
[ISN] NIST makes lists

Subject: [ISN] NIST makes lists
Date: Fri, 20 Aug 2004 03:26:38 -0500 (CDT)
http://www.fcw.com/fcw/articles/2004/0816/web-nist-08-19-04.asp

By Florence Olsen 
Aug. 19, 2004

A program that experts have said is the missing piece in federal 
efforts to promote secure computing will be ready later this year.

Officials at the National Institute of Standards and Technology 
announced that a security configuration checklists program for 
information technology products, including a logo that vendors can put 
on their wares, [1] is on track for completion before the end of 2004.

A security configuration checklist describes the software options and 
settings that users can choose to minimize the security risks 
associated with a particular type of hardware or software. More 
commonly referred to as lockdown guides or security benchmarks, 
security checklists are basically documents for securing IT hardware 
or software in different settings. Security checklists for home 
computer users, for example, would be different from those for federal 
computer users handling sensitive data.

A checklist could include scripts, templates and pointers to Web sites 
where users can download software updates or firmware upgrades to make 
products more secure from attack by viruses and other malicious code 
spread via the Web.

NIST officials said they plan to distribute the lists through a Web 
portal, checklists.nist.gov. The role of NIST employees will be to 
screen checklists to see that they meet the program's requirements, 
publish the checklists for public review and, finally, to add 
checklists to the repository and remove them when they become 
outdated.

NIST officials have already published two security checklists, one for 
Microsoft Corp.'s Windows 2000 and XP Professional. They can be 
downloaded from a NIST Web site: csrc.nist.gov/itsec.

NIST officials will work with other organizations that produce 
security checklists, including the Defense Information Systems Agency 
and National Security Agency, and the nonprofit Center for Internet 
Security. The checklist program, however, has no connection to the 
federal government's National Information Assurance Partnership, a 
security program for testing products in a laboratory setting.

The scope of the security checklist program is broad, officials said, 
and will include operating systems, database software, Web servers, 
e-mail servers, routers, intrusion-detection systems, virtual private 
networks, biometric devices, smart cards, telecommunications switches 
and Web browsers.

To locate a particular checklist, users will be able to search with at 
least 14 different fields, including checklist point of contact, 
product manufacturer name, product name, product version and platforms 
on which the checklist was tested.

NIST officials envision the portal being used by everyone, including 
product developers, government agencies, businesses and citizens.

NIST's authority for creating the security checklist program comes 
from a 2002 law, the Cyber Security Research and Development Act. The 
Homeland Security Department is listed on NIST's Web site as a program 
sponsor.

[1] http://csrc.nist.gov/publications/drafts.html


