If you thought Y2K was bad, wait until cyber-security hits
Sean Donelan
sean at donelan.com
Sun Jul 21 08:31:18 UTC 2002
On Sat, 20 Jul 2002 Valdis.Kletnieks at vt.edu wrote:
> I didn't get involved in that one, but I've been working on the Unixoid
> stuff with CIS and SANS. We make no claims that if you do everything on
> the checklist that you're secure - the claim is that *failure* to do
> everything is demonstrably *insecure*.
The CIS/W2Kpro checklist is not that. Failure to do everything on the
W2K checklist is not "ipso facto" evidence a computer is insecure. Many
items on the CIS/W2Kpro checklist are of the form if you aren't using
this item, you should disable it. That is a good security practice. But
it does not follow if you are using the item (i.e. it's enabled), your
machine is insecure. Unfortunately the CIS/W2Kpro scoring tool can't
tell the difference.
As a list of things to consider, and a free tool to check a computer's
configuration, the CIS/W2Kpro checklist is a great addition to the
security toolbox. Just don't try to push it too hard. Not following the
CIS/W2Kpro checklist is not evidence of security malpractice. The puffery
in the accompanying press releases and news articles was more than the
CIS/W2Kpro checklist can support.
A blast from the past.
Internet security woes inflated, experts say
By Gary H. Anthes
OCT 16, 1995
http://www.computerworld.com/news/1995/story/0,11280,9990,00.html
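The distinction Sean draws above (an enabled service is only a finding if it is not actually needed) is easy to build into a scoring tool. The following is an added example, not the CIS scoring tool or any code from the thread; the checklist items, the "name=state" service listing format and the declared-in-use list are all constructed for illustration. It contrasts a naive scorer that deducts for every enabled checklist service with a usage-aware scorer that reports a finding only when the service is enabled and not declared in use, and records the rest as documented exceptions.

```python
"""Checklist scoring that separates 'enabled and unused' from 'enabled and needed'."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChecklistItem:
    # Hypothetical item of the form "disable this service if you are not using it".
    service: str
    weight: int = 1


# Constructed sample checklist; not the real CIS/W2Kpro item list.
CHECKLIST = [
    ChecklistItem("telnet", weight=2),
    ChecklistItem("ftp", weight=2),
    ChecklistItem("remote_registry"),
    ChecklistItem("print_spooler"),
]

# Constructed host state in a simple "name=state" listing (one service per line).
SAMPLE_STATE = """\
telnet=stopped
ftp=running
remote_registry=stopped
print_spooler=running
"""

# Constructed list of services the administrator has declared as actually in use.
SAMPLE_IN_USE = ["print_spooler"]


def parse_state(text):
    """Return the set of services reported as running in a name=state listing."""
    enabled = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # skip blank or malformed lines rather than guessing
        name, state = line.split("=", 1)
        if state.strip().lower() == "running":
            enabled.add(name.strip())
    return enabled


def naive_score(enabled):
    """Deduct for every checklist service that is running, regardless of need."""
    return sum(item.weight for item in CHECKLIST if item.service in enabled)


def usage_aware_score(enabled, in_use):
    """Deduct only for services that are running but not declared in use.

    Returns (deduction, findings, exceptions): findings are running services
    nobody claims to need; exceptions are running services that are in use
    and therefore not evidence of insecurity on their own.
    """
    in_use = set(in_use)
    findings = [i.service for i in CHECKLIST
                if i.service in enabled and i.service not in in_use]
    exceptions = [i.service for i in CHECKLIST
                  if i.service in enabled and i.service in in_use]
    deduction = sum(i.weight for i in CHECKLIST if i.service in findings)
    return deduction, findings, exceptions


def report(text=SAMPLE_STATE, in_use=SAMPLE_IN_USE):
    """Run both scorers over a listing and return their results for comparison."""
    enabled = parse_state(text)
    return {
        "naive": naive_score(enabled),
        "aware": usage_aware_score(enabled, in_use),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

On the constructed sample the naive scorer deducts for both running services, while the usage-aware scorer deducts only for `ftp` and lists `print_spooler` as a documented exception; the point is that the second output is the one a reviewer can actually act on.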