proven IPv4 address-management principles will still apply. Despite its promise, IPv6 has been slow to catch on because it requires a costly and time-consuming upgrade to the Internet's backbone and edge systems. The IETF finalized IPv6 in 1998, but only a handful of IPv6-enabled products are shipping today, from Nortel Networks, Cisco Systems, Sun Microsystems, IBM and others.

Vulnerability Database Tops 1000 Flaws

Vulnerability monitoring service Qualys has this month announced that it has 1000 flaws on record in its database. This means that there are now 1000+ vulnerability assessment signatures that can be used to remotely detect and evaluate network security risks. Since the company was founded in 1999, it has built up a database of vulnerabilities. It is currently growing at a rate of 10 new ones per week.

Other similar data stores include PGP (Cybercop), which has about 750 on record, and Nessus, which is running at roughly 650.

Ed Skoudis at network security and consulting firm Predictive Systems is using Qualys to develop online scanning capabilities to extend its ethical hacking services. Skoudis said, "Qualys provides a ready-made global scanning platform of impressive range and intelligence. We think automated security auditing is the 'new big thing' in network security and we are leveraging Qualys to deliver fast, accurate and convenient Internet-based auditing services."