Combating Cybercrime



When Dave Nelson joined NASA in 1999 as deputy chief information officer for information technology security, he knew the agency needed to improve its network security. But rather than take a scattershot approach to fixing the space agency's Internet vulnerabilities, Nelson's staff developed a list of about 50 top vulnerabilities to target first.

"If you try to fix all vulnerabilities at the same time, you end up running yourself ragged and you give up," Nelson said.

A suite of network scanning tools was purchased, and IT security staff at NASA's 10 space flight centers were trained in their use. A healthy competition developed among the centers to reduce the ratio of vulnerabilities on the agency's 80,000 computers, Nelson said. The staff's goal was fewer than one vulnerability per four computers scanned, or 0.25 vulnerabilities per system scanned.

By the end of 2000, the ratio had dropped to 0.16. By the end of 2001, the ratio was 0.0068.

NASA's success got the attention of IT security experts in the private sector and other federal agencies, who also struggle with a constant barrage of cyberattacks. Soon after, security officials began collaborating on an annual list of the top 20 vulnerabilities most often exploited by hackers and other cybercriminals.

And when this year's list was released last month, federal officials called for other agencies to follow NASA's lead.

NASA came up with "the model we were all looking for," said Alan Paller, director of research at the SANS Institute, a Bethesda, Md., research and education organization.

The 2002 top 20 list of Internet security vulnerabilities, unveiled Oct. 2 by the FBI's National Infrastructure Protection Center, the General Services Administration Federal Computer Incident Response Center and the SANS Institute, is published at www.sans.org/top20.

About 70 Internet security vendors participated in the top 20 identification process this year, and at least five vendors launched products specifically designed to identify the top 20, making it even easier for agencies to replicate NASA's success, security experts said.

"In the past, it was too hard to find [vulnerabilities] or determine which ones were most important," Richard Clarke, cybersecurity adviser to President Bush, told agency IT managers when the list was released. "Now you'll have a list ... and a way of finding them quickly."

BUSH INCREASES SPENDING 

The Bush administration has requested $4.5 billion in IT security funds for fiscal 2003, a 64 percent jump from the current year, according to Howard Schmidt, vice chair of the President's Critical Infrastructure Protection Board.

If the budget is approved, most of that money will go toward fixing known deficiencies, said John Pescatore, research director for Internet security at research firm Gartner Inc., Stamford, Conn.

NASA spends between $2 million and $3 million in labor annually on its security program, Nelson said, or about $30 per computer. The payoff has been great, he said, with the number of compromises decreasing substantially, even though the number of attacks has grown tremendously.

"A compromise is expensive, so avoiding even a few, you've saved lots of money," Nelson said. SANS Institute figures show that a security breach can cost from $100,000 to $500,000, he said.

Security breaches can have myriad consequences. An operating system might have to be reloaded, at a loss of several hours of productivity. Or, if data has been compromised, applications need to be rebuilt. That could take days, resulting in interruption of services, Nelson said.

Clarke's influence, as well as guidance from the Office of Management and Budget, is driving increased attention to Internet security in government, security experts said.

OMB's July 2 guidance on implementing the Government Information Security Reform Act, which requires agencies to assess and report on the security needs of their systems, gave agencies better information on how to assess vulnerabilities and report their efforts to OMB, security experts said.

Many agencies did not do comprehensive reviews of IT security last year or report the results to OMB, according to an October SANS Institute report. Under the new guidance, agencies that fail to do so will be clearly in violation of GISRA, the report said.

INDUSTRY OFFERS FIXES 

The 2002 list is different from previous lists because so many user organizations and vendors worked together to identify the top 20 out of about 4,000 common vulnerabilities, industry experts said.

"It's a good example of cooperation without regulation," Pescatore said.

The list details vulnerabilities of Windows and Unix systems, such as Windows Internet Information Services and Unix Apache Web Server, and offers guidance on fixing the vulnerabilities. Thousands of organizations use the list, according to the SANS Institute.

The widespread agreement on the top vulnerabilities not only made possible better guidance for agency IT managers, but also development of the new tools, Paller said. Companies offering top 20 tools include Foundstone Inc. of Mission Viejo, Calif., Internet Security Systems Inc. of Atlanta and Qualys Inc. of Redwood Shores, Calif.

Qualys is offering a free trial of its Web-based network scan to detect and eliminate the top vulnerabilities. Already, more than 2,000 people have tried the service.

"This is an overwhelming response. We are very happy," said Amer Deeba, vice president of marketing. Using the scan on an enterprise network would cost about $40,000 to $50,000 a year, he said.

"People are very aware of the [Internet security] issue and are looking for easy ways to get started," Deeba said. "That's why we think tools and guidelines like this [top 20] will drive further the cause, making solutions more accessible and bringing more awareness."

Internet Security Systems will release a component of its Internet Scanner application to target the top 20.

The company's government work worldwide has been growing for the past four years, and is now about 20 percent of its business. About 10 percent of its government work is in the United States, said Steve Cooker, vice president and general manager for ISS' public sector business. The company's revenue for 2001 was $223.5 million.

Increasingly, government agencies are showing interest in managed security services provided by vendors such as ISS, which assesses agency security and also fixes vulnerabilities, Cooker said. ISS has about 100 people looking for Internet security threats globally, he said.

"Our customers may have a view internally of what's going on, but it's more difficult for them to get a global view. Couple that with the fact that security experts are rare, and we are finding a need for government to outsource some of this," Cooker said.

Most of ISS' sales are through resellers and systems integrators, Cooker said. Recently, the company won a sizable piece of work under Northrop Grumman Corp. of Los Angeles on a managed security services contract with the Department of Health and Human Services, he said.

In the government market, new spending will be on new and better firewalls, anti-virus software protection, vulnerability testing and intrusion detection. Systems integrators, such as Unisys Corp. of Blue Bell, Pa., Electronic Data Systems Corp. of Plano, Texas, and Computer Sciences Corp. of El Segundo, Calif., will be the prime contractors, Pescatore said.

Increasingly, agencies are asking for security to be built into their IT systems, rather than added on afterward, said Tom Burke, director of information assurance for CSC's federal-sector business.

"It's something you didn't see that much of three to four years ago," Burke said.

GISRA and security assessments by the General Accounting Office and agency inspectors general have driven this new approach, Burke said. Previous cyberattacks were also a major incentive to take a proactive approach, he said.

But Burke also emphasized that agencies must remain vigilant and take an enterprise approach to security.

"Just fixing your [top 20] vulnerabilities is not going to give you the security you need," he said. "That's only a small part of it."

Staff Writer Gail Repsher Emery can be reached at gemery@postnewsweektech.com.
