New Security Benchmarks Go ‘Down in the Weeds’ for Policy Enforcement

A large consortium of users, vendors, and insurers known as the
Center for Internet Security (CIS) will hold a meeting next week to
promote standard security settings for Microsoft’s Windows 2000.
Meanwhile, the group is testing products from Symantec, BindView,
NetIQ, and other companies for use with its own emerging set of
template-based benchmarks, meant to give network managers hands-on
tools for living up to enterprise security policies in Windows, UNIX,
and Linux environments.


The CIS benchmarks "go ‘down in the weeds,’ where detailed
operational security parameters are set, to configure workstations,
servers, routers, firewalls, and other devices," said CIS
President and CEO Clint Kreitner.


At many organizations, these devices "are either
misconfigured, or they haven’t been properly patched," according
to Kreitner.


The CIS has more than 170 members, including major insurance
companies, auditing firms, banks, government agencies, manufacturers,
hospitals, software vendors, and consultants.


The consortium has already completed "Level 1" security
benchmarks and scoring tools for Solaris, HP-UX, W2K, Linux, as well
as "Level 1 and 2" benchmarks and tools for Cisco IOS
routers. The finished benchmarks and tools are available for free
download on the group’s Web site, at http://www.cisecurity.org.


The Level 1 benchmarks provide cut-and-paste command lines that
network managers, systems administrators, and other technicians can
use for setting up devices to comply with "industry best
practice" security policies.


The Level 2 benchmarks are aimed more at security consultants and
others who are "slightly more sophisticated about security,"
Kreitner said. Technicians can use the scoring tools to rate policy
compliance, as well as to help find and fix configuration errors.
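The scoring tools described above compare a host’s actual settings against a template of expected values, rate compliance, and point at the fix for each failed item. The following is an added illustration of that template-based approach, not the CIS scoring tool itself; the rule set, the Level 1/Level 2 split (Level 2 assumed to count all rules, Level 1 only the baseline ones) and the sample sshd_config are all constructed for this example and are not actual CIS benchmark items.

```python
"""Minimal template-based benchmark scorer in the spirit of the Level 1/2
scoring tools discussed above.  Rules and sample input are constructed for
this example; they are NOT taken from any CIS benchmark."""
from dataclasses import dataclass

# Constructed sample sshd_config (not from any real host).
SAMPLE_SSHD_CONFIG = """\
# sshd_config -- constructed sample
Port 22
Protocol 2
PermitRootLogin no
#PasswordAuthentication no
X11Forwarding yes
LogLevel VERBOSE
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str
    level: int        # 1 = baseline setting, 2 = tighter setting (assumption)
    key: str          # directive name, matched case-insensitively
    allowed: tuple    # accepted values, lower-cased
    default: str      # value the daemon uses when the directive is absent
    fix: str          # cut-and-paste remediation line


# Hypothetical rule set, not the real CIS benchmark content.
RULES = (
    Rule("SSH-1.1", 1, "Protocol", ("2",), "2,1", "Protocol 2"),
    Rule("SSH-1.2", 1, "PermitRootLogin", ("no",), "yes", "PermitRootLogin no"),
    Rule("SSH-1.3", 1, "PasswordAuthentication", ("no",), "yes",
         "PasswordAuthentication no"),
    Rule("SSH-2.1", 2, "X11Forwarding", ("no",), "no", "X11Forwarding no"),
    Rule("SSH-2.2", 2, "LogLevel", ("verbose",), "info", "LogLevel VERBOSE"),
)


def parse_config(text):
    """Return {lower-cased directive: value} keeping the FIRST occurrence of
    each directive (as sshd does); blank lines and '#' comment lines are
    skipped, so a commented-out directive counts as absent."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def score(config_text, rules=RULES):
    """Evaluate every rule against the parsed config.  An absent directive is
    scored using the daemon's default, which is how most misconfigurations
    actually look: nothing was set, and the default is the weak value."""
    settings = parse_config(config_text)
    results = []
    for r in rules:
        actual = settings.get(r.key.lower(), r.default)
        passed = actual.lower() in r.allowed
        results.append({"id": r.rule_id, "level": r.level, "actual": actual,
                        "passed": passed, "fix": None if passed else r.fix})
    return results


def summarize(results):
    """Per-level tallies: Level 1 counts baseline rules only; Level 2 counts
    all rules, on the assumption that Level 2 builds on the Level 1 baseline."""
    summary = {}
    for level in (1, 2):
        subset = [x for x in results if x["level"] <= level]
        passed = sum(1 for x in subset if x["passed"])
        pct = round(100.0 * passed / len(subset), 1) if subset else 0.0
        summary[level] = {"passed": passed, "total": len(subset), "score": pct}
    return summary


def remediation(results):
    """The cut-and-paste lines an administrator would apply, in rule order."""
    return [x["fix"] for x in results if not x["passed"]]


if __name__ == "__main__":
    res = score(SAMPLE_SSHD_CONFIG)
    for x in res:
        print(f'{x["id"]}  {"PASS" if x["passed"] else "FAIL"}  actual={x["actual"]!r}')
    for level, s in summarize(res).items():
        print(f'Level {level}: {s["passed"]}/{s["total"]} ({s["score"]}%)')
    print("Remediation:", remediation(res))
```

Two details matter in practice: a directive that is present but commented out is treated as absent and scored at the daemon’s default, and only the first occurrence of a directive counts, matching sshd’s own parsing; a scorer that gets either wrong reports compliance the host does not have.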


The benchmarks and tools also "begin to create a language
that can be understood by both (business) managers and technical
people," according to Kreitner.


The CIS is also certifying commercial software products for use in
specific operating environments. BindView’s bv-Control has already
been certified for W2K and Solaris.


Testing will begin today on Symantec’s Enterprise Security Suite.
Vendors that will undergo certification testing in the future include
NetIQ, among others.


At the same time, the CIS is urging vendors to ship products with
preconfigured security settings.


"How can we improve security? Vendors are leaving security up
to the users, many of whom don’t have the knowledge or time to
properly deal with it. Why do we accept it when vendors (leave) all
the services wide open? We the users have to push the vendors,"
Kreitner said.


Many organizations tend to want to "get (a product) going
first. Then we worry about security, if we ever do," he added.


"Does this sound familiar? A (network) break-in occurs. A
well known vulnerability was exploited. Security staff and system
administrators argue about who was to blame. Senior management sees
the process as broken. Staffs are reorganized; managers are
reassigned. The new managers hire a consultant to do a vulnerability
analysis and penetration test. The consultant’s analysis shows an
average of up to 30 vulnerabilities per system," according to
Kreitner.


"Management writes a memo telling system administrators and
department heads to fix these vulnerabilities within xx weeks. The
work would take months; system administrators don’t make all the
fixes – not even a small fraction. At the same time, new software is
installed, and new vulnerabilities are created."


CIS benchmarks and scoring tools have already undergone more than
150,000 downloads. Users of the W2K tools include Cervalis, Tulane
University, Virginia Tech, and the US Central Credit Union, for
example. On the Solaris side, users include Agilent Technologies,
Utah State University, Mt. Clements General Hospital, and the US Air
Force Research Laboratory.


"We started with Solaris because there are so many Sun
servers in enterprise environments," Kreitner noted. The CIS has
already released an upgrade to the original set of benchmarks and
scoring tools for Solaris.


Next to come are a W2K Level 2 IIS benchmark; Solaris Apache Level
1 benchmark; IBM AIX Level 1 benchmark and scoring tools; and
Checkpoint Firewall/VPN Level 1 benchmark and tool.


Also planned for the future are benchmarks and scoring tools for
databases, applications, network appliances, printers, and copiers.


Many observers outside the CIS agree that network administrators
need practical tools for implementing enterprise security policies.


"Many security problems are due to operator error. To avoid
those kinds of mishaps, the policies and standards set by managers
should be supported by ‘keystroke to keystroke’ procedures,"
said Bob Robinson of Sprint’s Security Practice.


"Any participant in the CIS is doing a great service to its
clients and customers," said Anil Phull, senior analyst for
security solutions at the Yankee Group.


The CIS was established in October, 2000 to help network users and
operators, as well as their insurers and auditors, reduce the risk of
business disruption due to technical failures or security incursions.


The five founding partners were the Information Systems Audit and
Control Association (ISACA); the American Institute of Certified
Public Accountants (AICPA); the International Information Systems
Security Certification Consortium ((ISC)²); and the SANS Institute.


The organization’s use of benchmark and scoring tools is based on
an approach pioneered in the late 1990s by another CIS member, First
Union (recently merged with Wachovia Bank).


See All Articles by Columnist
Jacqueline Emigh