
[ISN] Security means keeping the system up


By Sara Michael 
Sept. 4, 2003 

When it comes to technological security, officials should shift their 
focus from guarding with the latest features to ensuring that critical 
processes keep running in the face of attacks, an expert said this 

"We've spent a lot of effort in building interconnected systems, but 
not a lot of effort in how to secure those systems and ensure 
continuance of critical operations," said Tim Shimeall of Carnegie 
Mellon University's CERT Analysis Center.

Shimeall spoke Wednesday at the Interagency Resources Management 
Conference 2003 in Cambridge, Md.

Security officials previously focused on how to protect one machine or 
a single system, Shimeall said. But as networks expand, boundaries 
blur and more agencies are using interoperable and connected systems. 

"As we involve more and more organizations, we step back from this 
centralized control," Shimeall said. "We need to consider that our 
network isn't limited. The network we care about is more than the 
network we own."

Information technology personnel should stop viewing networks purely 
as centrally managed, independent entities, Shimeall said. The growth 
of the Internet has led to complex connections, which can make systems 
vulnerable, he said. 

Attacks on government networks can have far-reaching effects on the 
public, such as exposing private information, and e-government 
initiatives are relying more and more on the Internet, Shimeall said. 
As a result, building a security wall to protect networks isn't good 
enough anymore, since hackers will go around it, Shimeall said. 
Instead, agencies need to identify what operations matter to an 
organization and determine how they can maintain these processes even 
during an ongoing attack. 

"The number one thing you can do is first shift your thinking," 
Shimeall said. "Number two is ask the right questions and listen to 
the answers."

ISN is currently hosted by Attrition.org
