If you thought Y2K was bad, wait until cyber-security hits

Sean Donelan sean at donelan.com
Sun Jul 21 08:31:18 UTC 2002
On Sat, 20 Jul 2002 Valdis.Kletnieks at vt.edu wrote:
> I didn't get involved in that one, but I've been working on the Unixoid
> stuff with CIS and SANS.  We make no claims that if you do everything on
> the checklist that you're secure - the claim is that *failure* to do
> everything is demonstrably *insecure*.

The CIS/W2Kpro checklist is not that.  Failure to do everything on the
W2K checklist is not "ipso facto" evidence a computer is insecure. Many
items on the CIS/W2Kpro checklist are of the form: if you aren't using
this item, you should disable it.  That is a good security practice.  But
it does not follow that if you are using the item (i.e. it's enabled), your
machine is insecure.  Unfortunately the CIS/W2Kpro scoring tool can't
tell the difference.

As a list of things to consider, and a free tool to check a computer's
configuration, the CIS/W2Kpro checklist is a great addition to the
security toolbox.  Just don't try to push it too hard. Not following the
CIS/W2Kpro checklist is not evidence of security malpractice.  The puffery
in the accompanying press releases and news articles was more than the
CIS/W2Kpro checklist can support.


A blast from the past.

Internet security woes inflated, experts say
By Gary H. Anthes
OCT 16, 1995

http://www.computerworld.com/news/1995/story/0,11280,9990,00.html