nanog mailing list archives

Re: If you thought Y2K was bad, wait until cyber-security hits


From: Valdis.Kletnieks () vt edu
Date: Sat, 20 Jul 2002 23:37:49 -0400

On Sat, 20 Jul 2002 17:28:20 PDT, Scott Francis <darkuncle () darkuncle net>  said:

> _Microsoft_ managed to get a security 'Gold Standard' for one of its
> products? This must be for some non-golden value of gold ...

Microsoft didn't do anything (take that as you may).  The CIS and SANS crew did
up their W2K benchmark - the news here is that the NSA, GSA, and NIST are all
throwing their backing behind it as a Good Thing.

It's a *long* checklist of everything you need to do to W2K to beat it into
submission security-wise.  Basically, *after* you do everything on the list, it
will require a *skilled* hacker or a script kiddie with an actual 0day exploit
to 0wn you.

I didn't get involved in that one, but I've been working on the Unixoid
stuff with CIS and SANS.  We make no claims that if you do everything on
the checklist that you're secure - the claim is that *failure* to do
everything is demonstrably *insecure*.

Yes, you read it and every single item will strike you as "any sysadmin
who didn't just fall out of a tree knows THAT".  The oft-overlooked point
is that most sysadmins DID just fall out of trees - often landing on their
head in the process.

Think of it as recognition that "Your Clue Must Be --->THIS<--- Tall To Ride
The Internet".  It's about time...
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
