
Re: Your counsel in defeating DDOS attacks



Many good responses from the Board to this proposal. Just wanted to add some thoughts I have as well. I think we are reaching the point where we must have some kind of "standard", if you will, by which to judge or measure a company, to ensure they have done "due diligence" before you trust them with your business. Consider the parallel in the traditional, non-wired world.... Before you do business with someone you want to know how they will handle your transactions, how they will take care of your property, your car in the garage, or your money in the bank. There are established standards for each of those evaluations. If your manufacturing business will depend on a supplier's parts, then you will evaluate their operation to ensure they meet the appropriate standards, or you won't do business with them. Not to ramble on too long here.... I think we are heading toward some kind of ISO- or NIST-like standard against which we can measure compliance with the appropriate procedures (whatever those turn out to be). If a software company or e-commerce company does business and meets the standard, they have done "due diligence"; if not, they will eventually disappear from the marketplace because no one will trade with them.

Who is going to set these standards, enforce them....I don't know the answer to that one. Do we have "big government" set the standards? That's how BS7799 is being driven in Britain, but how would that fly elsewhere? Do we make the standards voluntary? Anyone who wants to abide by them can, those that don't won't....no teeth, how do you enforce those? Somewhere in between is my best guess. I don't have the answers, just questions and thoughts. But, I feel it will be necessary to address this issue eventually as well, maybe sooner than later.

Just my $.02 worth

-mike

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Thursday, February 17, 2000
To: cve-editorial-board-list@lists.mitre.org
Cc: gjg@MITRE.ORG; wrg@MITRE.ORG; ptasker@MITRE.ORG; ckrause@MITRE.ORG
Subject: Re: Your counsel in defeating DDOS attacks

Alan,

Several of us at MITRE got together and have the following comments on your proposal. In our view, although some of these suggestions may be "fantasy" as Craig put it, the additional attention to security right now could help establish this document or follow-up documents as a "best practices" recommendation that can be enforced -- through embarrassment as Pascal suggested, through legal measures that force companies to compensate attack victims for damages because they did not perform due diligence, or by governments and large organizations using it for their own requirements (e.g. not purchasing products if OS vendors do not configure systems securely out of the box, or if software vendors do not follow certain secure programming practices).

- Steve

====================
Major Trends Section
====================

Here are some suggested modifications. We have cross-referenced some of these points to make them easier to incorporate.

Additions
---------

1) Many times, machines are first compromised because programmers do not know how to write secure code, or because security is sacrificed for new features.

2) New interaction models are being widely deployed without sufficient attention to security and control. (E.g. the Melissa virus and mobile code in general).

3) The volume and variety of information available, from a wide number of sources, is extremely difficult for a system administrator to deal with. In addition, the size and diversity of computer networks makes keeping up-to-date with security extremely difficult. "Owner carelessness" is not the only problem.

4) Often, security is not a corporate priority, which means that it is under-supported financially.

Modifications
-------------

6th bullet - Many systems are configured to run unnecessary services by default. In turn this makes them useful as attack points. Many "everyday users" may thus become unwitting participants.

=======================
Immediate Steps Section
=======================

Additional Steps
----------------

Problem 4 (Unprotected computers):

1) Disable all unnecessary services on your systems. While it's not a panacea, a large number of systems have vulnerabilities in services that aren't even necessary.

2) Each enterprise should create their own "top 20 list" of the most important vulnerabilities that MUST be fixed by the enterprise. (This is more of a grassroots approach than creating a top 20 list based on community consensus, which could be difficult to define for all/most networks.)

Modifications
-------------

Problem 4 (Unprotected computers):

3rd bullet - All software vendors should (a) establish clear, easy-to-use methods of distributing all security-related patches, and (b) provide a distinct public acknowledgement when a problem arises. This is currently the case with most major OS vendors (at least for most significant problems) although it does not necessarily scale well, but it is a problem with third party and minor vendors.

=========================
Long Term Efforts Section
=========================

Additions
---------

1) Encourage the widespread use of strong authentication. Encryption is mentioned in the proposal, but not authentication.

2) Programmers are strongly recommended to use or build tools that help them to detect and avoid vulnerabilities during the software development cycle.

3) Fund research into security assessment tools which are as easy to use and deploy as anti-virus checkers (this is a long-term approach to producing "system-hardening scripts" as described in the immediate steps section).

Modifications
-------------

1st bullet (IP v6) - If you want to keep this paper strictly related to DDoS (instead of including how to secure zombie/slave systems in general), then consider removing or reprioritizing this bullet, which doesn't curb spoofing or DDoS attacks.

Some of these ideas are the result of email exchanges with various Board members. All Board members, please feel free to add your comments.

- Steve

Page last updated or reviewed: May 22, 2007