Network security is poor and is getting worse, a poll of 61 organizations finds

NCSA: Lack of security, not bandwidth, will limit Net use

William Jackson

Government Computer News

Cyberspace can be a scary place, according to a recent study by the National Computer Security Association.

NCSA profiled 61 organizations, including some federal agencies, whose computer networks are protected by firewalls. Forty-four percent reported unauthorized users had probed their networks.

A similar percentage reported no attempted intrusions. However, industry experience suggests that it would be "unwise to give 100 percent credibility to the claim," the report said.

Nearly a quarter of those interviewed said the problem has gotten worse over the last year.

NCSA, a for-profit organization in Carlisle, Pa., might appear to have a vested interest in larger numbers, since it sells product certification services to vendors. But if recent firewall announcements are any indicator, network security is weighing heavily on the minds of network administrators everywhere.

"The issue of security is jumping dramatically in every aspect of computing," said NCSA president and chief executive officer Peter Tippett. Because network bandwidth continues to broaden and transmission speeds to increase, Tippett said he believes security, not bandwidth, will become the limiting factor in using the Internet to conduct business.

NCSA officials cautioned against extrapolating the results of the firewall study, characterizing it as a profile rather than a statistically significant survey. The report came out of interviews with network security personnel. The number of federal sites was not released.

The firewall profile is the first step in a broader survey of network vulnerabilities, Tippett said. This survey will monitor attempted intrusions at 1,000 sites to find out who does the probing and what tools they use.

"Most of the knowledge we have in the world of computer security is conjecture," Tippett said.

The NCSA charges over eight thousand dollars to certify your SINGLE web server, and then you get to read this: "Most of the knowledge we have in the world of computer security is conjecture." How is that a worthwhile certification?

NCSA already has amassed a fair amount of information, however. It has monitored online security discussion groups on computer bulletin boards and the Net for three years, gathering gigabytes of information that is indexed every day for subscribers.

Three years? Vulnerabilities in my personal database date back to the mid-80s if not earlier. If their practice and certification are based on the last three years of hacker techniques, it falls way short.

NCSA also has infiltrated hacker discussion groups to find out what tools and techniques they use.

Infiltrated? Most hacker discussion groups are public.

One of its newest efforts is its Web Certification program, which annually certifies servers and World Wide Web sites that meet standards for protecting data and resisting intrusion.

Candidates must meet a lengthy checklist of requirements for privacy and physical site security.

After the site and server owners sign off on these requirements, NCSA runs a battery of 150 online tests. Then a consultant performs an on-site inspection. Sites are spot-checked three times a year.

About 100 companies with 800 sites are in the certification process, Tippett said, and several federal agencies have expressed interest.

The service starts at $8,500 for a single Web site. Benefits of certification include reduced rates for Internet security liability and electronic commerce insurance.

Tippett said certification of baseline security standards will foster public acceptance of the Web as a transaction medium.
