Feds release 'Top 20' cybersecurity holes
In a bid to plug its leaky computer systems, the US government released a list of top cybersecurity holes yesterday and unveiled a system to help government techies find and patch them.
Two weeks after the White House released its much-criticised plan to boost computer security, cybersecurity czar Richard Clarke urged federal administrators to fortify their computer systems against online attacks before they took place.
"Look at your systems the way an attacker would look at them," Clarke said.
To that end, three government agencies and the private SANS Institute released a list of the 20 most common security vulnerabilities, divided evenly between Microsoft's Windows operating system and Unix, the operating system which underpins many powerful network computers.
Some of the listed security holes, such as a default setting in Microsoft's SQL Server database software that leaves passwords blank, are new to the list.
Many others have been known for years, but remain hacker favourites because system administrators do not keep up with software fixes, or "patches," from the manufacturer, said SANS Institute's Alan Paller.
The General Services Administration, which provides support to other government agencies, will soon offer a service that allows administrators to scan their systems for vulnerabilities and determine which patches are needed, a GSA official said.
Clarke's comprehensive cybersecurity plan, released for public comment two weeks ago, calls on Internet users and private businesses to voluntarily improve their cyberdefenses.
Security experts have criticised the plan because it imposes no requirements on the private sector, even as they praised Clarke's determination to improve the federal government's inconsistent cyberdefenses.
A congressional cybersecurity report last year gave failing grades to two-thirds of all federal agencies, including the Defense, Justice, Commerce and Treasury departments.
But improvement is possible, Paller said. NASA was able to reduce the number of successful intrusions from one out of ten to roughly one out of 200 over a two-year period by encouraging friendly competition among network administrators, he said.
"The federal government is going to do better in security," Clarke said. "We are going to walk the talk."