
| Subject: | [ISN] IT security checklist focuses on consequences of breaches |
|---|---|
| Date: | Thu, 27 Apr 2006 00:43:10 -0500 (CDT) |
Forwarded from: William Knowles <wk@c4i.org>

http://www.gcn.com/online/vol1_no1/40564-1.html

By William Jackson
GCN Staff
04/26/06

A small office of the Homeland Security Department has released a draft cybersecurity checklist intended to help enterprises focus on the real-world consequences of security breaches.

The U.S. Cyber Consequences Unit was created by DHS to provide analysis of economic and strategic consequences of cyberattacks on critical infrastructure and to evaluate the cost-effectiveness of countermeasures. As part of this work, director and chief economist Scott Borg and research director John Baumgarner began on-site visits to evaluate systems in critical industry sectors.

"We started seeing huge vulnerabilities," Borg said Wednesday at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. "And portions of those systems were extraordinarily secure. But they were Maginot Lines," susceptible to being outflanked.

The problem is that existing best practices are static lists based on outdated data. The new USCCU list shifts the focus from perimeter security to monitoring and maintaining internal systems. The problem with perimeter security is that there is always some way to circumvent it, Borg said.

"We are way into diminishing returns on our investments in perimeter defense," he said. "To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what... the consequences [would] be."

The list is based on real-world experience and on economic analysis of breaches. Surprisingly, the researchers found that simply shutting a system down is not the biggest threat in most areas of critical infrastructure. "Shutting things down for two or three days is not that costly," Borg said.

The larger threat is disruption of systems in ways that are not immediately evident.

The checklist contains 478 questions grouped into six categories: hardware, software, networks, automation, humans and suppliers. "All of the things we are talking about are already under way," Borg said, but some of the items in the checklist have no cost-effective commercial solutions. Borg said he hopes industry will step up to the plate to create solutions, and that government will adapt its acquisition policies to create incentives for these developments.

Borg said there is no schedule for final DHS approval of the draft. Additional information about the checklist is available from Borg at mailto: scott.borg (at) usccu.us.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org