
    Gaps in Security Plan

    By Dennis Fisher - November 19, 2001

      Microsoft Corp.'s vulnerability-handling plan is a good start but may end up being insufficient as the specter of government regulation of Internet security looms, according to security experts.

      As IT security administrators and CIOs were absorbing the details of Microsoft's plan last week (see “Cracking Down on Hackers”), the U.S. House Committee on Energy and Department of Commerce's Subcommittee on Commerce, Trade and Consumer Protection was holding hearings to determine whether the industry was doing everything possible to secure the nation's computing infrastructure.

      Top executives from Internet Security Systems Inc., Microsoft, Oracle Corp. and others testified last week. The consensus reached was one of a public-private partnership, with several of the witnesses insisting legislation was not the answer to Internet security.

      “The private sector can do a lot. We have to work proactively to prevent future attacks, and I believe the private sector can do that,” said David McCurdy, executive director of the Internet Security Alliance, in Arlington, Va.

      Some House members hinted that action may be forthcoming nevertheless.

      “I think it's only logical that Congress should address the fact that future [terrorist] attacks could exploit vulnerabilities in our cyber-security networks,” said Rep. Mike Doyle, D-Pa. “I hope that this committee will soon take action.”

      One witness, Mary Ann Davidson, director of security product management at Oracle, in Redwood Shores, Calif., insinuated that the industry's security problems are largely the fault of its largest member, Microsoft.

      “You don't get good products in a monopoly market,” Davidson said.

      Meanwhile, reaction to Microsoft's plan to develop a standard for the handling of security vulnerabilities continues to be mixed. Observers said that the time has come for some sort of limited-disclosure plan but that Microsoft shouldn't be the one to manage the process.

      “It seems to make sense for information about security vulnerabilities to be closely held,” said J.B. Fields, a Washington-based consultant, network trouble-shooter and president of J.B. Fields and Associates LLC. “It seems clear that the indiscriminate publication of information about vulnerabilities is irresponsible. The notion of a secure news group or forum for discussions and meetings between members also seems fitting. I would not be so comfortable with corporate control of such forums.”

      That sentiment prevails among security industry insiders, many of whom have little love for Microsoft, a company they believe has caused most of its own security problems.

      “The reason this move by Microsoft is so dangerous is that it might result in the Balkanization of the security industry even more than it already is, and that could lead to legislation,” said Elias Levy, chief technology officer of SecurityFocus, in San Mateo, Calif. “It would allow Microsoft to shift the liability from themselves and have it encoded in the law that people who release details are liable. They're on the hot seat, and they had to do something.”

      Some critics also charge that the Microsoft plan contains nothing new.

      “What Microsoft said they'd do last week is what they've done for the last three years. And in that time, we've had Code Red, Nimda, Sircam and a bunch of other problems,” said Russ Cooper, surgeon general at TruSecure Corp., in Herndon, Va. “Nothing has changed. It's not even part of a solution. It's status quo.” Cooper recently published a proposal for a group called the Responsible Disclosure Forum, which is similar in some respects to Microsoft's plan. Microsoft officials maintain that they are taking charge of the effort only because no one else has been willing to do so.

      “Someone has to lead. Our role is to catalyze people into working for a solution,” said Scott Culp, manager of the Microsoft Security Response Center, in Redmond, Wash.
