NIST guide gets into security routine
- By Diane Frank
- Feb 06, 2002
"Guideline on Network Security Testing"
The National Institute of Standards and Technology released a draft guide
Feb. 4 with recommendations for network administrators on when and how to
test for security vulnerabilities within the life cycle of a system or network.
The NIST Computer Security Division's draft "Guideline on Network Security
Testing" provides basic information about security testing that can enable
administrators to prioritize requirements in accordance with the limited
budgets agencies have available for this function.
This is particularly helpful as agencies continue to work toward the
security management requirements in the Government Information Security
Reform Act. Agencies turned in their first GISRA assessments in October
2001, and the Office of Management and Budget plans to release its review
of the assessments this week.
The NIST draft guide includes links to and descriptions of common testing
tools, a chart comparing the strengths and weaknesses of the different testing
techniques outlined in the guide and a summary table.
It is intended for more technical officials because it focuses on security
testing of firewalls, routers and switches, intrusion detection systems,
Web and e-mail servers, and other servers. But many of the explanations
of the testing techniques are aimed at program officials as well.
"The primary aim of the document is to help administrators and managers
get started with a program for testing on a routine basis," according to
the Computer Security Division's site. "The methodology recommends focusing
first on those systems that are accessible externally, e.g., firewalls,
Web servers, etc., and then moving on to other systems as resources permit."
Comments are due by March 6 to John Wack at email@example.com, and the division is particularly interested in comments
on whether the recommended testing schedules are realistic within agencies'
NIST also this week announced the final publication of two guides: Special
Publication 800-33, "Underlying Technical Models for Information Technology
Security"; and Special Publication 800-30, "Risk Management Guide for Information
The first is intended to provide a description of lessons learned, good
practices and technical considerations that should go into the design and
development of security capabilities. The second provides an overview of
the risk management process including how it fits into the system development
life cycle and the roles for personnel involved in the process and describes
a risk assessment methodology for agencies to follow.