December 28, 2000, 1:49 PM — No amount of preflight checks can guarantee that a plane won't fall out of the sky, and yet the airline industry is required to conduct those checks before takeoff. It's a condition of doing business that the airlines and their customers understand and accept.
Soon, the same may be true for companies that want to connect their computer systems to the Internet.
The Bethesda, Md.-based Center for Internet Security (CIS), a nonprofit cooperative enterprise, plans to release a series of global benchmarks that will let firms measure and monitor the security status of systems connected to the Internet. The CIS was formed less than two months ago by more than 80 private companies, government agencies, academic institutions and consulting firms.
These benchmarks, or security rulers, will enable companies to select a specific level of security and then use certified third-party tools to validate that their systems meet minimum standards of operation.
The CIS will release its first benchmark for Sun Microsystems Inc.'s Solaris operating system in the next few weeks, according to Clint Kreitner, CIS president and CEO, who at a meeting in Washington last week encouraged a group of government and industry security professionals to join. Future releases will cover Linux, Windows 2000, Windows NT, HP-UX, IBM's AIX, Silicon Graphics Inc.'s Irix and eventually, individual applications.
The CIS is based on the notion of collective action, said Kreitner, adding that charter member companies get to review, comment and vote on the draft benchmarks. "None of us can do this by ourselves," he said. "The necessity of collective action is clear."
Charter memberships are available through December at $20,000 for consultants or suppliers, $5,000 for user organizations and $1,000 for individuals, said Kreitner.
A senior White House official who attended the meeting called the CIS a unique effort to create a security consortium of Internet users. "We have all sorts of consortiums for vendors, but nobody has ever created a consortium that represents the interests of users," said the official, who requested anonymity.
Users were less enthusiastic, however, about another plan by the center -- to make available an anonymous database that would allow companies to compare their security status with that of their peers. Some users who attended the briefing expressed concern about the database and the potential for leaks of sensitive or proprietary information. They said they are concerned that the automated tools used to report their "anonymous" configuration data might also inadvertently capture network maps and other data.