New Security Benchmarks Go 'Down in the Weeds' for Policy Enforcement

by Jacqueline Emigh

The Center for Internet Security hopes to ease enterprise policy compliance with a new suite of security benchmarks that bring cut-and-paste simplicity to network device configuration.

A large consortium of users, vendors, and insurers known as the Center for Internet Security (CIS) will hold a meeting next week to promote standard security settings for Microsoft's Windows 2000. Meanwhile, the group is testing products from Symantec, BindView, NetIQ, and other companies for use with its own emerging set of template-based benchmarks, meant to give network managers hands-on tools for living up to enterprise security policies in Windows, UNIX, and Linux environments.

The CIS benchmarks "go 'down in the weeds,' where detailed operational security parameters are set, to configure workstations, servers, routers, firewalls, and other devices," said CIS President and CEO Clint Kreitner.

At many organizations, these devices "are either misconfigured, or they haven't been properly patched," according to Kreitner.

The CIS has more than 170 members, including major insurance companies, auditing firms, banks, government agencies, manufacturers, hospitals, software vendors, and consultants.

The consortium has already completed "Level 1" security benchmarks and scoring tools for Solaris, HP-UX, W2K, and Linux, as well as "Level 1 and 2" benchmarks and tools for Cisco IOS routers. The finished benchmarks and tools are available for free download on the group's Web site, at http://www.cisecurity.org.

The Level 1 benchmarks provide cut-and-paste command lines that network managers, systems administrators, and other technicians can use for setting up devices to comply with "industry best practice" security policies.

The Level 2 benchmarks are aimed more at security consultants and others who are "slightly more sophisticated about security," Kreitner said. Technicians can use the scoring tools to rate policy compliance, as well as to help find and fix configuration errors.

The benchmarks and tools also "begin to create a language that can be understood by both (business) managers and technical people," according to Kreitner.

The CIS is also certifying commercial software products for use in specific operating environments. BindView's bv-Control has already been certified for W2K and Solaris.

Testing will begin today on Symantec's Enterprise Security Suite. Vendors that will undergo certification testing in the future include NetIQ, among others.

At the same time, the CIS is urging vendors to ship products with preconfigured security settings.

"How can we improve security? Vendors are leaving security up to the users, many of whom don't have the knowledge or time to properly deal with it. Why do we accept it when vendors (leave) all the services wide open? We the users have to push the vendors," Kreitner said.

Many organizations tend to want to "get (a product) going first. Then we worry about security, if we ever do," he added.

"Does this sound familiar? A (network) break-in occurs. A well known vulnerability was exploited. Security staff and system administrators argue about who was to blame. Senior management sees the process as broken. Staffs are reorganized; managers are reassigned. The new managers hire a consultant to do a vulnerability analysis and penetration test. The consultant's analysis shows an average of up to 30 vulnerabilities per system," according to Kreitner.

"Management writes a memo telling system administrators and department heads to fix these vulnerabilities within xx weeks. The work would take months; system administrators don't make all the fixes - not even a small fraction. At the same time, new software is installed, and new vulnerabilities are created."

CIS benchmarks and scoring tools have already undergone more than 150,000 downloads. Users of the W2K tools include Cervalis, Tulane University, Virginia Tech, and the US Central Credit Union, for example. On the Solaris side, users include Agilent Technologies, Utah State University, Mt. Clements General Hospital, and the US Air Force Research Laboratory.

"We started with Solaris because there are so many Sun servers in enterprise environments," Kreitner noted. The CIS has already released an upgrade to the original set of benchmarks and scoring tools for Solaris.

Next to come are a W2K Level 2 IIS benchmark; Solaris Apache Level 1 benchmark; IBM AIX Level 1 benchmark and scoring tools; and Checkpoint Firewall/VPN Level 1 benchmark and tool.

Also planned for the future are benchmarks and scoring tools for databases, applications, network appliances, printers, and copiers.

Many observers outside the CIS agree that network administrators need practical tools for implementing enterprise security policies.

"Many security problems are due to operator error. To avoid those kinds of mishaps, the policies and standards set by managers should be supported by 'keystroke to keystroke' procedures," said Bob Robinson of Sprint's Security Practice.

"Any participant in the CIS is doing a great service to its clients and customers," said Anil Phull, senior analyst for security solutions at the Yankee Group.

The CIS was established in October 2000 to help network users and operators, as well as their insurers and auditors, reduce the risk of business disruption due to technical failures or security incursions.

The five founding partners were the Information Systems Audit and Control Association (ISACA); The American Institute of Certified Public Accountants (AICPA); the International Information Systems Security Certification Consortium (ISC); and the SANS Institute.

The organization's use of benchmark and scoring tools is based on an approach pioneered in the late 1990s by another CIS member, First Union (recently merged with Wachovia Bank).

This article was originally published on Friday Apr 12th 2002