S 2.35 Obtaining information on security weaknesses of the system
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Administrator
When security gaps become known or are disclosed in publications, the required organisational and administrative measures must be taken. Security-related updates or patches for the hardware and software in use may need to be installed (see also S 2.273 Prompt installation of security-relevant patches and updates). If no corresponding updates or patches are available, additional security hardware and/or software may need to be employed.
Therefore, it is very important that the system administrators inform themselves regularly about newly discovered vulnerabilities. Examples of sources of information on this subject are:
- Federal Office for Information Security (BSI) (see http://www.bsi.bund.de/)
- manufacturers or distributors of programs and operating systems. In many cases, they inform registered customers about detected security gaps in their systems and provide them with corrected versions of the system or patches for remedying those gaps.
- Computer Emergency Response Teams (CERTs).
These are organisations which provide a central point of contact for preventive and reactive safeguards concerning security-related incidents in computer systems. In Advisories, CERTs supply information on current vulnerabilities in hardware and software products and provide recommendations on how to remedy them. Various organisations or associations have their own CERTs.
The original CERT at Carnegie Mellon University served as a model for many other teams and today acts as a kind of "umbrella CERT":
Computer Emergency Response Team / Coordination Center (CERT/CC), Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890,
telephone: +1-412-268-7090 (24 hour hotline), e-mail: cert@cert.org, WWW: http://www.cert.org/
CERT messages are published in newsgroups (comp.security.announce and info.nsfnet.cert) and through a mailing list (subscribe by e-mail to cert-advisory-request@cert.org).
In Germany, among others, the following CERTs exist:
- CERT-Bund, Federal Office for Information Security, P.O.B. 20 03 63, D-53133 Bonn, telephone: 0228 99-9582-222, fax: 0228 99-9582-5427, e-mail: certbund@bsi.bund.de, WWW: https://www.bsi.bund.de/certbund/
- DFN-CERT, Zentrum für sichere Netzdienste GmbH, Heidenkampsweg 41, D-20097 Hamburg, telephone: 040-808077-555, fax: 040-808077-556, e-mail: info@dfn-cert.de, WWW: http://www.dfn-cert.de. The DFN-CERT offers various mailing lists, see http://www.dfn-cert.de/infoserv/dml.html.
- Various universities have CERTs which also make information publicly available. An example is the RUS-CERT of the University of Stuttgart (see http://cert.uni-stuttgart.de).
- manufacturer-specific, system-specific and security-specific newsgroups or mailing lists. Such forums are used to discuss indications of existing or suspected security gaps or errors in various operating systems and other software products. English-language mailing lists such as Bugtraq are often particularly up to date. They can be accessed through public archives, for example at http://www.securityfocus.com.
- some IT trade journals also regularly publish articles providing an overview of new security gaps in various products.
The administrators and the IT Security Officer should obtain information on security gaps from at least two different institutions. For this purpose it is recommended to use an "independent" source of information in addition to the manufacturer's own announcements.
In any case, the administrators should also use the manufacturer's product-specific information sources, for example in order to know whether patches or updates are provided for a specific product when security gaps are discovered. For products for which the manufacturer no longer provides security patches, it must be checked in advance whether their continued use can still be justified under these circumstances and which additional safeguards can be employed to protect the affected systems.
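The following is an added example, not part of the BSI catalogue: it shows how an administrator can turn the two requirements above (corroboration by at least two institutions, and a decision for products without a vendor patch) into a repeatable triage step. The advisories, product names, version numbers and host names are all constructed for illustration; a real run would load the inventory from the organisation's asset register and the advisories from the vendor, CERT-Bund or DFN-CERT mailing lists listed earlier.

```python
# Added example (not from the BSI catalogue): correlate advisories from several
# sources with an asset inventory and derive the action S 2.35 / S 2.273 require.
# All products, versions, hosts and advisories below are constructed.
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'2.4.10' -> (2, 4, 10); tuples compare numerically, so 2.4.10 > 2.4.9."""
    return tuple(int(part) for part in text.split("."))


def format_version(version: tuple) -> str:
    return ".".join(str(part) for part in version)


@dataclass(frozen=True)
class Advisory:
    source: str                 # publishing institution (vendor or independent CERT)
    product: str
    affected_below: tuple       # every version older than this is affected
    fixed_in: Optional[tuple]   # None: the vendor provides no patch


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple
    vendor_supported: bool      # False: vendor no longer ships security patches


# Constructed inventory and advisories (hypothetical products and versions).
INVENTORY = [
    Asset("web01", "ExampleHTTPd", parse_version("2.4.1"), vendor_supported=True),
    Asset("app01", "ExampleHTTPd", parse_version("2.4.7"), vendor_supported=True),
    Asset("db01", "ExampleDB", parse_version("9.2.0"), vendor_supported=False),
]
ADVISORIES = [
    Advisory("vendor", "ExampleHTTPd", parse_version("2.4.5"), parse_version("2.4.5")),
    Advisory("DFN-CERT", "ExampleHTTPd", parse_version("2.4.5"), parse_version("2.4.5")),
    Advisory("CERT-Bund", "ExampleDB", parse_version("9.3.0"), None),
]


def classify(asset: Asset, hits: list, minimum_sources: int) -> dict:
    """Derive the required action from the advisories that match one asset."""
    fixes = [a.fixed_in for a in hits if a.fixed_in is not None]
    sources = sorted({a.source for a in hits})
    if fixes:
        # A patch exists: S 2.273, install promptly (highest fixed version wins).
        action, detail = "patch", "install " + format_version(max(fixes))
    elif not asset.vendor_supported:
        # No patch and no vendor support: justify continued use or replace.
        action, detail = "justify_or_replace", "no vendor support; compensating safeguards or retirement"
    else:
        # Supported product, no patch yet: additional technical/organisational safeguards.
        action, detail = "mitigate", "no patch yet; apply additional safeguards until one ships"
    return {
        "product": asset.product,
        "version": format_version(asset.version),
        "sources": sources,
        # Reported by at least two institutions, as S 2.35 recommends.
        "corroborated": len(sources) >= minimum_sources,
        "action": action,
        "detail": detail,
        "fixed_in": format_version(max(fixes)) if fixes else None,
    }


def triage(inventory, advisories, minimum_sources: int = 2) -> dict:
    """Map each affected host to one finding; unaffected hosts are omitted."""
    findings = {}
    for asset in inventory:
        hits = [a for a in advisories
                if a.product == asset.product and asset.version < a.affected_below]
        if hits:
            findings[asset.host] = classify(asset, hits, minimum_sources)
    return findings


if __name__ == "__main__":
    for host, finding in triage(INVENTORY, ADVISORIES).items():
        flag = "" if finding["corroborated"] else " (single source, confirm with a second institution)"
        print(f"{host}: {finding['product']} {finding['version']} -> "
              f"{finding['action']}: {finding['detail']}{flag}")
```

A finding whose `corroborated` flag is false is still acted upon; the flag only records that the second, independent confirmation the safeguard asks for is still outstanding. The `justify_or_replace` outcome is the point at which the decision required above for unsupported products has to be documented.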
Review questions:
- Do the administrators inform themselves regularly about vulnerabilities which have recently become known?
- Are security-relevant updates installed promptly?
- If there are no updates for known vulnerabilities: Are other technical or organisational safeguards taken?