New group to help agencies measure computer security weaknesses

Several federal agencies have joined a new non-profit organization, the Center for Internet Security, to help spread the word about best practices in federal computer security and to create benchmarks to help agencies determine their cybersecurity risks.

CIS aims to create a set of best practice benchmarks that will give systems administrators a tool to help fix their systems. CIS will also help systems administrators learn how to get the help they need to establish the level of security they require. Moreover, CIS will help agencies measure themselves against one another.

"We have to learn how to measure computer security," said CIS CEO Clint Kreitner, at a CIS meeting in Washington on Monday. "If you can't measure it, you can't manage it."

CIS already has a number of federal agencies among its charter members, including the Treasury Department's Financial Management Service, NASA, the National Institute of Standards and Technology and the Naval Surface Warfare Center.

Every systems administrator must contend with systems and applications that are delivered with known security weaknesses, said computer security expert and meeting presenter Stephen Northcutt, director of the Global Incident Analysis Center at the SANS Institute, an organization of computer security experts. "One problem we have is that systems come to us hackable--it's a feature," Northcutt said.

Among other security problems agencies face are system administrators with weak security skills, users who knowingly expose their organizations to risk and unprotected systems that commonly access government systems, Northcutt said.

Northcutt presented 37 government Web sites that had been hacked between Aug. 1 and Nov. 10, 2000. The victims include Web sites owned by NASA, the U.S. Navy and the Transportation Department.