Tech leaders unveil top computer security weaknesses
The federal government and information security experts on Wednesday identified what they called the top 20 vulnerabilities in computer networks and tools to help officials mitigate those weaknesses.
Two weeks after the Bush administration released a national cybersecurity strategy, the General Services Administration's (GSA) Federal Incident Response Center (FedCIRC), the National Infrastructure Protection Center and the SysAdmin, Audit, Networking and Security Institute updated the list of vulnerabilities that threaten Unix and Microsoft's Windows-two prevalent operating systems that could leave countless government machines open to hackers and computer viruses.
Securing computer networks and information requires pre-emptive action, White House cybersecurity adviser Richard Clarke said. "You need to get on the job before the threat comes in," he told federal information technology administrators. "Begin to look at your own system the way an attacker would. ... The tools that we are announcing today will allow federal agencies to look for vulnerabilities in a much easier way than they ever have in the past."
About 70 organizations and vendors collaborated to identify the most critical vulnerabilities, which include commonly known and newly discovered holes in software such as Microsoft's Internet Explorer and SQL Server, as well as Unix-based services such as the Apache Web server and the Sendmail e-mail program.
Five technology firms pledged to provide tools to enable government agencies to search their systems for the vulnerabilities. Cybersecurity officials in the United Kingdom and Canada also are unveiling the vulnerability list as part of a global effort.
GSA is developing a system for agencies to easily obtain security repairs or "patches" for their computer and information networks. But Clarke warned that individuals who discover new vulnerabilities must not publicly declare their findings lest they encourage more hacking.
"It is irresponsible when you find a new vulnerability to tell everyone in the world about it," he said. "As soon as you post in a chatroom or on the Web ... it is going to spread like wildfire through the hacker community."
Instead, he said agencies should alert NIPC, FedCIRC and technology vendors to develop a patch for the security hole. But if all else fails, "call me," he told federal attendees.
Howard Schmidt, vice chairman of the White House Critical Infrastructure Protection Board, is studying whether to issue the policy in writing, Clarke said.
Sallie McDonald, GSA's assistant commissioner for information assurance and critical infrastructure protection, said the new tools create an architecture that will help agencies comply with federal laws to perform IT security assessments.
GSA plans to award a contract to an unnamed company to develop the security-patch system. Agencies would enroll in the system, receive alerts when a security hole is discovered and subsequently receive necessary software to repair the hole.