[ Search ] [ What's New? ] [ About ]
[ Bugs ] [ Misc ] [ Mailing Lists ] [ Newgroups ] [ NewsWire ] [ Papers ] [ People ]
[ Pictures ] [ Publications ] [ Responce Teams ] [ Tools ] [ Upcoming Events ] [ Web Sites ]

Security Guidelines

Title: A Guideline On Office Automation Security
Authors: National Computer Security Center
Abstract:
Office Automation Systems (OA systems) are small, microprocessor-based Automated Information Systems that are used for such functions as typing, filing, calculating, sending and receiving electronic mail, and other data processing tasks. They are becoming commonly used by managers, technical employees, and clerical employees to increase efficiency and productivity. Examples of OA systems include personal computers, word processors, and file servers. This guideline provides security guidance to users of OA systems, to the ADP System Security Officers responsible for their operational security, and to others who are responsible for the security of an OA system or its magnetic storage media at some point during its life-cycle. This guideline explains how OA system security issues differ from those associated with mainframe computers. It discusses some of the threats and vulnerabilities of OA systems, and some of the security controls that can be used. It also discusses some of the environmental considerations necessary for the safe, secure operation of an OA system. This guideline suggests some security responsibilities of OA system users, and of ADP System Security Officers. Also described are some of the security responsibilities of the organization that owns or leases the OA system. In addition, guidance is given to the procurement officer who must purchase OA systems or components, and guidance is also provided to the officer who is responsible for securely disposing of OA systems, components, or the associated magnetic media. This document is issued as a National Telecommunications and Information Systems Security Advisory Memorandum, and is therefore intended as guidance only. Nothing in this guideline should be construed as encouraging or permitting the circumvention of existing Federal Government or organizational policies.

Title: An Introduction to Computer Security: The NIST Handbook (DRAFT)
Authors: National Institute of Standards and Technology
Abstract:
The purpose of this Handbook is to assist managers in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. Such knowledge is vital for managers to make informed decisions in selecting cost-effective, appropriate controls to protect systems in their unique operating and threat environments. The Handbook provides a broad overview of the field of computer security. It assists the readers understanding of their computer security needs and to develop a sound approach to the selection of appropriate security controls. The document does not, however, describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. References of how-to-too books and articles that give further information are also provided.

Title: Computer User's Guide to the Protection of Information Resources
Authors: National Institute of Standards and Technology
File name: /pub/doc/guidelines/nist_protection_of_resources.txt.Z
Abstract:
Today's computer technology, with microcomputers and on-line access, has placed the power of the computer where it belongs, in YOUR hands. YOU, the users, develop computer applications and perform other data processing functions which previously were only done by the computer operations personnel. These advances have greatly improved our efficiency and effectiveness but, also present a serious challenge in achieving adequate data security.

Title: Coping with the Threat of Computer Security Incidents. A Primer from Prevention through Recovery
Authors: Russell L. Brand
Abstract:
As computer security becomes a more important issue in modern society, it begins to warrant a systematic approach. The vast majority of the computer security problems and the costs associated with them can be prevented with simple inexpensive measures. The most important and cost effective of these measures are available in the prevention and planning phases. These methods are presented followed by a simplified guide to incident handling and recovery.

Title: Establishing a Computer Security Incident Response Capability (CSIRC)
Authors: John P. Wack
Abstract:
Government agencies and other organizations have begun to augment their computer security efforts because of increased threats to computer security. Incidents involving these threats, including computer viruses, malicious user activity, and vulnerabilities associated with high tech nology, require a skilled and rapid response before they can cause significant damage. These increased computer security efforts, described here as Computer Security Incident Response Capabilities (CSIRCs), have as a primary focus the goal of reacting quickly and efficiently to com puter security incidents. CSIRC efforts provide agencies with a centralized and cost-effective approach to handling computer security incidents so that future problems can be efficiently resolved and prevented.

Title: Guidelines for Formal Verification Systems
Authors: National Computer Security Center
Abstract:
This document explains the requirements for formal verification systems that are candidates for the NCSC's Endorsed Tools List (ETL). [5] This document is primarily intended for developers of verification systems to use in the development of production-quality formal verification systems. It explains the requirements and the process used to evaluate formal verification systems submitted to the NCSC for endorsement.

Title: Improving the Security of Your Site by Breaking Into it
Authors: Dan Farmer Wietse Venema
Abstract:
In this paper we will take an unusual approach to system security. Instead of merely saying that something is a problem, we will look through the eyes of a potential intruder, and show "why" it is one. We will illustrate that even seemingly harmless network services can become valuable tools in the search for weak points of a system, even when these services are operating exactly as they are intended to. In an effort to shed some light on how more advanced intrusions occur, this paper outlines various mechanisms that crackers have actually used to obtain access to systems and, in addition, some techniques we either suspect intruders of using, or that we have used ourselves in tests or in friendly/authorized environments.

Title: Improving The Security Of Your Unix System
Authors: David A. Curry
Abstract:
Many useful guidelines for improving the security of your unix system. UNIX system security can be divided into three main areas of concern. Two of these areas, account security and network security, are primarily concerned with keeping unauthorized users from gaining access to the system. The third area, file system security, is concerned with preventing unauthorized access, either by legitimate users or crackers, to the data stored in the system. This paper describes the UNIX security tools provided to make each of these areas as secure as possible.

Title: RFC 1281: Guidelines for the Secure Operation of the Internet
Authors: Richard D. Pethia Stephen D. Crocker Barbara Y. Fraser
Abstract:
The purpose of this document is to provide a set of guidelines to aid in the secure operation of the Internet. During its history, the Internet has grown significantly and is now quite diverse. Its participants include government institutions and agencies, academic and research institutions, commercial network and electronic mail carriers, non-profit research centers and an increasing array of industrial organizations who are primarily users of the technology. Despite this dramatic growth, the system is still operated on a purely collaborative basis. Each participating network takes responsibility for its own operation. Service providers, private network operators, users and vendors all cooperate to keep the system functioning. It is important to recognize that the voluntary nature of the Internet system is both its strength and, perhaps, its most fragile aspect. Rules of operation, like the rules of etiquette, are voluntary and, largely, unenforceable, except where they happen to coincide with national laws, violation of which can lead to prosecution. A common set of rules for the successful and increasingly secure operation of the Internet can, at best, be voluntary, since the laws of various countries are not uniform regarding data networking. Indeed, the guidelines outlined below also can be only voluntary. However, since joining the Internet is optional, it is also fair to argue that any Internet rules of behavior are part of the bargain for joining and that failure to observe them, apart from any legal infrastructure available, are grounds for sanctions.

Title: Security References Bib
Authors: Unknonw
Abstract:
This document contains a list of computer security books' information. It includes author, title, year, institution, etc.

Title: U. S. Department Of Commerce Abbreviated Certification Methodology For Sensitive Information Technology Systems
Authors: U. S. Department Of Commerce
Abstract:
The purpose of this document is to provide guidance on appropriate procedures to follow in performing the technical certification evaluations of all sensitive and classified national security systems within the Department.


Aleph One / aleph1@underground.org
Copyright © 1996 Computer Underground Society. All rights reserved.