Published: 28 Jul 2005
"We're with the government, and we're here to help."
Not the most reassuring words, unless you need strong security guidance or want to conduct a security risk assessment--then the federal government is indeed your friend. The National Institute of Standards and Technology (NIST) has a computer security division that creates security standards, policies and procedures used by the government to secure its federal IT systems. Even if you are not working for the feds, these security standards provide a solid starting point to secure your enterprise and analyze your security posture.
Of the many guides NIST provides as part of its special publication's 800 series (http://csrc.nist. gov/publications/nistpubs/), I have found two guides particularly easy to read and useful:
The Computer Security Incident Handling Guide (800-61) covers everything from organizing an incident response team before an event to putting preventive measures in place and providing checklists for use in the heat of the battle. Incident planning includes how to handle malicious code and deal with unauthorized access. It provides containment, eradication and recovery strategies, and supplies a list of recommendations to prevent recurrence.
However, since guides can't anticipate every conceivable possibility within every system, its advice is somewhat high-level. For example, the text states that a compromise may force the organization to require all users of an application, system or trust domain--or perhaps the entire organization--to change their passwords, but it doesn't state precisely when all users should be forced to make the change.
The Security Self-Assessment Guide for Informa-tion Technology Systems (800-26) takes users through the review process, checking for proper security controls and ranking the maturity level of those processes.
The checklist portion of the self-assessment more specifically addresses three major areas--management, operational and technical controls--and covers everything from risk management and system security plans to data integrity, security awareness training and incident response capabilities. For example, the "Audit Trails" section asks whether activity involves access to and modification of sensitive or critical files logged. Does the audit trail provide a trace of user actions? Is offline storage of audit logs retained for a period of time, and, if so, is access to the logs strictly controlled? If you can answer "yes" to these procedural questions, you can probably sleep a little better at night.
Other time-savers are the NIST checklists, based on Defense Information Systems Agency guidelines (http://csrc.nist.gov/pcig/cig.html). These guidelines provide recommended configurations on everything from how a Cisco Systems IOS router should be securely configured to setting up a DNS server.
One more suggestion: If you need rock solid configuration guidance, head over to the Center for Information Security (www.cisecurity.com). CIS has walk-throughs on platforms ranging from Windows XP to Solaris 10, Linux to BSD. It also has guidelines for securely setting up Oracle and Apache for use in a public-facing production environment, and provides benchmark and scoring tools to work out how secure your systems have been configured.
All of these tools could save you a ton of time and money. Check them out.