U. S. Department Of
U. S. Department Of Commerce Abbreviated Certification
Methodology For Sensitive Information Technology
Abstract: The purpose of this document is to provide guidance on appropriate procedures to follow in performing the technical certification evaluations of all sensitive and classified national security systems within the Department.
Improving The Security Of Your Unix System
Abstract: Many useful guidelines for improving the security of your unix system. UNIX system security can be divided into three main areas of concern. Two of these areas, account security and network security, are primarily concerned with keeping unauthorized users from gaining access to the system. The third area, file system security, is concerned with preventing unauthorized access, either by legitimate users or crackers, to the data stored in the system. This paper describes the UNIX security tools provided to make each of these areas as secure as possible.
Improving the Security of Your Site by Breaking Into
Abstract: In this paper we will take an unusual approach to system security. Instead of merely saying that something is a problem, we will look through the eyes of a potential intruder, and show "why" it is one. We will illustrate that even seemingly harmless network services can become valuable tools in the search for weak points of a system, even when these services are operating exactly as they are intended to. In an effort to shed some light on how more advanced intrusions occur, this paper outlines various mechanisms that crackers have actually used to obtain access to systems and, in addition, some techniques we either suspect intruders of using, or that we have used ourselves in tests or in friendly/authorized environments.
A Guideline On Office Automation Security
Abstract: Office Automation Systems (OA systems) are small, microprocessor-based Automated Information Systems that are used for such functions as typing, filing, calculating, sending and receiving electronic mail, and other data processing tasks. They are becoming commonly used by managers, technical employees, and clerical employees to increase efficiency and productivity. Examples of OA systems include personal computers, word processors, and file servers. This guideline provides security guidance to users of OA systems, to the ADP System Security Officers responsible for their operational security, and to others who are responsible for the security of an OA system or its magnetic storage media at some point during its life-cycle. This guideline explains how OA system security issues differ from those associated with mainframe computers. It discusses some of the threats and vulnerabilities of OA systems, and some of the security controls that can be used. It also discusses some of the environmental considerations necessary for the safe, secure operation of an OA system. This guideline suggests some security responsibilities of OA system users, and of ADP System Security Officers. Also described are some of the security responsibilities of the organization that owns or leases the OA system. In addition, guidance is given to the procurement officer who must purchase OA systems or components, and guidance is also provided to the officer who is responsible for securely disposing of OA systems, components, or the associated magnetic media. This document is issued as a National Telecommunications and Information Systems Security Advisory Memorandum, and is therefore intended as guidance only. Nothing in this guideline should be construed as encouraging or permitting the circumvention of existing Federal Government or organizational policies.
National Institute of
Standards and Technology,
An Introduction to Computer Security: The NIST Handbook
Abstract: The purpose of this Handbook is to assist managers in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. Such knowledge is vital for managers to make informed decisions in selecting cost-effective, appropriate controls to protect systems in their unique operating and threat environments. The Handbook provides a broad overview of the field of computer security. It assists the readers understanding of their computer security needs and to develop a sound approach to the selection of appropriate security controls. The document does not, however, describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. References of how-to-too books and articles that give further information are also provided.
John P. Wack,
Establishing a Computer Security Incident Response Capability
Abstract: Government agencies and other organizations have begun to augment their computer security efforts because of increased threats to computer security. Incidents involving these threats, including computer viruses, malicious user activity, and vulnerabilities associated with high tech nology, require a skilled and rapid response before they can cause significant damage. These increased computer security efforts, described here as Computer Security Incident Response Capabilities (CSIRCs), have as a primary focus the goal of reacting quickly and efficiently to com puter security incidents. CSIRC efforts provide agencies with a centralized and cost-effective approach to handling computer security incidents so that future problems can be efficiently resolved and prevented.
US Department of
FEDERAL GUIDELINES FOR SEARCHING AND SEIZING
Abstract: As computers and telecommunications explode into the next century, prosecutors and agents have begun to confront new kinds of problems. These Guidelines illustrate some of the ways in which searching a computer is different from searching a desk, a file cabinet, or an automobile. For example, when prosecutors must interpret Rule 41 (which requires that the government obtain a search warrant in the district where the property to be searched is "located"), applying it to searches of physical items is usually uncomplicated. But when they must try to "locate" electronic data, the discussion can quickly become more metaphysical than physical. Even so, it is important to remember throughout the process that as dazzling and confounding as these new-age searches and seizures may be, they are in many essential ways just like all other searches. The cause must be just as probable; the description of items, just as particular. The standard investigative techniques that work in other cases (like finding witnesses and informants) are just as valuable in computer cases. The evidence that seals a case may not be on the hardware or software, but in an old-fashioned form: phone bills, notes in the margins of manuals, or letters in a drawer. The sections that follow are an integration of many legal sources, practical experiences, and philosophical points of view. We have often had to extrapolate from existing law or policies to try to strike old balances in new areas. We have done our best to anticipate the questions ahead from the data available today. Even so, we recognize that rapid advances in computer and telecommunications technologies may require that we revisit these Guidelines, perhaps in the near future. In the meantime, as law struggles to catch up to technology, it is important to remember that computer cases are just like all others in one respect at least: under all the "facts and circumstances," there is no substitute for reasonable judgment.
Guidelines for Formal Verification Systems
Abstract: This document explains the requirements for formal verification systems that are candidates for the NCSC's Endorsed Tools List (ETL).  This document is primarily intended for developers of verification systems to use in the development of production-quality formal verification systems. It explains the requirements and the process used to evaluate formal verification systems submitted to the NCSC for endorsement.
National Institute of
Standards and Technology,
Computer User's Guide to the Protection of Information
Abstract: Today's computer technology, with microcomputers and on-line access, has placed the power of the computer where it belongs, in YOUR hands. YOU, the users, develop computer applications and perform other data processing functions which previously were only done by the computer operations personnel. These advances have greatly improved our efficiency and effectiveness but, also present a serious challenge in achieving adequate data security.
Abstract: This directory contains the general information of "Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery".
Russell L. Brand, Coping
with the Threat of Computer Security Incidents. A Primer from
Prevention through Recovery
Abstract: As computer security becomes a more important issue in modern society, it begins to warrant a systematic approach. The vast majority of the computer security problems and the costs associated with them can be prevented with simple inexpensive measures. The most important and cost effective of these measures are available in the prevention and planning phases. These methods are presented followed by a simplified guide to incident handling and recovery.
Abstract: This directory contains some documents of the Rainbow series.
Richard D. Pethia, Stephen D. Crocker, Barbara Y. Fraser, RFC
1281: Guidelines for the Secure Operation of the
Abstract: The purpose of this document is to provide a set of guidelines to aid in the secure operation of the Internet. During its history, the Internet has grown significantly and is now quite diverse. Its participants include government institutions and agencies, academic and research institutions, commercial network and electronic mail carriers, non-profit research centers and an increasing array of industrial organizations who are primarily users of the technology. Despite this dramatic growth, the system is still operated on a purely collaborative basis. Each participating network takes responsibility for its own operation. Service providers, private network operators, users and vendors all cooperate to keep the system functioning. It is important to recognize that the voluntary nature of the Internet system is both its strength and, perhaps, its most fragile aspect. Rules of operation, like the rules of etiquette, are voluntary and, largely, unenforceable, except where they happen to coincide with national laws, violation of which can lead to prosecution. A common set of rules for the successful and increasingly secure operation of the Internet can, at best, be voluntary, since the laws of various countries are not uniform regarding data networking. Indeed, the guidelines outlined below also can be only voluntary. However, since joining the Internet is optional, it is also fair to argue that any Internet rules of behavior are part of the bargain for joining and that failure to observe them, apart from any legal infrastructure available, are grounds for sanctions.
R. Pethia, S. Crocker, Barbara Y. Fraser,
Guidlines for the Secure Operation of the Internet
Abstract: This memo provides a set of guidelines to aid the secure operation of the internet community, it does not specify an internet standard. It address teh entire internet community, consisting of users, hosts local, regional, domestic and international backbone networks, and vendors who supply operating systems, routers, network management tools, workstations and other network components
Security References Bib
Abstract: This document contains a list of computer security books' information. It includes author, title, year, institution, etc.
Enhancing Security of Unix Systems
Abstract: This paper examines the common threats to data security in open systems highlighting some of the more recent threats, and looks at some of the tools and techniques that are currently available to enhance the security of a Unix system. Since many programs are written without security issues in mind, the topic of secure programming methodologies is also discussed, with some examples of coding techniques that avoid security vulnerabilities.
The Australian Computer
Emergency Response Team,
UNIX Computer Security Checklist (Version 1.0)
Abstract: The Australian Computer Emergency Response Team has developed a checklist which covers common and known security holes under the UNIX Operating System. It is based around recently discovered security vulnerabilities and other checklists which are readily available.
Built by Mark Crosbie and Ivan Krsul.
Security Archive Homepage.
COAST Project (CERIAS)Page.
Purdue CS Dept page.