IT Baseline Protection Manual S 2.35 Obtaining information on security weaknesses of the system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrators
When security flaws become known or are disclosed in publications, the required organisational and administrative measures must be taken, or additional security hardware/software must be employed.
Therefore, it is very important to obtain information on vulnerabilities which have recently become known. Sources:
Bundesamt für Sicherheit in der Informationstechnik (BSI), P.O.B. 20 03 63, D-53133 Bonn; telephone: ++49+228/9582-444, fax: -427, E-mail: cert@bsi.de
Manufacturers or distributors of the operating system inform registered customers about security flaws detected in their systems and provide them with corrected versions of the system or with patches that remedy those flaws.
Computer Emergency Response Teams (CERTs) are organisations which supply information on detected operating system flaws and on how to remedy them.
Computer Emergency Response Team / Coordination Center (CERT/CC), Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890,
CERT messages are published in News Groups (comp.security.announce and info.nsfnet.cert) and through mailing lists (inclusion by E-mail for transmission to: cert-advisory-request@cert.org).
CERT in Germany:
BSI-CERT, Bundesamt für Sicherheit in der Informationstechnik (BSI), P.O.B. 20 03 63, D-53133 Bonn; telephone: ++49+228/9582-444, fax: -427, E-mail: cert@bsi.de
DFN-CERT, Zentrum fuer sichere Netzdienste GmbH (to be founded), Vogt-Kölln-Straße 30, 22527 Hamburg, Tel. (040)42883-2262, FAX -2241, E-mail: dfncert@cert.dfn.de,
ftp: ftp.cert.dfn.de
WWW: www.cert.dfn.de
Mailing lists for discussions: win-sec@cert.dfn.de
Mailing lists for security information: win-sec-ssc@cert.dfn.de
Inclusion in the mailing list for CERT messages by E-mail to:
win-sec-request@cert.dfn.de or win-sec-ssc-request@cert.dfn.de
Manufacturer-specific and system-specific as well as security-specific News Groups
IT trade journals
Additional controls:
Is the administrator regularly in contact with the manufacturers of the handled systems? Have these systems been registered? Have maintenance contracts been concluded?
Have all known information sources been used?
Are new information sources being used?
Are detected security flaws remedied as soon as possible?