e-Security and e-Business (CERT/LogMan) Approaches
Modules
HTML versions of the modules are available from the CERT web site. PDF and Postscript versions of the modules are available from the SEI web site. For the PDF and Postscript versions, click on the icons next to the module names. The currently available modules are:
Security for Information Technology Service Contracts
Securing Desktop Workstations
Responding to Intrusions
Securing Network Servers
Deploying Firewalls
Securing Public Web Servers
Detecting Signs of Intrusion
Practices
The practices are grouped into five general steps, listed below. They are illustrated in the diagram "Security Knowledge in Practice".
Harden and secure your systems by establishing secure configurations
Prepare for intrusions by getting ready for detection and response
Detect intrusions quickly
Respond to intrusions to minimize damage
Improve your security to help protect against future attacks
The following practices relate to managing computer security contractors. They are listed under the heading "Practices related to computer security contractors".
Practices about hardening and securing systems
Develop a computer deployment plan that includes security issues
Include explicit security requirements when selecting servers
Keep operating systems and applications software up to date
Offer only essential network services and operating system services on the server host machine
Configure computers for user authentication
Configure computer operating systems with appropriate object, device, and file access controls
Configure computers for file backups
Protect computers from viruses and similar programmed threats
Configure computers for secure remote administration
Allow only appropriate physical access to computers
Configure network service clients to enhance security
Configure multiple computers using a tested model configuration and a secure replication procedure
Develop and promulgate an acceptable use policy for workstations
Configure computers to provide only selected network services
Isolate the Web server from public networks and your organization's internal networks
Configure the Web server with appropriate object, device, and file access controls
Identify and enable Web-server-specific logging mechanisms
Consider security implications before selecting programs, scripts, and plug-ins for your Web server
Configure the Web server to minimize the functionality of programs, scripts, and plug-ins
Configure the Web server to use authentication and encryption technologies, where required
Maintain the authoritative copy of your Web site content on a secure host
Protect your Web server against common attacks
Design the firewall system
Acquire firewall hardware and software
Acquire firewall documentation, training, and support
Install firewall hardware and software
Configure IP routing
Configure firewall packet filtering
Configure firewall logging and alert mechanisms
Test the firewall system
Install the firewall system
Phase the firewall system into operation
Practices about preparing to detect and respond to intrusions
Establish a policy and procedures that prepare your organization to detect signs of intrusion
Identify data that characterize systems and aid in detecting signs of suspicious behavior
Manage logging and other data collection mechanisms
Establish policies and procedures for responding to intrusions
Prepare to respond to intrusions
Practices about detecting intrusions
Ensure that the software used to examine systems has not been compromised
Monitor and inspect network activities for unexpected behavior
Monitor and inspect system activities for unexpected behavior
Inspect files and directories for unexpected changes
Investigate unauthorized hardware attached to your organization's network
Inspect physical resources for signs of unauthorized access
Review reports by users and external contacts about suspicious and unexpected behavior
Take appropriate actions upon discovering unauthorized, unexpected, or suspicious activity
Practices about responding to intrusions
Analyze all available information to characterize an intrusion
Communicate with all parties that need to be made aware of an intrusion and its progress
Collect and protect information associated with an intrusion
Apply short-term solutions to contain an intrusion
Eliminate all means of intruder access
Return systems to normal operation
Identify and implement security lessons learned
Practices about improving system security
Take appropriate actions upon discovering unauthorized, unexpected, or suspicious activity
Identify and implement security lessons learned
Practices related to computer security contractors
Specify security requirements and assess contractor capability
Determine contractor ability to comply with your organization's security policy
Require that the contractor software is installed and configured to operate securely
Require that the contractor communicate securely with your site when operating remotely
Control contractor access to your systems
Review contractor performance
Eliminate physical and electronic access by the contractor to your systems and networks
Implementations
CERT implementations describe useful approaches to completing steps in CERT security practices for specific operating systems. Implementations are illustrative in nature; that is, they do not exhaustively cover all practice steps. Implementations are not updated to reflect the current version of operating systems. We recommend that you visit vendor web sites for current information and guidance about securing your operating system, and visit the web sites referenced in each implementation.
General
Process analysis checklist
Examples of contract language for terms and conditions or statements of work
Maintaining currency by periodically reviewing public and vendor information sources
Identifying tools that aid in detecting signs of intrusion
Establishing and maintaining a physical inventory of your computing equipment
UNIX
Using MD5 to verify the integrity of file contents
Using Tripwire to verify the integrity of directories and files on systems running Solaris 2.x
Inspecting your Solaris system and network logs for evidence of intrusions
Inspecting the logs produced by the TCP wrapper program on a Solaris 2.x system
Using the ps program to examine processes for signs of intrusive activity
Configuring Sun Solaris as a Web server
Configuring NCSA httpd and Web-server content directories on a Sun Solaris 2.5.1 host
Enabling process accounting on systems running Solaris 2.x
Installing, configuring, and using tcp wrapper to log unauthorized connection attempts on systems running Solaris 2.x
Configuring and using syslogd to collect logging messages on systems running Solaris 2.x
Using newsyslog to rotate files containing logging messages on systems running Solaris 2.x
Installing, configuring, and using logdaemon to log unauthorized login attempts on systems running Solaris 2.x
Installing, configuring, and using logdaemon to log unauthorized connection attempts to rshd and rlogind on systems running Solaris 2.x
Understanding system log files on a Solaris 2.x operating system
Installing, configuring, and using swatch to analyze log messages on systems running Solaris 2.x
Installing, configuring, and using logsurfer on systems running Solaris 2.x
Configuring and installing lsof 4.50 on systems running Solaris 2.x
Configuring and installing top 3.5 on systems running Solaris 2.x
Installing, configuring, and using npasswd to improve password quality on systems running Solaris 2.x
Installing and configuring sps to examine processes on systems running Solaris 2.x
Installing and securing Solaris 2.6 servers
Installing, configuring, and operating the secure shell (SSH) on systems running Solaris 2.x
Characterizing files and directories with native tools on Solaris 2.x
Detecting changes in files and directories with native tools on Solaris 2.x
Installing and operating lastcomm on systems running Solaris 2.x
Installing, configuring, and using spar 1.3 on systems running Solaris 2.x
Installing and operating tcpdump 3.5.x on systems running Solaris 2.x
Installing, configuring, and using argus to monitor systems running Solaris 2.x
Using newarguslog to rotate log files on systems running Solaris 2.x
Installing libpcap to support network packet tools on systems running Solaris 2.x
Writing rules and understanding alerts for Snort, a network intrusion detection system
Disabling network services on systems running Solaris 2.x
Installing noshell to support the detection of access to disabled accounts on systems running Solaris 2.x
Disabling user accounts on systems running Solaris 2.x
Installing OpenSSL to ensure availability of cryptographic libraries on systems running Solaris 2.x
Installing and operating ssldump 0.9 Beta 1 on systems running Solaris 2.x
Installing The Coroner's Toolkit and using the mactime utility
Using The Coroner's Toolkit: harvesting information with grave-robber
Using The Coroner's Toolkit: rescuing files with lazarus
NT
Using RDISK /S to create an Emergency Repair Disk for Windows NT 4.0
Using SYSKEY to protect the password data for Windows NT 4.0
Selecting audit events for directories and files on Windows NT 4.0 systems
Selecting audit events for Windows NT 4.0 registry keys
Restricting access to the %SYSTEMROOT%\repair directory for Windows NT 4.0
Setting up a logon banner on Windows NT 4.0
Configuring a Windows NT 4.0 system to shut down automatically when writing to an event log fails
Enabling auditing of Windows NT 4.0 printer events
Selecting Windows NT 4.0 event log settings
Selecting audit policy settings on Windows NT 4.0 workstations
Selecting audit policy settings on Windows NT 4.0 servers
Basic Windows NT 4.0 Security Implementations
Preparing for the initial installation of Windows NT 4.0 systems
Securing a Windows NT 4.0 workstation during initial installation
Securing a stand-alone Windows NT 4.0 Server during initial installation
Securing a Windows NT 4.0 Server as Primary Domain Controller during initial installation
Securing a Windows NT 4.0 Server as Backup Domain Controller during initial installation
Other technologies
Inspecting the logs produced by the Apache Web server
Inspecting the logs produced by the NCSA Web server
Intended audience
The modules are written for system and network administrators: the people whose day-to-day activities include installation, configuration, and maintenance of computers and networks.
Module structure
Each module has three kinds of components.
The executive summary describes the problem and outlines a general approach to its solution.
Security improvement practices present the problem solution in detail. Each practice includes a brief description (what to do), the specific security problem or vulnerability that the practice addresses (why do it), and one or more methods (steps) for executing the practice (where, when, and how to do it). Each executive summary contains links to all the relevant practices.
Implementation details provide additional information on how to perform a practice for a specific technology; for example, Sun, Solaris, UNIX, Windows, and NT. In most cases, practices are independent of particular technologies and are applicable to all organizations. How an organization adopts and implements the practices, however, often depends on the specific networking and computing technologies it uses. The practices contain links to available technology-specific implementation details.
Formats
Modules are published in three formats:
World Wide Web (HTML), suitable for online reading with a Web browser
Portable Document Format (PDF), suitable for printing or online viewing with an appropriate viewer or Web browser plug-in
PostScript, suitable for printing
The PDF and PostScript icons will appear after the module title in the list above when these formats become available.