Awareness of increased threats of Internet attacks has some state and local government officials concerned about the security of their systems and frustrated over the lack of standards or guidelines for safeguarding those applications. Vendors, they say, deliver unprotected systems, and some believe those vendors should ship security-enabled products. Instead, securing the product is left to the consumer, who in many cases has neither the resources nor the insight to accomplish the task.

One source called vendors "unscrupulous," and said state and local agencies are "caught in a trap" in accepting systems that are not secure. "If we continue to buy products that aren't certified, they'll never begin certifying them," he said.

Public sector voices call for solutions that include an authoritative body to issue a set of security guidelines for state and local governments to follow when configuring systems. Some suggest legislation that would require vendors to ship secure products.

Vendors agree somewhat, saying that without standards or guidelines it would be impossible to ship secure systems that fit everyone's needs. But they add that selling "locked down" systems would limit those systems' functionality.

In a partial solution, the Center for Internet Security (CIS) has released a set of "Gold Standards" - benchmarks and scoring tools for securely configuring Windows 2000 Professional workstations. The benchmarks are available on the CIS Web site to members and nonmembers alike. Members of the nonprofit organization pay upwards of $2,000 for additional advantages, including a voice in developing benchmarks and the ability to distribute the benchmarks.

The CIS standards are the result of work by a group of government agencies and private businesses that sought to develop a set of standards and software for public and private sector use. The group included representatives from the Pentagon, the National Security Agency, the National Institute of Standards and Technology (NIST), Intel, Pacific Gas & Electric and Visa. It also gathered input from Microsoft, the Washington State Department of Health and others.

The program they created probes computers for security flaws, then alerts the user to vulnerabilities in the system via a printed report. It also makes suggestions on how to patch those holes. State IT officials said the CIS program is useful for protecting government computing resources.

"We start with something like this, a published standard or tool, then we tweak it until it works for us," said Kip Peters, Iowa's chief information security officer. "These [benchmarks] are valuable for any agency at all levels of government or private entity, especially if you look at who was involved in the development."

Though the tools and benchmarks are freely available, some government agencies are still working under the perception that they are for CIS members only. One government agency source, when asked to examine the tools, replied, "Nice, but too expensive to join."

This perception may stem from how the CIS began.

"From the onset of CIS, it appeared that it was a 'members-only' resource," Peters said. "My guess is that maybe they've been pressured by the White House to make them available to nonmembers."

The CIS site stipulates, however, that nonmembers who use the tools can't distribute the tools or make them available on a Web site.

"We'd have to provide a link to the CIS site instead," Peters said.

The Solutions Exist

The program provides a list of configuration settings for Windows 2000 and a scoring tool - a program run on the computer to verify the settings have been made and the standard has been met. The program offers a section on passwords that includes the complexity requirements passwords should meet, criteria for minimum and maximum password length, and other recommendations for password use.
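To show what a scoring tool of this kind actually does, the following is an added example written for this article; it is not the CIS tool, and the threshold values, rule list and sample template are constructed placeholders rather than the CIS Gold Standard figures. It reads the password settings from the [System Access] section of a security template in the INF format that `secedit /export` writes on Windows 2000, compares each observed value against a benchmark rule, and reports a pass/fail line per setting plus an overall score. A setting that is missing from the export, or that is not numeric, counts as a failure rather than being skipped.

```python
"""Minimal configuration benchmark scorer (added example, not the CIS tool).

Parses the [System Access] section of a secedit-style security template and
scores the observed password policy against a rule list. The benchmark
thresholds and the sample export below are constructed placeholders.
"""
import operator
import re

# Constructed sample of a host's exported security template.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
NewAdministratorName = "Administrator"
[Event Audit]
AuditLogonEvents = 0
"""

# Illustrative benchmark rules: (setting, comparison, required value, meaning).
# These values are assumptions for the example, not published CIS figures.
BENCHMARK = [
    ("MinimumPasswordLength", ">=", 8, "minimum password length"),
    ("PasswordComplexity", "==", 1, "complexity requirements enforced"),
    ("MaximumPasswordAge", "<=", 90, "maximum password age in days"),
    ("MinimumPasswordAge", ">=", 1, "minimum password age in days"),
    ("PasswordHistorySize", ">=", 24, "previous passwords remembered"),
]

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


def parse_system_access(text):
    """Return {setting: value} from the [System Access] section of an INF export.

    Numeric values become ints; quoted string values keep their text.
    """
    settings = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[System Access]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if re.fullmatch(r"-?\d+", value):
                settings[key.strip()] = int(value)
            else:
                settings[key.strip()] = value.strip('"')
    return settings


def score(settings, benchmark=BENCHMARK):
    """Evaluate every rule; return (rules_passed, rules_total, findings)."""
    findings = []
    passed = 0
    for key, op, required, meaning in benchmark:
        observed = settings.get(key)
        # Missing or non-numeric settings fail the rule instead of being skipped.
        ok = isinstance(observed, int) and OPS[op](observed, required)
        passed += int(ok)
        findings.append({"setting": key, "observed": observed, "op": op,
                         "required": required, "meaning": meaning, "ok": ok})
    return passed, len(benchmark), findings


def report(text, benchmark=BENCHMARK):
    """Render the scoring result as the kind of text report a scoring tool prints."""
    passed, total, findings = score(parse_system_access(text), benchmark)
    lines = [f"Benchmark score: {passed}/{total} ({100 * passed // total}%)"]
    for f in findings:
        status = "PASS" if f["ok"] else "FAIL"
        lines.append(f"  [{status}] {f['setting']} = {f['observed']!r} "
                     f"(required {f['op']} {f['required']}): {f['meaning']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Running it against the constructed sample scores 2 of 5 rules: the password age and history settings pass, while length, complexity and minimum age fail. Swapping in a real export and the benchmark's own thresholds turns this into the "verify the settings have been made" step the article describes.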

Jim McKay, Justice and Public Safety Editor