Non-intrusive assessment approach and improving security of computer systems based on DISA standards
DOI: https://doi.org/10.34767/SIMIS.2010.02.02

Keywords: authentication, authorization, application, checklist (manual procedure), database, GoldDisk, passwords, interface, Linux, logs, Microsoft Windows, network services, operating system, PKI (Public Key Infrastructure), requirements, security, SRR, STIG, system event logging, Unix, user accounts

Abstract
This article analyzes the available non-intrusive methods of assessing the overall security of computer systems. These methods do not interfere with running systems; they rely largely on static analysis of the system's configuration. The analysis is based on checking compliance with the security requirements formulated by DISA (the Defense Information Systems Agency). DISA publishes its requirements in three forms: static requirement documents, the STIGs (Security Technical Implementation Guides); manual procedures (checklists) that support the assessment; and automated scripts that check system components (SRR, Security Readiness Review scripts). The scope of the systems covered by these requirements is very broad, including operating systems, database systems, networks, and applications written by software developers. The article also briefly analyzes some shortcomings, disadvantages and drawbacks of the above methods and attempts to answer the question of what should be done in the near future for static security analysis.
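To make the non-intrusive, checklist-style assessment concrete, the following is an added example written for this page; it is not the paper's code, nor DISA's SRR scripts, GoldDisk, or any STIG text. It reads configuration files only (never modifies the host or runs privileged commands), evaluates each against a small rule set, and reports pass/fail findings. The rule IDs (EX-LOGIN-1, EX-SSHD-1, ...), the thresholds, and the two sample files are illustrative assumptions constructed for the example; the real requirement IDs and values must be taken from the current STIG.

```python
"""Illustrative non-intrusive (read-only) compliance checks in the SRR/checklist style.

Added example for this page; it is not DISA's SRR script, GoldDisk, or STIG text.
Rule IDs, thresholds and the file list are illustrative assumptions, not real STIG IDs.
"""
from pathlib import Path

# Constructed sample files standing in for a real host (not captured from a system).
SAMPLE_FILES = {
    "etc/login.defs": """\
# constructed sample of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
UMASK           077
""",
    "etc/ssh/sshd_config": """\
# constructed sample of /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PermitRootLogin no
# PasswordAuthentication no   (commented out: sshd default 'yes' applies)
""",
}


def parse_config(text, first_wins=False):
    """Parse 'KEY value' lines into {key: value}, skipping blanks and comments.

    login.defs: a repeated key is overridden by its last occurrence.
    sshd_config: sshd honours the FIRST occurrence of a keyword, so first_wins=True;
    a checker that took the last one would wrongly report the sample above as compliant.
    Keys are lower-cased because sshd keywords are case-insensitive.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if first_wins and key in result:
            continue
        result[key] = value
    return result


# Illustrative rule set (hypothetical IDs and thresholds, not taken from a STIG):
# (rule id, file, first_wins, key, predicate on the value, requirement text)
RULES = [
    ("EX-LOGIN-1", "etc/login.defs", False, "pass_max_days", lambda v: int(v) <= 60, "PASS_MAX_DAYS <= 60"),
    ("EX-LOGIN-2", "etc/login.defs", False, "pass_min_days", lambda v: int(v) >= 1, "PASS_MIN_DAYS >= 1"),
    ("EX-LOGIN-3", "etc/login.defs", False, "pass_min_len", lambda v: int(v) >= 15, "PASS_MIN_LEN >= 15"),
    ("EX-SSHD-1", "etc/ssh/sshd_config", True, "permitrootlogin", lambda v: v.lower() == "no", "PermitRootLogin no"),
    ("EX-SSHD-2", "etc/ssh/sshd_config", True, "passwordauthentication", lambda v: v.lower() == "no", "PasswordAuthentication no"),
]


def evaluate(files):
    """Run every rule against {relative path: file text}; return a list of findings.

    Status is 'pass', 'fail', 'not set' (key absent, so the daemon default applies)
    or 'missing' (file not available). Nothing is written or executed: the assessment
    only inspects configuration text, which is what makes it non-intrusive.
    """
    parsed = {}
    findings = []
    for rule_id, path, first_wins, key, ok, requirement in RULES:
        if path not in files:
            findings.append({"id": rule_id, "status": "missing", "observed": None, "requirement": requirement})
            continue
        if path not in parsed:
            parsed[path] = parse_config(files[path], first_wins)
        value = parsed[path].get(key)
        if value is None:
            status = "not set"
        else:
            try:
                status = "pass" if ok(value) else "fail"
            except ValueError:  # non-numeric value where a number is required
                status = "fail"
        findings.append({"id": rule_id, "status": status, "observed": value, "requirement": requirement})
    return findings


def audit_host(root="/"):
    """Read the rule files below `root` (point it at a copied tree to audit offline)."""
    files = {}
    for path in {r[1] for r in RULES}:
        p = Path(root) / path
        if p.is_file():
            files[path] = p.read_text(errors="replace")
    return evaluate(files)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_FILES):
        print(f"{f['id']:<12} {f['status']:<8} observed={f['observed']!r:<10} required: {f['requirement']}")
```

Running the block evaluates the constructed samples; `audit_host("/")` applies the same rules to the live host, and `audit_host("/path/to/copied/etc-tree")` applies them to a collected copy, which is the fully offline form of the assessment. The duplicated `PermitRootLogin` line in the sample shows the kind of parsing detail a static checker must get right: sshd takes the first occurrence, so the host is non-compliant even though the last line says `no`.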