U.S. Agencies are own worst enemy

Agencies are own worst enemy

BY Diane Frank
04/28/2000

ORLANDO, Fla. - The largest security danger facing federal agencies still is the lack of proper security procedures, leaving known vulnerabilities in place to be exploited by attackers, federal and industry experts said Thursday.

Statistics gathered by the Defense Department's Computer Emergency Response Team and Carnegie Mellon University's CERT Coordination Center show that 94 percent to 98 percent of the security incidents reported by federal agencies happen because the agencies did not use widely available patches for known vulnerabilities in their software applications and operating systems.

"We're our own worst enemy," said Maj. Gen. John Campbell, commander of the DOD Joint Task Force for Computer Network Defense, at the Information Processing Interagency Conference here.

The CERT/CC serves as the operational arm for the Federal Computer Incident Response Capability, the civilian agencies' coordinating incident response group. And while the number of reported incidents is getting larger every year, agencies are still being attacked using the same security holes, said Katherine Fithen, manager of the CERT/CC.

But known software holes are not the only problem, Campbell said. Many times, the vulnerability comes from system administrators or users not bothering to change a default password or not taking the time to close off all the openings left by an application's default configuration.


-- Martin Thompson (mthom1927@aol.com), April 28, 2000
