S 2.35 Obtaining information on security weaknesses of the system

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management, Administrators

In case of security flaws that have become known or have been disclosed in publications, the required organisational and administrative measures must be taken or additional security hardware/software be employed.

Therefore, it is very important to obtain information on vulnerabilities which have recently become known. Sources:

• Bundesamt für Sicherheit in der Informationstechnik (BSI), P.O.B. 20 03 63, D-53133 Bonn; telephone: ++49+228/9582-444, fax: -427, E-mail: cert@bsi.de

• Manufacturers or distributors of the operating system inform registered customers about detected security flaws of their systems and provide them with corrected alternate versions of the system or patches for remedying those security flaws

• Computer Emergency Response Teams (CERTs) are organisations which supply information on detected operating system flaws and on how to remedy them

Computer Emergency Response Team / Coordination Center (CERT/CC), Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890,

Tel. ++1+412 268-7090 (24 hour Hotline), E-Mail: E-mail: cert@cert.sei.cmu.edu, or cert@cert.org, ftp: cert.sei.cmu.edu (192.88.209.5).

CERT messages are published in News Groups (comp.security.announce and info.nsfnet. cert) and through mailing lists (inclusion by E-mail for transmission to: cert-advisory-request@cert.org).

• CERT in Germany:

• BSI-CERT, Bundesamt für Sicherheit in der Informationstechnik (BSI), P.O.B. 20 03 63, D-53133 Bonn; telephone: ++49+228/9582-444, fax: -427, E-mail: cert@bsi.de

• DFN-CERT, Zentrum fuer sichere Netzdienste GmbH (to be founded), Vogt-Kölln-Straße 30, 22527 Hamburg, Tel. (040)42883-2262, FAX -2241, E-mail: dfncert@cert.dfn.de,

ftp: ftp.cert.dfn.de

WWW: www.cert.dfn.de

Mailing lists for discussions: win-sec@cert.dfn.de

Mailing lists for security information: win-sec-ssc@cert.dfn.de

Inclusion in the mailing list for CERT messages by E-mail to: win-sec-request@cert.dfn.de or win-sec-ssc-request@cert.dfn.de

• Micro-BIT Virus Centre/CERT, Karlsruhe University, P.O.B. 6980, D-76128 Karlsruhe; tel. ++49+721/376422; fax ++49+721/32550; E-mail: cert@rz.uni-karlsruhe.de

• Manufacturer-specific and system-specific as well as security-specific News Groups

• IT trade journals

Additional controls:

• Is the administrator regularly in contact with the manufacturers of the handled systems? Have these systems been registered? Have maintenance contracts been concluded?

• Have all known information sources been used?

• Are new information sources being used?

• Are detected security flaws remedied as soon as possible?