NIST Site Search
Google
Web NIST.org
NIST.gov
Product Research

Advertise on this site
Headlines

»Excel Invalid Object
A remote code execution vulnerability exists within Microsoft Excel which may allow for a remote att ...
»Adobe PDF Buffer Overflow
A vulnerability exists within Adobe Acrobat that allows an attacker to execute arbitrary code on a v ...
»Creative Software AutoUpdate Engine ActiveX stack buffer overflow
The Creative Software AutoUpdate Engine ActiveX control is a component that provides automatic updat ...
»Internet Connection Sharing DoS
A denial of service vulnerability exists within the Internet Connection Sharing service in Microsoft ...
»RPC Memory Exhaustion
The three referenced exploits take advantage of an inherent problem in RPC, in which an attacker get ...


Date published: Mon, 8 Feb 2010 23:38:00 PST
Details

»News: Twitter attacker had proper credentials
Twitter attacker had proper credentials
»News: PhotoDNA scans images for child abuse
PhotoDNA scans images for child abuse
»News: Conficker data highlights infected networks
Conficker data highlights infected networks

>> Advertisement <<
Can you ...
»News: Popular apps need better patching, says report
Popular apps need better patching, says report
»Brief: Google offers bounty on browser bugs
Google offers bounty on browser bugs


Date published: not known
Details

»Releases.mozilla.org SSL and Manual Update Fail
I did a presentation at the DefCon Comedy Jam about how users manually validate updates for Firefox ...
»Accuracy and Time Costs of Web Application Security Scanner Report
Larry Suto is back with another report outlining the differences between some of the top web applica ...
»Large List of RFIs (1000+)
I started on this project over a year ago, and then I stopped, and then I started it again, and then ...
»Micro PHP LFI Backdoor
I’ve been playing around a lot more with LFI attacks, because I think they’re more preva ...
»JavaScript Embedded in Homepage Links in Firefox
So after the last post I was messing around a bit with the way the homepage functionality works in F ...
»Quicky Firefox Bookmarklet Backdoor
Every once in a while I see someone who really should know better leaving their desktop unattended. ...


Date published: not known
Details

»Oracle Releases Security Alert for WebLogic Server Vulnerability
»Microsoft Releases Advance Notification for February Security Bulletin
»Apple Releases iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch
»Microsoft Releases Security Advisory 980088
»Cisco Releases Security Advisory for Unified MeetingPlace
»Google Releases Chrome 4.0.249.78
»RealNetworks, Inc. Releases Updates to Address Vulnerabilities
»Microsoft Releases Cumulative Security Update for Internet Explorer
»Apple Releases Security Update 2010-001
»Adobe Releases Shockwave Player Update


Date published: not known
Details

»T-303: Apple Safari 4.0.4 Denial of Service
T-303: Apple Safari 4.0.4 Denial of Service
»T-302: Red Hat Linux Kernel Routing Implementation Multiple Remote Denial of Service Vulnerabilities
T-302: Red Hat Linux Kernel Routing Implementation Multiple Remote Denial of Service Vulnerabilities
»T-301: Citrix XenServer Authentication Bypass Vulnerability
T-301: Citrix XenServer Authentication Bypass Vulnerability
»T-300: lighttpd Slow Request Handling Remote Denial of Service Vulnerability
T-300: lighttpd Slow Request Handling Remote Denial of Service Vulnerability
»T-299: Multiple Sun Java Vulnerabilities
T-299: Multiple Sun Java Vulnerabilities
»T-298: Samba setuid 'mount.cifs' Verbose Option Information Disclosure Vulnerability
T-298: Samba setuid 'mount.cifs' Verbose Option Information Disclosure Vulnerability
»T-297: Multiple Vendor HTML Form Protocol Vulnerability
T-297: Multiple Vendor HTML Form Protocol Vulnerability
»T-296: Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace
T-296: Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace
»T-295: Joomla! JBDiary Component Multiple SQL Injection Vulnerabilities
T-295: Joomla! JBDiary Component Multiple SQL Injection Vulnerabilities
»T-294: Microsoft Internet Explorer URI Validation Remote Code Execution Vulnerability
T-294: Microsoft Internet Explorer URI Validation Remote Code Execution Vulnerability
»T-293: Windows Kernel #GP Trap Handler Flaw Lets Local Users Gain Elevated Privileges
T-293: Windows Kernel #GP Trap Handler Flaw Lets Local Users Gain Elevated Privileges
»T-292: Internet Explorer CVE-2010-0249 Remote Code Execution Vulnerability
T-292: Internet Explorer CVE-2010-0249 Remote Code Execution Vulnerability
»T-291: Expat UTF-8 Character XML Parsing Remote Denial of Service Vulnerability
T-291: Expat UTF-8 Character XML Parsing Remote Denial of Service Vulnerability
»T-290: Net-SNMP 'snmpUDPDomain.c' Remote Information Disclosure Vulnerability
T-290: Net-SNMP 'snmpUDPDomain.c' Remote Information Disclosure Vulnerability
»T-289: HP StorageWorks Products Remote Management Interface Privilege Escalation Vulnerability
T-289: HP StorageWorks Products Remote Management Interface Privilege Escalation Vulnerability


Date published: not known
Details

»February issue of VB published
The February issue of Virus Bulletin is now available for subscribers to download.
»EU report suggests 95% of email is spam
Less than five per cent of all SMTP connections result in an email being delivered into a user's inb ...
»January issue of VB published
The January issue of Virus Bulletin is now available for subscribers to download.
»Project Honey Pot 'celebrates' billionth spam message
Facebook about to become most phished organization.
»Botnets becoming more robust
Zeus botnet used Amazon's in-the-cloud service to control bots.
»IE zero-day bug fixed in Patch Tuesday updates
Serious browser bug main feature of monthly alerts, Adobe Flash issue also patched.


Date published: not known
Details

»Researchers Develop Code That Stops Local Scanning Worms
In tests, algorithm was an efficient estimator of worm virulence and could determine the size of the ...
»Hacker Unleashes BlackBerry Spyware Source Code
Proof-of-concept demonstrates ease at which mobile spyware can be created to pilfer text messages an ...
»Product Watch: New Tool Automatically Examines Suspicious Code In Memory
HBGary Responder Professional 2.0 analyzed malware behavior in the Operation Aurora in five minutes ...
»'Rugged' Initiative Brings Secure Software Development To The Masses
Rugged Software Development initiative an 'on-ramp' for all types of programmers to write resilient ...
»Database Account-Provisioning Errors A Major Cause Of Breaches
Database accounts are often managed manually -- if at all


Date published: not known
Details
U.S. Government Standardizing on Windows Hardening
U.S. Government agencies have struggled with how to implement baseline security configurations required of them under various government regulations. The new government-wide Windows security configuration requirements outlined by the Office of Management and Budget (OMB) are truly revolutionary and grandiose in scale. But this is likely to affect everyone.

Few federal agencies have fully implemented NIST.gov, CIS, DISA, or NSA hardening guidelines, even though many have required it for years. Those agencies that had set hardening standards tended to water them down to the lowest common denominator that prevented anything the agency might use from breaking. Few civilian federal computers implemented the full guidelines. (NIST.org)

This type of approach has of course led to computers not being as secure as they should be. It has also been very wasteful. Each agency has had to test all of the settings in their environment and test each application used within the agency. Each agency also ended up negotiating with hardware vendors to ship computers with their settings already applied (at least those agencies that bothered to try). Many agencies also gave their offices a lot of leeway in whether to implement the baselines (or STIGS - Security Technical Implementation Guides) or they failed to verify compliance. All of this has led to a lot of wasted time, effort, and money. Not to mention a much lower security posture.

This is all about to come to an end. The White House Office of Management and Budget (OMB) has mandated that all federal agencies implement a common set of secure configuration settings developed by the National Institute of Standards and Technology (NIST). The following is a time line outlined by OMB.
  • May 1st 2007 – Agencies must submit to OMB plans:
    - on how they will implement the new standard baseliine configuration,
    - on how they will enforce and automate the settings,
    - on how they will restrict administrative rights to change these settings to only authorized personnel.
    - on how they will test their systems in advance for adverse effects of the settings,
    - on how they will integrate the new security settings into their Capital Planning and Investment Control Process (NIST SP 800-65)
    - on how they will ensure that all computers have vulnerability patches applied
    - on how they will document any deviations from the standard baseline and the reason for the deviation
  • April 20th, 2007 – OMB and the Department of Homeland Security (DHS) will make available XP and Vista images that hardware and software vendors can use for testing.
  • June 30th, 2007 – All new computer purchases with Windows XP or Vista must contain the standard baseline security configuration. All new software purchases must be compatible with the new security settings. All IT companies doing business with the government must certify that their products will work with this configuration.
  • February 1st, 2008 – Agencies must fully implement the standard security settings on all computers running Microsoft Windows XP and Vista.

Once these changes start to take affect in June the entire U.S. Government will be doing things differently. This will affect hardware and software acquisition, IT management, computer setup, end user training, other security policies and procedures, etc. For once everyone in the government will be doing something with computers the same way. This is a first, and its a huge change. It is also long overdue, not only from a security point of view but from a fiscal one. The cost savings will be enormous. There will also be a complete paradigm shift in how government IT personnel perceive things. No longer will local offices or individual IT people be making security decisions, management is now running the show and for once management is making a fully informed decision.

Many of OMB's past Memorandums were not implemented on time, or drastically watered down by agencies. Such as M-06-16 that mandated (among other things) encryption of mobile computers and devices by August 2006. Few agencies have fully implemented this directive. This new security baseline initiative is different, for once OMB isn't leaving anything to chance. They are not only telling agencies exactly what to do, but they are giving them the means to do it (completed and detailed NIST specifications). They are also forcing the issue through contracting rules that disallow any purchases that are not within compliance. In addition they are working with vendors, especially Microsoft, in making sure that products will be available by the OMB deadlines. For once they're doing it right.

There is already discussion about government-wide standardized baselines (or STIGs) for Unix, Apple and Linux operating systems. The federal government Windows XP and Vista image is also likely to be available to commercial buyers. There is nothing secret about it. Most Microsoft applications will be guaranteed to work with the image, as will most mainstream applications. If you work for a large enterprise don't be surprised if you start seeing this configuration on new desktops in the near future.

This will, of course, lead to much better desktop security within the federal government. The Air Force / DISA / NIST STIGs are tough and they will truly have a positive affect. When security is left open to the current technician of the moment few take the time to harden Windows to this degree. When the end user has administrative rights to their computer then so does any piece of malware they may stumble upon. Standardizing on a tough policy and forcing the market place to become compatible is the perfect way to accomplish the goal of securing the desktop. Karen Evans, OMB's administrator of e-government and information technology, and the rest of the OMB team will deserve a lot of credit if they can pull this off.

These are certainly dramatic changes. Click here to post your comments.

References:
  • GovExec.com - “OMB sets security standards for Windows computers”
  • FCW.com – Federal Computer Week “OMB: Vista is an opportunity to set desktop standards - Policies at the Air Force, Army serve as a governmentwide model”
  • NIST.org - “Hardening Microsoft Windows – STIGS, Baselines, and Compliance”. Includes links to NIST.gov STIGS as well as to the Department of Defense, Defense Information Systems Agency (DISA) STIGs that the new requirements are based off of. If you want to know what the new government-wide requirements are going to look like the DISA STIG's are probably as close as you'll find.
  • SP 800-68 – NIST.gov Guidance for Securing Microsoft Windows XP Systems for IT Professional
  • NIST.gov – FAQ and Description of the Guidance for Securing Microsoft Windows XP Systems for IT Professionals
  • ComputerWorld - “Feds to Adopt Common Security Settings on PCs - OMB tells agencies to standardize configurations for Windows XP, Vista”



Share or Bookmark this Article Using:
| furl | reddit | del.icio.us | magnoliacom | digg | newsvine | stumble it |



Google
WebNIST.org
NIST.govSecurityFocus.com



Posted by NIST.org on Monday 26 March 2007 - 21:33:22 | Read/Post Comment: 0 |LAN_EMAIL_7 printer friendly
Translate to: French German Italian Spanish Portuguese GTM_LAN_DUTCH Russian Chinese Arabic Korean English
Google Ads




NIST Site Menu
·Home

NIST Security Books
NIST IT Security Books

NIST.org Security Bookstore
Current Security News
 
SANS Internet Storm Center, InfoCON: green

» Infocon: green

» Oracle has an unscheduled security alert and patch for CVE-2010-0073. The issue affects WebLogic Server and is remotely exploitable. Details and patch are here http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html, (Tue, Feb 9th)
[08 Feb 2010 05:43pm]

» When is a 0day not a 0day? Samba symlink bad default config, (Tue, Feb 9th)
[08 Feb 2010 05:23pm]

» When is a 0day not a 0day? Fake OpenSSh exploit, again. , (Mon, Feb 8th)
[08 Feb 2010 07:58am]

» Mandiant Mtrends Report, (Sun, Feb 7th)
[07 Feb 2010 07:56am]

» LANDesk Management Gateway Vulnerability, (Sat, Feb 6th)
[06 Feb 2010 01:30pm]

» tweaked ISC layout. Please submit screen shot and browser details if things don't look right., (Sat, Feb 6th)
[05 Feb 2010 07:04pm]

» Oracle WebLogic Server Security Alert, (Sat, Feb 6th)
[05 Feb 2010 06:17pm]

» New version of Andreas Schuster's Evtx Parser released http://computer.forensikblog.de/en/2010/02/evtx_parser_1_0_2.html, (Sat, Feb 6th)
[05 Feb 2010 05:32pm]

» Memory Analysis - time to move beyond XP, (Fri, Feb 5th)
[05 Feb 2010 05:23pm]

***
CNET News.com

» Verizon temporarily blocks some 4chan sites
[08 Feb 2010 11:46am]

» Security software maker Vitamin D exits beta
[08 Feb 2010 10:12am]

» China breaks up Black Hawk hacking ring
[08 Feb 2010 09:51am]

» PCI compliance: What it is and why it matters (Q&A)
[08 Feb 2010 05:00am]

» New UI, features highlight McAfee 2010 suites
[07 Feb 2010 10:00pm]

» BlackBerry has spyware risk too, researcher says
[07 Feb 2010 10:00am]

» Mozilla yanks infected add-ons, warns users
[05 Feb 2010 02:31pm]

» Caught on tape: Pastry thief and a bad dog walker
[05 Feb 2010 05:00am]

» DOJ not pleased with latest Google Book agreement
[04 Feb 2010 05:56pm]

» Microsoft to patch 26 holes in Windows, Office
[04 Feb 2010 01:33pm]

» U.S. House passes cybersecurity research bill
[04 Feb 2010 01:07pm]

» Air Force taps IBM for secure cloud
[04 Feb 2010 11:58am]

» Billions to be spent on smart-grid cybersecurity
[04 Feb 2010 11:05am]

» Report: Google, NSA talk defense partnership
[04 Feb 2010 12:45am]

» Microsoft investigates new Internet Explorer flaw
[03 Feb 2010 03:58pm]

***
Computerworld Security News

» Poughkeepsie, N.Y., slams bank for $378,000 online theft
[08 Feb 2010 01:52pm]

» Adobe apologizes for 16-month-old Flash bug
[08 Feb 2010 12:47pm]

» PC Maintenance: What Tasks When?
[08 Feb 2010 11:01am]

» An open letter to my public transit company
[08 Feb 2010 10:01am]

» Why CSOs Should Care About ShmooCon
[08 Feb 2010 07:56am]

» Malwarebytes' Anti-Malware Free
[08 Feb 2010 07:47am]

» More Security News

***
GSO

» Netgear Router Hack Pt. 2 by Kenny
[01 Dec 2009 05:16pm]

» Netgear Router Hack Pt. 1 by Kenny
[01 Dec 2009 05:16pm]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
NIST - Books You Need

NIST Bookstore
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf
Add to NetVibes
Add to Bloglines
Add to NewsGator
Add to Google
Add to My Yahoo
Add to My MSN
Add to Technorati
Add to Pluckit
Add to My AOL
Subscribe in FeedLounge
Add to ProtoPage

Symantec News

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.