Interesting People mailing list archives

IP: SANS NewsBites Vol. 3 Num. 42


From: David Farber <dave () farber net>
Date: Wed, 17 Oct 2001 15:46:33 -0400


To:   Dave Farber (SD545661)
From: Alan for the SANS NewsBites service
Re:   October 17 SANS NewsBites

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Federal officials have awakened to the realization that they may have
funded the computers most likely to be used in terrorist cyberattacks.
Universities that deployed the vulnerable systems have gotten the same
message. The first step in solving the problem is to add language to
federal contracts and grants requiring technical security standards
be met on all federally supported computers. If you are involved in
security of university-based computers, your comments and suggestions
can help. Please review the draft language in the RFC at the end of
this NewsBites and get back to us by Friday.

<snip>

========
SANS Internet Security Request For Comment.
SRFC 01-201
Securing Federally-Funded University Computers
Draft October 16, 2001

Background: The largest and most visible distributed denial of
service attacks were launched primarily from computers in research
facilities in American universities. Most of these computers were
funded in whole or part by federal grants. Universities and other
research centers have used federal money to deploy tens of thousands of
powerful computers, on high-speed networks, directly connected to the
Internet, without even minimal security configuration or maintenance.
These systems create a significant and immediate threat to other users
of the Internet and to the economic well-being of the developed world.
Some researchers who control these computers have claimed that
they believe they should not be subjected to even minimal security
requirements because the federal grants they received do not explicitly
require security. This RFC proposes language federal granting agencies
can add to their contractual documents to remove any uncertainty
about security responsibilities of federal grant recipients.

Proposed Language To Be Included In Federal Research Grant Documents

Any Internet-connected information technology acquired or otherwise
supported using funds from this grant must be configured in compliance
with minimum security benchmarks such as those published by the Center
for Internet Security and must have applicable operating system and
application security patches and updates installed within seven days
of their availability on the vendor's web site.
The institution receiving the grant will maintain automated records
containing compliance scores and patch history information for each
of the systems supported under this grant. This information should
be available to the granting agency upon request.
==end==

Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans () sans org with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.
You may also email <sans () sans org> with complete instructions and
your SD number for subscribe, unsubscribe, change address, add other
digests, or any other comments.








For archives see: http://lists.elistx.com/archives/interesting-people/

