[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Evans: Standard desktop configuration key to network security


By Mary Mosquera

Office of Management and Budget officials believe a standard computer 
desktop configuration will dramatically improve security governmentwide, 
said Karen Evans, OMBs administrator for e-government and information 
technology. Agencies upgrading their computers to Microsoft Windows XP 
or Vista must adopt the Federal Desktop Core Configuration (FDCC) 
standard by February 2008, she said.

Agencies otherwise will move to the FDCC standard when they plan to 
update their computers, she said. OMB published three memos this year on 
plans for the standard configuration.

The Security Content Automation Program (SCAP) is automated software 
that can help agencies implement the standard configuration by 
monitoring adherence to the configuration by applications and system 

Not all agencies support a standard configuration. Some people are 
concerned, however, that OMB and the National Institute of Standards and 
Technology have been so transparent in publishing documents for the FDCC 
standard and SCAP that hackers could exploit vulnerabilities, she said.

It is possible that we could be vulnerable, but right now, I would have 
to say that we cant be more vulnerable than where we are today, Evans 
said today at a security conference sponsored by NIST. We have utter 
chaos going on. Were losing information. We dont know whats coming and 
going. Were losing laptops that people didnt even know we had.

Agencies that want to deviate from the configuration must apply for a 
waiver and document why their operations require it. NIST will track 
these changes to determine if there is a pattern that reflects a problem 
with settings in the standard configuration, Evans said.

We did err on the high side of these settings so there would be more 
security, she said.

OMB also requires that vendors incorporate SCAP to ensure that their 
software and hardware products operate as intended on the federal secure 
configuration, and agencies must verify that the companies have 
satisfied that requirement. Vendor products must not alter the standard 

NIST, for example, has worked with Microsoft to develop a secure 
configuration for its operating systems that opens in a window over the 
desktop in a virtual machine image, said Matthew Barrett, co-lead of 
NISTs Information Security Automation Program.

Because it is automated, SCAP will let agencies stay on top of 
vulnerabilities better than manual methods, said Alan Paller, research 
director at the SANS Institute. Senior managers also can get full 
visibility into the security status of systems and networks.

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com