The Best Guides for Information Security

Management

Kerry Thompson
(Originally published in SysAdmin magazine June 2007)

Contents

      Introduction
      The Open Source Security Testing Methodology Manual (OSSTMM)
      NIST Special Publications
      NIST SP800-100 Information Security Handbook: A Guide for Managers
      NIST SP800-44 Guidelines on Securing Public Web Servers
      NIST SP800-45 Guidelines on Electronic Mail Security
      NIST SP800-81 Secure Domain Name System (DNS) Deployment Guide
      NIST SP800-48 Wireless Network Security (802.11, Bluetooth, and Handheld Devices)
      NIST SP800-92 Guide to Computer Security Log Management
      NIST & DISA Checklists
      UNIX Security Checklist
      Standard of Good Practice (SoGP)
      ISO17799
      Conclusions

Introduction

As a security consultant, I'm quite often contacted by the IT managers at small to medium sized businesses asking me "how do I secure my systems?". They have usually never had to address security before and operate on a budget too tight to hire full-time security people. This is a very difficult question, not because their IT systems are particularly complex, but evaluating and managing secure systems on an ongoing basis can be very time consuming and hard to come to grips with.

There are many resources available on the Internet to help with managing IT security - far too many for the newcomer to be able to sort out the valuable ones from the useless ones. This article presents a number of very useful documents designed to help in managing enterprise security in a practical manner.

Here I will be reviewing some of the most common documents that I've used to help IT organisations evaluate their security and provide them with assistance on what to do to maintain security. Rather than referring to the many, many books available or voluminous and boring standards documents I've presented freely available and easily understood documents which can be easily adapted and applied to most IT organisations.

Why do systems administrators need to use guides, practices, and checklists? Shouldn't they already know all of this stuff? The answer is simple - they can't possibly cover all areas of IT security that need to be managed by modern enterprises. Even for a small company with one or two servers, and Internet connection and twenty or so workstations would pose a lot of work to fully evaluate how secure it is. We need guides, written practices, and checklists to make sure that we cover everything when evaluating security and provide us with guidance on how to maintain security.

In this paper I'll be reviewing the Open Source Security Testing Methodology Manual (OSSTMM), a number of NIST Special Publications, some of the DISA guides and checklists, the Standard of Good Practice (SoGP), and the ISO17799 standard. These are all freely available (except for ISO17799) and will greatly ease the task of evaluating and maintaining enterprise security.

The Open Source Security Testing Methodology Manual (OSSTMM)

http://www.osstmm.org
The Open Source Security Testing Methodology Manual is a guide for evaluating how secure systems are. It contains detailed instructions on how to test systems in a methodological way, and how to evaluate and report on the results. The OSSTMM consists of six sections:
  • Information Security
  • Process Security
  • Internet Technology Security
  • Communications Security
  • Wireless Security
  • Physical Security
It also includes a number of templates which are intended for use during the testing process to capture the information gathered. The OSSTMM is a great resource for systems administrators who want to evaluate the security of a wide range of systems in an ordered and detailed way. It contains instructions on testing systems, but few details on how to protect systems.

NIST Special Publications

http://csrc.nist.gov/publications
The Information Technology Laboratory of the National Institute of Standard and Technology (NIST) publish a number of guides and handbooks under the Special Publications programme. Some of these are quite high-level, covering areas of management, policy and governance. But many include details which are just the perfect guides for system administrators and operations people. The following is an overview of some of the available guides - check the NIST website for the full list of currently available guides.

The great thing about the NIST documents and checklists is that they are not copyrighted. That's right, thanks to the US taxpayer you can copy and modify these as much as you want without fear of reprisals. You can, for instance, take the checklists and modify them to suit your own requirements - say, to develop your own checklist for new servers going into production or to define your own security auditing process. You can even take the guides and adapt them to become your new security policy.

NIST SP800-100 Information Security Handbook: A Guide for Managers

http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
This is a big document (178 pages) which supersedes the older SP800-12 as a general handbook on managing information security. For IT managers or system administrators new to security this is really the best place to start, although much of the content is at a high level targeted for managers. Some of the chapters, such as those on governance and investment management will be too high-level for system administrators, but others such as the ones on incident response, contingency planning, and configuration management will be very useful. This guide includes an appendix containing a list of Frequently Asked Questions (FAQs) which provides a lot of useful information.

NIST SP800-44 Guidelines on Securing Public Web Servers

http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf
If you're operating web servers on the public Internet, then you need to read this guide. Aimed at technical and operations people, it describes the threats to public web servers, and provides detailed guidelines for securing them. The following areas are covered:
  • Panning and management of web servers
  • Securing the operating system
  • Securely installing and configuring the web server
  • Securing web content
  • Authentication and encryption technologies
  • Implementing a secure network for a web server
  • Administering a web server
Examples and references are provided for the Apache and Microsoft IIS web servers, and there is a comprehensive appendix with details on installing and configuring both of these. There is also an appendix containing a very useful checklist for securing web servers.

NIST SP800-45 Guidelines on Electronic Mail Security

http://csrc.nist.gov/publications/nistpubs/800-45-version2/SP800-45v2.pdf
Version 2 of the Guidelines for Electronic Mail Security was released in February, 2007. This guide covers many areas from the installation and secure operation of Email servers to encryption and signing of Emails and securing various Email clients. The following areas are covered in detail:
  • Planning and managing mail servers
  • Securing the mail server operating system
  • Securing Mail servers and content
  • Administering the Email server
  • Implementing a secure network infrastructure
  • Securing mail clients
  • Signing and encrypting Email content
As in the guide for web servers, a checklist is provided in the Appendices for quickly checking the security of an existing or planned mail server. It doesn't have any operating system or mail software specific sections, but is detailed enough to cover almost any installation.

NIST SP800-81 Secure Domain Name System (DNS) Deployment Guide

http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf
DNS is a critical component of most IT environments, and risks to DNS need to be taken very seriously and managed appropriately. This guide presents recommendations for secure deployment of DNS servers. It examines the common threats to DNS, and recommends approaches to minimise them. It covers the technical details of installing the BIND DNS server on Unix systems and provides recommendations for securing the operating system. To secure DNS functions, it explains how to secure zone transfers with TSIG signatures, and gives a very good overview of DNSSEC implementation and management. This guide is thoroughly recommended if you are involved with managing DNSSEC services.

NIST SP800-48 Wireless Network Security (802.11, Bluetooth, and Handheld Devices)

http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf
This guide was written in 2002, so it is starting to get a bit out-dated now. However, the fundamentals of wireless technology haven't changed a lot and this guide does a very good job of explaining the threats to wireless networks. It covers primarily IEEE 802.11 (WiFi) and Bluetooth, and presents good guidelines on security controls such as positioning access points, controlling network access, and encryption methods. Even if you're not familiar with wireless networking, this guide serves as an excellent introduction.

NIST SP800-92 Guide to Computer Security Log Management

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
Just about every device in the world of IT generates log messages. Some devices, such as firewalls, generate huge amounts of log data all of which needs to be managed in a secure manner. This guide introduces the requirement to securely manage log data, and includes guides on log management infrastructure, and processes such as reporting and analysis tools. It includes details on the Unix syslog system, and contains references to many tools and further guides for managing log data.

NIST & DISA Checklists

http://csrc.nist.gov/checklists/repository/
http://iase.disa.mil/stigs/checklist/index.html
Sometimes we just don't have the spare time to read though pages of text that many guides consist of. This is when checklists come in handy. NIST has developed a programme for the development of checklists for securing IT systems. Now owned by DISA (Defence Information Systems Agency) a large number of checklists are available which make the job of evaluating systems much easier and more methodological. There is quite a number of checklists available here, including ones covering:
  • Most versions of Unix
  • Microsoft Windows 2000, 20003, XP, Vista
  • Oracle RDBMS
  • BIND DNS servers
  • Cisco PIX firewalls
  • Cisco IOS
  • Wireless networks
  • Apache Web server

UNIX Security Checklist

http://csrc.nist.gov/checklists/repository/1078.html
The Unix Security Checklist comes as a zip file containing a number of documents with three major sections and five appendices. Some of the documents are very large (one is 360 pages long), it is very detailed and contains checks for the Unix OS and most common applications found on Unix (such as SSH). They are all in .doc Word format which makes it very easy to adapt them to your own purposes. The most important sections are section 2 and section 3. Section 2, "SRR Results Report" contains a table that allows you to document the vulnerabilities discovered during the Security Readiness Review (SRR). Section 3, "System Check Procedures", covers procedures about how to perform the SRR for Unix systems. Unix systems covered by this checklist are HP-UX, AIX, Solaris, and RedHat Linux.

Standard of Good Practice (SoGP)

http://www.isfsecuritystandard.com/index_ns.htm
Published by the Information Security Forum (ISF), the Standard of Good Practice presents comprehensive best practices for managing IT systems from a business perspective but in a practical and achievable way. It has been targeted for larger businesses, but is still applicable to the small to medium businesses as well.

The standard is broken down into six sections, which it calls "aspects":

  • Aspect SM: Security Management
  • Aspect SD: System Development
  • Aspect CB: Critical Business Applications
  • Aspect CI: Computer Installations
  • Aspect NW: Networks
  • Aspect UE: User Environment
This is a very large document (247 pages) which would be very well suited to become adopted as a comprehensive security policy. Even if you're not specifically solving security problems, the SoGP would act as a good set of guidelines for IT management practices.

ISO17799

http://www.17799central.com/
No overview of security guides and practices would be complete without a mention of ISO17799. Entitled "A Code of Practice for Information Security Management" it was originally developed in 1993 by a number of companies and published as a British standard. It became an ISO standard in 2000 with a number of later editions and add-on documents following. It essentially consists of around 100 security controls under 10 major security headings. It is intended to be used as a reference document to identify the measures required to be applied to specific areas and issues. It contains ten sections on the following subjects:
  • Development of an enterprise IT security policy
  • Establishing a security organisation, defining management and responsibility
  • Asset classification and control
  • Security of personnel - resources, training, awareness, incident reporting
  • Implementing physical security controls
  • Management of computers and networks
  • Controlling access to computer systems
  • Integrating security into new systems
  • Business continuity and disaster planning
  • Compliance with security requirements
The good thing about ISO17799 is that it is a standard that the organisation can be audited against, and be seen as a common standard for IT security management. There is also many additional documents and books available to supplement the standard.

Probably the only bad thing about ISO17799 is that it is heavily commercialised - the 115 page document itself costs approx US$200, and contains information that is also available elsewhere at no cost (such as the SoGP).

Conclusions

There are many security guides available, and in this article I've presented some of the best ones that you can get and use for free. The OSSTMM and NIST/DISA checklists are good guides for evaluating the security of existing systems, the NIST guides are good for defining the best practices to manage systems securely, and the SoGP and ISO17799 offer standards to which the enterprise can be evaluated against. Managing IT security across the enterprise can certainly be a bewildering experience - many managers and systems administrators have problems simply deciding on where to start. But with the right guides and checklists the job can be greatly simplified and more easily understood.