ComputerWorld: Web site attacks offer hard lesson: Tighten securityFeb 21, 2000, 15:33 (5 Talkback[s])
(Other stories by Alan Paller)
"...what should the e-commerce community do about it? Four sets of actions will turn the tide.
First, users and Internet service providers should apply a four-pronged approach. One, they should block deliberately misaddressed packets. Two, they can try to block broadcast-address processing, a technical action that stops attackers from hiding the identities of the machines from which they launch attacks. Three, users and providers should use firewalls with 'deny all/ allow some' rules -- as opposed to current 'allow all/deny some' rules -- which will cause traffic to be stopped unless it fits known patterns. And four, they can apply security patches to operating systems and applications."
"Second, users, auditors and executives should insist that their systems be managed by people with certified information-security skills."
"Third, apply hardening scripts (programs that turn off unnecessary services and close known holes) to every system connected to the Internet and remove all nonhardened systems from the Net until they're protected. Sun Microsystems users have taken the lead in creating hardening scripts, with the active help of Sun itself. Linux users are also making progress. Sadly, other operating system software vendors are far behind.
Finally, we must stop accepting the excuse of 'There's nothing worth protecting on my systems.' Maybe there's no critical data there, but a system connected to the Internet is a loaded weapon, and it shouldn't be left out where criminals can use it to attack others."