New computer security guides available

By William Jackson

The National Institute of Standards and Technology has updated its 
security guidelines for dealing with active content, providing an 
overview for active content and mobile code in use today and laying out 
a framework for making security decisions about its use within an 

A draft of Special Publication 800-28 Revision 2 [1], titled “Guidelines 
on Active Content and Mobile Code,” has been released for public 

NIST also has released its Common Vulnerability Scoring System (CVSS), a 
scheme for developing common descriptors of information technology 
vulnerabilities. CVSS scores are used in the National Vulnerability 

In SP 800-28, NIST defines active content as “broadly speaking … 
electronic documents that can carry out or trigger actions automatically 
without an individual directly or knowingly invoking the actions.”

Incorporating active content such as Java applets, JavaScript and other 
scripts, and macros can add to the functionality of documents, e-mails, 
Web pages and files in a wide variety of formats, but NIST calls their 
security vulnerabilities “insidious.” The expanding use of these 
technologies is becoming common in a range of products and services, on 
desktop computers, servers and gateway devices.

NIST offers four broad guidelines for organizations in dealing with 
active content:

    * Understand the concept of active content and how it affects the 
      security of their systems

    * Develop policies for active content, including both its creation 
      within the organization and its reception from outside

    * Be aware of the specific benefits from using active content and 
      balance them against the associated risks and

    * Maintain consistent systemwide security when configuring and 
      integrating products involving active content in their 

Comments on version 2, SP 800-28 should be e-mailed by Oct. 12 to 
800-28comments (at) with “Comments on SP 800-28” typed into the 
subject line.

The Common Vulnerability Scoring System [2] is being released in its 
final form. The scheme includes scores for vulnerabilities from 0 to 
10 in each of three groups: a base score that represents the intrinsic 
threat represented by the vulnerability; a temporal group that reflects 
characteristics of a vulnerability that change over time; and an 
environmental group reflecting the characteristics of a vulnerability 
unique to a user’s environment.

CVSS scores can be used with security categories defined in Federal 
Information Processing Standard 199 to obtain impact scores tailored to 
an agency’s environment.
