Overview

This procedure was developed to identify and evaluate system and application vulnerabilities through research. This document defines accountability and a process that shows where to look for vulnerabilities that affect [Client] and how to access [Client] personalized resources. By adhering to the following guidelines, [Client] keep abreast of new vulnerabilities, exploits, viruses and worms. The primary party responsible for complying with these procedures is the Risk Management’s Information Security Officer (ISO). Instructions for the frequency at which the ISO (or designee) should be checking these resources is listed below.

Source Documentation/Information

• Cassandra Incident Response Database – https://cassandra.cerias.purdue.edu/user/logout.php A website developed by the Center for Education and Research in Information Assurance and Security (CERIAS). This site allows security professionals to build a profile that lists the vendors and OS’ that apply to their infrastructure. The site gets its information from the ICAT database maintained by NIST. This site is secured using SSL 128 bit encryption.

• The Internet Storm Center – http://isc.incidents.org/ Supported by the SysAdmin Audit Network Security Institute (SANS), a website that takes volunteered IDS logs from around the world (Over 3 million) and makes the statistics available on the internet free of charge. This web site is good to see what the top ten scanned ports are and the top ten IPs they are coming from.

• CERT Current Activity – http://www.cert.org/current/current_activity.html The CERT Coordination Center (CERT/CC) was formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988 in response to the needs identified during an Internet security incident. The CERT/CC is part of the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI), Carnegie Mellon University. The primary goal of the NSS Program is to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks.

• Secunia – http://www.secunia.com/advisories The Secunia Security Advisories list is free and designed for the IT professional who wants one source of information about the latest software vulnerabilities and security fixes. This site ranks the vulnerability based on a 1 – 5 ranking. Outstanding site for justifying the need for patches or mitigation.

• SecureFocus BugTraq Vulnerability Forum – http://online.securityfocus.com/archive/1 The Bugtraq forum is a site that lists all correspondence relating to vulnerabilities that may or may not be verified. There is a process once items are entered into the Bugtraq Forum where CERT reviews submitted issues, evaluates them and gives them a candidate number. After thorough evaluation, if the candidate is a true vulnerability, it will receive a CVE (Common Vulnerabilities and Exposures) designation.

• Microsoft Security Notification Service – http://www.microsoft.com/security/security_bulletins/decision.asp Microsoft TechNet offers the Microsoft Security Notification Service. These e-mail messages are geared toward IT professionals and contain in-depth technical information. This information will state the date the problem was found, what the problem is and how to mitigate the problem. In many cases the bulletins list “Mitigating Factors” that may make the vulnerability non-applicable or may heighten the need for action. The bulletins also have patch information available such as if a patch is available, where to get the patch and what the patch does.

• SANS Newsbites – http://portal.sans.org/register.php The SANS NewsBites is a weekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible. Spend five minutes per week to keep up with the high-level perspective of all the latest security news. Each issue is delivered weekly by email, Free.

• ICAT Database – http://icat.nist.gov/icat.cfm The ICAT Metabase is a searchable index of computer vulnerabilities. ICAT links users into a variety of publicly available vulnerability databases and patch sites. ICAT indexes the information available in CERT advisories, ISS X-Force, Security Focus, NT Bugtraq, Bugtraq, and a variety of vendor security and patch bulletins. ICAT is maintained by the National Institute of Standards and Technology. The ICAT DB is Uses the CVE naming standard.