FDCC's role in staying a step ahead of the hackers
- By William Jackson
- Oct 06, 2008
Regardless of the lists and rankings of top security threats, the most dangerous vulnerability is always the one still in your system.
Patching, removing or working around a vulnerability quickly is crucial to good information technology security, but deploying fixes within an enterprise can be a time-consuming process.
Following the principle of 'first, do no harm,' IT and security administrators must ensure before applying a fix that it does not make things worse. Deploying a patch in a heterogeneous environment can easily take three to six weeks, and lapses of three to six months are not uncommon.
One way to ease this problem is configuration management. The fewer hardware platforms and software images there are in an enterprise, the quicker administrators can test and apply patches, helping to close the window of vulnerability.
The federal government is moving toward a standardized environment with the Federal Desktop Core Configuration, which gives a standardized list of settings for Microsoft operating systems. The Security Content Automation Protocol (SCAP) validates that configurations have not been altered from FDCC and checks for other security issues and settings.
The National Institute of Standards and Technology, in cooperation with the Defense and Homeland Security departments and Mitre, developed SCAP. It provides technical specifications for identifying, enumerating, assigning and sharing security-related data. Vendors have developed tools using the protocol to help automate security operations, but as with any protocol, proper implementation requires validation.
Vendors 'must use SCAP-validated tools as they become available to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations,' the Office of Management and Budget said.
NIST established a SCAP validation program last year and has accredited nine independent laboratories to certify evaluation products.
To date, 11 scanning products from nine companies have been certified under SCAP for FDCC scanning. A page hosted on NIST's National Vulnerability Database Web site (GCN.com/1218) lists validated products.
William Jackson is freelance writer and the author of the CyberEye blog.