[ISN] NIST guides target e-mail, patches

From: InfoSec News (isnat_private)
Date: Fri Apr 05 2002 - 00:35:41 PST

  • Next message: InfoSec News: "Re: [ISN] Army security expert emphasizes vigilance and training"

    http://www.fcw.com/fcw/articles/2002/0401/web-nist-04-04-02.asp
    
    By Diane Frank 
    April 4, 2002
    
    The National Institute of Standards and Technology released new draft
    guidance April 3 for dealing with two of the most common sources of
    security breaches: poorly configured e-mail servers and the failure to
    apply software patches.
    
    The two draft guides are part of a series of guidance developed by
    NIST's Computer Security Division and are available through its
    Computer Security Resource Center Web site (csrc.nist.gov). NIST
    serves as the primary technical security resource for civilian
    agencies under the Computer Security Act of 1987.
    
    Other than Web servers, most viruses, worms and other malicious code
    are written for e-mail applications. Beyond disrupting e-mail service,
    attackers often will use e-mail to obtain or change sensitive
    information and even to gain access to the rest of an organization's
    network, according to the guide.
    
    NIST's e-mail guide is very technical and is intended for systems
    administrators who are responsible for installing, configuring and
    maintaining e-mail servers and clients. It includes general
    information on securing any e-mail application, but it also provides
    specifics for securing the most popular e-mail applications 
    Microsoft Corp.'s Exchange Server and Linux and Unix sendmail.
    
    Comments on the e-mail guide are due to Wayne Jansen (jansenat_private)  
    by April 30.
    
    NIST's draft guide on patches is intended for both managers and
    systems administrators.
    
    The guide addresses the low implementation rate of commercial software
    patches, which experts attribute to the success of most security
    attacks. Cyberattackers take advantage of known vulnerabilities,
    gaining access because systems administrators have not applied free
    patches that are available from multiple sources
    
    Several efforts are under way in government to help agencies apply the
    patches they need, including a new program available through the
    General Services Administration's Federal Computer Incident Response
    Center. But the basic problem cited by public- and private-sector
    experts is the lack of any standard process for applying the patches
    and the lack of oversight from managers to enforce the application.
    
    The NIST guide outlines a "systematic, accountable and documented
    process for handling security patches and vulnerabilities," according
    to NIST. IT also offers specific advice on regularly identifying
    vulnerabilities and obtaining patches; testing the effectiveness of
    the patches; and installing the patches on all necessary systems.
    
    Comments on this guide are due back to Peter Mell
    (peter.mellat_private) by May 2.
     
      
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Apr 05 2002 - 03:15:11 PST