Free vulnerability testing for SANS top 20
- By Susan M. Menke
- Oct 10, 2003
In its quest to plug the top 20 Internet security holes, the SANS Institute of Bethesda, Md., has enlisted two California vendors to offer free network audits to government agencies.
Foundstone Inc. of Mission Viejo gives a 21-day free trial of its single-license Foundstone Managed Service. The service normally costs $2,500 per year for five live IP addresses; more addresses cost extra. Small organizations can try out Foundstone Professional free, also for 21 days.
Qualys Inc. of Redwood Shores posts a form to try out its QualysGuard on-demand auditing service. There is no software to install; the unlimited audit service normally costs $3,495 for five IP addresses.
SANS research director Alan Paller introduced representatives of both companies this week at a Washington briefing about the institute's top 20 vulnerabilities.
Alan Deane, vice president of Foundstone, said the company has been working with Lisa Schlosser, the Transportation Department's associate CIO for IT security, 'to use the top 20 as a baseline for a security posture.'
The SANS list does not yet include user practices or router vulnerabilities, Paller said. Some of those are covered in filings required by the Federal Information Security Management Act, he said, and others are on self-assessment checklists for commercial software being compiled by the National Institute of Standards and Technology.
Paller said getting agency systems certified and accredited is the most critical step in winning Office of Management and Budget approval of FISMA filings. 'For the first time it engages the system owner, not just a security officer, to sign off on risk. You cannot get a passing grade unless you are at Level 4, which means 90 percent completion of system accreditations,' Paller said.
Accreditation, however, is very costly. He estimated a large department with 600 systems would have to fork over more than $25 million for the job.
'The most useful way to get system owners to put up the money,' he said, 'is to form a partnership between the CIO and the chief financial officer. Post the security metrics by division in the deputy secretary's office. Don't allow system owners to budget for fiscal 2005 if they haven't put the money up to get the certification and accreditation work done.'