http://www.eweek.com/article2/0,3959,387377,00.asp
"All the while maintaining that the government will not set IT security
requirements for the private sector, top federal IT officials today said
they expect such mandates will be imposed on federal agencies and that the
same standards will also be used by industry."
While standards are great, one-size-fits-all standards aren't. When the
government's cyber-security plan is released in September, will
there be 500 requirements that Internet Service Providers must meet?
Should ISPs be more secure than the post office or the telephone or the
bike messenger? Must Bill's Bait & Sushi Shop ISP Service meet the same
security requirements as the ISP for the White House?
ISPs come in all sorts of shapes and sizes. Consumers use cordless
phones at home, but the NSA prohibits use of cordless phones in secure
areas. Just because the government issues a security standard doesn't make
it suitable for all purposes. Some people like paying $9.95 for Internet
service from an ISP without a backup generator, and wouldn't want to pay
$29.95 for a "certified" ISP with a backup generator. If the $9.95 ISP
fails, heck they could almost afford two more for the same price as a
single "certified" ISP. Sometimes a hammer is just a hammer, and you
don't need a MIL-SPEC. If the Department of Homeland Security creates a
new security standard for ISPs, what do you think will happen to any ISP
which doesn't meet it?
The security "Gold Standard" for Microsoft 2000 was written by the
Critical Infrastructure Protection Board, the Center for Internet
Security, the National Security Agency, the General Services
Administration, the National Institute of Standards and Technology, and
the SANS Institute.
Do you know who is writing the security "Gold Standard" for Internet
Service Providers?
[snip more depressing erosion of common sense and liberties under the guise
of 'patriotism']
The security "Gold Standard" for Microsoft 2000 was written by the
Critical Infrastructure Protection Board, the Center for Internet
Security, the National Security Agency, the General Services
Administration, the National Institute of Standards and Technology, and
the SANS Institute.
_Microsoft_ managed to get a security 'Gold Standard' for one of its
products? This must be for some non-golden value of gold ...
Microsoft didn't do anything (take that as you may). The CIS and SANS crew did
up their W2K benchmark - the news here is that the NSA, GSA, and NIST are all
throwing their backing behind it as a Good Thing.
It's a *long* checklist of everything you need to do to W2K to beat it into
submission security-wise. Basically, *after* you do everything on the list, it
will require a *skilled* hacker or a script kiddie with an actual 0day exploit
to 0wn you.
I didn't get involved in that one, but I've been working on the Unixoid
stuff with CIS and SANS. We make no claims that if you do everything on
the checklist that you're secure - the claim is that *failure* to do
everything is demonstrably *insecure*.
Yes, you read it and every single item will strike you as "any sysadmin
who didn't just fall out of a tree knows THAT". The oft-overlooked point
is that most sysadmins DID just fall out of trees - often landing on their
head in the process.
Think of it as recognition that "Your Clue Must Be --->THIS<--- Tall To Ride
The Internet". It's about time...
[snip]
Think of it as recognition that "Your Clue Must Be --->THIS<--- Tall To Ride
The Internet". It's about time...
Great! How long until we can extend this to users?
In the corporate environment, it's at least theoretically feasible to make
network access contingent on passing a computer literacy course (modulo the
usual concerns about the cost of training, etc).
I'll personally nominate for sainthood anybody who figures out how to make
it work for an ISP's terms of service. 
The CIS/W2Kpro checklist is not that. Failure to do everything on the
W2K checklist is not "ipso facto" evidence a computer is insecure. Many
items on the CIS/W2Kpro checklist are of the form "if you aren't using
this item, you should disable it." That is a good security practice. But
it does not follow that if you are using the item (i.e., it's enabled), your
machine is insecure. Unfortunately the CIS/W2Kpro scoring tool can't
tell the difference.
As a list of things to consider, and a free tool to check a computer's
configuration, the CIS/W2Kpro checklist is a great addition to the
security toolbox. Just don't try to push it too hard. Not following the
CIS/W2Kpro checklist is not evidence of security malpractice. The puffery
in the accompanying press releases and news articles was more than the
CIS/W2Kpro checklist can support.
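The point above about "disable it unless you use it" items is worth seeing in code. The following is an added illustration written for this page; it is not code from the thread, from CIS or SANS, or from any published benchmark tool. The checklist item names, the `net start`-style listing it parses, and the justification text are all constructed placeholders, and the listing format is an assumption chosen for readability rather than a copy of real tool output. It contrasts a scorer that looks only at machine state with one that also reads a written record of which services the host is supposed to be running.

```python
"""
Added illustration: why "disabled unless needed" checklist items cannot
be scored from machine state alone (not from the original page).
"""
from dataclasses import dataclass

# Constructed sample items. A real hardening checklist has many entries
# of the shape "if you do not use X, disable X"; these names are
# illustrative placeholders, not quoted from any published benchmark.
DISABLE_UNLESS_NEEDED = {
    "Telnet": "clear-text remote shell",
    "FTP Publishing Service": "clear-text file transfer",
    "Messenger": "network pop-up messaging",
    "World Wide Web Publishing Service": "web server",
}

# Constructed text in the general shape of a `net start` listing
# (a header line, one indented service name per line, a footer).
# The exact format is an assumption made for this example.
SAMPLE_NET_START = """These services are started:

   Event Log
   Telnet
   World Wide Web Publishing Service
   Workstation

The command completed successfully.
"""


def parse_started_services(listing: str) -> set:
    """Return the set of service names from a net start-style listing.
    Only indented, non-blank lines are service names; header and footer
    lines are skipped."""
    services = set()
    for line in listing.splitlines():
        if line.startswith("   ") and line.strip():
            services.add(line.strip())
    return services


@dataclass
class Host:
    name: str
    started: set            # services observed running on the box
    documented_needs: dict  # service -> written business justification


def naive_score(host: Host):
    """State-only scoring, like a tool that cannot ask 'is it used?':
    every enabled item on the list is a failure.
    Returns (failures, passes), each sorted."""
    failures = sorted(s for s in DISABLE_UNLESS_NEEDED if s in host.started)
    passes = sorted(s for s in DISABLE_UNLESS_NEEDED if s not in host.started)
    return failures, passes


def context_aware_score(host: Host):
    """Same items, but an enabled service with a documented need is an
    accepted risk for a reviewer to confirm, not a failure.
    Returns (failures, accepted, passes)."""
    failures, accepted, passes = [], [], []
    for svc in sorted(DISABLE_UNLESS_NEEDED):
        if svc not in host.started:
            passes.append(svc)
        elif svc in host.documented_needs:
            accepted.append((svc, host.documented_needs[svc]))
        else:
            failures.append(svc)
    return failures, accepted, passes


def compliance_pct(failures, total=len(DISABLE_UNLESS_NEEDED)) -> float:
    """Percentage of list items not counted as failures."""
    return round(100.0 * (total - len(failures)) / total, 1)


def demo():
    """Score one constructed web server both ways and return the results."""
    web = Host(
        name="web01",
        started=parse_started_services(SAMPLE_NET_START),
        documented_needs={
            "World Wide Web Publishing Service": "hosts the public web site",
        },
    )
    naive_fail, _ = naive_score(web)
    aware_fail, accepted, _ = context_aware_score(web)
    return {
        "naive_failures": naive_fail,    # IIS counted as a failure
        "naive_pct": compliance_pct(naive_fail),
        "aware_failures": aware_fail,    # only the undocumented Telnet
        "accepted": accepted,            # IIS, with its justification
        "aware_pct": compliance_pct(aware_fail),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two scorers see the same box. The state-only one reports the web service as a finding and scores the host at 50%, which is exactly the kind of number a press release or auditor can misread; the context-aware one scores 75% with Telnet as the sole failure and hands the reviewer a list of accepted risks to confirm. Neither result says the host is "secure"; the second just stops penalising a service the host exists to run.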
A blast from the past.
Internet security woes inflated, experts say
By Gary H. Anthes
OCT 16, 1995
http://www.computerworld.com/news/1995/story/0,11280,9990,00.html