NIST guidebooks advise agencies to get on the same security page
- By William Jackson
- Oct 18, 2002
Keep up. That's how the National Institute of Standards and Technology advises agencies to safeguard their systems.
A series of NIST special publications last month said agencies need to understand and follow the Common Vulnerabilities and Exposures naming scheme, develop security patch management procedures, and protect connections to remote users and other systems.
Special Publication 800-40 deals with security patches, 800-46 with telecommuting and broadband communications, 800-47 with interconnected systems and 800-51 with the CVE naming scheme. All are available at csrc.nist.gov/publications.
The Computer Security Act of 1987 made NIST's IT Laboratory responsible for technical advice to agencies that handle sensitive but unclassified data. Failure to update software patches 'is the most common mistake made by IT professionals,' NIST said, and it's a daunting job in view of the number of vulnerabilities being discovered and patches being released.
The guidelines recommend forming patch and vulnerability teams to track software and hardware and monitor patch installation. Such teams would not, however, 'diminish the responsibility of all systems administrators to patch systems under their control,' NIST said.Vulnerability reference book
Agencies also should consider acquiring only security products 'that are compatible with the CVE naming scheme,' NIST said.
The CVE dictionary of common names for vulnerabilities appears at cve.mitre.org. NIST's ICAT search engine, at icat.nist.gov, can search the CVE database by vendor, product name, version number and other parameters.
Agencies should periodically scan their systems for CVE-listed vulnerabilities and use the naming scheme in their own descriptions and security reporting. 'Without a consistent terminology, it is difficult to compare the coverage' of different products, NIST said.
Users or telecommuters who connect to agency networks remotely should have their client software and firewalls vetted by agency experts. Their operating systems and Web browsers need regular security updates, too.
On a larger scale, NIST recommended lifecycle management of connections between enterprise networks, from initial plans through disconnection. It gave a sample memorandum defining the responsibilities of each organization that shares a network link.
William Jackson is freelance writer and the author of the CyberEye blog.