A good security professional has a list of tools that they know they can always rely on and a list of strategies they know they can always follow. A good security professional also knows the common things to look for when tasked with ensuring that a computer or web app is secure. They can either spend years compiling data and common mistakes from trial-and-error experiences, or they can use a premade list, like DISA STIG.
The DISA STIG viewer (Defence Information Systems Agency Security Technical Implementation Guide) is a list of security vulnerabilities created by the US government agency DISA to help combat security threats. You can download the viewer hereand the correct STIG’s for your operating system here. You can use it to follow along with me, or just look at my screenshots.
First off, open the viewer.
Not much to see right now, first, we have to load the STIG by clicking File and Import STIG.
Now your viewer will look something like this:
This page isn’t actually all that useful to us, so go ahead and click Checklist and then Create Checklist – Selected STIG
This may look a little daunting, but it’s actually really simple. Down the middle is the full list of every common vulnerability for the operating system you chose. They can be divided by how dangerous they are by clicking the CAT I, CAT II, CAT III tabs. CAT I is the most dangerous, CAT III the least. All you have to do is select an item, click the Check Content tab on the right side, and follow the instructions. If it turns out to be a “finding” also known as a vulnerability, click the “Open” radio button on the right side, next to Status, and write down some information in the Finding Details and Comments sections if you want. Now just go through each one (or download a program to do it for you), and start tackling each “Open” finding one by one.
And that’s about it, click around to find out some more administrative/bureaucratic stuff, and when you’re finished with the list, save or export it.