NIST guides target e-mail, patches
- By Diane Frank
- Apr 03, 2002
Draft Special Publication 800-45: Guidelines on Electronic Mail Security
The National Institute of Standards and Technology released new draft guidance
April 3 for dealing with two of the most common sources of security breaches:
poorly configured e-mail servers and the failure to apply software patches.
The two draft guides are part of a series of guidance developed by NIST's
Computer Security Division and are available through its Computer Security
Resource Center Web site (csrc.nist.gov). NIST serves
as the primary technical security resource for civilian agencies under the
Computer Security Act of 1987.
Apart from Web servers, e-mail applications are the most common target
for viruses, worms and other malicious code. Beyond disrupting e-mail service, attackers
often use e-mail to obtain or change sensitive information and even
to gain access to the rest of an organization's network, according to the
guide.
NIST's e-mail guide is very technical and is intended for systems administrators
who are responsible for installing, configuring and maintaining e-mail servers
and clients. It includes general information on securing any e-mail application,
but it also provides specifics for securing the most popular e-mail applications:
Microsoft Corp.'s Exchange Server and sendmail on Linux and Unix.
Comments on the e-mail guide are due to Wayne Jansen ([email protected]) by April 30.
NIST's draft guide on patches is intended for both managers and systems
administrators.
The guide addresses the low implementation rate of commercial software
patches, to which experts attribute the success of most security attacks.
Cyberattackers take advantage of known vulnerabilities, gaining access because
systems administrators have not applied free patches that are available
from multiple sources.
Several efforts are under way in government to help agencies apply the
patches they need, including a new program available through the General
Services Administration's Federal Computer Incident Response Center. But
the basic problem cited by public- and private-sector experts is the lack
of any standard process for applying the patches and the lack of oversight
from managers to enforce the application.
The NIST guide outlines a "systematic, accountable and documented process
for handling security patches and vulnerabilities," according to NIST. It
also offers specific advice on regularly identifying vulnerabilities and
obtaining patches; testing the effectiveness of the patches; and installing
the patches on all necessary systems.
Comments on this guide are due back to Peter Mell ([email protected]) by May 2.