Return-Path: <sentto-279987-2429-1001599288-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Thu, 27 Sep 2001 07:04:08 -0700 (PDT) Received: (qmail 31329 invoked by uid 510); 27 Sep 2001 14:03:05 -0000 Received: from n20.groups.yahoo.com (216.115.96.70) by 204.181.12.215 with SMTP; 27 Sep 2001 14:03:05 -0000 X-eGroups-Return: sentto-279987-2429-1001599288-fc=all.net@returns.onelist.com Received: from [10.1.1.220] by n20.onelist.org with NNFMP; 27 Sep 2001 14:02:48 -0000 X-Sender: fc@big.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-7_4_1); 27 Sep 2001 14:01:27 -0000 Received: (qmail 25865 invoked from network); 27 Sep 2001 14:01:26 -0000 Received: from unknown (10.1.10.26) by 10.1.1.220 with QMQP; 27 Sep 2001 14:01:26 -0000 Received: from unknown (HELO big.all.net) (65.0.156.78) by mta1 with SMTP; 27 Sep 2001 14:02:47 -0000 Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id HAA12522 for iwar@onelist.com; Thu, 27 Sep 2001 07:02:46 -0700 Message-Id: <200109271402.HAA12522@big.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Thu, 27 Sep 2001 07:02:46 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] Comments on the Dartmouth Security Study Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Some comments on the study cc'd to this list yesterday... based only on an initial overview. > Executive summary: Executive comments: > CRITICAL CYBER SECURITY MEASURES DURING THE WAR ON TERRORISM: > > 1. Raise and maintain a heightened level of cyber alert and logging > levels in times of acute crisis (Page 19) Increased logging takes increased resources - time and space. During time of heavy attack, there is substantially more traffic and there are substantially more events to log. This means that you are taking a double hit on resources that are already inadequate to the task. In addition, the heightenned awareness level causes many more 'fales positives' as users report things that are not important or become afraid of the slightest things. This again strains support infrastructure. Considering the current economic situaiton, increased cost and decreased worker productivity is probably not the best combination for success. Perhaps a better approach would be to avoid such crises by reviewing design and implementaiton and preparing reasonable disaster and other event response plans. > 2. Report of suspicious activity to law enforcement immediately to > facilitate the warning and investigative processes (Page 19) As in (1) above, this is likely to further overburden law enforcement and create an inability to differentiate or respond to the most important events. In addition, it can be used for reflexive control against law enforcement. Perhaps a better approach would be for law enforcement to identify the most critical things to lok for (over time) and generate reports on those events while providing a lower priority level of reporting for other events and letting those who run systems (and criminals) know that most crimes will go uninvestigated because of the strain on resources. > 3. Apply and follow standard 'best practices' for computer and physical > security; apply regular software updates, and install worm protection, > intrusion detection systems and firewalls (Page 19) Unfortunately, there are no 'best practices' that can be reasonably applied across the board, and 'best practices' that do exist tend to be 'most expensive' practices in many cases and require 'best expertise' to do well. Since resources are constrained, we need a better risk management approach (risk management is of course part of 'best practices') > 4. Secure critical information assets by implementing recommended > measures against known exploits and back up all vital systems and > information (Page 20) If this is not already being done, it is an outrage - and of course it is not being done everywhere and it is outrageous. > 5. Utilize ingress and egress filtering to protect against Distributed > Denial of Service (DDoS) attacks (Page 20) Common filtering of this sort will not stop current DDoS. There are, however, products that can do this far better and they should be applied. In addition, these are hardly the most important things to consider doing at this point and they are extremely non-specific. More later... FC --This communication is confidential to the parties it is intended to serve-- Fred Cohen Fred Cohen & Associates.........tel/fax:925-454-0171 fc@all.net The University of New Haven.....http://www.unhca.com/ http://all.net/ Sandia National Laboratories....tel:925-294-2087 ------------------------ Yahoo! Groups Sponsor ---------------------~--> Pinpoint the right security solution for your company- Learn how to add 128- bit encryption and to authenticate your web site with VeriSign's FREE guide! http://us.click.yahoo.com/yQix2C/33_CAA/yigFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:50 PDT