Interesting People mailing list archives
IP: SANS NewsBites Vol. 3 Num. 42
From: David Farber <dave () farber net>
Date: Wed, 17 Oct 2001 15:46:33 -0400
To: Dave Farber (SD545661)
From: Alan for the SANS NewsBites service
Re: October 17 SANS NewsBites

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Federal officials have awakened to the realization that they may have funded the computers most likely to be used in terrorist cyberattacks. Universities that deployed the vulnerable systems have gotten the same message. The first step in solving the problem is to add language to federal contracts and grants requiring technical security standards be met on all federally supported computers. If you are involved in security of university-based computers, your comments and suggestions can help. Please review the draft language in the RFC at the end of this NewsBites and get back to us by Friday.

<snip>

========

SANS Internet Security Request For Comment. SRFC 01-201
Securing Federally-Funded University Computers
Draft October 16, 2001

Background:

The largest and most visible distributed denial of service attacks were launched primarily from computers in research facilities in American universities. Most of these computers were funded in whole or part by federal grants. Universities and other research centers have used federal money to deploy tens of thousands of powerful computers, on high-speed networks, directly connected to the Internet, without even minimal security configuration or maintenance. These systems create a significant and immediate threat to other users of the Internet and to the economic well-being of the developed world.

Some researchers who control these computers have claimed that they believe they should not be subjected to even minimal security requirements because the federal grants they received do not explicitly require security. This RFC proposes language federal granting agencies can add to their contractual documents to remove any uncertainty about security responsibilities of federal grant recipients.

Proposed Language To Be Included In Federal Research Grant Documents

Any Internet-connected information technology acquired or otherwise supported using funds from this grant must be configured in compliance with minimum security benchmarks such as those published by the Center for Internet Security and must have applicable operating system and application security patches and updates installed within seven days of their availability on the vendor's web site. The institution receiving the grant will maintain automated records containing compliance scores and patch history information for each of the systems supported under this grant. This information should be available to the granting agency upon request.

==end==

Please feel free to share this with interested parties via email (not on bulletin boards).