NIST guide gets into security routine

Document aims to help administrators and managers start a program for testing systems security on a routine basis

The National Institute of Standards and Technology released a draft guide Feb. 4 with recommendations for network administrators on when and how to test for security vulnerabilities within the life cycle of a system or network.

The NIST Computer Security Division's draft "Guideline on Network Security Testing" provides basic information about security testing so that administrators can prioritize requirements within the limited budgets agencies have available for this function.

This is particularly helpful as agencies continue to work toward the security management requirements in the Government Information Security Reform Act. Agencies turned in their first GISRA assessments in October 2001, and the Office of Management and Budget plans to release its review of the assessments this week.

The NIST draft guide includes links to and descriptions of common testing tools, a chart comparing the strengths and weaknesses of the different testing techniques outlined in the guide and a summary table.

It is intended for more technical officials because it focuses on security testing of firewalls, routers and switches, intrusion detection systems, Web and e-mail servers, and other servers. But many of the explanations of the testing techniques are aimed at program officials as well.

"The primary aim of the document is to help administrators and managers get started with a program for testing on a routine basis," according to the Computer Security Division's site. "The methodology recommends focusing first on those systems that are accessible externally, e.g., firewalls, Web servers, etc., and then moving on to other systems as resources permit."

Comments are due by March 6 to John Wack at john.wack@nist.gov, and the division is particularly interested in comments on whether the recommended testing schedules are realistic within agencies' network environments.

NIST also announced this week the final publication of two guides: Special Publication 800-33, "Underlying Technical Models for Information Technology Security"; and Special Publication 800-30, "Risk Management Guide for Information Technology Systems."

The first is intended to provide a description of lessons learned, good practices and technical considerations that should go into the design and development of security capabilities. The second provides an overview of the risk management process — including how it fits into the system development life cycle and the roles for personnel involved in the process — and describes a risk assessment methodology for agencies to follow.