Tuesday, 13 May 2008

NIST publication (SP 800-123)

Interesting reading:

http://csrc.nist.gov/publications/drafts/800-123/Draft-SP800-123.pdf

NIST Special Publication 800-123 [1], "Guide to General Server
Security," makes recommendations for securing server operating systems
and software, in addition to maintaining a secure configuration with
patches and software upgrades, security testing, log monitoring and
backups of data and operating system files.

The document addresses common servers that use general operating systems
and are deployed in outward- and inward-facing locations. The
recommendations apply to a variety of typical servers, such as Web,
e-mail, database, infrastructure management and file servers. Much of
the content was derived from SP 800-44 Version 2, "Guidelines on
Securing Public Web Servers," and SP 800-45 Version 2, "Guidelines on
Electronic Mail Security."

Common security threats addressed include exploitation of software bugs
to gain unauthorized access, denial-of-service attacks, exposure or
corruption of sensitive data, unsecured transmission of data, use of a
server breach to gain access to other network resources and use of a
compromised server to launch attacks.

NIST recommended that security plans be considered from the initial
planning stage because addressing security is more difficult after
deployment. "Organizations are more likely to make decisions about
configuring computers appropriately and consistently when they develop
and use a detailed, well-designed deployment plan," the document said.
It also advised agencies to consider human resources required for
deployment and operational phases, including training requirements.

To ensure the security of a server and the supporting network
infrastructure, NIST recommends:

* Organizationwide information system security policy.
* Configuration/change control and management.
* Risk assessment and management.
* Standardized software configurations that satisfy the information
system security policy.
* Security awareness and training.
* Contingency planning, continuity-of-operations and disaster
recovery planning.
* Certification and accreditation.
