[SCADASEC] Draft guidance for securing servers

Bob Radvanovsky rsradvan at unixworks.net
Mon May 12 06:58:05 CDT 2008 

> http://www.gcn.com/online/vol1_no1/46239-1.html
> 
> By William Jackson
> GCN.com
> 05/08/08
> 
> The National Institute of Standards and Technology is seeking comment on 
> its draft guidelines for securing servers, released this week.
> 
> NIST Special Publication 800-123 [1], "Guide to General Server 
> Security," makes recommendations for securing server operating systems 
> and softwarein addition to maintaining a secure configuration with 
> patches and software upgrades, security testing, log monitoring and 
> backups of data and operating system files.
> 
> The document addresses common servers that use general operating systems 
> and are deployed in outward- and inward-facing locations. The 
> recommendations apply to a variety of typical servers, such as Web, 
> e-mail, database, infrastructure management and file servers. Much of 
> the content was derived from SP 800-44 Version 2, "Guidelines on 
> Securing Public Web Servers," and SP 800-45 Version 2, "Guidelines on 
> Electronic Mail Security."
> 
> Common security threats addressed include exploitation of software bugs 
> to gain unauthorized access, denial-of-service attacks, exposure or 
> corruption of sensitive data, unsecured transmission of data, use of a 
> server breach to gain access to other network resources and use of a 
> compromised server to launch attacks.
> 
> NIST recommended that security plans be considered from the initial 
> planning stage because addressing security is more difficult after 
> deployment. "Organizations are more likely to make decisions about 
> configuring computers appropriately and consistently when they develop 
> and use a detailed, well-designed deployment plan," the document said. 
> It also advised agencies to consider human resources required for 
> deployment and operational phases, including training requirements.
> 
> To ensure the security of a server and the supporting network 
> infrastructure, NIST recommends:
> 
>     * Organizationwide information system security policy.
>     * Configuration/change control and management.
>     * Risk assessment and management.
>     * Standardized software configurations that satisfy the information 
>       system security policy.
>     * Security awareness and training.
>     * Contingency planning, continuity-of-operations and disaster 
>       recovery planning.
>     * Certification and accreditation.
> 
> In deployment server operating systems, default hardware and software 
> configurations usually must be modified to achieve adequate security 
> rather than maximum functionality and ease of use. "Because 
> manufacturers are not aware of each organization's security needs, each 
> server administrator must configure new servers to reflect their 
> organization's security requirements and reconfigure them as those 
> requirements change," NIST advised. "Using security configuration guides 
> or checklists can assist administrators in securing systems consistently 
> and efficiently."
> 
> Similar efforts are needed for server applications. "The overarching 
> principle is to install the minimal amount of services required and 
> eliminate any known vulnerabilities through patches or upgrades," the 
> document said.
> 
> Comments on the draft should be e-mailed [2] by June 13, with the phrase 
> "Comments SP 800-123" in the subject line.
> 
> [1] http://csrc.nist.gov/publications/drafts/800-123/Draft-SP800-123.pdf 
> [2] 800-123comments (at) nist.gov
>

More information about the scadasec mailing list