Computer Crime Research Center


Let's Get Serious About Cybersecurity

Date: October 19, 2004

Last week, there were two stories that indicated how complacency is alive and well in both the business and Government environments. The SysAdmin, Audit, Network Security (SANS) Institute specializes in information security training and certification. Last week in London, at a conference held at the Department of Trade and Industry, it unveiled its SANS Top-20 2004 list of the most critical Internet threats facing organizations, noting that on-line extortion was widespread.

Alan Paller, director of Research, said that 6,000 to 7,000 organizations were paying out, and that the epidemic was growing. He said that the problems were not publicized because people were too embarrassed to talk about getting caught out. The other report that caught my attention concerned the departure of the latest U.S. Cybersecurity Chief. Amit Yoran, formerly an executive with Symantec Corp., was the third holder of the post to depart in less than two years.

The post was incorporated into the Department of Homeland Security, which on the face of things was the logical place for it. However, instead of reporting to Tom Ridge, who is in charge of the department, the post was downgraded. This compares very unfavorably to when Richard Clarke held the post; he was a special adviser to the President.


The SANS Top-20 2004 comprises the 10 most commonly exploited vulnerable services in Windows and the 10 most commonly exploited vulnerable services in Unix and Linux. The organization says that the many security incidents each year that affect these operating systems are mainly targeted at one or more of these vulnerable services.

According to SANS, one example is that every on-line gambling site is paying extortion to hackers who use Denial of Service attacks and then demand money to refrain from doing it again. When information about such attacks is not shared out of embarrassment, vulnerabilities surely remain open for hackers and criminals to continue their extortion and cause mayhem. After 9/11, the U.S. Government appeared to be taking the threat of cyberterrorism very seriously.

However, back in early 2003, the former special adviser to President Bush, Richard Clarke, warned that there was no top-level official in the Administration who was responsible full-time for the protection of the U.S. information infrastructure. It appears that the protection of cyberspace has been overshadowed by the protection of physical infrastructure in the Department of Homeland Security. Of course, some point to the impending U.S. election as a reason for the lack of attention to cybersecurity, as the protection of the information infrastructure does not have the same public appeal at the ballot box as other, more immediately vote-worthy, matters.


Unless we are members of either the criminal or terrorist communities, it is in all our interests that information about vulnerabilities is shared, and that governments take all possible steps to protect cyberspace.
