30 pages

Español

Benchmark Development Course

Thiwyig - Lisa Nordman

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

30 pages

Español

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Phase 1: Writing Good Guidance1 2 3 4 5 2 3Approved for Public Release. Distribution Unlimited. Case 08‐14931MITRE©2008 The MITRE Corporation. All rights reservedIntroduction• Creating contents of guide• Deciding…– What to recommend– How to structure the guide– How to write recommendations and supporting data clearly • MITRE developed procedures that support creating guidance efforts©2008 The MITRE Corporation. All rights reserved 2How do you know what to recommend?• Deployment options• Installation and configuration • Accounts and Passwords • Security features • Product key features • Expected product usage• Services provides / does not provide • Documented attacks against prior versions of product helps to understand possible threats ©2008 The MITRE Corporation. All rights reserved 3Structure Guide Content4©2008 The MITRE Corporation. All rights reservedCreateWhatsecurity‐relevant action to takeRecommendation Whythe action should be takenRationale HowTo Howto carry out the action Compliance CheckDiscussed in Investigate phase(Optional)©2008 The MITRE Corporation. All rights reserved 5Recommendation: WhatRationale: WhyCreate ‐> Rule How To: How• Users should change their passwordsoften• Limit access to the Oracle Application Server configuration files • Set the “log_trace”control in the msd.conffile to record messagesnecessary • Restrict ...

Informations

Publié par	Thiwyig
Nombre de lectures	30
Langue	Español

Extrait

Phase 1: Writing Good Guidance

Introduction

•Creating contents of guide •Deciding What to recommend How to structure the guide How to write remmcosneaditno and supporting data clearly •MITRE developed procedures that support creating guidance efforts

How do you know what to recommend?

ployment options tallation and configuration counts and Passwords urity features duct key features

Expected product usage Services product provides / does not pro vide Doc umented attacks against prior ion vers s of product helps to understand possible thre ats

Structure Guide Content

Recommendation

Rationale

HowTo

Compliance Check (Optional)

Create

Whatsecurity‐relevant action to take

Whythe action should be taken

Howto carry out the action

Discussed in Investigate phase

mes oerocdrceneegassyssra el thtarecgot_• Senoc.dsm t elif frontco he tinl

•Restrict access to the C:\Windows folder for non‐authenticated users

•Limit access to the Oracle plApaticnio Server cifnoarugtion files

Recommendation: What Create‐> Rule Rationale: Why How To: How

•Users s h o u l d c h a n g e their passwords often

What do Administrators Need?

Recommendations that are: Unambiguous Clear and concise Directive (imperative form) Measurable, if possible

Recommendation: What Create‐> Rule Rationale: Why How To: How

•

Writing Style Guidelines

Always use imperative voice (Enable screen saver)

Put the word only close to the word(s) it modifies Do not use the words restrict or limit

Imperative Voice

Imperative voice is direct and clearly states that an action is taken. Passive voice is weaker and wordier.

For example: Do not say It is recommended that the NSA guide on Windows Server 2003 be applied.

Do say Apply the NSA guide on Windows Server 2003.

accreadon tess Olnas yol w ylat noo Do ln yda Allwo.Do saystratorsda inimredlrof owndfos CheWi:\re.ofdlwo sWind C:\the to ssecca daer evaho trstorastnimi10

Putting only at a distance from the word it modifies often creates an ambiguous statement.

For example: If you want to say that only miadstniarotsr should have read access to the C:\Windows folder:

Only

Restrict & Limit

Restrict and limit often make the sentence in which they appear ambiguous. They are too vague. Be specific.

For example: Restrict access to the C:\Windows folder for non‐authenticated users.  ‐Only non‐tuaedhenticat users have access to the C:\Windows folder. ‐Non‐ditneetacauth users have some access to the C:\Windows folder. ‐Non‐detacitnehtua users have access to only the C:\Windows folder. Do say Allow only authenticated users to have access to the C:\Windows folder.