[50168] in North American Network Operators' Group
Re: If you thought Y2K was bad, wait until cyber-security hits
daemon@ATHENA.MIT.EDU (Sean Donelan)
Sun Jul 21 04:32:55 2002
Date: Sun, 21 Jul 2002 04:31:18 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: Valdis.Kletnieks@vt.edu
Cc: nanog@merit.edu
In-Reply-To: <200207210337.g6L3btw0006839@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, 20 Jul 2002 Valdis.Kletnieks@vt.edu wrote:
> I didn't get involved in that one, but I've been working on the Unixoid
> stuff with CIS and SANS. We make no claims that if you do everything on
> the checklist that you're secure - the claim is that *failure* to do
> everything is demonstrably *insecure*.
The CIS/W2Kpro checklist is not that. Failure to do everything on the
W2K checklist is not "ipso facto" evidence a computer is insecure. Many
items on the CIS/W2Kpro checklist are of the form: if you aren't using
this item, you should disable it. That is a good security practice. But
it does not follow that if you are using the item (i.e. it's enabled), your
machine is insecure. Unfortunately the CIS/W2Kpro scoring tool can't
tell the difference.
As a list of things to consider, and a free tool to check a computer's
configuration, the CIS/W2Kpro checklist is a great addition to the
security toolbox. Just don't try to push it too hard. Not following the
CIS/W2Kpro checklist is not evidence of security malpractice. The puffery
in the accompanying press releases and news articles was more than the
CIS/W2Kpro checklist can support.
A blast from the past.
Internet security woes inflated, experts say
By Gary H. Anthes
OCT 16, 1995
http://www.computerworld.com/news/1995/story/0,11280,9990,00.html