A Consensus on Standards?

Private and public entities collaborate to publish benchmarks for Internet security.

by / November 21, 2002
Awareness of increased threats of Internet attacks has some state and local government officials concerned about the security of their systems and frustrated over the lack of standards or guidelines for safeguarding those applications. Vendors, they say, deliver unprotected systems, and some believe those vendors should ship security-enabled products. Instead, securing the product is left to the consumer, who in many cases has neither the resources nor the insight to accomplish the task.

One source called vendors "unscrupulous," and said state and local agencies are "caught in a trap" in accepting systems that are not secure. "If we continue to buy products that aren't certified, they'll never begin certifying them," he said.

Public sector voices call for solutions that include an authoritative body to issue a set of security guidelines for state and local governments to follow when configuring systems. Some suggest legislation that would require vendors to ship secure products.

Vendors agree somewhat, saying that without standards or guidelines it would be impossible to ship secure systems that fit everyone's needs. But vendors add that selling "locked down" systems would limit those systems' functionality.

In a partial solution, the Center for Internet Security (CIS) has released a set of "Gold Standards" - benchmarks and scoring tools for securely configuring Windows 2000 Professional workstations. The benchmarks are available on the CIS Web site to members and nonmembers alike. Members of the nonprofit organization pay upwards of $2,000 for additional advantages, including a voice in developing benchmarks and the ability to distribute the benchmarks.

The CIS standards are the result of work by a group of government agencies and private businesses that sought to develop a set of standards and software for public and private sector use. The group included representatives from the Pentagon, the National Security Agency, the National Institute of Standards and Technology (NIST), Intel, Pacific Gas & Electric and Visa. It also gathered input from Microsoft, the Washington State Department of Health and others.

The program they created probes computers for security flaws then alerts the user of vulnerabilities in the system via a printed report. It also makes suggestions on how to patch those holes. State IT officials said the CIS program is useful for protecting government computing resources.

"We start with something like this, a published standard or tool, then we tweak it until it works for us," said Kip Peters, Iowa's chief information security officer. "These [benchmarks] are valuable for any agency at all levels of government or private entity, especially if you look at who was involved in the development."

Though the tools and benchmarks are freely available, some government agencies are still working under the perception that they are for CIS members only. One government agency source, when asked to examine the tools, replied, "Nice, but too expensive to join."

This could be attributed to the beginnings of the CIS.

"From the onset of CIS, it appeared that it was a 'members-only' resource," Peters said. "My guess is that maybe they've been pressured by the White House to make them available to nonmembers."

The CIS site stipulates, however, that nonmembers who use the tools can't distribute the tools or make them available on a Web site.

"We'd have to provide a link to the CIS site instead," Peters said.

The Solutions Exist
The program provides a list of configuration settings for Windows 2000 and a scoring tool - a program run on the computer to verify the settings have been made and the standard has been met. The program offers a section on passwords that includes the complexity requirements passwords should meet, criteria for minimum and maximum password length, and other recommendations for password use.

There is a section on lockout policies: How long is an account locked out if there have been three or four unsuccessful attempts to log on? There is also a list of auditing policies and user rights assignments, such as who has the right to load and unload device drivers.
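As an added illustration of what a scoring tool of this kind does (this is example code written for this page, not the CIS tool or any of its published settings), the block below reads a Windows security template in the INI layout that `secedit /export /cfg` writes, compares the password, lockout, auditing and user-rights settings the article mentions against a set of thresholds, and returns a score with a pass/fail line per check. The sample template is constructed, and the thresholds are illustrative assumptions rather than the CIS benchmark values.

```python
"""Toy benchmark scorer in the spirit of the CIS Windows 2000 scoring tool.

Parses a security template in the INI format that `secedit /export /cfg <file>`
produces on Windows, checks selected settings against benchmark thresholds,
and returns a score plus a list of findings.  The thresholds are illustrative
assumptions for this example, not the published CIS values.
"""
import configparser
from dataclasses import dataclass

# Constructed sample of a secedit export.  Section and key names follow the
# real template format; the values were chosen for this example.
SAMPLE_TEMPLATE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 1
AuditPolicyChange = 0
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-547
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINISTRATORS_SID = "*S-1-5-32-544"  # built-in Administrators group


@dataclass
class Finding:
    section: str
    key: str
    actual: str
    expected: str
    passed: bool


def parse_template(text: str) -> configparser.ConfigParser:
    """Parse a secedit-style template; keys keep their original casing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lowercase keys such as SeLoadDriverPrivilege
    cp.read_string(text)
    return cp


def _int(cp: configparser.ConfigParser, section: str, key: str, default: int = 0) -> int:
    return int(cp.get(section, key, fallback=str(default)).strip())


def check_template(cp: configparser.ConfigParser) -> list[Finding]:
    """Run each benchmark check (illustrative thresholds) and collect findings."""
    findings: list[Finding] = []

    def record(section: str, key: str, actual, expected: str, ok: bool) -> None:
        findings.append(Finding(section, key, str(actual), expected, ok))

    # Password policy: length, complexity and maximum age.
    length = _int(cp, "System Access", "MinimumPasswordLength")
    record("System Access", "MinimumPasswordLength", length, ">= 8", length >= 8)
    complexity = _int(cp, "System Access", "PasswordComplexity")
    record("System Access", "PasswordComplexity", complexity, "1 (enabled)", complexity == 1)
    max_age = _int(cp, "System Access", "MaximumPasswordAge")
    record("System Access", "MaximumPasswordAge", max_age, "1-90 days", 1 <= max_age <= 90)

    # Lockout policy: 0 bad attempts means lockout is disabled entirely.
    bad_count = _int(cp, "System Access", "LockoutBadCount")
    record("System Access", "LockoutBadCount", bad_count, "1-5 attempts", 1 <= bad_count <= 5)
    duration = _int(cp, "System Access", "LockoutDuration")
    record("System Access", "LockoutDuration", duration, ">= 15 minutes", duration >= 15)

    # Audit policy: 3 means both success and failure events are logged.
    for key in ("AuditLogonEvents", "AuditAccountLogon", "AuditPolicyChange"):
        value = _int(cp, "Event Audit", key)
        record("Event Audit", key, value, "3 (success and failure)", value == 3)

    # User rights: only Administrators may load and unload device drivers.
    raw = cp.get("Privilege Rights", "SeLoadDriverPrivilege", fallback="")
    holders = {h.strip() for h in raw.split(",") if h.strip()}
    record("Privilege Rights", "SeLoadDriverPrivilege", ",".join(sorted(holders)),
           f"only {ADMINISTRATORS_SID}", holders == {ADMINISTRATORS_SID})
    return findings


def score(findings: list[Finding]) -> float:
    """Percentage of checks passed, rounded to one decimal."""
    passed = sum(1 for f in findings if f.passed)
    return round(100 * passed / len(findings), 1)


def report(findings: list[Finding]) -> str:
    """Printable summary of the kind the article describes: what needs fixing."""
    lines = [f"{'PASS' if f.passed else 'FAIL'}  [{f.section}] {f.key} = {f.actual}"
             f" (expected {f.expected})" for f in findings]
    lines.append(f"Score: {score(findings)}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_template(parse_template(SAMPLE_TEMPLATE))))
```

On the constructed sample, three of the nine checks pass, so the score is 33.3% and the report lists the password, lockout, audit and driver-loading settings that need attention. On a real machine the template would come from `secedit /export /cfg` and the thresholds would be replaced with the benchmark an organization has adopted and tuned to its own policy.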

The program, according to CIS President and CEO Clint Kreitner, is an assemblage of solutions that exist but are being used by few organizations. "It's not that we don't know how to solve the problem collectively, it's that we're not doing it even though we know how to do it."

Research appears to confirm Kreitner's opinion. According to the Gartner Group, nearly 90 percent of successful breaches of systems through 2005 will occur because those systems are not properly configured or have outdated patches.

"The problem is that properly securing these systems requires a substantial amount of technical knowledge and time that most organizations don't have," Kreitner said. "Initial research shows that we're beginning to build a pretty good basis for concluding that somewhere between 80 to 90 percent of the common vulnerabilities that are exploited by hackers can be blocked by implementing the security settings and these baseline configurations."

But what about the internal breaches, which experts say compose upwards of 70 percent of reported breaches of security?

"Internal activity can be problematic because people have access to more information," said Kreitner. "But a significant number of the intrusions that are made by internal folks exploit the same vulnerabilities as the external hackers. The problem is the vulnerabilities."

In Washington state, the havoc caused by the Nimda virus spurred officials there to address security issues. "At first it was, 'We don't have time to do this,'" said Robert Boorman, assistant secretary of the Washington Department of Health. "But when Nimda hit, we were down for 10 days, and that was definitely not kosher. Now people are saying, 'Well, a couple of people got fired from that incident; we need to get our act together.'"

Boorman helped develop the benchmarks by reviewing and commenting on drafts of the project, and his home state has adopted the guidelines, using the tool to help secure each new installation.

"I have one shared drive up on the network that the tool gets run from," he said, adding that it takes about four minutes to run the program and receive a printout that outlines what areas need fixing. "Things that we thought were pretty well secure really weren't, and it helped us tremendously in running the benchmarks occasionally against a new software upgrade or whatnot on our routers."

A Car Without Brakes
What would happen if General Motors sold a car without brakes? That's what some at the local and state agency level ask when the discussion turns to vendors selling computer systems that are not secure.

"When they're shipped by the vendors to the user, the security features of the software that runs on those systems are turned off," Kreitner said. "So when you and I take delivery of a system it's like taking delivery of a car with anti-lock brakes, the airbags, the seatbelts and everything disabled or uninstalled. It would be up to us to try and make it functional."

The vendors say they ship systems with safeguards turned off because their customers have long clamored for functionality, not security. Vendors also argue it's the customers who need to secure the systems to fit their needs.

"The danger with some of these things is you get so secure you have difficulty functioning as you're used to," Iowa's Peters said.

Security is about managing risk, he added, and if systems are made too secure, users run into trouble making the systems work. Still, Peters said he believes in starting out as secure as possible, then opening up the systems to fit the institution's needs.

"Every operation should start with something like this," he said. "It's always better to start as locked down as possible and go the other way if necessary."

The CIS' Kreitner said a benefit of involving the private sector in developing the benchmarks is that vendors may be more inclined to ship more security-enabled products.

"Now we're a step closer to where companies like Microsoft can begin to deliver systems that are at least minimally secure, as opposed to wide open," he said.

Vendors said they welcome communication with the public sector on the issue, but caution that security is an ongoing process and there is no silver-bullet solution.

"Certainly, I think there is a desire to make security simple," said Shannon Kellogg, vice president of information security programs and policy for the Information Technology Association of America (ITAA). "But it's not just measuring technology; it's measuring people as well. Even setting technology-based standards does not resolve the issue."

That's why a policy on behalf of the agency to go along with a common standard is crucial.

"The tool will say, 'Here's what you can do to solve this problem if it is a problem according to your policy,'" Boorman said. "We can't just use these tools by themselves, you still need the policy and some knowledge of the infrastructure."

Boorman said security tools are at the disposal of anybody who needs them, but the issue, in many cases, is policy. The tendency of some, he said, is to be content sitting behind a firewall because that's the way it's always been done.

"They need to be able to look past the politics," he said. "I know I'll get slapped for saying that, but the politics come into play, and that becomes the issue. Everybody has the tools, but the politics that are being put into play are so horrible that nothing is getting done."

Some on Capitol Hill believe legislation requiring vendors to deliver security-enabled products is the answer. The Bush administration was due to release a national cyber-security plan late this summer that would have required providers to bundle firewall and other security technologies along with the systems they sell. The plan was overhauled just before its release and that requirement was eliminated.

"We've seen some folks move in that direction - where they try to legislate specific technology or standards that could eventually become procurement specs," the ITAA's Kellogg said. "But that's saying, 'If you configure a product this way you're going to have a secure system.'"

Though nobody agrees on who's responsible for security and how it should be implemented, everyone seems to agree that these benchmarks, along with sound policy, certainly can't hurt.

"If you go back to the original statement of the problem - that people don't have the resources, the knowledge or the time to secure their systems - well, now they do, and it's free," Kreitner said.
Jim McKay, Justice and Public Safety Editor