Alan Paller Quotes (26 Quotes)


    The mature model at CDC could offer some wonderful guidelines for long-term planning at NIPC,

    This illustrates that even technologically savvy people have a hard time fighting off denial of service attacks.

    The bottom line is that security has been set back nearly six years in the past 18 months. Six years ago, attackers targeted operating systems and the operating system vendors didn't do automated patching. In the intervening years, automated patching prot

    Microsoft's delay is inexcusable. There's no excuse other than incompetence and negligence.

    Alan Paller, director of research at the SANS Institute in Bethesda, Md., said he also didn't see any ulterior motives in the NIPC's new warning. Everything I know says that's exactly wrong, ... the largest criminal Internet attack to date.


    If an early infectee had an e-mail list with reporters at all the major news services, that would start the cascade. News organizations do not have radical e-mail attachment limits (like a rule banning all picture attachments) because they get legitimate pictures.

    It gives anyone on the Internet who comes in as a browsing user the ability to take control of your site. Instead of looking at Web pages, they can make your computer do whatever they want.

    all the new PCs and the new Web servers, multiplied by the fear of top management about security breaches and business-stopping system failures, kept these salaries growing three times as fast as salaries across all industries.

    We have made enormous progress over the past five years by forcing the vendors to deliver automated patching. Now the bad guys are saying 'You did that, now we're going after the applications.' Now we have to start all over again.

    Most large organizations have a big investment in Symantec tools and wouldn't normally consider switching. This year, however, Symantec's products have repeatedly shown up on the list of the software with critical new security vulnerabilities. Many corporate IT managers are angry and frustrated that their security vendor is as careless as the operating system vendors in writing bad code. And Microsoft has succeeded in persuading many of them that they are far ahead of other software vendors in improving the situation for new products.

    There is a wave of people looking for infected machines. We are getting into the second wave of infections. We haven't figured what they are doing. But we are seeing a very big wave of scanning.

    In the past 12 to 15 months, attackers have made a massive shift to attack applications. Automated patching started making it harder to find new vulnerable systems, so they went after applications that users are just not patching.

    Fundamentally, it's an organization that is behind in making security part of its regular operations. It's very dangerous for health care data.

    Of course it's the government. Governments will pay anything for control of other governments' computers. All governments will pay anything. It's so much better than tapping a phone.

    Systems integrators pick and choose the parts of the FAR they pay attention to,

    That could be a real wave of traffic that the Internet has not dealt with.

    Alan Paller, director of the SANS Institute in Bethesda, Md., isn't so optimistic about how the new money would be used, however. My concern would be the skill with which Washington consultants and IT vendors in particular might package every pet project as 'security-enhancing,' ... If there were a tough, rational culling process ... I'd be a fan.

    There are no credit card numbers ... no Defense Department secrets. Although it would be terribly embarrassing for that data to get out, it's not terribly valuable ... unless somebody's trying to embarrass people.

    American corporations are being riddled by (computer) attacks; they are being defended very badly.

    It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks. Most agencies are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified.

    People have discovered that systems administrators have unfettered access to all the most private information being passed through their systems, ... With it comes a sense that there ought to be some controls on what they see and what they do with it. However, I have not yet seen any consensus on what they are going to do about these new discoveries.

    CDC's prevention work, such as administering flu shots, is especially important, and I see a push by NIPC in that direction as well,

    The shortcut to improved security is universal, repeatable monitoring, ... The Army is now trying Harris STAT. The big difference is that NASA picked the most critical vulnerabilities rather than looking at all 2,000. The latter always leads to overload and lack of action. NASA's approach works.

    Right now, there are 120,000 Internet Protocol addresses out searching for systems to infect.

    The only viruses using the hole aren't very malicious, but that has nothing to do with tomorrow.

    Data I have says that 20% of the Internet is vulnerable to this, and that's a huge, huge percentage of the BIND servers, ... no reason why it won't skip to other Unix versions.
