Agencies are 'own worst enemy'
- By Diane Frank
- Apr 28, 2000
ORLANDO, Fla. - The largest security danger facing federal agencies still
is the lack of proper security procedures, leaving known vulnerabilities
in place to be exploited by attackers, federal and industry experts said.

Statistics gathered by the Defense Department's Computer Emergency Response
Team and Carnegie Mellon University's CERT Coordination Center show that
94 percent to 98 percent of the security incidents reported by federal agencies
happen because the agencies did not use widely available patches for known
vulnerabilities in their software applications and operating systems.

"We're our own worst enemy," said Maj. Gen. John Campbell, commander
of the DOD Joint Task Force for Computer Network Defense, at the Information
Processing Interagency Conference here.

The CERT/CC serves as the operational arm for the Federal Computer Incident
Response Capability, the civilian agencies' coordinating incident response
group. And while the number of reported incidents is getting larger every
year, agencies are still being attacked using the same security holes, said
Katherine Fithen, manager of the CERT/CC.

But known software holes are not the only problem, Campbell said. Many
times, the vulnerability comes from system administrators or users not bothering
to change a default password or not taking the time to close off all the
openings left by an application's default configuration.