Free vulnerability testing for SANS top 20

In its quest to plug the top 20 Internet security holes, the SANS Institute of Bethesda, Md., has enlisted two California vendors to offer free network audits to government agencies.

Foundstone Inc. of Mission Viejo gives a 21-day free trial of its single-license Foundstone Managed Service. The service normally costs $2,500 per year for five live IP addresses; more addresses cost extra. Small organizations can try out Foundstone Professional free, also for 21 days.

Qualys Inc. of Redwood Shores posts a form to try out its QualysGuard on-demand auditing service. There is no software to install; the unlimited audit service normally costs $3,495 for five IP addresses.

SANS research director Alan Paller introduced representatives of both companies this week at a Washington briefing about the institute's top 20 vulnerabilities.

Alan Deane, vice president of Foundstone, said the company has been working with Lisa Schlosser, the Transportation Department's associate CIO for IT security, 'to use the top 20 as a baseline for a security posture.'

The SANS list does not yet include user practices or router vulnerabilities, Paller said. Some of those are covered in filings required by the Federal Information Security Management Act, he said, and others are on self-assessment checklists for commercial software, being compiled by the National Institute of Standards and Technology.

Paller said getting agency systems certified and accredited is the most critical step in winning Office of Management and Budget approval of FISMA filings. 'For the first time it engages the system owner, not just a security officer, to sign off on risk. You cannot get a passing grade unless you are at Level 4, which means 90 percent completion of system accreditations,' Paller said.

Accreditation, however, is very costly. He estimated a large department with 600 systems would have to fork over more than $25 million for the job.

'The most useful way to get system owners to put up the money,' he said, 'is to form a partnership between the CIO and the chief financial officer. Post the security metrics by division in the deputy secretary's office. Don't allow system owners to budget for fiscal 2005 if they haven't put the money up to get the certification and accreditation work done.'
