September 30, 2002 5:50 PM PDT
FBI to release computer-security updates
The FBI's National Infrastructure Protection Center and the SysAdmin, Audit, Networking and Security (SANS) Institute, a research and education organization made up of government, corporate and academic experts, will unveil the initiatives Wednesday, exactly two weeks after the Bush Administration released a draft for comment of the National Strategy for Securing Cyberspace.
The SANS-FBI efforts will try to improve how companies deal with the multitude of security flaws software companies announce every week. The focus of the initiatives is on identifying security holes and delivering tools so companies can plug them, a practical approach outlined in the Administration's cybersecurity plan, said Alan Paller, director of research for SANS.
"We have to get rid of the emphasis on threat analysis and work on vulnerability analysis," Paller said. "That's because we can fix the vulnerabilities, but if we wait until the threat is clear, we will be too late."
While Paller wouldn't provide specifics, News.com has learned that in addition to releasing its latest annual list of the Top 20 vulnerabilities for Windows and Unix systems, the two groups will, within the next four months, release an expanded list of the most common and dangerous software flaws.
The organizations may also release a critical vulnerability analysis (CVA) report on a weekly basis, which would describe newly discovered flaws and how companies have dealt with them. The plans for the weekly report are currently in flux, however, and Paller would not comment on its status.
Eliminating the Top 20 flaws
Although he wouldn't name specific companies, Paller said five security firms will participate by building new features into their systems to scan corporate networks for vulnerabilities on the Top 20 list. News.com has learned that Internet Security Systems, Foundstone, Qualys, and TippingPoint are four of the five.
Gerhard Eschelbeck, vice president of engineering for security service provider Qualys, said the company would offer a free scan for the SANS-FBI Top 20 vulnerabilities to any network owner. While he didn't comment on whether Qualys would support the expanded list of flaws the organizations plan to release later, Eschelbeck did stress that it wouldn't be hard to do so.
"The beauty of the service-based model that we have is that we can distribute signatures with a click of a mouse," Eschelbeck said.
Network-protection company Internet Security Systems, which has built scanning support for the vulnerabilities included in the previous lists released by SANS will do so again, said Dan Ingevaldson, leader of ISS's research and development team.
"There are a lot more vendors involved this year," Ingevaldson said. "A whole bunch got together and made a choice over what should be included in the list."
This will be the third year that the SANS Institute has released a list of top flaws. In June 2000, the organization listed its Top 10. It updated that to a Top 20 in October 2001. Companies that eliminate the vulnerabilities on the Top 20 list from their networks will have made themselves immune to approximately 80 percent of all attacks on the Internet, Paller said.
To show how effective such tools can be, the SANS Institute and the FBI will point to system administrators at NASA, who used a vulnerability-focused approach to eliminate security problems with their network. Details from that study haven't yet been released.
"NASA is the poster child for this," said Paller.
In addition, the Federal Computer Incident Response Center (FedCIRC) will take part in the announcement.
Lists of confusion
Not everyone is enamored of the new initiatives, however.
At least one security consultant familiar with the announcement worried that the planned expansion of the list from 20 to perhaps as many as 100 vulnerabilities could just cause more confusion.
"We just have too many databases already," he said, asking not to be named.
Purdue University maintains the Common Vulnerability Database, and most security companies have their own databases as well. In addition, the Common Vulnerability Encyclopedia, run by the Mitre Group, is a central repository and Rosetta stone that links together the various definitions companies create for the same vulnerabilities.
But Paller said that's exactly why such lists are needed. He stressed that the new list would direct companies to the most-serious of the three dozen or so vulnerabilities that appear each week and add depth to the other databases.
The databases "all look at this elephant from a slightly different perspective," Paller said.