Cyber Security Institute

Thursday, May 08, 2008

Draft guidance for securing servers

The National Institute of Standards and Technology is seeking comment on its draft guidelines for securing servers, released this week. NIST Special Publication 800-123 [1], “Guide to General Server Security,” makes recommendations for securing server operating systems and software, in addition to maintaining a secure configuration with patches and software upgrades, security testing, log monitoring and backups of data and operating system files. The recommendations apply to a variety of typical servers, such as Web, e-mail, database, infrastructure management and file servers.

Common security threats addressed include exploitation of software bugs to gain unauthorized access, denial-of-service attacks, exposure or corruption of sensitive data, unsecured transmission of data, use of a server breach to gain access to other network resources and use of a compromised server to launch attacks.

NIST recommended that security plans be considered from the initial planning stage because addressing security is more difficult after deployment.

“Organizations are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan,” the document said.

* Standardized software configurations that satisfy the information system security policy….

“Because manufacturers are not aware of each organization’s security needs, each server administrator must configure new servers to reflect their organization’s security requirements and reconfigure them as those requirements change,” NIST advised.

“The overarching principle is to install the minimal amount of services required and eliminate any known vulnerabilities through patches or upgrades,” the document said.

Posted on 05/08