8.4 Upgrading software to remediate vulnerabilities




One of the most frequently discussed areas of IT security during the last several years has been how long it takes to eradicate a vulnerability once it is identified. Many vulnerabilities can be reduced or eliminated simply by installing current patches. In the case of Code Red, for example, the patch for the IIS buffer overflow that the worm exploited had been available for about a month before the worm appeared in July 2001. Other vulnerabilities can be reduced or eliminated by configuring software in a more secure manner.

In addition to the software producer, several organizations provide guidance on the secure configuration of operating system and application software. The NSA, for example, provides the following publications at its Web site:

  • Guide to the Secure Configuration and Administration of iPlanet Web Server, Enterprise Edition 4.1

  • Guide to the Secure Configuration and Administration of Microsoft Internet Information Server 4.0

  • Guide to the Secure Configuration and Administration of Microsoft Internet Information Server 4.0 (Checklist Format)

  • Secure Configuration of the Apache Web Server, Apache Server Version 1.3.3 on Red Hat Linux 5.1

  • Microsoft NetMeeting 3.0 Security Assessment and Configuration Guide

  • The 60 Minute Network Security Guide

  • Guide to Securing Microsoft Internet Explorer 5.5 Using Group Policy

  • Guide to the Secure Configuration and Administration of Microsoft SQL Server 2000

  • Guide to Securing Netscape 7.02

Software configuration is controlled through a formal, structured configuration management process. This involves identifying the configuration of a system or component, controlling changes to that configuration, and maintaining the integrity and traceability of the configuration throughout the life cycle of the technology. Proper configuration management enables an organization to control and track the following:

  • The process for making changes to computers, applications, or network equipment

  • Who is authorized to make changes

  • Who made which changes to the systems or applications

  • What changes were made

  • When the changes were made

  • Why the changes were made
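The three configuration management activities above (identify the configuration, control changes to it, keep it traceable) can be made concrete with a small script. The following is an added illustration and not code from the book or from any of the NSA guides: it hashes a set of tracked configuration files into a baseline, reports drift when a file changes outside the process, refuses to record a change from anyone not on an assumed authorization list, and logs who changed what, when and why. The file names and contents are constructed sample data, and the `AUTHORIZED` set and the `CHG-` ticket reference are assumptions for the example.

```python
"""Configuration baseline and change-tracking example (added illustration).

Identify:  build_baseline() hashes each tracked configuration file.
Control:   record_change() only accepts changes from authorized people.
Trace:     every accepted change is logged with who / what / when / why.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumption for the example: the people allowed to change configuration.
AUTHORIZED = {"alice", "bob"}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Identify the configuration: map each tracked file to its current hash."""
    return {name: hash_file(os.path.join(root, name)) for name in names}


def detect_drift(root, baseline):
    """Return {file: (expected_hash, actual_hash)} for files that no longer
    match the baseline; a missing file has actual_hash None."""
    drift = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        actual = hash_file(path) if os.path.exists(path) else None
        if actual != expected:
            drift[name] = (expected, actual)
    return drift


def record_change(baseline, changelog, root, name, who, why, when=None):
    """Control a change: reject unauthorized actors; otherwise update the
    baseline for `name` and append a traceable change record."""
    if who not in AUTHORIZED:
        raise PermissionError(f"{who} is not authorized to change configuration")
    entry = {
        "who": who,
        "what": name,
        "old": baseline.get(name),
        "new": hash_file(os.path.join(root, name)),
        "when": when or datetime.now(timezone.utc).isoformat(),
        "why": why,
    }
    changelog.append(entry)
    baseline[name] = entry["new"]
    return entry


def demo():
    """Run the full cycle on constructed sample files in a temporary directory."""
    # Constructed sample configuration files (not real system files).
    files = {
        "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        "httpd.conf": "ServerTokens Prod\nServerSignature Off\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
        baseline = build_baseline(root, files)
        changelog = []
        clean_before = detect_drift(root, baseline)

        # Someone weakens sshd_config by hand, outside the change process.
        with open(os.path.join(root, "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        drift = detect_drift(root, baseline)

        # An unauthorized actor cannot bless the edit into the baseline.
        try:
            record_change(baseline, changelog, root, "sshd_config", "mallory", "looks fine")
            unauthorized_rejected = False
        except PermissionError:
            unauthorized_rejected = True

        # An authorized operator reverts the file and records why (CHG-1234 is assumed).
        with open(os.path.join(root, "sshd_config"), "w") as f:
            f.write(files["sshd_config"])
        entry = record_change(baseline, changelog, root, "sshd_config", "alice",
                              "CHG-1234: reverted unauthorized PermitRootLogin change")
        return {
            "clean_before": clean_before,
            "drift_files": sorted(drift),
            "unauthorized_rejected": unauthorized_rejected,
            "drift_after": detect_drift(root, baseline),
            "log_entries": len(changelog),
            "who": entry["who"],
            "reverted_to_original": entry["new"] == entry["old"],
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline and change log would live somewhere the people being tracked cannot silently edit (a separate host, a signed store, or the configuration management database itself); the point of the example is only that drift detection, authorization and an auditable record are three distinct checks that all have to exist.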






Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
Year: 2003
Pages: 248
