The U.S. government has become increasingly concerned with the
possibility of an organized strike against the nation’s critical infrastructure — communications networks, power grids, and other
systems essential to the minimum operations of the government and economy. In a step intended to limit such a threat, a coalition of
U.S. government agencies and private-sector firms has created a single benchmark with which to measure the security of Windows
2000 workstations, which are among the most common computers used in both government and business.
The Pentagon, the National Security Agency (NSA), the National Institute of Standards and Technology (NIST), and other government
agencies, working with the Center for Internet Security (CIS), have devised standards for
securing the Microsoft operating system against most known vulnerabilities and flaws.
The 170-member-strong CIS includes organizations like Intel, Infocomm, Visa, First Union, Pacific Gas & Electric, and the SANS
(System Administration, Networking and Security) Institute.
All Defense Department computers will be required to meet the security benchmark, and the White House is also considering requiring
all government computers to meet the standards. To make it easier for system administrators to adhere to the benchmark, CIS released a Security Scoring Tool — freely available to all — which can search computers for known security flaws and then
suggest fixes.
Known security vulnerabilities for which patches are available are a constant irritation to security watchdogs, because patches are
frequently not applied. Gartner Group recently predicted that 90 percent of all cyber attacks through 2005 will utilize known
vulnerabilities for which a patch is available.
Many government organizations already have standards to which they require computers to adhere, but this will mark the first time
the various agencies have agreed on a single standard.
The benchmark outlines a series of technical actions designed to harden security. The Security Scoring Tool is a scan/analysis program that checks whether all those settings are in place and whether all patches are up to date.