Govt. to unveil top 20 vulnerabilities, focus on fixes

The focus will be on fixes this Wednesday when the U.S. General Services Administration (GSA) unveils its list of the top 20 Internet security vulnerabilities to a gathering of government chief information officers (CIO) and IT professionals. The meeting, which is to be held Wednesday at the offices of the GSA in Washington, is expected to be attended by around 350 people, most from within the ranks of the government IT community.

This is the third year that the list has been released to the public. Compiled by the nonprofit SANS (Sysadmin, Audit, Network, Security) Institute Inc. and the U.S. Federal Bureau of Investigation's (FBI) National Infrastructure Protection Center (NIPC), the list is intended to raise awareness of serious computer vulnerabilities and provide IT administrators with a way to prioritize vulnerabilities, encouraging them to patch the most dangerous holes in their computer infrastructure.

Past lists have been segmented into three categories: general vulnerabilities, Windows vulnerabilities and Unix vulnerabilities. Security vulnerabilities that made previous editions of the list have ranged from very broad issues such as the failure to maintain complete system backups, to very specific platform and product vulnerabilities such as programming flaws in the Remote Data Services (RDS) component of Microsoft Corp.'s Internet Information Server.

Unlike past years, however, this year's conference will do more than just raise red flags. Underscoring the Bush administration's stated desire to enlist the private sector in the job of securing the nation's IT infrastructure, representatives from leading network vulnerability assessment companies such as Qualys Inc., Foundstone Inc. and Internet Security Systems Inc. will be on hand at the GSA conference to unveil a list of specific tools and services their companies offer that can detect and remove many of the leading common vulnerabilities and exposures -- or CVEs -- on this year's list, according to a source involved in planning the event.

Those companies, as well as others, have worked closely with the SANS Institute and agencies within the government over the past four months to compile the list, according to the source.

Apart from the announcements about vulnerabilities, the conference will highlight NASA's program to thwart Internet attacks on its network of over 120,000 machines, according to the source. That program relies on sharing information about vulnerabilities and attacks between different IT groups within an organization, creating a transparent and competitive environment in which IT managers are judged by the security of their systems.

The GSA is expected to hold up NASA's program as a model that other government agencies and private companies could use to reduce the number of attacks on their own systems.

Also at the conference, the GSA will announce an initiative to expand the government's Safeguard program to help audit the government's own systems for common vulnerabilities, according to a press release from the GSA dated Sept. 30, 2002.

The Safeguard program is run by the Center for Information Security Services (CISS) and provides professional services and products to agencies of the federal government to help protect those agencies against potential threats.

Although targeted at IT professionals working within the federal government, the yearly announcement of the 20 top Internet vulnerabilities from the FBI and SANS is recognized by many within the security industry as a benchmark of sorts -- a list of vulnerabilities, many of them targeted by high-profile worms or viruses such as Code Red and this year's Slapper, that must be addressed for a Web site or corporate network to be considered secure.
