[ISN] GAO lists security bargains

From: William Knowles (wkC4I.ORG)
Date: Fri Mar 31 2000 - 02:38:42 CST


http://www.fcw.com/fcw/articles/2000/0327/web-cheap-03-30-00.asp

BY Diane Frank
03/30/2000

Agencies can cut their information systems security risks with
low-cost and no-cost solutions, federal experts told Congress
Wednesday.

The General Accounting Office listed six steps that agencies can take
to immediately cut down on their security risks:

* Increase security awareness throughout the organization.
* Ensure that existing controls are operating effectively.
* Ensure that software patches are up-to-date.
* Use automated scanning and testing tools to quickly identify
  vulnerabilities.
* Expand the use of best practices throughout the agency.
* Ensure that the most common vulnerabilities are addressed.

In its security audits of agencies, including the departments of
Defense and Veterans Affairs, GAO found that security controls are in
place but that those controls are not being used correctly, said Jack
Brock, director of governmentwide and defense information systems at
the General Accounting Office's Accounting and Information Management
Division.

"Agencies are spending money for tools, but they're not using those
tools," Brock testified before the House Government Reform Committee's
Government Management, Information and Technology Subcommittee. "Tools
are present, but they're not turned on, they're not monitored, you're not
sure if they're working or not."

One agency that has incorporated many of GAO's low-cost solutions into
its agencywide security policy is NASA, which has made many
improvements in security since its GAO audit in 1998, Brock said.

The agency has bought commercial off-the-shelf vulnerability analysis
and scanning tools, but it is augmenting them with freeware and
shareware tools from the Internet. NASA also has developed and
distributed a list of its top 50 vulnerabilities and has built those
into auditing tools at NASA centers so that they automatically scan
for those weaknesses, testified David Nelson, NASA's deputy chief
information officer.

Related link: Text of GAO's Congressional testimony on Wednesday

http://www.gao.gov/new.items/ai00135t.pdf

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*
