[SECURITY-L] NIST guides target e-mail, patches

Daniela Regina Barbetti Silva daniela em ccuec.unicamp.br
Fri Apr 5 11:11:20 -03 2002


----- Forwarded message from Nelson Murilo <nelson em pangeia.com.br> -----

From: Nelson Murilo <nelson em pangeia.com.br>
Subject: [S] NIST guides target e-mail, patches
To: seguranca em pangeia.com.br
Date: Fri, 5 Apr 2002 09:05:27 -0300


[http://www.fcw.com/fcw/articles/2002/0401/web-nist-04-04-02.asp]

By Diane Frank 
April 4, 2002

The National Institute of Standards and Technology released new draft
guidance April 3 for dealing with two of the most common sources of
security breaches: poorly configured e-mail servers and the failure to
apply software patches.

The two draft guides are part of a series of guidance developed by
NIST's Computer Security Division and are available through its
Computer Security Resource Center Web site (csrc.nist.gov). NIST
serves as the primary technical security resource for civilian
agencies under the Computer Security Act of 1987.

Other than malicious code aimed at Web servers, most viruses, worms and
other malicious code are written for e-mail applications. Beyond
disrupting e-mail service, attackers often use e-mail to obtain or
change sensitive information and even to gain access to the rest of an
organization's network, according to the guide.

NIST's e-mail guide is very technical and is intended for systems
administrators who are responsible for installing, configuring and
maintaining e-mail servers and clients. It includes general
information on securing any e-mail application, but it also provides
specifics for securing the most popular e-mail applications —
Microsoft Corp.'s Exchange Server and Linux and Unix sendmail.

Comments on the e-mail guide are due to Wayne Jansen (jansen em nist.gov)
by April 30.

NIST's draft guide on patches is intended for both managers and
systems administrators.

The guide addresses the low implementation rate of commercial software
patches, to which experts attribute the success of most security
attacks. Cyberattackers take advantage of known vulnerabilities,
gaining access because systems administrators have not applied free
patches that are available from multiple sources.

Several efforts are under way in government to help agencies apply the
patches they need, including a new program available through the
General Services Administration's Federal Computer Incident Response
Center. But the basic problem cited by public- and private-sector
experts is the lack of any standard process for applying the patches
and the lack of oversight from managers to enforce the application.

The NIST guide outlines a "systematic, accountable and documented
process for handling security patches and vulnerabilities," according
to NIST. It also offers specific advice on regularly identifying
vulnerabilities and obtaining patches; testing the effectiveness of
the patches; and installing the patches on all necessary systems.

Comments on this guide are due back to Peter Mell
(peter.mell em nist.gov) by May 2.

----- End forwarded message -----