[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] Security means keeping the system up
By Sara Michael
Sept. 4, 2003
When it comes to technological security, officials should shift their
focus from guarding with the latest features to ensuring that critical
processes keep running in the face of attacks, an expert said this
"We've spent a lot of effort in building interconnected systems, but
not a lot of effort in how to secure those systems and ensure
continuance of critical operations," said Tim Shimeall of Carnegie
Mellon University's CERT Analysis Center.
Shimeall spoke Wednesday at the Interagency Resources Management
Conference 2003 in Cambridge, Md.
Security officials previously focused on how to protect one machine or
a single system, Shimeall said. But as networks expand, boundaries
blur and more agencies are using interoperable and connected systems.
"As we involve more and more organizations, we step back from this
centralized control, Shimeall said. "We need to consider that our
network isn't limited. The network we care about is more than the
network we own."
Information technology personnel should stop viewing networks purely
as centrally-managed, independent entities, Shimeall said. The growth
of the Internet has led to complex connections, which can make systems
vulnerable, he said.
Attacks on government networks can have far-reaching effects on the
public, such as exposing private information, and e-government
initiatives are relying more and more on the Internet, Shimeall said.
As a result, building a security wall to protect networks isn't good
enough anymore, since hackers will go around it, Shimeall said.
Instead, agencies need to identify what operations matter to an
organization and determine how they can maintain these processes even
during an ongoing attack.
"The number one thing you can do is first shift your thinking,"
Shimeall said. "Number two is ask the right questions and listen to
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@xxxxxxxxxxxxx with 'unsubscribe isn'
in the BODY of the mail.