Basic steps would shore up security, officer says

Basic steps would shore up security, officer says

Maj. Gen. John Campbell says better data sharing will improve the Defense Department's security.

By Bill Murray

GCN Staff

SALT LAKE CITY'Basic security procedures could have prevented most of the serious breaches of Defense Department systems last year, the commander of the Joint Task Force for Computer Network Defense said.

To boost security, government officials must improve data sharing among themselves and with private corporations and foreign governments, Air Force Maj. Gen. John H. Campbell said last week at the Air Force Software Technology Conference.

Failure points

In an analysis of 200 root-level attacks last year, Defense officials found that hackers gained access to DOD networks and systems 117 times without immediate detection by systems administrators.

Plus, 94 percent of the attacks resulted from basic security failures, such as password compromises and poor systems maintenance, Campbell said. He soon will leave the Space Command post to join the CIA as its associate director for military support [GCN, April 17, Page 53].

Commercial organizations have similar weaknesses, Campbell said. An official at the Computer Emergency Response Team at Carnegie Mellon University said 98 percent of corporations that report to CERT have traced their root-level attacks to basic security problems, he said.

Recent lapses at DOD occurred in spite of a 1997 security exercise that demonstrated vulnerabilities in many DOD systems.

For the Eligible Receiver exercise, National Security Agency teams attacked DOD systems using hacking tools downloaded from the Internet.

The agencies received no notice that the exercise was being held.

The results helped DOD lobby for more security funding and led to the founding of the security task force, Campbell said [GCN, Aug. 23, 1999, Page 8].

Campbell described the exercise as a train wreck that demonstrated the ongoing need to shore up defense of the nation's information systems infrastructure.

Although Defense officials are using more commercial products to protect government networks, the systems administration work is not getting any easier, Campbell said.

'I'm told that Microsoft Windows NT 4.0 takes about 300 tweaks before it can be used' as the basis for a secure system, although it has received C2-level certification from the National Security Agency, he said.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.