How to Develop Your Company's First Security Baseline Standard

Introduction

The goal of this document is to provide a guide for those charged with designing and implementing baseline security standards for the first time. The scope of the standards will depend on the immediate needs of the organization, and will specify a standard for installing, hardening, and placing into production new servers and workstations. On some networks, you can tell who built a particular system by the output of an NMap scan! Some administrators attempt to turn off a few services, others turn them all off, and still others turn the wrong ones off. Minimum Security Baseline Standards (MSBs) will allow organizations to deploy systems in an efficient and standardized manner.

Creating and maintaining your security baseline standards will be an ongoing process, requiring the help and support of a number of departments within the IT organization. The main goal of developing a security baseline is to promote and strengthen the security of the organization's computing assets. If you are developing MSBs in your organization for the first time, it may be happening in conjunction with the creation of your first security policy, or the creation of your first IT Security Department. The adoption of MSBs can be a useful part of your site's security policy.

How Can Your Site Benefit from MSBs?

Setting standards for various types of systems will help to enhance host security, allow a more efficient use of time, and make it easier to provide technical support to users by requiring that systems comply with a configuration that has been tested and is known to work with the applications used by the organization. Since the help desk will be working with systems that comply with the standards (or that at least began their working life in a known configuration), they will be more efficient in solving user issues.
Please note that there is also a downside to standardization. If all of your systems are configured in the same way, they may ALL become vulnerable to attack in the same manner! This also means, however, that you can more easily define the weaknesses within your site.

How Is an MSB Different from a Security Policy?

The MSBs are a how-to on making the security policy work for the site. The MSBs will reflect the goals of the security policy, offering guidelines for preparing individual systems for production use. The MSBs will NEVER conflict with the security policy, and will provide more detail than the security policy. The MSBs are a tool to implement the ideals and goals of the security policy.

Two Types of Baseline Standards

There are two important types of security baselines: high-level and technical. You may decide to develop either or both of these, depending on the needs of your site. The high-level standards will be OS independent, broad reaching, and will reflect the goals and mandates of the security policy. They will spell out an achievable baseline as it applies to systems of various security levels. A good strategy for implementing baseline standards in a company where security awareness is beginning to bloom is to start with a simple, easy-to-implement baseline, then tighten up the configurations as needed. Smaller sites may choose to adopt only the technical standards.

The technical baselines will consist of separate documents for each type of system used by the organization. This will require the identification of all the different OS configurations used by the company, and the function of each system type. The documents should be classified according to functional type, such as web server, application server, desktop workstation, etc.
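As an added illustration (not part of the original paper), the Python example below checks hosts against a technical baseline organized by functional type, using Nmap grepable output to flag services that deviate from it. The baseline contents, inventory, host addresses and scan lines are all constructed assumptions.

```python
import re

# Constructed baseline (assumption): per functional type, the ports a system
# may expose ("allowed") and those it must expose to do its job ("required").
BASELINE = {
    "web server": {"allowed": {"22/tcp", "80/tcp", "443/tcp"}, "required": {"80/tcp"}},
    "desktop workstation": {"allowed": set(), "required": set()},
}
# Constructed inventory (assumption): the functional type each host was built as.
INVENTORY = {"192.0.2.10": "web server", "192.0.2.11": "web server",
             "192.0.2.50": "desktop workstation"}
# Constructed sample of Nmap grepable output (nmap -oG) so the example runs offline.
SAMPLE_SCAN = """\
Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.11 (web02)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 111/open/tcp//rpcbind///
Host: 192.0.2.50 (desk07)\tPorts: 139/open/tcp//netbios-ssn///, 25/closed/tcp//smtp///
Host: 192.0.2.99 (lab)\tPorts: 22/open/tcp//ssh///
"""
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")
UNKNOWN = {"allowed": set(), "required": set()}  # host absent from the inventory

def open_ports(scan_text):
    """Return {host: {"port/proto", ...}} for ports Nmap reported as open."""
    hosts = {}
    for line in scan_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment and "Status:" lines carry no port list
        found = hosts.setdefault(m.group(1), set())
        for entry in m.group(2).split("\t")[0].split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                found.add(f"{fields[0]}/{fields[2]}")
    return hosts

def audit(scan_text, inventory=INVENTORY, baseline=BASELINE):
    """Report, per host, deviations from the baseline for its functional type."""
    report = {}
    for host, ports in sorted(open_ports(scan_text).items()):
        role = inventory.get(host)
        rules = baseline.get(role, UNKNOWN)  # unknown hosts: every open port is flagged
        report[host] = {"role": role,
                        "unexpected": sorted(ports - rules["allowed"]),
                        "missing": sorted(rules["required"] - ports)}
    return report

if __name__ == "__main__":
    for host, result in audit(SAMPLE_SCAN).items():
        print(host, result)
```

A host that appears in the scan but not in the inventory is reported with a role of None, which is the case of a system that entered production without going through the baseline process.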
(See example outlines of both high-level and technical baselines at the end of this document.)

A quick starting point for developing your technical standards is to use a system-hardening guide for each OS type, using the parts that fit the needs of your site. These guides can also help you consider issues that you might not have considered. Several links to system hardening guides are listed below:

Linux: http://www.linuxdoc.org/HOWTO/Security-HOWTO.html
Sun Solaris: http://www.softpanorama.org/Security/sos.shtml
MS Windows NT: http://www.upenn.edu/security-privacy/standards/ntConfig.html

Keep the MSBs relevant by keeping up with the needs of your site, and be sure that the standards address the 'Top Ten Threats' (http://www.sans.org/topten.htm) and deal with them.

The next step is to try the MSB configuration against several test machines. This will help identify and correct confusing directions, and ensure that your configuration will result in a usable system. After you are satisfied with the technical standard, have the configuration team use the document on a test basis and continue to tune the document.

How to Ensure Success

One of the leading causes of death of standards is creating policies that are too rigid. Make sure the technical baseline is reasonable, or you'll be taking the risk that it will become 'another failed IT initiative'.

Make sure that the MSBs are easy to use by making them easily available, along with the scripts, software tools, etc. that are recommended in the MSBs. Make the standards available on a company intranet web server and provide links to other related system configuration documents and tools. This will help streamline the configuration process.
Build an FTP server that serves up the patches, hot-fixes, logging software and add-on security software to help ensure that the correct software and version is used.

Conclusion

Adopting standards for server and desktop systems is one step in developing a more secure computer network. A secure IT infrastructure is a more efficient infrastructure. Convincing an organization to adopt security baseline standards will result in risk reductions by eliminating the "low-hanging fruit" vulnerabilities, and will make sure that new systems begin service in a known state. MSBs will help the support team by giving them standard systems to work with. MSBs are a tool to help achieve the goals of the security policy. If designed and implemented properly, MSBs will help strengthen host security, and will help to minimize the damage in the event of a network compromise.

Appendix A: High-Level Standards Outline

Some Company High-Level Standards Document

Appendix B: Technical Standards Outline

Some Company Minimum Technical Standards

References

(1) AusCERT. Information Security Standards. May 2000.
(2) National Computer Security Center (NCSC). A Guide to Understanding Configuration Management in Trusted Systems (Amber Book). March 1988.
(3) Bundesamt für Sicherheit in der Informationstechnik. IT Baseline Protection Manual. July 2000.

Suggested Reading

Allen, Julia. Securing Networked Systems – A Technology Improvement Process. March 1999.
Hernan, Shawn. Security Often Sacrificed for Convenience.
The Experts' Consensus. How to Eliminate The Ten Most Critical Internet Security Threats. September 2000. http://www.sans.org/topten.htm
Internet Engineering Task Force. Site Security Handbook (RFC 2196). September 1997. http://www.ietf.org/rfc/rfc2196.txt