NIST guides target e-mail, patches

  • By Diane Frank
  • Apr 03, 2002

Draft Special Publication 800-45: Guidelines on Electronic Mail Security

Related Links

Draft Special Publication 800-40: Procedures for Handling Security Patches

"Patch system in the works"

The National Institute of Standards and Technology released new draft guidance April 3 for dealing with two of the most common sources of security breaches: poorly configured e-mail servers and the failure to apply software patches.

The two draft guides are part of a series of guidance developed by NIST's Computer Security Division and are available through its Computer Security Resource Center Web site (csrc.nist.gov). NIST serves as the primary technical security resource for civilian agencies under the Computer Security Act of 1987.

Other than Web servers, most viruses, worms and other malicious code are written for e-mail applications. Beyond disrupting e-mail service, attackers often will use e-mail to obtain or change sensitive information and even to gain access to the rest of an organization's network, according to the guide.

NIST's e-mail guide is very technical and is intended for systems administrators who are responsible for installing, configuring and maintaining e-mail servers and clients. It includes general information on securing any e-mail application, but it also provides specifics for securing the most popular e-mail applications — Microsoft Corp.'s Exchange Server and Linux and Unix sendmail.

Comments on the e-mail guide are due to Wayne Jansen (jansen@nist.gov) by April 30.

NIST's draft guide on patches is intended for both managers and systems administrators.

The guide addresses the low implementation rate of commercial software patches, which experts attribute to the success of most security attacks. Cyberattackers take advantage of known vulnerabilities, gaining access because systems administrators have not applied free patches that are available from multiple sources

Several efforts are under way in government to help agencies apply the patches they need, including a new program available through the General Services Administration's Federal Computer Incident Response Center. But the basic problem cited by public- and private-sector experts is the lack of any standard process for applying the patches and the lack of oversight from managers to enforce the application.

The NIST guide outlines a "systematic, accountable and documented process for handling security patches and vulnerabilities," according to NIST. IT also offers specific advice on regularly identifying vulnerabilities and obtaining patches; testing the effectiveness of the patches; and installing the patches on all necessary systems.

Comments on this guide are due back to Peter Mell (peter.mell@nist.gov) by May 2.

Featured

  • Cybersecurity
    malware detection (Alexander Yakimov/Shutterstock.com)

    Microsoft targets copycat influence websites

    Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

  • Cybersecurity
    secure network

    FAA explores shifting its network to FISMA high

    The Federal Aviation Administration is exploring an upgrade to the information security categorization of IT systems as part of air traffic control modernization.

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.