
Users mold security benchmark

 


May 14, 2001 (Computerworld) -- The problem with IT security benchmarks is that the reference point is a constantly shifting target as new technologies and threats emerge.

Benchmark Overview
The Center for Internet Security (www.cisecurity.org) will release its Solaris systems benchmark next month.

What will be available: The CIS will offer public access to the benchmark ruler, which will define security settings for Solaris systems, depending on level of security sought. The full benchmark, which will include supporting information and references, will be available to members. The CIS is considering becoming a subscription-based service rather than a membership-based organization.

What’s up next: Its next benchmarks include Windows 2000 and NT; Unix variants, including IBM’s AIX; and Linux.


And that's an especially difficult problem to overcome, said corporate security systems managers. They are examining the fruits of a relatively new cooperative effort that this week will yield the near-final version of a systems security benchmark for Sun Microsystems Inc.'s Solaris.

But despite concern about the benchmark's continued usefulness, end-user members of the Center for Internet Security said the organization's technical benchmark for securing Solaris systems will be key to their security efforts.

"To me, this is a great economic package for us," said Iris Patton, who heads security for the Americas at Houston-based Shell Services International Inc., the IT unit of Royal Dutch/Shell Group. In return for the $5,000 membership fee the company paid to the CIS, it's receiving technical information that's good enough to serve as a substitute for high-priced consultants, she said.

The CIS is a nonprofit, cooperative group in Bethesda, Md., that was formed last October. Its members include more than 140 companies, government agencies and consulting firms.

The benchmark outlines a list of specific operational actions and settings for securing systems at different levels of protection. It was developed through a collaborative effort that involved ongoing feedback on the benchmark's drafts from technicians at some of the member companies, such as Shell's Unix gurus.

Donna Francis, who manages compliance security and policy for the IT group at Subaru of America Inc. in Cherry Hill, N.J., said the benchmark's collaborative approach will help fill security knowledge gaps.

"A [single] company can't always experience all the things that go wrong," she said. "It's just impossible."

But the true test of the benchmark will be its usefulness over time, said Francis. "How are they going to keep it updated?" she said.

"How are people going to add their experience next year or in the coming months as things change?"

Clint Kreitner, the CIS's president and CEO, said the goal is to keep Solaris current through information it gets from members, vendors and others. The CIS will also certify tools.

Other planned benchmarks will deal with Linux and Microsoft Corp.'s Windows 2000 and NT. The organization intends to release the Solaris benchmark next month.

"This is a consensus effort," said Kreitner. "We're not a commercial organization with something to sell. The knowledge is out there; it's just unevenly distributed."

The value to companies will vary. Deborah Eagan, security coordinator at Lincoln Electric System, a Nebraska-based utility with about 110,000 customers, said that as a smaller company, Lincoln Electric will still have to use consultants. But Eagan said she believes the standard will enable the utility to "get much more out of the consulting experience."

Carmen Banks, information security manager at Hallmark Cards Inc. in Kansas City, Mo., said the benchmark will be helpful as a standard to measure subsidiary and business-partnership security.

