Information Security News mailing list archives

Government devises computer security standards to fight most common Internet threats


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Jul 2002 08:44:46 -0500 (CDT)

http://www.siliconvalley.com/mld/siliconvalley/3674640.htm

July 16, 2002

WASHINGTON (AP) - Creating a ``Good Housekeeping'' approval seal of
sorts, the government is releasing standards and a software program
that will help computer users configure their systems for maximum
security against hackers and thieves.

The program will be made available free to anyone and mandated for
some federal agencies.

The Pentagon, National Security Agency and other agencies will join
with private partners Wednesday in announcing the security standards
for computers that run Microsoft's Windows 2000. The operating system
is commonly used by businesses and government.

The seal of approval comes in the form of a small program that probes
computers for known security flaws and makes suggestions on how to
eliminate holes used by hackers.

The unprecedented effort will have immediate impact.

All Defense Department computers will have to meet the standards
immediately. The White House is considering making the rest of the
government follow suit.

Experts say the keys to success will be extending the standards to
home and business users, making them simple enough for the public to
understand and ensuring they stay ahead of increasingly sophisticated
computer attackers.

``If it's just government, it won't have as much value as if it's
government and the private sector,'' said Richard Clarke, President
Bush's computer security adviser.

The private partners in the project have their eyes set on broadening
the standards to other operating systems, including the Windows
products most commonly used at home.

``It's a massive problem,'' said Clint Kreitner, head of the Center
for Internet Security, a nonprofit partnership of companies and
American and Canadian government agencies. ``They slap their systems
on the Net and get ready to go, then wonder why they get breached in
the next 10 minutes.''

The effort has brought together some of the biggest names in business,
including computer chipmaker Intel Corp., Chevron and Visa -- part of
the group that helped create the standards and is encouraging their
use.

Microsoft, which is embarking on its own efforts to make its software
more secure, has reviewed the standards and made suggestions.

The standards have developed slowly, in part because security in the
past frequently has been handled through technical security bulletins
written for engineers.

``You'd give a 200-page document to a system administrator, and say,
'Have a nice day,''' Clarke said. ``So no one did it.''

The breadth of the problem is staggering. The technology research firm
Gartner recently projected that through 2005, 90 percent of computer
attacks will use known security flaws for which a solution is
available but not installed.

Most recent attacks were written and released by bored youngsters
testing their skills, but the government is becoming more concerned
about organized attacks against federal computers from terrorists or
foreign governments.

Several government agencies have had their own security standards for
some time. What is new about Wednesday's announcement is that the
various agencies have agreed on a single standard -- a difficult task
that occurred about three months ago.

Experts at the CIS, the NSA and Commerce's National Institute of
Standards and Technology had three different candidates for standards
at first. On April 18, the authors met in a room at NIST offices in
Maryland.

``They were told they could leave as soon as they came to an
agreement,'' said Alan Paller of the SANS Institute, a research and
education group involved in the announcement.

That night, they had a document several hundred pages long describing
how to make Windows 2000 secure, but still usable.

That was only half the battle, though. Clarke, the White House
adviser, said they wanted to make it easy for federal network
engineers to make the changes.

To fix that, the government created the software tool that grades
computer security so that everyone, from the engineers to top
executives, understands how secure their computers are. The tool then
recommends changes.
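The kind of grading tool the article describes, in miniature, as an added example (this is not the CIS/NSA tool or any code from the article): it reads the INF-style text that Windows' `secedit /export /cfg <file>` writes, compares the [System Access] values against a baseline and returns a 0-10 score plus a remediation hint for each failed check. The sample export, the baseline thresholds and the hint wording are constructed for this example and are not the Windows 2000 benchmark's actual values.

```python
"""Benchmark-style scorer for an exported Windows security policy.

Added example, not code from the article or from the government/CIS tool.
Input is the INF-style text produced by `secedit /export /cfg <file>`;
real exports are UTF-16 LE on disk, so decode before calling parse_export().
Baseline values below are illustrative assumptions, not the real benchmark.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed sample in the shape of a secedit export (not from a real host).
# Values are chosen so that two checks pass and five fail.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
ClearTextPassword = 0
EnableGuestAccount = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Baseline: setting -> (operator, threshold, remediation hint).
# Operators: "min" observed >= t, "max" observed <= t, "eq" observed == t,
# "range" lo <= observed <= hi.  Thresholds are assumptions for this example.
BASELINE = {
    "MinimumPasswordLength": ("min", 8, "raise minimum password length to 8"),
    "PasswordComplexity": ("eq", 1, "enable password complexity"),
    "PasswordHistorySize": ("min", 24, "remember at least 24 old passwords"),
    "MaximumPasswordAge": ("max", 90, "expire passwords within 90 days"),
    # 0 means "never lock out", so a plain minimum or maximum is not enough.
    "LockoutBadCount": ("range", (1, 5), "lock out after 1-5 bad logons"),
    "ClearTextPassword": ("eq", 0, "do not store reversibly encrypted passwords"),
    "EnableGuestAccount": ("eq", 0, "disable the Guest account"),
}


def _passes(op: str, threshold, observed: int) -> bool:
    """Evaluate one baseline rule against an observed integer value."""
    if op == "min":
        return observed >= threshold
    if op == "max":
        return observed <= threshold
    if op == "eq":
        return observed == threshold
    if op == "range":
        lo, hi = threshold
        return lo <= observed <= hi
    raise ValueError(f"unknown operator {op!r}")


def parse_export(text: str) -> Dict[str, str]:
    """Return the [System Access] key/value pairs from secedit export text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names in the case Windows writes them
    cp.read_string(text)
    if not cp.has_section("System Access"):
        return {}
    return dict(cp["System Access"])


def score(settings: Dict[str, str], baseline=BASELINE) -> Tuple[float, List[str]]:
    """Grade settings 0-10 against the baseline; return (score, findings).

    A setting that is missing or non-numeric counts as a failure, because a
    benchmark cannot vouch for a control it could not observe.
    """
    findings: List[str] = []
    passed = 0
    for name, (op, threshold, fix) in baseline.items():
        raw = settings.get(name)
        if raw is None:
            findings.append(f"{name}: not present in export -> {fix}")
            continue
        try:
            observed = int(raw.strip().strip('"'))
        except ValueError:
            findings.append(f"{name}: non-numeric value {raw!r} -> {fix}")
            continue
        if _passes(op, threshold, observed):
            passed += 1
        else:
            findings.append(
                f"{name}: observed {observed}, expected {op} {threshold} -> {fix}"
            )
    return round(10 * passed / len(baseline), 1), findings


if __name__ == "__main__":
    grade, problems = score(parse_export(SAMPLE_EXPORT))
    print(f"score: {grade}/10")
    for line in problems:
        print("  FAIL", line)
```

The score is a single number an executive can read, while the findings list is what the administrator acts on; on a real host you would feed it the decoded output of `secedit /export /cfg` rather than the constructed sample.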

Some government agencies, including the Air Force, plan to use their
procurement power to require that vendors offer more secure versions
of their software based on the standards.

``Now we can go to Microsoft and others to say that this is our common
set of expectations,'' said John Gilligan, the Air Force's chief
information officer. ``Right now, we're doing the work.''

---

On the Net:

Center for Internet Security: http://www.cisecurity.org
National Security Agency: http://www.nsa.gov



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

