Cyber Eye: NIST opens a portal to security
NIST opens a portal to security
- By William Jackson
- Mar 26, 2002
There's no silver bullet for better security, but csrc.nist.gov
, a one-stop online resource developed by the National Institute of Standards and Technology's IT Lab, has plenty of other ammunition.
Anyone responsible for securing federal networks or systems ought to look at the wealth of material about new security alerts. The site has a searchable index of vulnerabilities and patches, as well as draft documents and proposed standards for IT security.
The lab's computer security group works on cryptographic standards and applications and does security research and outreach. It develops standards for sensitive but unclassified systems, and it runs testing programs for commercial products.
If you want to know what your fellow administrators are doing to protect their systems, follow the site's link to the Federal Agency Security Practices page. FASP grew out of the CIO Council's Best Security Practices pilot to disseminate the best methods agencies have identified. In addition to the original set of best practices, the FASP site posts agency policies and procedures and a lengthy Q&A section about security.
Among other resources is the ICAT security metabase, developed at NIST several years ago. It indexes vulnerabilities and patches gathered from the Federal Computer Incident Response Capability, the CIRC Coordination Center, and other government and independent tracking organizations.
ICAT uses the CVE taxonomy of common vulnerabilities and exposures, developed by Mitre Corp. of Bedford, Mass., to bring order to the chaos of security reporting. ICAT is searchable by vendor, product or keyword, and it can filter searches in several categories.
The publications section has draft documents on everything from guidance for securing public Web servers to administering networks with Microsoft Windows 2000 operating systems.
The site recommends that agencies 'give substantial consideration to buying products and services compatible with the CVE naming scheme.'
As the point agency in developing standards for government information security, NIST has accumulated plenty of practical tips. Now it's easy for those who need them to find them.
Check it out.
William Jackson is freelance writer and the author of the CyberEye blog.