Group crafts rating system for server security

The newly formed Center for Internet Security is creating a suite of tests that will give computer owners a rating--on a scale of 1 to 10--of how good their security is.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
Are your servers as secure as Fort Knox or as open as a revolving door?

The newly formed Center for Internet Security hopes to answer that question by creating a suite of tests that would give computer owners a rating--on a scale of 1 to 10--of how good their security is.

A level-10 server could protect an e-commerce company's virtual gold, while a level-1 server would be an online vandal's playground.

"Our members are just saying that they would like to see global benchmarks," said Alan Paller, director of research for the Systems Administration Networking and Security (SANS) Institute and a founding member of the 71-member center. "The banks want these types of benchmarks. The government wants these types of benchmarks. The center's work is a guide that people will use."

Such a rating system is necessary if the industry is to gauge how secure its virtual assets are, Paller said.

In the future, insurance companies could base the cost of so-called hacking policies on the rating.

The government may require financial institutions to meet a minimum rating, and companies that don't meet the minimum may find themselves the target of a liability lawsuit, he said.

The center's members are working together to create a rating system for Solaris, Linux and Windows 2000, Paller said. The guidelines could be completed as early as March 2001.

But can such a global, all-in-one rating work?

"It's very difficult to assign a single number to represent how secure a server is," said "Weld Pond," the research director for security firm @Stake, who prefers to use his hacker handle.

For example, while Underwriters Laboratories has a single number for safes--representing how many hours an expert safe cracker would need to break in--that model doesn't work in computer security, he said.

However, giving people an idea of how many holes they have plugged is a good idea, he said. "People generally have no idea about how to check their computers for security problems. If this group can do this in an easy way, that's a good thing.

"The only problem I see is it finds only well-known problems in the most mainstream of software," he added. "Many times it's the somewhat obscure application that opens a computer up to be compromised. Even a server that rates a 9 out of 10 could be compromised in a short time if an attacker knew the single flaw on the system."
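To make the two objections concrete, here is an added example (not code from the article, and not the Center's benchmark) of how a checklist-style rating behaves. The ten checks, their severities, the set of "covered" ports and the sample host facts are all constructed for illustration; the point is that a plain pass-ratio score reports 9 out of 10 for a host with one critical failure, that gating on the worst failed check gives a very different number, and that a service the benchmark never looks at is invisible to either score.

```python
"""Benchmark-style host rating: pass-ratio score vs. severity-gated score.

Added example, not the article's or the Center for Internet Security's code.
The checks, severities and host facts below are constructed; the assumption
is simply that a benchmark is a list of yes/no checks over host configuration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CRITICAL, HIGH, LOW = "critical", "high", "low"


@dataclass(frozen=True)
class Check:
    name: str
    severity: str
    passes: Callable[[dict], bool]  # True when the host complies


# Ten constructed checks in the style of a hardening benchmark.
BENCHMARK: List[Check] = [
    Check("sshd: PermitRootLogin no", HIGH, lambda h: h["sshd"].get("PermitRootLogin") == "no"),
    Check("sshd: Protocol 2 only", HIGH, lambda h: h["sshd"].get("Protocol") == "2"),
    Check("sshd: PasswordAuthentication no", HIGH, lambda h: h["sshd"].get("PasswordAuthentication") == "no"),
    Check("no telnet listener (23/tcp)", CRITICAL, lambda h: 23 not in h["listening_ports"]),
    Check("no r-services (512-514/tcp)", CRITICAL, lambda h: not ({512, 513, 514} & h["listening_ports"])),
    Check("anonymous ftp disabled", HIGH, lambda h: not h["anon_ftp"]),
    Check("vendor patches within 30 days", CRITICAL, lambda h: h["days_since_patch"] <= 30),
    Check("host firewall enabled", HIGH, lambda h: h["firewall"]),
    Check("password aging <= 90 days", LOW, lambda h: h["max_password_age_days"] <= 90),
    Check("syslog forwarded off-host", LOW, lambda h: h["remote_syslog"]),
]

# Ports the benchmark knows how to judge; anything else listening is outside its coverage.
COVERED_PORTS = {21, 22, 23, 512, 513, 514}

# Constructed host facts: well hardened on paper, but 120 days behind on patches
# and running an unlisted service on 8081/tcp that no check examines.
SAMPLE_HOST: Dict = {
    "sshd": {"PermitRootLogin": "no", "Protocol": "2", "PasswordAuthentication": "no"},
    "listening_ports": {22, 8081},
    "anon_ftp": False,
    "days_since_patch": 120,
    "firewall": True,
    "max_password_age_days": 60,
    "remote_syslog": True,
}


def run_benchmark(host: dict) -> List[Tuple[Check, bool]]:
    """Evaluate every check against the host facts."""
    return [(c, c.passes(host)) for c in BENCHMARK]


def naive_rating(results: List[Tuple[Check, bool]]) -> int:
    """1-10 rating as a plain pass ratio: what a single number most naturally means."""
    passed = sum(1 for _, ok in results if ok)
    return max(1, round(10 * passed / len(results)))


def gated_rating(results: List[Tuple[Check, bool]]) -> int:
    """Same ratio, but any failed critical check caps the rating at 1 and a failed high check at 5."""
    score = naive_rating(results)
    failed_severities = {c.severity for c, ok in results if not ok}
    if CRITICAL in failed_severities:
        return 1
    if HIGH in failed_severities:
        return min(score, 5)
    return score


def uncovered_listeners(host: dict) -> set:
    """Listening ports the benchmark says nothing about: the 'obscure application' gap."""
    return set(host["listening_ports"]) - COVERED_PORTS


def report(host: dict) -> dict:
    """Both ratings, the failed checks, and the listeners no check covers."""
    results = run_benchmark(host)
    return {
        "naive": naive_rating(results),
        "gated": gated_rating(results),
        "failed": [c.name for c, ok in results if not ok],
        "uncovered_ports": sorted(uncovered_listeners(host)),
    }


if __name__ == "__main__":
    r = report(SAMPLE_HOST)
    print(f"naive rating: {r['naive']}/10, gated rating: {r['gated']}/10")
    for name in r["failed"]:
        print("  FAIL:", name)
    print("listeners the benchmark does not cover:", r["uncovered_ports"])
```

Run as-is, the sample host scores 9 by pass ratio and 1 once the critical patch failure is allowed to dominate; patching it brings both numbers to 10, yet port 8081 still shows up as uncovered, which is exactly the case a single score cannot express.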

The Center--founded Nov. 1--consists of a total of 71 companies, academic institutions and government organizations, including the Department of Defense, the National Institute of Standards and Technology, Intel, Visa International, Chevron and AT&T.

Paller said the actual creators of operating systems are not welcome--yet.

"Early members asked that the vendors not be involved," he said, for fear they might "hijack the process."