NIST guides target e-mail, patches

  • By Diane Frank
  • Apr 03, 2002

Draft Special Publication 800-45: Guidelines on Electronic Mail Security

Related Links

Draft Special Publication 800-40: Procedures for Handling Security Patches

"Patch system in the works"

The National Institute of Standards and Technology released new draft guidance April 3 for dealing with two of the most common sources of security breaches: poorly configured e-mail servers and the failure to apply software patches.

The two draft guides are part of a series of guidance developed by NIST's Computer Security Division and are available through its Computer Security Resource Center Web site (csrc.nist.gov). NIST serves as the primary technical security resource for civilian agencies under the Computer Security Act of 1987.

Other than Web servers, most viruses, worms and other malicious code are written for e-mail applications. Beyond disrupting e-mail service, attackers often will use e-mail to obtain or change sensitive information and even to gain access to the rest of an organization's network, according to the guide.

NIST's e-mail guide is very technical and is intended for systems administrators who are responsible for installing, configuring and maintaining e-mail servers and clients. It includes general information on securing any e-mail application, but it also provides specifics for securing the most popular e-mail applications — Microsoft Corp.'s Exchange Server and Linux and Unix sendmail.

Comments on the e-mail guide are due to Wayne Jansen ([email protected]) by April 30.

NIST's draft guide on patches is intended for both managers and systems administrators.

The guide addresses the low implementation rate of commercial software patches, which experts attribute to the success of most security attacks. Cyberattackers take advantage of known vulnerabilities, gaining access because systems administrators have not applied free patches that are available from multiple sources

Several efforts are under way in government to help agencies apply the patches they need, including a new program available through the General Services Administration's Federal Computer Incident Response Center. But the basic problem cited by public- and private-sector experts is the lack of any standard process for applying the patches and the lack of oversight from managers to enforce the application.

The NIST guide outlines a "systematic, accountable and documented process for handling security patches and vulnerabilities," according to NIST. IT also offers specific advice on regularly identifying vulnerabilities and obtaining patches; testing the effectiveness of the patches; and installing the patches on all necessary systems.

Comments on this guide are due back to Peter Mell ([email protected]) by May 2.

Featured

  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.