North American Network Operators Group

Re: If you thought Y2K was bad, wait until cyber-security hits
On Sat, 20 Jul 2002 [email protected] wrote:

> I didn't get involved in that one, but I've been working on the Unixoid
> stuff with CIS and SANS. We make no claims that if you do everything on
> the checklist that you're secure - the claim is that *failure* to do
> everything is demonstrably *insecure*.

The CIS/W2Kpro checklist is not that. Failure to do everything on the W2K checklist is not "ipso facto" evidence a computer is insecure. Many items on the CIS/W2Kpro checklist are of the form if you aren't using this item, you should disable it. That is a good security practice. But it does not follow if you are using the item (i.e. it's enabled), your machine is insecure. Unfortunately the CIS/W2Kpro scoring tool can't tell the difference.

As a list of things to consider, and a free tool to check a computer's configuration, the CIS/W2Kpro checklist is a great addition to the security toolbox. Just don't try to push it too hard. Not following the CIS/W2Kpro checklist is not evidence of security malpractice. The puffery in the accompanying press releases and news articles was more than the CIS/W2Kpro checklist can support.

A blast from the past.

Internet security woes inflated, experts say
By Gary H. Anthes
OCT 16, 1995
http://www.computerworld.com/news/1995/story/0,11280,9990,00.html