September 30, 2002, 10:30 AM — The focus will be on fixes this Wednesday when the U.S. General Services Administration (GSA) unveils its list of the top 20 Internet security vulnerabilities to a gathering of government chief information officers (CIO) and IT professionals. The meeting, which is to be held Wednesday at the offices of the GSA in Washington, is expected to be attended by around 350 people, most from within the ranks of the government IT community.
This is the third year that the list has been released to the public. Compiled by the nonprofit SANS (Sysadmin, Audit, Network, Security) Institute Inc. and the U.S. Federal Bureau of Investigation's (FBI) National Infrastructure Protection Center (NIPC), the list is intended to raise awareness of serious computer vulnerabilities and provide IT administrators with a way to prioritize vulnerabilities, encouraging them to patch the most dangerous holes in their computer infrastructure.
Past lists have been segmented into three categories: general vulnerabilities, Windows vulnerabilities and Unix vulnerabilities. Security vulnerabilities that made previous editions of the list have ranged from very broad issues such as the failure to maintain complete system backups, to very specific platform and product vulnerabilities such as programming flaws in the Remote Data Services (RDS) component of Microsoft Corp.'s Internet Information Server.
Unlike past years, however, this year's conference will do more than just raise red flags. Underscoring the Bush administration's stated desire to enlist the private sector in the job of securing the nation's IT infrastructure, representatives from leading network vulnerability assessment companies such as Qualys Inc., Foundstone Inc. and Internet Security Systems Inc. will be on hand at the GSA conference to unveil a list of specific tools and services their companies offer that can detect and remove many of the leading common vulnerabilities and exposures -- or CVEs -- on this year's list, according to a source involved in planning the event.
Those companies, as well as others, have worked closely with the SANS Institute and agencies within the government over the past four months to compile the list, according to the source.
Apart from the announcements about vulnerabilities, the conference will highlight NASA's program to thwart Internet attacks on its network of over 120,000 machines, according to the source. That program relies on sharing information about vulnerabilities and attacks between different IT groups within an organization, creating a transparent and competitive environment in which IT managers are judged by the security of their systems.
The GSA is expected to hold up NASA's program as a model that other government agencies and private companies could use to reduce the number of attacks on their own systems.