NIST guides target e-mail, patches

  • By Diane Frank
  • Apr 03, 2002

Draft Special Publication 800-45: Guidelines on Electronic Mail Security

Related Links

Draft Special Publication 800-40: Procedures for Handling Security Patches

"Patch system in the works"

The National Institute of Standards and Technology released new draft guidance April 3 for dealing with two of the most common sources of security breaches: poorly configured e-mail servers and the failure to apply software patches.

The two draft guides are part of a series of guidance developed by NIST's Computer Security Division and are available through its Computer Security Resource Center Web site (csrc.nist.gov). NIST serves as the primary technical security resource for civilian agencies under the Computer Security Act of 1987.

Other than Web servers, most viruses, worms and other malicious code are written for e-mail applications. Beyond disrupting e-mail service, attackers often will use e-mail to obtain or change sensitive information and even to gain access to the rest of an organization's network, according to the guide.

NIST's e-mail guide is very technical and is intended for systems administrators who are responsible for installing, configuring and maintaining e-mail servers and clients. It includes general information on securing any e-mail application, but it also provides specifics for securing the most popular e-mail applications — Microsoft Corp.'s Exchange Server and Linux and Unix sendmail.

Comments on the e-mail guide are due to Wayne Jansen ([email protected]) by April 30.

NIST's draft guide on patches is intended for both managers and systems administrators.

The guide addresses the low implementation rate of commercial software patches, which experts attribute to the success of most security attacks. Cyberattackers take advantage of known vulnerabilities, gaining access because systems administrators have not applied free patches that are available from multiple sources

Several efforts are under way in government to help agencies apply the patches they need, including a new program available through the General Services Administration's Federal Computer Incident Response Center. But the basic problem cited by public- and private-sector experts is the lack of any standard process for applying the patches and the lack of oversight from managers to enforce the application.

The NIST guide outlines a "systematic, accountable and documented process for handling security patches and vulnerabilities," according to NIST. IT also offers specific advice on regularly identifying vulnerabilities and obtaining patches; testing the effectiveness of the patches; and installing the patches on all necessary systems.

Comments on this guide are due back to Peter Mell ([email protected]) by May 2.

Featured

  • CLOUD
    pentagon cloud

    Court orders temporary block on JEDI

    JEDI, the Defense Department’s multi-billion-dollar cloud procurement, is officially on hold, according to a federal court announcement Feb. 13.

  • Defense
    mock-up of the shore-based Aegis Combat Information Center

    Pentagon focuses on research, cyber in 2021 budget request

    The Defense Department wants to significantly increase funds for research, cyber, and cloud.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.