Title: A Guideline On Office Automation Security
Authors: National Computer Security Center
Abstract:
- Office Automation Systems (OA systems) are small, microprocessor-based
Automated Information Systems that are used for such functions as
typing, filing, calculating, sending and receiving electronic mail,
and other data processing tasks. They are becoming commonly used by
managers, technical employees, and clerical employees to increase
efficiency and productivity. Examples of OA systems include personal
computers, word processors, and file servers. This guideline provides
security guidance to users of OA systems, to the ADP System Security
Officers responsible for their operational security, and to others who
are responsible for the security of an OA system or its magnetic
storage media at some point during its life-cycle. This guideline
explains how OA system security issues differ from those associated
with mainframe computers. It discusses some of the threats and
vulnerabilities of OA systems, and some of the security controls that
can be used. It also discusses some of the environmental
considerations necessary for the safe, secure operation of an OA
system. This guideline suggests some security responsibilities of OA
system users, and of ADP System Security Officers. Also described are
some of the security responsibilities of the organization that owns or
leases the OA system. In addition, guidance is given to the
procurement officer who must purchase OA systems or components, and
guidance is also provided to the officer who is responsible for
securely disposing of OA systems, components, or the associated
magnetic media. This document is issued as a National
Telecommunications and Information Systems Security Advisory
Memorandum, and is therefore intended as guidance only. Nothing in
this guideline should be construed as encouraging or permitting the
circumvention of existing Federal Government or organizational
policies.
Title: An Introduction to Computer Security: The NIST Handbook (DRAFT)
Authors: National Institute of Standards and Technology
Abstract:
- The purpose of this Handbook is to assist managers in securing
computer-based resources (including hardware, software, and
information) by explaining important concepts, cost considerations,
and interrelationships of security controls. Such knowledge is vital
for managers to make informed decisions in selecting cost-effective,
appropriate controls to protect systems in their unique operating and
threat environments. The Handbook provides a broad overview of the
field of computer security. It assists the readers understanding of
their computer security needs and to develop a sound approach to the
selection of appropriate security controls. The document does not,
however, describe detailed steps necessary to implement a computer
security program, provide detailed implementation procedures for
security controls, or give guidance for auditing the security of
specific systems. References of how-to-too books and articles that
give further information are also provided.
Title: Computer User's Guide to the Protection of Information Resources
Authors: National Institute of Standards and Technology
File name: /pub/doc/guidelines/nist_protection_of_resources.txt.Z
Abstract:
- Today's computer technology, with microcomputers and on-line
access, has placed the power of the computer where it belongs, in
YOUR hands. YOU, the users, develop computer applications and
perform other data processing functions which previously were
only done by the computer operations personnel. These advances
have greatly improved our efficiency and effectiveness but, also
present a serious challenge in achieving adequate data
security.
Title: Coping with the Threat of Computer Security Incidents. A Primer from Prevention through Recovery
Authors: Russell L. Brand
Abstract:
- As computer security becomes a more important issue in modern society,
it begins to warrant a systematic approach. The vast majority of the
computer security problems and the costs associated with them can be
prevented with simple inexpensive measures. The most important and
cost effective of these measures are available in the prevention and
planning phases. These methods are presented followed by a simplified
guide to incident handling and recovery.
Title: Establishing a Computer Security Incident Response Capability (CSIRC)
Authors: John P. Wack
Abstract:
- Government agencies and other organizations have begun to augment
their computer security efforts because of increased threats to
computer security. Incidents involving these threats, including
computer viruses, malicious user activity, and vulnerabilities
associated with high tech nology, require a skilled and rapid response
before they can cause significant damage. These increased computer
security efforts, described here as Computer Security Incident
Response Capabilities (CSIRCs), have as a primary focus the goal of
reacting quickly and efficiently to com puter security
incidents. CSIRC efforts provide agencies with a centralized and
cost-effective approach to handling computer security incidents so
that future problems can be efficiently resolved and prevented.
Title: Guidelines for Formal Verification Systems
Authors: National Computer Security Center
Abstract:
- This document explains the requirements for formal verification
systems that are candidates for the NCSC's Endorsed Tools List
(ETL). [5] This document is primarily intended for developers of
verification systems to use in the development of production-quality
formal verification systems. It explains the requirements and the
process used to evaluate formal verification systems submitted to the
NCSC for endorsement.
Title: Improving the Security of Your Site by Breaking Into it
Authors: Dan Farmer Wietse Venema
Abstract:
- In this paper we will take an unusual approach to system security.
Instead of merely saying that something is a problem, we will look
through the eyes of a potential intruder, and show "why" it is one.
We will illustrate that even seemingly harmless network services can
become valuable tools in the search for weak points of a system, even
when these services are operating exactly as they are intended to. In
an effort to shed some light on how more advanced intrusions occur,
this paper outlines various mechanisms that crackers have actually
used to obtain access to systems and, in addition, some techniques we
either suspect intruders of using, or that we have used ourselves in
tests or in friendly/authorized environments.
Title: Improving The Security Of Your Unix System
Authors: David A. Curry
Abstract:
- Many useful guidelines for improving the security of your unix system.
UNIX system security can be divided into three main areas of concern.
Two of these areas, account security and network security, are primarily
concerned with keeping unauthorized users from gaining access to the
system. The third area, file system security, is concerned with preventing
unauthorized access, either by legitimate users or crackers, to the data
stored in the system. This paper describes the UNIX security tools provided
to make each of these areas as secure as possible.
Title: RFC 1281: Guidelines for the Secure Operation of the Internet
Authors: Richard D. Pethia Stephen D. Crocker Barbara Y. Fraser
Abstract:
- The purpose of this document is to provide a set of guidelines to aid
in the secure operation of the Internet. During its history, the
Internet has grown significantly and is now quite diverse. Its
participants include government institutions and agencies, academic
and research institutions, commercial network and electronic mail
carriers, non-profit research centers and an increasing array of
industrial organizations who are primarily users of the technology.
Despite this dramatic growth, the system is still operated on a purely
collaborative basis. Each participating network takes responsibility
for its own operation. Service providers, private network operators,
users and vendors all cooperate to keep the system functioning. It is
important to recognize that the voluntary nature of the Internet
system is both its strength and, perhaps, its most fragile aspect.
Rules of operation, like the rules of etiquette, are voluntary and,
largely, unenforceable, except where they happen to coincide with
national laws, violation of which can lead to prosecution. A common
set of rules for the successful and increasingly secure operation of
the Internet can, at best, be voluntary, since the laws of various
countries are not uniform regarding data networking. Indeed, the
guidelines outlined below also can be only voluntary. However, since
joining the Internet is optional, it is also fair to argue that any
Internet rules of behavior are part of the bargain for joining and
that failure to observe them, apart from any legal infrastructure
available, are grounds for sanctions.
Title: Security References Bib
Authors: Unknonw
Abstract:
- This document contains a list of computer security books' information.
It includes author, title, year, institution, etc.
Title: U. S. Department Of Commerce Abbreviated Certification Methodology For Sensitive Information Technology Systems
Authors: U. S. Department Of Commerce
Abstract:
- The purpose of this document is to provide guidance on appropriate
procedures to follow in performing the technical certification
evaluations of all sensitive and classified national security systems
within the Department.
|