Suppose you took delivery on your new car and the salesman told you, as you signed the order, that the seatbelt, antilock brakes, and the airbags were in a box in the trunk and that if you want to be safer you might want to have an expensive expert install them. That would be about the time you scream a long string of epithets we cannot print here and go running from the showroom.
So how come we all allow our software to be delivered with all the safety features set to a default that allows the porno peddler in Lithuania to store his entire inventory on your computer, not to mention borrowing the username and password to your bank account? And what can we do about it?
Center for Internet Security
Those are the kinds of questions that plague men like Clint Kreitner at the Center for Internet Security (CIS). Kreitner is a Naval Academy grad – went to school with John McCain – who served his country for 13 years and then went into the private sector. He ran some very successful IT companies and a hospital. Then he was about to settle down in a sort of retirement when an old friend came along with an idea for a non-profit organization dedicated to helping make the cyber world a little safer for business and other computer users. That was eight years ago.
CIS is a 504C not-for-profit organization that, per the enabling rule, exists for the good of society. In this case it is to assist users at the enterprise level to work and live in a more secure cyber community.
“We have chosen to focus for the past eight years on the enterprise level of IT security, while at the same time influencing vendor practice, because vendors have been getting away with delivering unsecured systems for a long time,” says Kreitner.
He likens the state of computer security at this point to any of us buying a car with all the safety features safely stored in the trunk – they are not in the way, but they won’t save your life either. In order for them to be of use you would have to go find an expert to install them.
IT vendors have huge impact
“IT vendor practice is in great need of improvement,” Kreitner says. When people who are not experts unpack and install systems – and it happens all the time – they usually install a system or software that has all the security features set to a default or level that most likely is not nearly as secure as it should or could be. It is not just a matter of trying to turn on those features. Turns out, it can be a very complicated matter. Enter CIS.
“Since 2000 CIS has focused on two aspects of our mission,” says Kreitner. “One is to work with technical security experts to come to consensus on how to configure the various technologies like Windows desktops and Solaris servers to make them more secure.”
Software platforms like Windows XP or Mac OS X come from the vendor with, sometimes, hundreds of configurable security features. These may be as simple as how long your password needs to be or as complicated as helping you lock out IP numbers of a certain range or a myriad of other things. However, the features are generally not sent out in the highest or best configuration. CIS is (now) widely known as the source of immediately actionable security guidance or rules on configuring those systems.
“Guidance from other sources comes at a more abstract level and requires more elaboration prior to implementing anything. Ours is immediately useful and is available to everyone,” Kreitner explains.
If you go to Cisecurity.org it is pretty easy to find a whole series of CIS benchmarks that provide immediate guidance on hardening the security of everything from Windows to Cisco routers to Linux hosting servers. Some are fairly simple and can help someone who is at least a mid-to-upper level enterprise user. Unfortunately, others will require the hand of someone who knows what they are doing.
The benchmarks that CIS has established are respected in the IT business because they are highly researched, tested and agreed upon by the most qualified experts in the field. They are a consensus of IT professionals who understand the vulnerability issue. Their consensus is also a call to action. This goes to the second part of the mission, that of influencing changes in the state of the state.
“We are trying to influence the shipping of systems properly configured. Now, the federal government with its desktop core configuration effort is moving in that direction by saying that they won’t buy a Windows XP or Vista box unless it is configured in accordance with our benchmarks,” says Kreitner, a man with three staffers and a volunteer army doing the Quixotic business of trying to turn what amounts to a tsunami of computer insecurity.
In trying to turn the tide, one of Kreitner’s best tools is making enterprise-level users aware of what they can do to help themselves.
CIS benchmarks are effective
“Proper configuration of the secure parameters available in the systems they use is the first thing that comes to mind,” Kreitner says. “NSA did a study not long ago which indicated that if you scanned an unconfigured system for vulnerabilities, and then scanned the same system after putting the CIS benchmark configuration in place, you would find a reduction of 90 percent of those vulnerabilities.”
Kreitner says that learning about and patching software defects is another area where users can harden their fortresses.
“We as a society, being mesmerized by software, I guess, have come to accept a quality level in software that is profoundly lower than that of any other manufactured product.
“This contributes to our vulnerability, because the vast majority of software intrusions exploit either poor configuration or unpatched systems. But it is worse than that. The vast majority of those successful intrusions exploit a vulnerability for which a configuration or patch is known.
Keep current with software patches
“Too many enterprise level users don’t keep up on the patches available for their systems. They may download and install a set and then forget about the matter until they get hacked. Here is the frustration: Installing a new patch could very well reset a system to defaults that leave it as vulnerable as it was without the patch. It is another case for benchmark configuration and a strong one for changing the way software publishers ship their wares.”
Kreitner is a security expert who knows that everyone connected to a computer system, local network or Internet must always ask the question, “Do they need to know?”
When allowing access to an enterprise system by username and password, everyone has to take a more disciplined approach.
“We have to ask, ‘does this person need to know’ before we grant access to information on our systems. We need to ask that question and we need to do things like not give more than one person the same password for a user account, and we need to make people change passwords from time to time,” Kreitner says.
Through all of his talk of paying closer attention and hardening our security, Kreitner understands that it is a fine line he and others walk as they try to keep us safe.
“The nature of security, like safety, is in constant tension between convenience, expediency, economy, productivity and profitability. And that is natural. We should say to ourselves, ‘How much inconvenience, lack of productivity or efficiency am I willing to accept in order to be secure?’ That’s the balancing act.”
Kreitner says he has good and bad days when it comes to the prognosis of Internet and enterprise system security. Unlike airline safety where there is feedback from disasters that helps make the future safer, there is no such thing in the cyber world.
“In the cyber realm, the public and private sectors are having to learn to work together in a way that is, for them, unnatural. The government sector is generally of the opinion that all they have to do is issue some good regulations and everything will be fine. The private sector says no, no, no, we own the majority of the infrastructure and you’re not going to lay a bunch of regulations on us. So we’re in a situation where the government and private sectors are jockeying for appropriate roles,” says the CIS chief.
Meanwhile, the private sector is not forthcoming with enough (or, in some cases, any) information about breaches, which is another factor in the no-feedback issue Kreitner raises. Only when we stop hiding problems and things become more transparent will security really improve. Right now, Kreitner says, there is still a lot of hiding and posturing, and on days when he sees that he is discouraged.
“On the other hand, when we humans are threatened we usually rise to the challenge. I think in the long term we will. In the meantime, while we figure out how to deal with the problems, let’s be more transparent about everything and move to the solutions.”
_The Center For Internet Security is a non-profit company supported by industry partners. Volunteer IT professionals are constantly at work to provide benchmark configurations for dozens of software systems. To learn more about CIS, go to Cisecurity.org._