
[atlarge-discuss] Report on Important Standards for Security Assessments



All fellow members,

  For your consideration and further education.

=================== copy from sans.org follows =================
Subject:
        Status Report on Important Standards for Security Assessments
   Date: Mon, 2 Jun 2003 22:15:17 -0600 (MDT)
   From: The SANS Institute <sans@sans.org>
     To: Jeffrey Williams (SD128219) <jwkckid1@ix.netcom.com>




To: Jeffrey Williams (SD128219)
From: Alan Paller and Stephen Northcutt, the SANS Institute
Subject:  Status Report on important standards for security
assessments

We write to give you a heads up on an upcoming briefing regarding new
minimum standards of due care that are increasingly being required for
securing US government systems subject to FISMA regulations, and for
securing commercial systems subject to ISO 17799 and other standards.
You'll find this note relevant if you:
     (1) perform security assessments,
     (2) hire consultants or assign staff to perform security
          assessments,
     (3) are responsible for securing systems subject to assessments,
     (4) oversee people in categories (1), (2), and (3).
If you know others who fit in these categories, please pass this note
along to them.

All of the new security standards will be discussed in some depth at
the National Information Assurance Leadership Conference V (NIAL) in
Washington, DC, July 21-22.  NIAL also provides the most
comprehensive Internet threat update available outside of classified
intelligence briefings.

NIAL is the one conference that brings together the speakers who won
top ratings at the other national security conferences.  Speakers
like Ed Skoudis, Eric Cole, and Richard Clarke simply have no equals.
NIAL V runs in conjunction with SANSFIRE 2003, SANS' only large security
training conference in Washington, D.C. this summer.   Many of the
SANSFIRE courses are close to capacity so please register this week
to be sure you get the class of your choice; the early registration
discount expires Wednesday, June 4.

Registration information
     for NIAL: http://www.sans.org/sansfire03/nial.php
     for SANSFIRE: http://www.sans.org/sansfire03/

"This was the best opportunity I've had to evaluate the state of
security in the rest of the world, without bias, and see where my
organization stands."
        Robert Drum, Aventis

*********************************************************************
Standards for Security Assessments in Federal Agencies

In its May 16, 2003 report to Congress on the status of security in
federal systems, (required under the Government Information Systems
Reform Act), the US Office of Management and Budget reported that 60%
of all federal systems have had their security controls tested and
evaluated in the past year.  [If NASA is left out of the calculation,
the rest of the government is actually under 50%.]  What is
remarkable about this number is not that it is low.  The problem is, the
inconsistencies in coverage, methodology, and skill level of
evaluators have made many of the tests ineffective.  Agencies do
not even define systems consistently -- some group thousands of
computers together and call them one system. Others do not.
Standards are being drafted to help ensure consistent measures
are used that actually test for critical security data.  These will
be discussed at the conference and available drafts will be handed
out to all attendees.

A great deal of the contents of required security plans are
oft-repeated boilerplate.  Consultants make considerable amounts
of money using automated tools to create cookie-cutter plans.
One federal agency has developed an automated Systems Security
Plan Development Tool to assist users in drafting a System Security
Plan for an unclassified automated information technol
be made available to attendees and the author will be giving an
evening talk to which NIAL and SANSFIRE attendees will be admitted.

*********************************************************************
ISO17799 for Security Assessments

One of the promising developments in security standards is the
international adoption (by the ISO) of the British security
assessment guidelines. ISO17799 provides a high-level look
at what needs to be done to test the security of an information
system. SANS is leading an international effort to bring the
high-level guidance down to ground level.  NIAL attendees
will be given exclusive early access to our draft
of the first of our consensus research Step-by-Step guides to
implementing ISO17799.


*********************************************************************
Standard Configurations for Procuring New Systems and For Testing
 Existing Systems

At a Federal Trade Commission meeting in May, one of the largest
vendors of Windows systems told the audience that that firm would soon be
delivering systems configured in accordance with the new consensus
standards for safe configuration of Windows 2000.   Once systems are
available configured safely, the initial security configuration
workload on system administrators will be greatly reduced and
far more systems will be protected against common worms.
The standards for safe configurations are being developed by a
private-public partnership involving a half-dozen nations.
Benchmarks and free testing tools are already available for
Windows 2000, Solaris, Linux, HP-UX, and Cisco IOS.
You may find them at www.cisecurity.org.  They will be discussed
along with plans for more systems at NIAL V.

*********************************************************************
Standards for Security Skills Certification for System Administrators

CIOs in several large organizations are putting pressure on their
operations staff to ensure that persons with privileged access (root
or administrator passwords, for example) have at least a minimum set of
security skills. Some organizations are using GIAC certification to
meet the new requirement. (www.giac.org) Other efforts are underway to
establish minimum security skills lists for system administrators in
Department of Defense organizations.  Progress on these efforts will
be reported at NIAL V.

===================================================

As we mentioned before, NIAL is running right after SANSFIRE, and
they are both in Washington, D.C.  So we should close by listing the
wonderful, four, five, and six-day tracks that provide immersion
training by the nation's best security teachers.  Security and system
administration staff cannot be expected to have systems meet any
standards if they do not have the opportunity to get up-to-date
training and certifications.

Here's what a few recent students said about these tracks:

   "The most valuable training experience I have had. Really
    opened my eyes to true information security and its
    implementation." (Nicole Saper, Los Alamos National Labs)

   "SANS has proven itself to be the premier leader in training.
    That they focus on security training makes it that much more
    beneficial for our industry.  These guys have it down to an art."
    (Daniel Bahr, The Consultant Registry)


SANS Security +S
(Track 9)
SANS' foundational course that allows someone new to security to
understand the main issues and concepts fast.  This course is
designed to prepare the student for both the CompTIA Security
+ certification as well as the GIAC GISO.

SANS Security Essentials and the CISSP Common Body of Knowledge
(Track 1) Survival skills for system administrators who also have
security responsibility. It is also by far the best training for security
officers who want to know the CISSP material but also want to be able
to look at security through the eyes of system administrators - the
only people who can make sure systems are secured properly.

SANS Security Leadership Essentials Bootcamp for Managers
(Track 10) The CIOs who attended the first run of this program
said, "Just perfect."  It teaches the key concepts and technologies
- from a management perspective.

Firewalls, Perimeter Protection & Virtual Private Networks
(Track 2)
The minimum knowledge needed for anyone implementing and managing
firewalls or VPNs.

Intrusion Detection In-Depth
(Track 3)
The toughest, richest course in security - but an essential program for
anyone involved in intrusion detection.

Hacker Techniques, Exploits, and Incident Handling
(Track 4)
It is tough to stop hackers if you don't know how they get in. This
track teaches you their techniques and how to block them. It is also a
must-attend course for anyone involved in responding to security
incidents.

Securing Windows
(Track 5)
It is extraordinary what Microsoft fails to teach about threats and
how to block them. Track 5 fills the void with countermeasures that can
be used immediately upon returning to the office.

Securing UNIX
(Track 6)
Like Microsoft, the UNIX and Linux vendors fail to teach system
administrators about common threats and how to block them.  Any CIO
who allows UNIX or Linux systems to be deployed in an important
organization without system admins certified in Track 6 material, is
probably guilty of malpractice. In both cases, Windows and Unix, it would be like
doctors sending samples to lab technicians without the right skills.

Auditing Networks, Perimeters, and Systems
(Track 7)
Auditors, even those with auditing certifications, are generally
untrained in the selection and use of automated tools for conducting
in-depth audits of systems.  As more organizations demand security
audits, people with the skills taught in Track 7 will stand out more
and more from the rest of the audit community.

System Forensics, Investigation & Response
(Track 8)
Consultants and law enforcement people - in fact anyone who is called
in after an attack to find out what happened -will need the material
taught in Track 8.

====

That's actually not all. SANSFIRE will hold a large exposition of the
tools and services you need for a robust security program, as well as
nightly programs called SANS@NIGHT that provide updates on the
important new developments in security.

We look forward to seeing you at NIAL V and SANSFIRE.

Registration information:
     for NIAL: http://www.sans.org/sansfire03/nial.php
     for SANSFIRE: http://www.sans.org/sansfire03/


Be afraid - very afraid!  Load yourself with some armor for your
organization.
K. Taylor, U.S. Army Corps of Engineers


--

To change your subscription, address, or other information, visit
http://portal.sans.org


Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 131k members/stakeholders strong!)
"Be precise in the use of words and expect precision from others" -
    Pierre Abelard
================================================================
CEO/DIR. Internet Network Eng. SR. Eng. Network data security
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com
Contact Number: 214-244-4827 or 214-244-3801


