A US cybersecurity task force has advised IT
suppliers to improve default security settings in their
products.

The National Cyber Security Partnership Task Force's Technical
Standards and Common Criteria committee released its
recommendations yesterday, with the group of academics, government
officials, IT suppliers and customers requesting stronger
"out-of-the-box" security configurations and support of at least
one configuration profile that provides a baseline security
level.

The 104-page committee report, available at
http://www.cyberpartnership.org/TF4TechReport.pdf,
is intended to put more pressure on suppliers about default
security settings and raise awareness about best practices and
security audits, said Mary Ann Davidson, chief security officer at
Oracle and co-chairwoman of the committee.

The recommendations included:
- Suppliers should provide more substantive security
recommendations, configuration checklists and best practices to
customers;
- The US government, user groups and customers should encourage
more independent security evaluations of IT products;
- The US government should help offset the costs of an IT
supplier going through a Common Criteria security evaluation
through tax credits or other methods;
- The US government should fund the development of code-scanning
tools that detect flaws in software code.

However, many of the recommendations place the responsibility
for cybersecurity on suppliers. "As an industry, we corporately
need to do a better job of security infrastructure," Davidson
said.

Davidson will take the recommendations, as well as others from
NCSP, back to Oracle to see how her company can improve
security.

"Most of us want to take it to the next level and show concrete
progress," she said.

The National Cyber Security Partnership was established to
develop shared strategies and programs to secure and enhance
America's critical information infrastructure, following the
release of the White House National Strategy to Secure Cyberspace
in February 2003 and the National Cyber Security Summit in
December.

The partnership is led by TechNet, the Business Software
Alliance, the Information Technology Association of America and the
US Chamber of Commerce.

Grant Gross writes for IDG News Service