FBI, DOJ issue list of worst Net threats

Industry Standard

June 2, 2000
Web posted at: 10:35 a.m. EDT (1435 GMT)

(IDG) -- The FBI, the Department of Justice and the System Administration, Networking and Security Institute are jointly releasing a list detailing the 10 most critical Internet security threats and how to eliminate them.

While those threats are mostly of concern to network administrators, the SANS Institute also released a list of the five worst security mistakes committed by average computer users.

Not surprisingly, at the top of that list is opening unsolicited e-mail attachments without verifying their source or checking their content. Apparently, people haven't yet learned the security lessons of the "ILoveYou" virus: messages containing the virus are still being sent nearly a month after it was unleashed, causing an estimated $6.7 billion in damage.


No. 2 on the list is failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer and Netscape browsers. Installing screen savers or games from unknown sources is next, followed by not making and testing backups, and then using a modem while connected through a local area network.

But average computer users aren't the only ones leaving themselves open to attack. The SANS Institute also points an accusatory finger at senior executives and information technology experts.

The Institute's research found that senior executives often are guilty of assigning untrained people to maintain security, failing to see the consequences of poor security, failing to make fixes or follow up on them, relying primarily on a firewall for security, failing to realize how much money their "information and organizational reputations are worth," authorizing short-term fixes, and pretending that problems will go away if they are ignored.

The list of security blunders common among IT workers, who bear the brunt of most of the problems that plague computer systems, surprisingly is even longer. According to the SANS Institute, IT workers all too often connect systems to the Internet before hardening them; connect test systems to the Internet with default accounts or passwords; fail to update systems when security holes are found; use telnet and other unencrypted protocols for managing systems, routers, firewalls and public key infrastructures; give out passwords to users over the phone or change passwords without verifying the legitimacy of the request; fail to maintain and test backups; implement firewalls that don't stop malicious or dangerous traffic; fail to update virus detection software; fail to educate users about security problems; and allow untrained users to take responsibility for securing important systems.

The researchers found that most of the successful attacks on computer systems could be traced to one of a small number of security flaws.

"A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic -- taking the easiest and most convenient route," the report states. "They count on organizations not fixing the problems, and they often attack indiscriminately by scanning the Internet for vulnerable systems."

Meanwhile, system administrators typically say they're too busy to correct the simple flaws and argue that they don't know which of more than 500 potential problems are the most dangerous and, hence, a top priority, according to the report.

There shouldn't be any excuse for such excuses now. The top 10 list of the most critical Internet security threats reads like a technical document, but gives easy-to-understand advice about fixing flaws.

The Unix and Linux platforms, which abound in universities and other large organizations, were found to be the most frequently affected by vulnerabilities. But several security holes were found to apply regardless of the systems, network devices and Web servers in use.
