Expert: Feds, industry must team to fight vulnerabilities
- By Michael Arnone
- Nov 23, 2005
Government and industry must cooperate to keep new vulnerabilities from entering computer systems, an information security expert recommends.
Collaboration is essential to keep new weaknesses from spreading and make the Herculean task of finding all the malicious software already out there more manageable, said Alan Paller, director of research at the SANS Institute, a training and education organization for security professionals.
“The big, untold story about federal computers is the number of systems that have already been penetrated,” Paller said. Unknown amounts of malicious software is observing federal data and copying and sending it to unauthorized users, he said.
The good news is that the Air Force is leading the way toward a solution to manage the changing threat landscape, Paller said. Fed up with buying vulnerable Microsoft software and the company’s delays in security patching, the Air Force is working with Microsoft to develop a more secure version of Windows and other software.
This partnership heralds the future, Paller said. The government, leading by example, invests its money to help industry develop secure systems for government use. Those fortified systems will eventually reach the consumer market.
The institute released its latest update to its 20 Most Critical Internet Security Vulnerabilities in 2005 report on Nov. 22.
Ten of the vulnerabilities were in cross-platform applications installed on millions of systems, including backup software, antivirus software, database software and media players. Three affected network operating systems that control routers, switches and other devices that form the Internet’s backbone. All 13 appeared as critical threats for the first time in the past year.
The move from server-side attacks to client-side attacks in 2005 has given cybercriminals a tremendous advantage in their attacks on government and industry, Paller said. Most client applications are not updated automatically with security patches, leaving large swathes of critical data unprotected.