Information Security News mailing list archives

Computer Security Standards Ready


From: InfoSec News <isn () c4i org>
Date: Thu, 5 Sep 2002 00:42:22 -0500 (CDT)

http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A15910-2002Jul16&notFound=true

By Shannon Henry
Washington Post Staff Writer
Wednesday, July 17, 2002; Page E05 

In a high-tech, high-powered version of a neighborhood watch, a group
of government agencies and private businesses plan to announce today a
common set of standards and software to fight computer hacking.

The Pentagon, the National Security Agency, the National Institute of
Standards and Technology, and other agencies are joining forces with
such corporations as Intel Corp., Allstate Insurance Co., First Union
Corp., Visa and Pacific Gas & Electric Co. to agree on technical
actions to stem computer fraud and theft.

"It's support for the homeland security strategy," said Clint
Kreitner, president and chief executive of the Center for Internet
Security (CIS), the nonprofit group of agencies and companies that is
coordinating the effort. "We forged a technical consensus."

The announcement comes as there is increased concern over computer
security since Sept. 11. Computer hacking, much of which has been
caused by mischievous teenagers, has become more pervasive and
destructive. The perceived threat of cyber-terrorism from countries or
terrorist groups has raised the stakes. Richard Clarke, who was
appointed the nation's cyber-security adviser late last year, has said
he worries about a "digital Pearl Harbor," where the country's vital
networks could be attacked.

While some government agencies and corporations have installed
rigorous security provisions, others lag behind, failing to use even
commonly available patches. There has not even been a commonly
agreed-upon set of fixes to install; the decision about how a computer
system will be protected usually falls to the person in charge of
installing the protection.

Representatives of those agreeing to the standards had an initial
meeting on April 18, said Kreitner, that was followed by a flurry of
e-mails.

"The challenge here is to get the significant experts in this field to
agree on the steps to achieve security," Kreitner said. He admits that
it's not an easy task, which is why so few such agreements have been
reached. "Everybody has their own opinion," he said.

What the group came up with is a series of specific technical actions
designed to heighten security, recommended to all organizations that
use Microsoft Windows 2000, a common operating system, although not
the newest one. A software "scoring" program has been created by CIS
members that would then check to ensure those settings are in place.  
The software, which also checks to see if patches are up to date, will
be available free to anyone who wants it, said Kreitner, although it's
not currently aimed at individuals. All CIS members, which cover many
industries, were invited to participate in the creation of the
standards.

Several of the top technology executives in America, including
Microsoft Corp.'s Bill Gates and Oracle Corp.'s Larry Ellison, this
year have said they are also working to make their products tougher to
break into.

Shannon Kellogg, vice president of the Information Technology
Association of America, a trade association, cautioned that the
agreement would only be successful if it concentrates on
performance-based standards, not on specific technologies that could
stifle innovation. And, he added, it requires much more communication.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

