The SANS Institute ~ System Administration, Networking and Security

 

The Center for Internet Security

 

FOR IMMEDIATE RELEASE            Contact: Clint Kreitner, The Center for Internet Security

540-459-1861; cell: 540-270-8312

Government and Industry Agree on More Recommended Consensus Baseline Security Settings

 

WASHINGTON, DC, September 18, 2002 – In conjunction with his announcement of the National Plan to Secure Cyberspace, Richard Clarke, Special Advisor to the President on Cyberspace Security, today cited the release of consensus Baseline Security Settings for Solaris systems and Cisco Routers as an example of a public/private partnership that supports the National Plan.

 

“These security guidelines will help government agencies and corporations better secure their systems against cyber attack in a very tangible and measurable way, and the breadth of public and private organizations involved in forging the consensus gives users confidence in the competence of these guidelines,” said Clarke.


The collaborative effort involved security experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA), National Security Agency (NSA), System Administration, Networking and Security (SANS) Institute, and members of the Center for Internet Security (CIS).   

 

The consensus on Baseline Security Settings for Solaris and Cisco Router IOS, both widely used in corporate and government computer networks, follows the announcement by the same organizations on July 17, 2002 of having reached consensus on security settings for Windows 2000 Professional workstations.

 

“Initial research has shown that systems configured in accordance with the consensus Baseline Security Settings and up-to-date patches can block over 80 percent of known vulnerabilities, thus freeing security staffs to focus on the smaller number of remaining threats and the additional actions they can take to protect their systems against those threats,” said Alan Paller, Director of Research for The SANS Institute.

 

Until these consensus security guidelines became available, there was no broad user consensus for communicating desired security settings to vendors. Now, these consensus security baselines enable users to order, and vendors to begin shipping, systems with an enhanced level of security in place before leaving the vendor’s shipping dock.

 

In response to the new baseline security settings, CIS (at cisecurity.org) will be making available free of charge Security Benchmark documents reflecting the consensus settings and Scoring Tools which enable users to measure compliance with the consensus security settings.  In addition, the SANS Institute is making training courses available for organizations and individuals that want to learn how to implement the new benchmarks and use related security tools.

 

Clint Kreitner, President and CEO of CIS said, “This achievement has been possible because of the dedication of the federal agencies and the member organizations of CIS to improving security for all Internet users.  I continue to be most impressed with their commitment.”

 

About NIST

The National Institute of Standards and Technology is a non-regulatory agency of the U.S. Department of Commerce's Technology Administration.  NIST develops and promotes measurement, standards, and technology to enhance productivity, facilitate trade and improve the quality of life.  For general information about NIST, log on to www.nist.gov.  For information on NIST computer security research, tools, services, and guidance publications, including Windows 2000, log on to http://csrc.nist.gov.

 

About DISA

The Defense Information Systems Agency (DISA) is a Department of Defense (DOD) leader in network management and security and is responsible for security of the worldwide Defense Information System Network (DISN).  DISA has developed and maintains 25 Security Technical Information Guides that detail "best practices" for securing various network devices and computer operating systems.  For more information log on to www.disa.mil.

 

About NSA

The National Security Agency (NSA) has dual missions: to provide foreign signal intelligence and to protect vital U.S. information systems.  These missions require that NSA remain at the cutting edge of technology. To meet this challenge, NSA employs highly talented mathematicians, computer scientists, engineers, linguists, signals analysts, and intelligence analysts, and aggressively partners with high-tech industry leaders, to include local businesses.  For more information log on to www.nsa.gov.

 

About GSA

The General Services Administration (GSA) is a centralized federal procurement and property management agency created by Congress to improve government efficiency and help federal agencies better serve the public. The Federal Computer Incident Response Center (FedCIRC) is a collaborative partnership of computer incident response, security and law enforcement professionals working together to handle computer security incidents and to provide both proactive and reactive security services for the federal government.  For more information, log on to www.gsa.gov.

 

About The SANS Institute

The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than 156,000 security professionals, auditors, system administrators, and network administrators invest thousands of hours each year in research and teaching to alert the entire SANS community of security threats, news updates, special research projects and publications, in-depth educational opportunities and certification programs.  More than 30,000 system and security professionals have attended SANS immersion training in advanced network security topics.  For more information log on to www.sans.org.

 

About CIS

The Center for Internet Security (CIS) helps organizations around the world effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of Internet-connected systems and appliances.  For more information log on to www.cisecurity.org.

 

# # #