Posted on Feb 24, 2016
Have you ever had to dig into STIGs for an Information System?
Responses: 3
Are you looking for specific information or is this just a general question?
PO1 Sojourner "Chancy" Phillips
SGT (Join to see) - You are welcome! Oh and you can drop the ma'am. I am not that old......yet! :-)
SGT (Join to see)
Fair. By the way, I can't unsee that your name reminds me of this great NBA player. I couldn't resist.
http://espn.go.com/nba/player/_/id/63/chauncey-billups
PO1 Sojourner "Chancy" Phillips
SGT Jacqueem Spratley - So here are the rules that I have learned over time and from mentors.
http://iase.disa.mil/stigs/srgs/Pages/index.aspx
• UTILIZE the IASE STIG PAGES!!!! The DISA pages and the helpdesk are your friend!!! Don't be afraid to ask for assistance or guidance.
• Utilize the SRG/STIG Applicability Guide and Collection Tool.
• Read the SRGs and the STIGs that you plan to apply. You cannot fix a setting down the road if you cannot understand what the setting is for in the beginning.
• Review the STIG configuration changes with system admins, developers and system engineers to get complete buy-in on the settings prior to applying. If there is a setting that will impact the operations of an application or system, you need to know up front so that mitigation can be determined. There may be mitigating factors that prevent an application from having certain settings applied.
• Utilize the Checklist and DOCUMENT, DOCUMENT, DOCUMENT the commands/system changes/settings that will be applied and any deviations or customization to settings. Configuration management is the key!
• Set points within the STIG that check functionality of applications or operations of applications, system or network. It is easier to back out if you know the last set of changes made. I learned this working with training systems that had very specialized software applications that did not function if certain settings were applied.
• Change the Administrator name and password first and create an additional admin/root account. One of the most common issues that occurs in applying OS STIGs is that the administrator gets completely locked out of the system and ends up reloading the OS to start all over.
• Don't just run STIG scripts; once settings are applied and systems restarted, all kinds of bad things can happen, like not being able to get into your system, or applications may not function properly. Many times STIGs have to be manually applied.
• IF at all possible, apply OS STIGs on a clean install prior to implementing any specialized software or applications.
• If at all possible, only apply STIGs in a test or development environment before production.
• Scan, scan, scan, vulnerability scan!!! This will help greatly with the implementation and remediation needs that will occur.
Security Requirement Guide (SRG) - A compilation of Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity to CCI requirements (organizationally defined parameters). An SRG is used by DISA FSO and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs....
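The "create a second admin account, document every change, and know how to back out" advice from the post above, turned into a small pre-flight helper. This is an added example, not code from the thread or from DISA; it assumes POSIX sh, that you already know (from reading the STIG) which files the settings will touch, and a writable checkpoint directory. The STIG ID and file contents in the usage are constructed placeholders.

```sh
#!/bin/sh
# Checkpoint helper for manually applied STIG settings (added example, not from the thread).
# Assumes POSIX sh and that the list of files a STIG setting will change is known up front.
set -u

# Refuse to start unless a second administrative account exists in the passwd file,
# so a lockout of the primary admin account does not force an OS reload.
# Usage: has_backup_admin <account> [passwd_file]
has_backup_admin() {
    acct=$1
    passwd_file=${2:-/etc/passwd}
    grep -q "^${acct}:" "$passwd_file"
}

# Snapshot each file the STIG setting will change and append one log line per file
# (timestamp, STIG ID, path, note): the "DOCUMENT, DOCUMENT, DOCUMENT" step.
# Usage: checkpoint <ckpt_dir> <stig_id> <note> <file>...
checkpoint() {
    ckpt_dir=$1; stig_id=$2; note=$3; shift 3
    mkdir -p "$ckpt_dir" || return 1
    for f in "$@"; do
        # keep the original path inside the checkpoint so restore is unambiguous
        mkdir -p "$ckpt_dir/$(dirname "$f")" || return 1
        cp -p "$f" "$ckpt_dir/$f" || return 1
        printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$stig_id" "$f" "$note" \
            >> "$ckpt_dir/CHANGELOG.tsv"
    done
}

# Back out: put every file recorded in the checkpoint log back in place.
# Usage: restore <ckpt_dir>
restore() {
    ckpt_dir=$1
    [ -f "$ckpt_dir/CHANGELOG.tsv" ] || return 1
    cut -f3 "$ckpt_dir/CHANGELOG.tsv" | sort -u | while IFS= read -r f; do
        cp -p "$ckpt_dir/$f" "$f" || exit 1
    done
}

# Example flow (constructed): gate on the backup admin, checkpoint, apply, test, back out if needed.
# has_backup_admin stigadmin || { echo "create a second admin account first" >&2; exit 1; }
# checkpoint /root/stig-ckpt V-PLACEHOLDER "before sshd hardening" /etc/ssh/sshd_config
# ... apply the setting, restart the service, exercise the application ...
# restore /root/stig-ckpt   # only if the functional check failed
```

Run the functional check the post describes between `checkpoint` and `restore`; the TSV log is the deviation record you hand to configuration management.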
Yes, I have. Though the last time that I seriously dug into one was back in the late 90's.
Considering all of the IT Security questions that have been flying around for the past few years in the military services, it makes me wonder if they are actually being used or not.
Jacqueem, you're going to have to phrase your questions in English for us old farts. This military jargon is light-years ahead of us!!!