[ISN] ITL Bulletin for April 2004

[InfoSec News]

Forwarded from: Elizabeth Lennon <elizabeth.lennon at nist.gov>

ITL BULLETIN FOR APRIL 2004

SELECTING INFORMATION TECHNOLOGY SECURITY PRODUCTS
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Information technology security products are essential to better
secure information technology (IT) systems, and many products to
protect IT systems are available in the marketplace today. But IT
security products alone will not guarantee that an organization's IT
systems are secure.  Security products should be selected and used
within the organization's overall program to manage the design,
development, and maintenance of its IT security infrastructure, and to
protect the confidentiality, integrity, and availability of its
mission-critical information.

The foundation for the selection of IT security products is a
comprehensive information security management program, including risk
management procedures that are applied throughout the System
Development Life Cycle (SDLC). The risk management process enables
organizations to analyze their systems for security, to identify
appropriate and cost-effective controls, to select and use security
products that will protect their information and information systems,
and to monitor the effectiveness of the controls.  Management,
operational, and technical controls are needed to support security
objectives and to protect information.

Guide to Selecting Information Technology Security Products

NIST's Information Technology Laboratory published Special Publication
(SP) 800-36, Guide to Selecting Information Technology Security
Products, to help organizations select cost-effective and useful
products for their systems.  Written by Timothy Grance, Marc Stevens,
and Marissa Myers, NIST SP 800-36 defines broad security product
categories and specifies product types, product characteristics, and
environment considerations within those categories. This ITL Bulletin
summarizes the publication, which is available at
http://csrc.nist.gov/publications.

The guide presents pertinent questions that an organization should ask
when selecting a product from within the categories. As security
products evolve and change, organizations can modify the questions to
be asked to fit their particular needs. When used with other NIST
publications, including those listed in the More Information section
at the end of this bulletin, the guide will help organizations develop
a comprehensive approach to managing their IT security and information
assurance requirements.

In its March 2004 report, "Information Security:  Technologies to
Secure Federal Systems," the U.S. General Accounting Office (GAO)
referred to the product selection guide, as well as other NIST
publications. The GAO report discusses commercially available,
state-of-the-practice cybersecurity technologies that federal agencies
can use to secure their information systems, and states, "these
technologies implement the technical controls that NIST recommends
federal agencies deploy in order to effectively meet federal
requirements." The GAO emphasizes the importance of developing a
framework and a continuing cycle of activity to assess risks,
implement effective security procedures, and monitor the effectiveness
of the procedures. GAO 04-467 is available at http://www.gao.gov/.

Who Selects Security Products for an Organization

People throughout the organization may be involved in product
selection at both the individual and the group level. All should be
aware of the importance of security in the organization's information
infrastructure and the security impacts of their decisions. People
involved include the following:

* IT Security Program Manager, who is responsible for developing
  enterprise standards for IT security;

* Chief Information Officer, who is responsible for the organization's
  IT planning, budgeting, investment, performance, and acquisition;

* IT Investment Board (or equivalent), which is responsible for
  planning and managing the capital planning and investment control
  process for federal agencies, as specified in the Information
  Technology Management Reform Act of 1996 (Clinger-Cohen Act);

* Program Manager, who owns the data, initiates the procurement, is
  involved in strategic planning, and is aware of functional system
  requirements;

* Acquisition Team, which is composed of representatives from program,
  technical, and contracting areas of the organization and which
  provides a balanced perspective of cost and schedule considerations;

* Contracting Officer, who has authority to enter into, administer,
  and terminate contracts;

* Contracting Officer's Technical Representative, who is appointed by
  the Contracting Officer to manage the technical aspects of a
  particular contract;

* IT System Security Officer, who is responsible for ensuring the
  security of an information system throughout its life cycle; and

* Other participants, who may include the system certifier and
  accreditor, system users, and people representing information
  technology, configuration management, design, engineering, and
  facilities groups.

Using the Risk Management Process in Product Selection

Before selecting specific products, organizations should review the
current status of their security programs and the security controls
planned or in place to protect their information and information
systems. Organizations should use the risk management process to
identify the effective mix of management, operational, and technical
security controls that will mitigate risk to an acceptable level.

The Secretary of Commerce recently approved Federal Information
Processing Standard (FIPS) 199, Standards for Security Categorization
of Federal Information and Information Systems, for use by federal
government organizations (available at
http://csrc.nist.gov/publications/fips/). The new standard helps
federal agencies identify and prioritize their most important
information and information systems by defining the maximum impact
that a breach in confidentiality, integrity, or availability could
have on the agency's operations, assets, and/or individuals. The
security categorization serves as the starting point for the selection
of security controls that are commensurate with the importance of the
information and information system to the agency, and then for the
selection of appropriate security products. Draft NIST SP 800-53,
Recommended Security Controls for Federal Information Systems,
provides recommendations for minimum-security controls associated with
the various security categories defined in FIPS 199.  Organizations
may adjust the set of recommended controls based on local risk
assessments.

After systems and products are in place, the controls should be
monitored for effectiveness throughout the system life cycle.

Products Discussed

NIST SP 800-36 provides information about the following IT security
product categories, including the types of products in each category,
the product characteristics, and the environment considerations for
each category:

* Identification and Authentication products including security
  tokens, authentication protocols, and biometric control systems;

* Access Control products including access control lists and role
  based access control systems;

* Intrusion Detection products including network-based, host-based,
  and application-based systems;

* Firewall products that control the flow of network traffic between
  networks or between a host and a network;

* Public Key Infrastructure systems that manage cryptographic key
  pairs and associate key holders with their public keys;

* Malicious Code Protection systems including malicious code scanners,
  integrity checkers, vulnerability monitors, and improper behavior
  blockers;

* Vulnerability Scanners that examine servers, workstations,
  firewalls, and routers for known vulnerabilities;

* Forensic systems that identify, preserve, extract, and document
  computer-based evidence; and

* Media Sanitizing products that remove data from or modify storage
  media so that the data cannot be retrieved and reconstructed.

Organizational, Product, and Vendor Considerations

The guide discusses the characteristics of products in each of these
categories and recommends that organizations consider organizational,
product, and vendor issues when selecting IT security products. These
issues are presented as specific questions to be asked by
organizations selecting information technology security products:

* Organizational considerations

- Need for product to mitigate risk

- Identification of user community

- Relationship between product and organization's mission

- Sensitivity of data to be protected

- Support for security requirements in security plan, 
  policies, and procedures

- Identification of the organization's security 
  requirements and comparison to product specifications

- Consideration of threat environment and security 
  functions needed to mitigate risks

- Consideration of the use of tested products

- Need for firewalls, intrusion detection systems, or other 
  boundary controllers

- Impact of product on operational environment, 
  maintenance, and training

- Requirements for support, plug-in components, or middleware

* Product considerations

- Review of lists of validated products, including those 
  products validated under the joint NIST/Communications 
  Security Establishment of Canada Cryptographic Module 
  Validation Program (CMVP) and the National Information 
  Assurance Partnership (NIAP) Common Criteria Evaluation and 
  Validation Scheme (CCEVS), jointly managed by NIST and the 
  National Security Agency

- Review of product vulnerabilities

- Test and implementation of patches

- Review of protection profiles

- Review of total life cycle costs, including acquisition 
  and support

- Ease of use, scalability, and interoperability requirements

- Test requirements for acceptance and integration testing, 
  and for configuration management

- Known vulnerabilities of products

- Implementation requirements for relevant patches

- Requirements and methods for reviewing product 
  specifications against existing and planned organizational 
  programs, policies, procedures, and standards

- Security critical dependencies with other products and 
  interactions with the existing infrastructure

* Vendor considerations

- Impact of the selection of a particular product on future 
  security choices

- Vendor experience with the product

- Vendor history in responding to security flaws in its products

All of these considerations may not apply in all cases to all
organizations. The questions posed in the guide can be modified to
meet the specific conditions of organizations and help them reach
decisions that support their requirements and that provide the
appropriate level of protection.

More Information

For a list of references to publications and to web pages with
information that can help you in planning and implementing a
comprehensive approach to information technology security, consult
Appendix A of NIST SP 800-36.

NIST Special Publications, including the following, are available in
electronic format from ITL's Computer Security Resource Center at
http://csrc.nist.gov/publications.

NIST SP 800-12, An Introduction to Computer Security: The NIST
Handbook, provides guidance on the fundamentals of information system
security.

NIST SP 800-14, Generally Accepted Principles and Practices for
Securing Information Technology Systems, explains approaches and
methods that can be used to secure information systems.

NIST SP 800-18, Guide for Developing Security Plans for Information
Technology Systems, discusses developing and updating security plans.

NIST SP 800-21, Guideline for Implementing Cryptography in the Federal
Government, provides guidance to federal agencies on selecting
cryptographic controls to protect sensitive, unclassified information.

NIST SP 800-23, Guidelines to Federal Organizations on Security
Assurance and Acquisition/Use of Tested/Evaluated Products, discusses
the concept of assurance in the acquisition and use of security
products.

NIST SP 800-26, Security Self Assessment Guide for Information
Technology Systems, helps organizations determine the status of their
information security programs and establish targets for improvement.

NIST SP 800-27, Engineering Principles for Information Technology
Security: A Baseline for Achieving Security, presents the system-level
security principles that should be considered in the design,
development, and operation of an information system (draft revision
available at http://csrc.nist.gov/publications/drafts.html).

NIST SP 800-30, Risk Management Guide for Information Technology
Systems, discusses the risk-based approach to security and provides
guidance on conducting risk assessments (draft revision available at
http://csrc.nist.gov/publications/drafts.html).

NIST SP 800-31, Intrusion Detection Systems (IDSs), and 
NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, provide
information on using and deploying IDSs and firewalls.

NIST SP 800-33, Underlying Technical Models for Information Technology
Security, provides information on IT security engineering principles
and concepts for IT systems.

NIST SP 800-35, Guide to Information Technology Security Services,
covers evaluating, selecting, and managing security services
throughout the system life cycle.

NIST SP 800-37, Guide for the Security Certification and Accreditation
of Federal Information Systems, describes the fundamental concepts of
the certification and accreditation processes, and details the various
tasks in the processes (available in final draft at
http://csrc.nist.gov/publications/drafts.html).

NIST SP 800-42, Guidelines on Network Security Testing, describes
available security testing techniques, their strengths and weaknesses,
and the recommended frequencies for testing as well as strategies for
deploying network security testing.

NIST SP 800-44, Guidelines on Securing Public Web Servers, assists
organizations in installing, configuring, and maintaining secure
public web servers.

NIST SP 800-53, Recommended Security Controls for Federal Information
Systems, provides information about selecting security controls to
meet the security requirements for the system (available in draft at
http://csrc.nist.gov/publications/drafts.html).

NIST SP 800-60, Guide for Mapping Types of Information and Information
Systems to Security Categories, provides guidance in assigning
security categories and analyzing the impact of risks, based on
security categorization definitions in FIPS 199 (available in draft at
http://csrc.nist.gov/publications/drafts.html).

NIST SP 800-64, Security Considerations in the Information System
Development Life Cycle, discusses the analysis of system security
requirements and methods for incorporating security into IT
procurements.

Disclaimer
Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply
recommendation or endorsement by NIST nor does it imply that the
products mentioned are necessarily the best available for the purpose.