http://www.gcn.com/online/vol1_no1/44972-1.html

By William Jackson
09/06/07

The National Institute of Standards and Technology has updated its security guidelines for dealing with active content, providing an overview of the active content and mobile code in use today and laying out a framework for making security decisions about their use within an organization. A draft of Special Publication 800-28 Revision 2 [1], titled “Guidelines on Active Content and Mobile Code,” has been released for public comment.

NIST also has released, in final form, its report on the Common Vulnerability Scoring System (CVSS), NIST Interagency Report 7435 [2]. CVSS is a scheme for producing consistent, comparable descriptions of information technology vulnerabilities; CVSS scores are used in the National Vulnerability Database.

In SP 800-28, NIST defines active content as, “broadly speaking … electronic documents that can carry out or trigger actions automatically without an individual directly or knowingly invoking the actions.” Incorporating active content such as Java applets, JavaScript and other scripts, and macros can add functionality to documents, e-mails, Web pages and files in a wide variety of formats, but NIST calls their security vulnerabilities “insidious.” The use of these technologies is becoming common across a range of products and services, on desktop computers, servers and gateway devices alike.

NIST offers four broad guidelines for organizations dealing with active content:

* Understand the concept of active content and how it affects the security of their systems;
* Develop policies for active content, covering both its creation within the organization and its reception from outside;
* Be aware of the specific benefits of using active content and balance them against the associated risks; and
* Maintain consistent systemwide security when configuring and integrating products involving active content into their environments.

Comments on the draft of SP 800-28 Revision 2 should be e-mailed by Oct. 12 to 800-28comments (at) nist.gov with “Comments on SP 800-28” in the subject line.

CVSS assigns a vulnerability a score from 0 to 10 in each of three metric groups: a base score that captures the intrinsic characteristics of the vulnerability, which do not change over time or across environments; a temporal score that reflects characteristics that do change over time, such as the availability of exploit code or of a fix; and an environmental score that reflects characteristics unique to a particular user’s environment. CVSS scores can be combined with the security categories defined in Federal Information Processing Standard 199 to obtain impact scores tailored to an agency’s environment.

[1] http://csrc.nist.gov/publications/drafts/sp800-28-rev2/Draft-SP800-28v2.pdf
[2] http://csrc.nist.gov/publications/nistir/ir7435/NISTIR-7435.pdf
This archive was generated by hypermail 2.1.3 : Fri Sep 07 2007 - 03:59:54 PDT