TECH TIPS
Network security often full of holes

By Byron Acohido
USA Today

Virginia Tech's Randy Marchany used to think the network of 24,000 computers he manages for the state's largest university was adequately protected against cyberattacks.

But that was before he got his hands on new software distributed for free by an organization called the Center for Internet Security.

The software quickly found vulnerabilities in Virginia Tech's network. The center also gave Marchany a simple program to find and close common security holes, improving the network's security threefold.

"It raised the bar much higher," Marchany said.

As people rely on the Internet and computer networks more, the security of those networks is increasingly being breached — threatening the future of electronic commerce and even national security.

Software makers say they're pushing to improve security — but that's only part of the fix, experts say. Getting individuals, companies and institutions to be smarter about using software is the other part.

And the little-known Center for Internet Security has arrived with a potential silver bullet that promises to go a long way toward making that happen.

Its aim: give all computer users a set of "best practice" guidelines to secure their software — and give them the software tools to do it. That simple practice would close many of the security holes in the operating systems that drive the Internet, center officials say.

The security situation is dire. Microsoft, IBM, Sun Microsystems and other software makers have left their operating systems vulnerable while pumping out feature-rich systems configured to shift more commerce onto the Web.

The number of known security holes rose 124 percent to 2,437 last year. Computer attacks shot up 160 percent to more than 52,000, said the Computer Emergency Response Team. Last year alone, the devastating Code Red virus and its more invasive cousin, the Nimda worm, struck hundreds of thousands of computers, together causing more than $3 billion in damage.

What's more Microsoft Chairman Bill Gates recently declared security the software giant's No.1 priority.

Yet no one expects software makers alone to solve the problem. Computer users can do much to deflect cyberattacks. That's where the center comes in.

A nonprofit entity, it was conceived in 2000 by some of the best U.S. computer-security minds, which organized a meeting of 20 banking, manufacturing, government and security officials. The discussion turned to how difficult it had become to keep track of security holes and patches proliferating across networks.

The center has moved quickly to empower computer users by:

• Issuing benchmarks. The center's members hashed out "best practices benchmarks" for configuring operating systems.

The benchmarks are a response to software makers' habit of configuring software with every possible feature turned on so that every computer, for instance, could handle e-mail, host Web pages, play video files and connect with wireless devices. But that practice provides more doors for hackers to break through.

The benchmarks, drawn up and tested by center volunteers, outline steps for disabling unused features and keeping up to date on installing security patches.

• Keeping score. The center's tools also provide a security rating based on a 1 to 10 scale — so people can better quantify how secure their systems are.