[ISN] Government devises computer security standards to fight most common Internet threats

From: InfoSec News (isnat_private)
Date: Wed Jul 17 2002 - 06:44:46 PDT

  • Next message: InfoSec News: "[ISN] IT security spending disappoints"

    July 16, 2002
    WASHINGTON (AP) - Creating a ``Good Housekeeping'' approval seal of
    sorts, the government is releasing standards and a software program
    that will help computer users configure their systems for maximum
    security against hackers and thieves.
    The program will be made available free to anyone and mandated for
    some federal agencies.
    The Pentagon, National Security Agency and other agencies will join
    with private partners Wednesday in announcing the security standards
    for computers that run Microsoft's Windows 2000. The operating system
    is commonly used by businesses and government.
    The seal of approval comes in the form of a small program that probes
    computers for known security flaws and makes suggestions on how to
    eliminate holes used by hackers.
    The unprecedented effort will have immediate impact.
    All Defense Department computers will have to meet the standards
    immediately. The White House is considering making the rest of the
    government follow suit.
    Experts say the keys to success will be extending the standards to
    home and business users, making them simple enough for the public to
    understand and ensuring they stay ahead of increasingly sophisticated
    computer attackers.
    ``If it's just government, it won't have as much value as if it's
    government and the private sector,'' said Richard Clarke, President
    Bush's computer security adviser.
    The private partners in the project have their eyes set on broadening
    the standards to other operating systems, including the Windows
    products most commonly used at home.
    ``It's a massive problem,'' said Clint Kreitner, head of the Center
    for Internet Security, a nonprofit partnership of companies and
    American and Canadian government agencies. ``They slap their systems
    on the Net and get ready to go, then wonder why they get breached in
    the next 10 minutes.''
    The effort has brought together some of the biggest names in business,
    including computer chipmaker Intel Corp., Chevron and Visa -- part of
    the group that helped create the standards and is encouraging their
    Microsoft, which is embarking on its own efforts to makes its software
    more secure, has reviewed the standards and made suggestions.
    The standards have developed slowly, in part because security in the
    past frequently has been handled through technical security bulletins
    written for engineers.
    ``You'd give a 200-page document to a system administrator, and say,
    'Have a nice day,''' Clarke said. ``So no one did it.''
    The breadth of the problem is staggering. The technology research firm
    Gartner recently projected that through 2005, 90 percent of computer
    attacks will use known security flaws for which a solution is
    available but not installed.
    Most recent attacks were written and released by bored youngsters
    testing their skills, but the government is becoming more concerned
    about organized attacks against federal computers from terrorists or
    foreign governments.
    Several government agencies have had their own security standards for
    some time. What is new about Wednesday's announcement is that the
    various agencies have agreed on a single standard -- a difficult task
    that occurred about three months ago.
    Experts at the CIS, the NSA and Commerce's National Institute for
    Standards and Technology had three different candidates for standards
    at first. On April 18, the authors met in a room at NIST offices in
    ``They were told they could leave as soon as they came to an
    agreement,'' said Alan Paller of the Sans Institute, a research and
    education group involved in the announcement.
    That night, they had a document several hundred pages long describing
    how to make Windows 2000 secure, but still usable.
    That was only half the battle, though. Clarke, the White House
    adviser, said they wanted to make it easy for federal network
    engineers to make the changes.
    To fix that, the government created the software tool that grades
    computer security so that everyone, from the engineers to top
    executives, understands how secure their computers are. The tool then
    recommends changes.
    Some government agencies, including the Air Force, plan to use their
    procurement power to require that vendors offer more secure versions
    of their software based on the standards.
    ``Now we can go to Microsoft and others to say that this is our common
    set of expectations,'' said John Gilligan, the Air Force's chief
    information officer. ``Right now, we're doing the work.''
    On the Net:
    Center for Internet Security: http://www.cisecurity.org
    National Security Agency: http://www.nsa.gov
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 10:11:26 PDT