


http://www.gcn.com/online/vol1_no1/46398-1.html



By William Jackson

GCN.com

06/05/08



The National Institute of Standards and Technology is developing a

system of standardized measurements to evaluate the impact of security

configurations on operating systems and applications.



"Each security configuration decision can have positive and negative

effects of varying degrees to the security of a host," NIST's draft

document states. "Without a standardized way to quantify these effects,

organizations cannot easily make sound decisions as to how each security

issue should be addressed, nor can they quantitatively determine the

overall security strength or weakness for a host."



The draft [1] of "Interagency Report 7502: The Common Configuration

Scoring System" has been released for public comment.



The report proposes a set of measures for security configuration issues

and a formula to combine those measures into scores for each issue,

collectively called the Common Configuration Scoring System (CCSS). It

is derived from the Common Vulnerability Scoring System (CVSS) for

measuring the relative severity of vulnerabilities caused by software

flaws. CCSS adjusts the basic components of CVSS to focus on security

configuration issues rather than software flaws.



Initially, CCSS addresses only the characteristics of a configuration
issue that are constant over time and across environments: how readily
the weakness could be exploited (exploitability) and how exploitation
could affect the host (impact). These characteristics are the base
metrics, and they are the inputs to the equation that calculates a base
score.
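As an added worked example (not code from the article or from the NISTIR 7502 draft), the following Python computes a base score from the six base metrics the way the CVSS v2 equation does: an exploitability side (access vector, access complexity, authentication) and an impact side (confidentiality, integrity, availability), folded together and rounded to one decimal. CCSS keeps this structure while redefining the metrics for configuration issues; those CCSS-specific adjustments are not reproduced here, so what runs below is the CVSS v2 base equation that CCSS is derived from. The metric weights are CVSS v2's published constants; the vector strings passed in are constructed samples.

```python
"""CVSS v2 base-score calculation, the equation CCSS adapts.

Added example: reproduces the CVSS v2 base equation and weights. It is
not code from NISTIR 7502 and does not include CCSS's configuration-
oriented redefinition of the metrics.
"""
import math

# Exploitability-side weights (CVSS v2).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # local, adjacent, network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # high, medium, low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # multiple, single, none
# Impact-side weights (CVSS v2): none, partial, complete.
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Parse a base vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        key, _, value = part.partition(":")
        metrics[key] = value
    missing = [k for k in REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"vector is missing metrics: {missing}")
    return metrics


def round_1(x: float) -> float:
    """Round half up to one decimal place."""
    return math.floor(x * 10 + 0.5) / 10


def exploitability(m: dict) -> float:
    """Exploitability subscore: 20 * AV * AC * Au (max 10.0)."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] \
        * AUTHENTICATION[m["Au"]]


def impact(m: dict) -> float:
    """Impact subscore: 10.41 * (1 - (1-C)(1-I)(1-A)) (max ~10.0)."""
    return 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]])
                    * (1 - IMPACT[m["A"]]))


def base_score(vector: str) -> float:
    """Combine the two subscores into the 0.0-10.0 base score.

    The f(Impact) factor zeroes the score when there is no impact at all,
    so a reachable-but-harmless issue scores 0.0 rather than a small value.
    """
    m = parse_vector(vector)
    imp = impact(m)
    exp = exploitability(m)
    f_impact = 0 if imp == 0 else 1.176
    return round_1(((0.6 * imp) + (0.4 * exp) - 1.5) * f_impact)


def rank_issues(issues: dict) -> list:
    """Score a mapping of issue name -> base vector, highest score first."""
    scored = [(name, base_score(vec)) for name, vec in issues.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample configuration issues (vectors are illustrative).
    sample = {
        "telnet service enabled":      "AV:N/AC:L/Au:N/C:C/I:C/A:C",
        "world-writable temp script":  "AV:L/AC:L/Au:N/C:C/I:C/A:C",
        "verbose banner leaks version": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
        "unused local service":        "AV:L/AC:H/Au:M/C:N/I:N/A:N",
    }
    for name, score in rank_issues(sample):
        print(f"{score:4.1f}  {name}")
```

The impact side uses a multiplicative "at least one of C/I/A is affected" combination, so two partial impacts are not simply added; that is why AV:N/AC:L/Au:N/C:P/I:P/A:P lands on 7.5 while full compromise of all three lands on 10.0.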



NIST plans to expand CCSS to include environmental metrics, which

represent characteristics unique to a particular environment.



Comments on the draft of CCSS should be e-mailed by July 3 to

IR7502comments (at) nist.gov with "Comments IR 7502" in the subject

line.



[1] http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf




