July 16, 2002 6:20 PM PDT
Group offers computer security standard
The National Security Agency, the Defense Information Systems Agency and the National Institute of Standards and Technology are among the government organizations that have teamed up with the Center for Internet Security (CIS) and its 170 members to announce on Wednesday their support for a single benchmark for measuring the security of Windows 2000 workstations.
"This is the single most important development in security this year," said Alan Paller, research director for the System Administration, Networking and Security (SANS) Institute, a founding partner in the CIS. "I think a lot of people will expect (contractors) to step up to the plate and provide computers that meet the benchmark."
The security benchmarks act as a Good Housekeeping seal of approval: each one checks whether a computer's installed patches and configuration settings meet the benchmark's requirements. The Level 1 benchmark for Windows 2000 workstations has more than 500 such tests, which together aim to ensure a minimum level of security.
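To make the mechanism concrete, here is an added example of how a configuration benchmark of this kind is evaluated; it is illustrative code written for this page, not CIS's tools or its Level 1 criteria. It parses a constructed fragment in the INF layout that Windows 2000's `secedit /export` writes, scores the `[System Access]` settings against a small rule set, and reports a pass count in the "N of M" form the article uses. The rule identifiers and thresholds are assumptions chosen for illustration; a setting that is absent from the template is counted as a failure because the check cannot confirm it.

```python
import configparser
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample: a trimmed fragment in the INF layout that
# `secedit /export` writes on Windows 2000. Real exports begin with
# [Unicode] and [Version] sections and are UTF-16; this stand-in is plain text.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
"""


@dataclass(frozen=True)
class Rule:
    ident: str                     # hypothetical rule id, not a CIS identifier
    key: str                       # setting name in the [System Access] section
    check: Callable[[int], bool]   # predicate the setting's value must satisfy
    description: str


# Thresholds below are assumptions for illustration, not the CIS Level 1 values.
RULES: List[Rule] = [
    Rule("PW-01", "MinimumPasswordLength", lambda v: v >= 8, "password length >= 8"),
    Rule("PW-02", "PasswordComplexity", lambda v: v == 1, "complexity requirement enabled"),
    Rule("PW-03", "PasswordHistorySize", lambda v: v >= 24, "remember >= 24 previous passwords"),
    Rule("PW-04", "MaximumPasswordAge", lambda v: 1 <= v <= 90, "maximum age 1..90 days"),
    Rule("PW-05", "MinimumPasswordAge", lambda v: v >= 1, "minimum age >= 1 day"),
    Rule("LK-01", "LockoutBadCount", lambda v: 1 <= v <= 5, "lock out after <= 5 bad logons"),
    # -1 in the template means "locked until an administrator unlocks", which satisfies the rule.
    Rule("LK-02", "LockoutDuration", lambda v: v == -1 or v >= 15, "lockout lasts >= 15 minutes"),
    Rule("LK-03", "ResetLockoutCount", lambda v: v >= 15, "reset bad-logon counter after >= 15 minutes"),
]


def parse_template(text: str) -> Dict[str, int]:
    """Return the numeric [System Access] settings; missing section gives an empty map."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the setting names' case so they match the rules' keys
    cp.read_string(text)
    if not cp.has_section("System Access"):
        return {}
    settings: Dict[str, int] = {}
    for key, raw in cp.items("System Access"):
        try:
            settings[key] = int(raw.strip().strip('"'))
        except ValueError:
            pass  # string-valued settings (e.g. NewAdministratorName) are not scored here
    return settings


def evaluate(text: str, rules: List[Rule] = RULES) -> Dict[str, bool]:
    """Map each rule id to pass/fail for the given template text."""
    settings = parse_template(text)
    results: Dict[str, bool] = {}
    for rule in rules:
        value = settings.get(rule.key)
        # An absent setting is a failure: the benchmark cannot confirm it was set.
        results[rule.ident] = value is not None and rule.check(value)
    return results


def score(results: Dict[str, bool]) -> Tuple[int, int]:
    """Return (checks passed, checks total)."""
    return sum(results.values()), len(results)


def failing(results: Dict[str, bool]) -> List[str]:
    """Sorted ids of the rules that did not pass."""
    return sorted(ident for ident, ok in results.items() if not ok)


if __name__ == "__main__":
    res = evaluate(SAMPLE_TEMPLATE)
    passed, total = score(res)
    print(f"{passed} of {total} checks passed; failing: {failing(res)}")
```

On the constructed template the checker reports 5 of 8 checks passed, failing on password length, complexity and minimum age. A real benchmark tool also verifies installed hotfixes, service and audit settings, and file and registry permissions, which this example leaves out.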
As reported earlier, the CIS has focused on producing benchmarks for several operating systems. The center has benchmarks for Cisco's IOS router operating system, Windows 2000 and NT, Sun Microsystems' Solaris, Linux and HP-UX, but the government has still not settled on whether the center's specs meet its requirements.
While the Windows 2000 workstation benchmark is the first--known informally as a Gold Standard--that the disparate organizations have agreed upon, others will soon follow, Paller said.
"Cisco IOS is the next important," he said. "Already the NSA and CIS agree on it."
Reaching such harmony is not easy, he added.
In the case of Windows 2000 workstation, "the center had a set of benchmarks but so did NIST, NSA and SANS," Paller said. "On April 18, the authors of all of those specifications entered a room at 9 in the morning and they were told that they couldn't leave until they agreed."
By the end of the day, the group agreed on 496 of the 500 criteria. The four remaining were required by the NSA, but considered too stringent by the others, Paller said.
A computer that passes the benchmark's 500 tests isn't immune to attack, but the checks close off the missing patches and configuration weaknesses behind the vast majority of the attacks that threaten servers and PCs on the Internet.
If the standard helps to set a minimum expectation of security, "that's really a good thing," said Pradeep Khosla, director of the Center for Computer and Communication Security at Carnegie Mellon University. "We really have no standards like this."
The government may go further. According to the Associated Press, which first reported the story Tuesday, the Department of Defense may require that every computer meet or exceed the benchmark standard.