How does your Net security rate?

Are your servers as secure as Fort Knox or as open as a revolving door?

The newly-formed Center for Internet Security hopes to answer that question by creating a suite of tests that would give computer owners a rating--on a scale of 1 to 10--of how good their security is.

A level-10 server could protect an e-commerce company's virtual gold, while a level-1 would be an online vandal's playground.

"Our members are just saying that they would like to see global benchmarks," said Alan Paller, director of research for the Systems Administration Networking and Security (SANS) Institute, a founding member of the 71-member centre.

"The banks want these types of benchmarks. The government wants these types of benchmarks. The centre's work is a guide that people will use."

Such a rating system is necessary for the industry to gauge how secure its virtual assets are, said Paller. In the future, insurance companies could base the cost of so-called "hacking" policies on the rating.

The government may require financial institutions to meet a minimum rating, and companies that don't meet the minimum may find themselves the target of a liability lawsuit, he said.

Currently, the centre's members are working together to create a rating system for Solaris, Linux and Windows 2000, Paller said. The guidelines could be completed as early as March 2001.

But can such a global, all-in-one rating work?

"It's very difficult to assign a single number to represent how secure a server is," said "Weld Pond," the research director for security firm @Stake, who prefers to use his hacker handle.

For example, while Underwriters Laboratories has a single number for safes--representing how many hours an expert safe cracker would need to break in--that model doesn't work in computer security, he said.

However, giving people an idea of how many holes they have plugged is a good idea, he said.

"People, generally, have no idea about how to check their computers for security problems. If this group can do this in an easy way, that's a good thing," said Weld Pond.

"The only problem I see is, it finds only well-known problems in the most mainstream of software," he added. "Many times it's the somewhat obscure application that opens a computer up to be compromised.

"Even a server that rates a 9 out of 10 could be compromised in short time, if an attacker knew the single flaw on the system."

The Center--founded November 1--consists of 71 companies, academic institutions and government organizations, including the Department of Defense, the National Institute of Standards and Technology, Intel, VISA International, Chevron and AT&T, among others.

The actual creators of operating systems are not welcome--yet, said Paller.

"Early members asked that the vendors not be involved," he said, for fear they might "hijack the process."
