Firewalls are still vulnerable
- By Bill Murray
- Apr 12, 1999
Computer security products are worthless unless installed properly, a security
expert told a FOSE trade show audience in Washington last month.
Agencies should devise a checklist of effective security practices, recompute their
technology risks every two weeks and constantly verify that their systems are reasonably
secure, advised Peter S. Tippett, president of the International Computer Security
Association Inc. of Carlisle, Pa.
ICSA has tested and certified 54 network firewall products, whose combined market share
totals 99.9 percent, Tippett said. Nevertheless, more than 70 percent of sites with
ICSA-certified firewalls are vulnerable to automated Internet attacks, he said.
Tippett discussed four recent hacks of federal Web sites, including Air Force and CIA
sites. He said hackers have defaced a total of about 5,000 Web sites in the past 12
All the sites had firewalls, and their webmasters could have prevented attacks by
implementing an integrated, multilayer, ICSA-sponsored security program called TruSecure,
he said. Some sites were vulnerable because of their network operating systems, others had
fallible Domain Name System scripts, and still others had vulnerable Common Gateway
Interface scripts, Tippett said.
To demonstrate that most managers do not know where their Web sites DNS
scripts are, Tippett asked audience members to raise their hands if they knew. Almost none
It doesnt help to have a better air bag if its installed under the
back seat, Tippett said.
He said computer geeks think computers are perfect and that we therefore get
perfect computer security, which he called a social science. We tend to think
of computers attacking other computers. Its humans who attack computers.
A Defense Department security expert spoke about security threats from insiders. In one
survey, 70 percent of security problems were caused by insiders, said Col. Robert L.
Simmons, deputy chief information officer of the Joint Chiefs of Staffs IRM Office.
Simmons discussed how the Joint Staff evaluates commercial security products. If
we can, we try to avoid products from foreign-owned information security companies,
Large software vendors can win the Joint Staffs trust by submitting their
products for third-party certifications and by having a large pool of users test the
products and report any security problems with them, Simmons said.
The Joint Staff works with security software contractors as well as with niche vendors,
such as a small company whose product rates classification levels of Microsoft Exchange
e-mail messages on classified networks, he said.
DOD agencies should re-evaluate prohibiting use of Java applets across firewalls,
Simmons said. That may have to change because of the sharing of information,
he said. Senior DOD leaders, for example, like to use Java code to extract information
from databases for decision-making, he said.
Judith Spencer, director of government-wide security at the General Service
Administrations Office of Information Security, said firewalls are one component of
an effective security system but not foolproof.
For every innovative mousetrap, there exists a smarter mouse, Spencer said.
She urged agencies to set realistic security expectations to limit their losses in case