[ISN] Fortifying DOD's network defenses

Date: Tue, 27 Sep 2005 01:09:33 -0500 (CDT)
http://www.fcw.com/article90899-09-26-05

By Frank Tiboni
Sept. 26, 2005 

Defense Department officials can implement a mixture of technologies
and procedures to fortify the department's computer networks, but real
protection requires designing a new generation of systems and security
tools, a leading computer scientist said.

Eugene Spafford, a computer sciences professor at Purdue University
who has testified before Congress on cybersecurity, questions whether
it's possible to develop new systems without investing in long-term
research.

Attacks on DOD computer networks are on the rise as adversaries
attempt to bypass the United States' formidable defenses and launch
attacks from the inside out, experts say.

Defending DOD's networks will require a combination of efforts,
Spafford said.

He outlined six steps DOD could take to strengthen the department's
network defenses. They are:


* Buying systems based on security features rather than cost.

* Limiting access to systems.

* Removing systems from networks unless those systems are absolutely
  necessary.

* Restricting who can add hardware and software to networks.

* Requiring proper training and supervision for network managers and
  computer users.

* Establishing careful network-monitoring practices.


But Spafford said incremental changes will not strengthen existing
networks and a whole new approach is needed.

"Unfortunately, the government is not funding much research in
cybersecurity and almost none in long-range research," said Spafford,
who is also executive director of Purdue's Center for Education and
Research in Information Assurance and Security. He cited President
Bush's decision in June to let the President's Information Technology
Advisory Committee expire without reappointing current members or
selecting new ones.

Spafford said the threat to DOD networks is varied and complex. "In
large part, the systems used are based on commercial products that
were never written for high-security environments," he added.

Spafford said misconfigured or misapplied patches create
vulnerabilities that are exacerbated by having systems linked
together.

"It means that any weak point can be accessed from all sorts of places
and can in turn reach out to damage lots of other military systems,"  
he said.

Clint Kreitner, president and chief executive officer of the Center
for Internet Security, a nonprofit organization that helps government
and industry officials better manage computer security risks, said DOD
should limit access to certain networks.

Alan Paller, director of research at the SANS Institute, said
government and industry should avoid using new information assurance
technologies that vendors claim are impervious to attacks. Instead, he
said, they should anticipate new threats 18 months in advance and
develop technologies and policies to address them.

A Defense Information Systems Agency official said DOD relies on a
sophisticated approach to information assurance. The official added
that the department is changing how it builds systems by moving to a
service-oriented architecture that will make IT services widely
available on the network and improve data sharing governmentwide.

"We are doing this in order to make more and better data available to
more people in DOD and to our partners, and as a way of increasing our
agility and our ability to innovate in the development of warfighting
processes based on these services," the DISA official said.

DOD also changed its approach to network operations. The official said
the department has moved to a structure that puts the Joint Task
Force-Global Network Operations in charge of operating, managing and
defending DOD's information infrastructure, with organizations in the
military services reporting to the joint task force.

DOD relies on its global networks and IT to achieve its mission, and
the country's adversaries recognize DOD's dependence on networks and
electronic information, the DISA official said.

"The DOD networks are very large," the official said. "So we have many
challenges in synchronizing the many IT efforts and security for these
across this vast infrastructure."


