NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS Schedules of organizational principals or their exact location (whether on or off the premises) Information on the composition or preparation of hazardous materials or toxins 32 Sensitive information relating to homeland security Investigative records Financial records (beyond those already publicly available) Medical records The organization’s physical and information security procedures Information about organization’s network and information system infrastructure (e.g., address ranges, naming conventions, access numbers) Information that specifies or implies physical security vulnerabilities Plans, maps, diagrams, aerial photographs, and architectural plans of organizational building, properties, or installations Information on disaster recovery or continuity of operations plans except as absolutely required Details on emergency response procedures, evacuation routes, or organizational personnel responsible for these issues Copyrighted material without the written permission of the owner Privacy or security policies that indicate the types of security measures in place to the degree that they may be useful to an attacker. Organizations should not use public Web servers to host sensitive information intended to be accessed only by internal users. The compromise of a public Web server often leads to the compromise of such data. To ensure a consistent approach, an organization should create a formal policy and process for determining and approving the information to be published on a Web server. In many organizations, this is the responsibility of the CIO and/or public affairs officer. Such a process should include the following steps: Identify information that should be published on the Web Identify the target audience (Why publish if no audience exists?) Identify possible negative ramifications of publishing the information 32 email addresses are much more likely to receive spam. Two, personally identifying email addresses can provide useful information to an attacker (e.g., possible usernames, information for social engineering attempts). For more guidance on protecting this type of information, see the White House Memorandum dated March 19, 2000, Action to Safeguard Information Regarding Weapons of Mass Destruction and Other Sensitive Documents Related to Homeland Security (http://www.usdoj.gov/oip/foiapost/2002foiapost10.htm). 6-2
GUIDELINES ON SECURING PUBLIC WEB SERVERS Identify who should be responsible for creating, publishing, and maintaining this particular information Create or format information for Web publishing Review the information for sensitivity and distribution/release controls (including the sensitivity of the information in aggregate) Determine the appropriate access and security controls Publish information Verify published information Periodically review published information to confirm continued compliance with organizational guidelines. Any policy or process for determining and approving the information to be published on a Web server can benefit from the use of automated tools. Tools can scan incoming content for keywords, formatting, or metadata, and flag it for review, easing the burden of those required to verify content. Similarly, an internal automated system that allows users to post potential material to an internal Web site and notifies approving personnel (possibly via e-mail) of the posting allows material to be reviewed and posted to the public Web site more quickly through a repeatable process. Using an automated system also aids accountability because logs track who submitted the document and who approved it. An often-overlooked area of Web content is the information sometimes hidden within the source code of a Web page. This information can be viewed from any Web browser using the “view source code” menu option. The source code can, for example, contain points of contact and reveal portions of the directory structure of the Web server. Organizations often do not pay attention to the contents of the source code on their Web sites, even though this code may contain sensitive information. Attackers scour not only the obvious content of the Web site but also details within the source code. Thus, Web administrators or Webmasters should periodically review code on their public Web server. 6.2 Observing Regulations about the Collection of Personal Information Federal and state laws and regulations apply to the collection of user information on publicly accessible government Web sites. In addition, many government agencies have privacy guidelines that address the type of information that could be collected about users. Governmental organizations with Web sites should be aware of the appropriate and applicable laws, regulations, and agency guidelines. Private organizations may wish to use these guidelines and examples of sound security practices but should consult appropriate legal counsel and their privacy officials for the applicable legal and policy implications. However, Federal laws, regulations, and applicable agency guidelines do apply to commercial organizations that operate Web sites on behalf of Federal agencies. Organizations should be aware of changes to legal, regulatory, and contractual requirements and seek advice from knowledgeable legal and policy experts. Federal agencies that collect PII must do so in accordance with Federal law and the Constitution. The Privacy Act, for example, requires agencies to minimize the information collected to that which is 6-3
Page 1 and 2:
Special Publication 800</st
Page 3 and 4: GUIDELINES ON SECURING PUBLIC WEB S
Page 53: GUIDELINES ON SECURING PUBLIC WEB S
Page 105 and 106:
GUIDELINES ON SECURING PUBLIC WEB S
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?