Ex-Antiterrorism Czar Offers Cyberspace Security Tips

8/30/04

Clarke listed 10 steps for enterprises to follow:

1. Establish automatic monitoring of compliance and auditing capabilities of networks. "Every day you can see if you're secure," he said.

2. Acquire a patch-management system and service. Noting that 50 or 60 patches are issued each week by software providers, Clarke called patching "the number one headache of CIOs."

3. Set up an identity-access-management system, preferably a two-factor password-ID system. He noted that, today, "almost any password can be broken" by programs easily available on the Internet.

4. Data should be encrypted in sensitive areas. He said proposed California legislation calls for many IT organizations to encrypt data.

5. Participate in an early-warning system, preferably with an organization with a set of detect sensors.

6. Establish rigorous security-oriented service-level agreements (SLAs) with ISPs. Clarke indicated that the FCC is considering making this provision mandatory for certain IT users.

7. Institute an IT security-awareness program, a sort of catch-all program that would educate staff on widespread security aspects of their networks.

8. Software should be systematically tested--and not just Microsoft software. He noted that buffer-overflow problems have been cited for years, but little has been done to correct the problem. He said there is a need for "software products that test software."

9. Secure the physical part the IT organization to make sure that intruders can't just walk in and violate security.

10. Address "the road-warrior problem," as illustrated by network users logging in from remote locations, who unknowingly have infected software, typically on laptops.

Clarke also addressed the possible security threat posed by the offshore outsourcing of IT operations. "I don't think it's a problem," Clarke said. "Some Indian companies do a better job than U. S. companies."