With crackers attacking US administration web sites to protest the bombing of the Chinese embassy in Belgrade, research organization the SANS Institute took the opportunity of this week’s Federal Computer Security Conference (FCSC) to poll attendees on what management errors they believe made those sites vulnerable. One hundred representatives of government agencies, universities and the private sector were asked to rate eleven information security problems in order of their significance as contributors to the attacks.
Third most important, they said, was the sites' failure to deal with the operational aspects of security. Such sites make a few fixes and then do not allow the follow-through necessary to ensure that problems stay fixed. The second most important contributing factor was deemed to be a failure to understand the relationship of information security to the business problem. Sites in this class understand physical security well enough, the respondents said, but they do not see the consequences of poor information security.
The most important contributing factor in the attacks, as identified by the FCSC attendees, was the assignment of untrained people to maintain security and the failure of organizations to provide either the training or the time needed to do the job. In other words, for as long as government departments skimp on labor costs in an increasingly competitive market for information security professionals, they can expect their political opponents to seek out and expose their vulnerabilities.