FITSP-M. Lab Activity Guide

Transcription

1 These lab exercises will walk you through the steps of the Risk Management Framework (RMF), with an activity for each step. FITSP-M Lab Activity Guide

2 Table of Contents Introduction... 3 Documentation... 3 Lab Activity 1: Searching for Guidance... 4 Lab Activity 2: Categorizing Information Systems... 5 Information System: HGA LAN, Washington, DC... 5 Information System: Public Access Directory... 5 Lab Activity 3: Selecting Security Controls Selection... 6 Lab Activity 4: Security Control Implementation... 7 Integrating Security Control Technologies... 7 Common Configuration Enumeration... 8 Defining Security Control Monitoring Strategy... 8 Lab Activity 5: Update the HGA LAN SSP... 9 Lab Activity 6: Building an Assessment Case... 9 Table of Figues Table 1 - Documents to Support Lab Activities... 3 Table 2 - Documenting System Categorization... 5 Table 3 - Selecting Security Controls from Catalog... 6 Table 4 - Security Control Implementation... 7 Table 5 - Baseline Configuration from USGCB... 8 Table 6 - Monitoring Strategy... 8 Table 7 - Building an Assessment Case... 10

3 Introduction These lab exercises will walk you through the steps of the Risk Management Framework (RMF), for the Hypothetical Government Agency (HGA), from the Risk Management Scenario reading assignment. You will apply abbreviated steps of the RMF process outlined in the NIST SP r1. You will start with the categorization of information and information systems using the NIST r1. Then, mitigation of risk will be addressed through the selection and implementation of appropriate security controls listed in the NIST Finally, you will build an assessment case for one of security controls using guidance from the NIST Ar1. Documentation You may document this information in any application you feel comfortable, preferably MS Office Excel, or Word. Most of this information is suitable for table format. There is an Excel workbook that you may use as an example/template called LabActivityWorkingData.xlsx. Please use this as your primary output working document. You will eventually move only the relevant data to the system security plan. There is a staggering amount of information detailed in the NIST information and security control catalogs. Information can be organized and used as input tools during this process, as well. There are several documents that will help you navigate through this information, so that you can find what you re looking for, and store it in such a way as to promote reusability. The following documents, templates and examples are at your disposal to make these activities less time consuming: Document Name Document Type Description Table 1 - Documents to Support Lab Activities Mapping_NICE.accdb Input Access database that lists all controls. USGCB-Windows-Settings.xls Input Excel worksheet that documents all of the mandated configuration settings for multiple Windows OS platforms LabActivityWorkingData.xlsx Output Excel worksheet that provides a template with examples of how to organize your data, as you go through the lab activities HGA System Security Plan.docx Output Word document that provides examples and placeholders for information that you will add to the plan, as you complete the lab activities.

4 Lab Activity 1: Searching for Guidance Using Internet search engines, find the following information: 1. So far, DHS has issued two FISMs (Federal Information Security Memorandums) for FY2011. Find those FISMs and answer the following: a. The subject for FISM is b. The Department of Homeland Security issues Federal Information Security Memoranda to inform federal departments and agencies of their responsibilities, required actions, and effective dates to achieve [hint: FISM footnote] c. The subject of FISM is 2. Continuous monitoring is the next stage in the evolution of FISMA compliance. On the NIST website (csrc.nist.gov) you can find a wealth of information relating to the technical aspects of FISMA compliance. Go to the Drafts section, and open the latest document regarding Continuous Monitoring. a. What is the document number? b. Referencing the Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains Table of Contents, what is this draft document s Relationship to Existing Standards and Specifications Please list the other 3 document numbers relating to CM: i. ii. iii. 3. Do a search for OMB Memorandum. Navigate to the White House Memorandum (current year). This is one of the key areas for dissemination of information relating to all OMB policies, including information security and systems security. a. The OBM memorandums are organized by b. There is a memo from 2011 that clarifies Chief Information Officer Authorities (and responsibilities); Agency CIOs will be held accountable for lowering operational costs, terminating and turning around troubled projects, and delivering meaningful functionality at a faster rate while enhancing the security of information systems. What are the four areas of responsibilities? i. ii. iii. iv. 4. Every year, the OMB releases updated reporting instructions for FISMA. a. The memo number for 2011 is. b. The first page of this memo emphasizes Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), " What is on the 2 nd page of this memo? And what is the significance of that second page?! c. The most significant portion of this memo is the Frequently Asked Questions, which tend to be a slight variation of the FAQs from the previous year. Please make note of the following questions, and their corresponding answers They represent a considerable shift in compliance: #9, #10, #28.

5 Lab Activity 2: Categorizing Information Systems We are going to create artifacts that we will use to build a system security plan for one of our information systems; the HGA LAN, in Washington, DC. Your first artifact will document the system category, which will list the following: 1. The name of the information system 2. The information types discovered (this information will be given) 3. The provisional impact level for each information type 4. Any justification for modifying the impact level of the information or information system 5. The High Water Mark, or impact rating for each of your information systems Information System: HGA LAN, Washington, DC HGA s locally hosted LAN server contains a mix of management, and mission-specific information, such as draft regulations, internal correspondence and a variety of other business documents, memos and reports. Currently, remote, wireless, and mobile device access is not available. The cost per fiscal year to operate the LAN is $1.2 million per year. The following information types have been discovered on the HGA LAN system: Workplace Policy Development & Management Training and Employment Worker Safety Health Care Administration Public Resources, Facility and Infrastructure Management Information Infrastructure Management International Development and Humanitarian Aid You will find these information types and their associated impact levels in the NIST SP Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Information System: Public Access Directory Information System Category: Low Table 2 - Documenting System Categorization Information Type Confidentiality Integrity Availability General Information Low Low Low 1. Name Low Low Low 2. Address Low Low Low 3. Phone Low Low Low Personal Identifiable Information Moderate Moderate Moderate High Water Mark Moderate Adjusted Impact Level Low Down Scope Justification PII information processed, stored, and transmitted on this system can be found in the public domain.

6 Lab Activity 3: Selecting Security Controls Selection The SP rev 3, Recommended Security Controls for Federal Information Systems and Organizations, is a catalog of security controls that define the baseline security configurations for low, moderate and high systems. In this exercise, you will select all of the relevant, Priority 1 controls, from the Access Control (AC) family. Document them in a table (Task 2-2). Indicate, in the CCC column, if the control would be a good Common Control candidate. (Task 2-1) The example below shows all of the relevant, Priority 1 & 2 controls, from the System and Information Integrity (SI) family, applicable to the Public Access Directory system with a low impact categorization. You can find all of these controls in the Mapping_NICE.accdb file NO CNTL_NAME Common CNTL_DESCRIPTION SI-1 System And Information Integrity Policy & Procedures SI-2 SI-3 SI-5 Flaw Remediation Malicious Code Protection Security Alerts, Advisories, And Directives Yes (Task 2-1) Table 3 - Selecting Security Controls from Catalog Develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a. A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance Develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls a. Identifies, reports, and corrects information system flaws b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation c. Incorporates flaw remediation into all configuration management process a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code: - Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or - Inserted through the exploitation of information system vulnerabilities b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures c. Configures malicious code protection mechanisms to: - Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and - [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system a. Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis b. Generates internal security alerts, advisories, and directives as deemed necessary c. Disseminates security alerts, advisories, and directives to [Assignment: organizationdefined list of personnel (identified by name and/or by role)]

7 Lab Activity 4: Security Control Implementation You will now select one of the Security Controls from the previous exercise, and document how you plan to implement (Task 3-1) and monitor (Task 2-3) the security control. The security control will typically be implemented by integrating another technology, such as installing antivirus software, or by modifying the configuration of existing technologies, such as configuring and deploying Windows Group Policies Objects (GPOs). Integrating Security Control Technologies Security control technologies, targeted for deployment, within the information system, are allocated to specific system components, responsible for providing a particular security capability. For example, to satisfy SI-3 security control, I have implemented SEP11 anti-virus software for my client workstations, and ScanMail antivirus for my Exchange servers. You should consider the use of information technology products that have been tested, evaluated, or validated by approved, independent, third-party assessment facilities. Table 4 - Security Control Implementation NO SI-3 SI-3 CNTL NAME Malicious Code Protection Malicious Code Protection CC Provider CNTL_Implementation Platforms Monitoring Strategy Systems Anti-Virus signature file Integrity age detection is provided Division by SMS. Systems Integrity Division Symnantec Endpoint Protection v.11 - The AntiVirus Program provides anti-virus software support to Domestic Bureaus, Consular and Executive Offices, IRM Systems Managers, Overseas Posts and Tenant Organizations Department-wide. Fortinet FortiMail, FortiGate, Micro ScanMail. To protect the network backbone infrastructure, i.e., gateways and Windows Exchange Servers from penetration by hostile hacker software tools, the Department implemented network "on the fly" anti-virus software support. The contract with the Symantec Corporation for Symantec Endpoint Protection (SEP) supports the following operating system platforms: Windows File and Exchange Servers, and client workstations, Current Operating Systems (Windows NT, 2000, XP, 2003, Vista),Macintosh, HomeUse: Windows 2003, 2008, XP, Vista, Windows 7, and Macintosh (Apple) OS. Implemented network anti-virus software support using: Fortinet FortiMail - SMTP, Spam, Phishing,Fortinet FortiGate - SMTP, FTP and HTTP Scanning, Trend Micro ScanMail for Microsoft Exchange Servers - SMTP, Spam, Content Filtering. The date on the signature file is compared to the current date. There is no score until a grace period of 6 days has elapsed. Beginning on day 7, a score of 6.0 is assigned for each day since the last update of the signature file. In particular, on day 7 the score is 42.0.

8 Common Configuration Enumeration For configuration settings, you must ensure that mandatory configuration settings are established and implemented on information technology products, in accordance with federal and organizational policies (e.g., Federal Desktop Core Configuration (FDCC), or the US Government Configuration Baseline (USGCB)). The example below shows passwordrelated settings mandated by the USGCB. You can find USGCB Windows setting in the USGCB-Windows-Settings.xls file. NO Implementation USGCB Setting Impact Rationale IA-5 Minimum password length IA-5 AC-3 CM-6 CM-7 SC-5 IA-5 AC- 11 Password must meet complexity requirement Maximum password age Account lockout threshold 12 characters To make brute force password guessing attacks more difficult. Enabled To make brute force password guessing attacks more difficult. 60 days A user's account is at greater risk of compromise through brute force attacks when the same password is used for an extended period of 5 invalid logon attempts time. To render infeasible password guessing attacks. Table 5 - Baseline Configuration from USGCB Requiring long passwords increases the risk that users will write down their passwords in order to remember them. It is recommended that agencies provide users advice on password creating using ideas such as passphrases. Requiring complex passwords increases the risk that users will write down their passwords in order to remember them. Users will have to specify a new password every 60 days. Configuring this to a lower number of days may actually lower security because it increases the risk that users will write down their passwords in order to be able to remember them. Locked-out accounts will continue to be locked out until they are reset by an administrator or until the 15 minute account lockout duration expires. Its probable that this setting will increase help desk calls. Defining Security Control Monitoring Strategy Table 6 - Monitoring Strategy NO Implementation USGCB Setting AC-3 CM-6 CM-7 SC-5 IA-5 Maximum password age Monitoring Strategy 60 days AD Users monitors the age of user account passwords (PWs). DoS policy requires all passwords be changed every 60 days. This includes service accounts. The date the password was changed is compared to the current date. There is no score for 60 days. Beginning on day 61, a score of 1.0 is assigned for each day since the last password change. However, under any of the following conditions, the score remains 0.0: The user account is disabled The user account requires two-factor authentication for login If ipost cannot determine the date of the last password reset, e.g., if the user account has restrictive permissions, then a flat score of 200 is assigned. Finally, if the account is set to never expire, an additional 5 points are added to whatever score was calculated above.

9 Note: This implementation shows a cross section of controls from four different control families: Access Control (AC), Configuration Management (CM), System and Communications Protection (SC), and Identification and Authentication (IA). Monitoring whether each individual control (900) is in place and operating as intended could be very costly. Many argue that is not sufficient to understand the effectiveness of the entire security program. Lab Activity 5: Update the HGA LAN SSP Open the HGA System Security Plan.docx and select a category in Section 2, then cut and paste your security controls implementation table under section 13, and your Monitoring Strategy under section 14. Choose today s date for questions 15. Save the document as {GroupName} HGA SSP.docx. Lab Activity 6: Building an Assessment Case An assessment case represents a worked example of an assessment procedure, identifying the specific actions that an assessor might carry out during the assessment of a security control or control enhancement in an information system. There is one assessment case per control, covering all assessment objectives from the assessment procedure in Appendix F for that control (both base control and all enhancements). The assessment case provides an example by experienced assessors of a potential set of specific assessor action steps to accomplish the assessment that were developed with consideration for the list of potential assessment methods and objects, and incorporating the level of coverage and depth to be applied and the specific purpose to be achieved by each assessor action. This additional level of detail in the assessment cases provides assessors with more prescriptive assessment information. Yet, while being more prescriptive, the assessment cases are not intended to restrict assessor flexibility provided as part of the design principles in Special Publication A. The assessor remains responsible for making the specified determinations and for providing adequate rationale for the determinations made. Please build an assessment case for AC-7.1 Unsuccessful Login Attempts, using the assessment case template and example worksheets from LabActivityWorkingData.xlsx workbook. The following is an example of the specific evidence gathering actions that build the assurance case for AC [Use the USGCB as guidance for verifying configuration of specific settings, relating to control AC-7]

10 Table 7 - Building an Assessment Case Action Step AC AC AC AC AC Potential Assessor Evidence Gathering Actions Examine information system access control policy and procedures, physical and environmental protection policy and procedures, security plan, or other relevant documents; reviewing for the automated mechanisms and configuration settings to be employed to defines the time period of user inactivity after which the information system initiates a session lock; Examine System Configuration Guide, describing the current configuration settings for an agreed-upon specific sample of automated mechanisms identified AC-11.1; reviewing for indication that the mechanisms are configured as identified in AC11.1. Examine GPO Screen Saver Setting User Configuration\Administrative Templates\Control Panel\Personalization is enabled, and set to time out after 900 seconds. Test, by observing the information system, to see if initiates a session lock after 15 minutes of inactivity. Test the information system, by observing the system for 30 minutes, to see if it retains the session lock until the user reestablishes access using established identification and authentication procedures. Legend AA: Alphanumeric characters representing security control family in Special Publication N: Numeric character representing the security control number within the family of controls. n: Number of determination statements in the assessment object. m: Number of action steps associated with a specific determination statement.