Phase 1: Writing Good Guidance

Approved for Public Release. Distribution Unlimited. Case 08-1493
©2008 The MITRE Corporation. All rights reserved

Introduction
• Creating contents of guide
• Deciding…
  – What to recommend
  – How to structure the guide
  – How to write recommendations and supporting data clearly
• MITRE developed procedures that support creating guidance efforts

How do you know what to recommend?
• Deployment options
• Installation and configuration
• Accounts and passwords
• Security features
• Product key features
• Expected product usage
• Services the product provides / does not provide
• Documented attacks against prior versions of the product help to understand possible threats

Structure Guide Content
Create:
• Recommendation: What security-relevant action to take
• Rationale: Why the action should be taken
• How To: How to carry out the action
• Compliance Check (Optional): Discussed in Investigate phase

Create -> Rule
Recommendation: What
Rationale: Why
How To: How

• Users should change their passwords often
• Limit access to the Oracle Application Server configuration files
• Set the “log_trace” control in the msd.conf file to record messages necessary
• Restrict ...