Agencies say security is a bigger task than Y2K

The extent of network security vulnerabilities will dwarf the year 2000 problem,
predicted industry and agency officials late last month at a General Services
Administration seminar in Washington.


Readying systems for 2000 has monopolized agency resources. Now the crisis in Kosovo,
computer virus attacks and insider leaks of U.S. nuclear secrets are spotlighting security
instead.


“The first problem of the next millennium will be security,” said Peter
Goldman, federal sales manager for Secure Computing Corp. of San Jose, Calif.


The standing-room-only crowd at the seminar heard a litany of disturbing statistics:


“It’s an external problem now,” said Mark Fabro, Secure Computing’s
director of professional services.


A Transportation Department official at the meeting said the Federal Aviation
Administration is forming a security council much like the White House council that heads
up the year 2000 effort.


Unlike the year 2000 problem, which has a firm deadline, security is a never-ending
race to stay one step ahead of hackers, said the official, who asked not to be identified.
He said the intrusion statistics did not surprise him.


“The worst is yet to come,” Fabro predicted. He said there has been “no
progress” on Presidential Decision Directive 63 for establishing critical
infrastructure protection.


Part of the reason has been the diversion of information technology resources to date
code repair. Fabro said he has seen a marked increase in federal awareness of security
problems, and an encouraging willingness on the part of federal administrators to talk
about them. He predicted a wave of security spending early next year.


One vendor said that although year 2000 preparations have stifled spending on security,
they have raised awareness governmentwide.


“What Y2K taught us was: I don’t know what’s on my network and I have a
lot of vulnerabilities I didn’t know about,” said Cress Carter, president of L3
Network Security, a division of L3 Communications Corp. of Denver. “We have seen a
surge of interest in the last eight months.”


According to Fabro, the top vulnerabilities of government networks are poorly
configured Web servers and firewalls, Web servers that handle more than Hypertext Transfer
Protocol requests, guest accounts on Unix servers, log-in assistance menus on dial-in
servers and Microsoft Windows NT platforms installed straight out of the box.


“NT has the capability of being very secure,” Fabro said, but “you have
to reach for it and go the extra mile. Nothing should come out of the box and be put
online.”


All hardware and software settings must be configured for particular users’
security needs to ensure that loopholes and back doors have been closed, he said.


Fabro advised administrators, “You must secure what you have chosen to
deploy.” Those who fail to do so at the start will have no time to catch up later, he
said. 


About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • security compliance

    Security fundamentals: Policy compliance

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above