Benchmarking System Security: A new assessment tool can help auditors measure computer security against established benchmarks - Computers & Auditing

Internal Auditor, Feb, 2002 by Brian Spindel

Until now, there have been no established standards for network security. Every business or organization has maintained and measured security in its own way, fending off infiltrations and breaches as best it can. The Center for Internet Security (CIS), a not-for-profit organization committed to helping organizations worldwide manage risks associated with information security, says this is much like climbing behind the wheel of a vehicle that hasn't met federal safety requirements or taking a prescription drug that has not been approved, for example, by the U.S. Food & Drug Administration. It's as if we're laboratory rats in a worldwide experiment, and no one can anticipate what might happen next.

In light of this situation, CIS has been pushing for the establishment of universally recognized benchmarks that detail how computer operating systems should be configured and operated to provide the most effective security. The group recently released its first attempt at a benchmark for the Windows 2000 operating system, and I was able to try the new assessment tool that CIS developed to measure compliance with that benchmark. The tool is easy to use and comes with documentation that walks users through the installation, operation, and remediation process.

ABOUT THE TOOL

The Windows 2000 Benchmark is part of a download package that includes a software tool that allows users to compare their computer's security settings against the CIS benchmarks. Available to anyone free of charge on CIS's Web site (www.cisecurity.org), the package is intended for individual users, small businesses, large corporations, governments, or any organization that relies on the security of a network of Windows 2000 machines.

Released in November 2001, the Windows 2000 Benchmark represents a combination of best practices published by the System Administration, Networking, and Security Institute; the U.S. National Security Agency; and the U.S. Department of Defense; plus advice from members of the CIS. To establish benchmarks, the center looks at three factors of Internet-based attacks and disruptions: technology, which includes hardware and software; process, which includes system and network administration; and people, which takes into account the end user and management of the organization. The CIS benchmarks and the scoring tool are intended to be used for improving the "out of the box" security of common operating system software.

As with any other benchmark, the Windows 2000 scoring tool gives users a point-in-time view of where something stands in relation to the standard. After completing the assessment, it assigns a score between zero and 10.

The tool looks at three security-related criteria:

* SERVICE PACKS AND HOT FIXES. Operating-system manufacturers periodically issue upgrades for their product. Microsoft's so-called hot fixes are issued as soon as any "holes" or "bugs" are found in a Windows operating system. Service packs are sent out periodically to incorporate bundles of hot fixes into a system for those who have missed the hot fixes. System administrators often do not take time to install every hot fix, which leaves networks with many different configurations, and, consequently, with many differing levels of resilience to attacks.

* ACCOUNT AND AUDITING POLICIES. These are standards set up by the individual organization. Account policies address such issues as the required length of passwords and the amount of time passwords can remain valid. Auditing policies determine what system, application, or security errors or events are recorded into an electronic log.

* SECURITY SETTINGS. These are system configurations determined by individual organizations and their information technology staffs. The configurations control the behavior of the operating system and regulate issues such as whether or not users are allowed to install software and hardware.

The Benchmark tool assigns an equal value of one-third to each of these criteria. CIS says the initial point distribution pattern is only a beginning and that the point allocations probably will change over time as the Benchmark tool is enhanced.
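To make the scoring scheme concrete, here is a small Python model of a three-criteria, equal-weight scorer of the kind the article describes. It is an added illustration, not the CIS tool's code or its real check list: the individual checks, the thresholds (an eight-character minimum password length, a 90-day maximum password age, the required service pack and the hotfix identifiers) and the sample host state are constructed assumptions. The scorer generalizes slightly beyond the text in that it works for any number of criteria, giving each an equal share of the 10 points regardless of how many checks the criterion contains, which is the property that makes a single missing hotfix cost a different amount than a single missing audit setting.

```python
"""Toy benchmark scorer modelled on the equal-weight, three-criteria scheme.

Constructed example: the checks, thresholds and host state below are
assumptions for illustration, not the CIS Windows 2000 Benchmark's own.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class HostState:
    """Hypothetical snapshot of one machine's security-relevant state."""
    service_pack: int
    installed_hotfixes: Set[str]
    min_password_length: int
    max_password_age_days: int
    audit_logon_events: bool
    audit_policy_change: bool
    users_may_install_drivers: bool


# A check is a predicate over the host state; True means "compliant".
Check = Callable[[HostState], bool]

# Placeholder requirements (assumed, not CIS values).
REQUIRED_SERVICE_PACK = 2
REQUIRED_HOTFIXES = {"HOTFIX-A", "HOTFIX-B", "HOTFIX-C"}

# The three criteria from the article, each holding its own checks.
CRITERIA: Dict[str, Dict[str, Check]] = {
    "service packs and hot fixes": {
        "service pack current": lambda s: s.service_pack >= REQUIRED_SERVICE_PACK,
        **{f"hotfix {h} installed": (lambda s, h=h: h in s.installed_hotfixes)
           for h in sorted(REQUIRED_HOTFIXES)},
    },
    "account and auditing policies": {
        "minimum password length >= 8": lambda s: s.min_password_length >= 8,
        "maximum password age <= 90 days": lambda s: 0 < s.max_password_age_days <= 90,
        "logon events audited": lambda s: s.audit_logon_events,
        "policy changes audited": lambda s: s.audit_policy_change,
    },
    "security settings": {
        "users cannot install drivers": lambda s: not s.users_may_install_drivers,
    },
}

MAX_SCORE = 10.0


def score_criterion(state: HostState, checks: Dict[str, Check]) -> Tuple[float, Dict[str, bool]]:
    """Return the fraction of checks passed in one criterion plus per-check results."""
    results = {name: bool(check(state)) for name, check in checks.items()}
    return sum(results.values()) / len(results), results


def score_host(state: HostState) -> Tuple[float, Dict[str, dict]]:
    """Score a host out of MAX_SCORE.

    Every criterion contributes the same share of the maximum (one-third for
    three criteria), however many individual checks it contains, so a failed
    check in a small criterion costs more than one in a large criterion.
    """
    weight = MAX_SCORE / len(CRITERIA)
    total = 0.0
    report: Dict[str, dict] = {}
    for criterion, checks in CRITERIA.items():
        fraction, results = score_criterion(state, checks)
        failed: List[str] = [name for name, ok in results.items() if not ok]
        report[criterion] = {"points": round(fraction * weight, 2), "failed": failed}
        total += fraction * weight
    return round(total, 2), report


# Constructed sample host: one hotfix missing, weak password length,
# one audit category off, driver installation already restricted.
SAMPLE_HOST = HostState(
    service_pack=2,
    installed_hotfixes={"HOTFIX-A", "HOTFIX-B"},
    min_password_length=6,
    max_password_age_days=42,
    audit_logon_events=True,
    audit_policy_change=False,
    users_may_install_drivers=False,
)

if __name__ == "__main__":
    total, report = score_host(SAMPLE_HOST)
    print(f"score: {total}/{MAX_SCORE:g}")
    for criterion, detail in report.items():
        print(f"  {criterion}: {detail['points']} points; failed: {detail['failed']}")
```

Running it on the constructed host gives 7.5 out of 10: the missing hotfix costs a quarter of the first criterion's share, the two policy failures cost half of the second, and the third is fully satisfied. The per-criterion "failed" lists are what an auditor would carry into remediation.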

SETTING UP THE TOOL

I was able to download the Windows 2000 Benchmark and Scoring Tool, install the package, and obtain my first results in less than an hour. Thorough, illustrated instructions guided me step-by-step from download to interpretation of the results.

Installing the tool was similar to installing any other Windows software. After downloading the package, I uncompressed it using WinZip, which is available freely at www.winzip.com, and then double-clicked the "setup.exe" file and followed the prompts.

Once the tool is installed, users can enter the name of any Windows 2000 computer on the local area network that they want to test. The software immediately attempts to connect to Microsoft's Web site to check for new service packs or hot fixes; it then performs the assessment and returns a numeric score. The whole process takes only minutes.
