FAST FILE TRANSFER INFORMATION ASSURANCE ASSESSMENT REPORT
DEFENSE INFORMATION SYSTEMS AGENCY
JOINT INTEROPERABILITY TEST COMMAND
INDIAN HEAD, MARYLAND
DOC NR: 5G
OCTOBER 2007

Submitted by: Adam K. Britt, Chief, Information Assurance Branch
Approved by: Gary M. Metcalf, Chief, Homeland Security and Information Assurance Portfolio
Prepared Under the Direction of: Ronald Ford, JITC Action Officer
Joint Interoperability Test Command, Indian Head, Maryland
EXECUTIVE SUMMARY

The Joint Interoperability Test Command (JITC) is an independent evaluator of information systems deployed within the Department of Defense (DoD) and is one of the organizations responsible for conducting Interoperability (IOP) and Information Assurance (IA) testing of network components that will be connected to or operate over the Global Information Grid (GIG). The Office of the Assistant Secretary of Defense for Public Affairs (OASDPA) requested that the JITC perform an IA assessment of the Fast File Transfer (FFT) client and server software applications, which were developed by Northrop Grumman Mission Systems. This assessment took place at the JITC Indian Head, Maryland, test facility from August 15 through August 20. During this assessment, a series of tests was performed on the FFT v2.4 client and server software applications in an environment similar to that deployed throughout the DoD GIG. The goal of this assessment was to identify and assess any deficiencies that required correction in order for the FFT applications to comply with DoD requirements to operate over the Unclassified-but-Sensitive Internet Protocol Router Network (NIPRNet) and the Secret Internet Protocol Router Network (SIPRNet).

The assessment revealed that the FFT v2.4 client and server software applications worked in a simulated GIG network environment without any major findings: data packets were sent from the server to the client machine without any packets being lost or altered while in transit. Data integrity was maintained through extensive error detection during the testing phase, and no physical evidence of an easily decrypted or decoded format was found. Based on the test results, the FFT client and server applications should be ready to submit to the Defense Information Systems Network (DISN) Security Accreditation Working Group (DSAWG) for recommendation to operate over the NIPRNet and the SIPRNet.
TABLE OF CONTENTS

EXECUTIVE SUMMARY
SYSTEM FUNCTIONAL DESCRIPTION
TEST BACKGROUND
TEST PURPOSE
SCOPE
TEST ENVIRONMENT
LIMITATIONS
METHODOLOGY
TEST RESULTS
ANALYSIS
CONCLUSION

LIST OF APPENDICES
ACRONYMS
REFERENCES
POINTS OF CONTACT

LIST OF FIGURES
Figure 1. Simulated End-To-End Test Network Environment
SYSTEM FUNCTIONAL DESCRIPTION

The Northrop Grumman Mission Systems Fast File Transfer (FFT) version 2.4 (v2.4) product consists of Microsoft-Windows-based client and server software applications that provide a mechanism for transferring data files in an encrypted format at a fast transfer rate while maintaining internal file integrity. The FFT v2.4 client and server software applications are designed to overcome many of the existing problems with current technologies for transferring large files, such as unencrypted data transfer, incomplete transfers, and inefficient use of available network bandwidth. The FFT v2.4 addresses these problems by breaking each transmitted file into small data segments, encrypting their contents, and then sending the segments over multiple data streams simultaneously. A side effect of this data segmentation is increased network reliability over low-speed, high-latency communication links, such as satellite connections.

TEST BACKGROUND

This assessment supports the Office of the Assistant Secretary of Defense for Public Affairs (OASDPA) ultimate goal of obtaining Defense Information Systems Network (DISN) Security Accreditation Working Group (DSAWG) accreditation/certification to operate FFT v2.4 over the Unclassified-but-Sensitive Internet Protocol Router Network (NIPRNet) and the Secret Internet Protocol Router Network (SIPRNet) as an alternative to File Transfer Protocol (FTP). The FFT v2.4 was originally developed as a commercial application; formal government testing has previously been performed on a previous FFT v2.4 to identify its Information Assurance (IA) posture or how the client and server applications would operate within the Joint environment.

According to Department of Defense (DoD) Directive (DoDD) (paragraph 4.2), all DoD information systems shall maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability that reflects a balance among the importance and sensitivity of the information and assets; documented threats and vulnerabilities; the trustworthiness of users and interconnecting systems; the impact of impairment or destruction to the DoD information system; and cost-effectiveness.

TEST PURPOSE

The goal of this assessment was to evaluate the IA posture of the FFT v2.4 client and server software applications while operating within a simulated DoD Global Information Grid (GIG) network environment. Additionally, the assessment identifies any deficiencies/vulnerabilities that would require correction in order for the FFT v2.4 to move forward in obtaining accreditation/certification to operate over the NIPRNet and the SIPRNet.
SCOPE

The scope of this assessment consisted of the following activities:

- Capture and analyze data transmissions between the FFT v2.4 client and server applications in the proposed test environment configurations to identify:
  - Any authentication credentials transmitted in clear text or other easily decrypted/decoded formats
  - Any data transmitted in clear text or other easily decrypted/decoded formats
  - The Transmission Control Protocol/Internet Protocol (TCP/IP) network ports used
  - The type and size of TCP/IP packets used
  - The smallest, largest, mean, and median sizes of the TCP/IP packets transmitted during the test
  - Any potential fingerprints that the FFT v2.4 and/or its protocol left in the data transmissions
- Identify and validate the FFT v2.4 client and server applications' methods/capabilities for:
  - Controlling access to the following functions:
    - Administration
    - Configuration
    - Program execution
    - File system navigation
    - File uploading (write)
    - File downloading (read)
    - File over-writing (append)
  - The FFT v2.4 software applications' adherence to file access rights and permissions that exist at the file-system level
  - The FFT v2.4 software server component's capability to restrict access to a fixed root directory on a host file system
  - The FFT v2.4 software components' capability to record and maintain auditing information in accordance with DoD and CJCS requirements
  - The FFT v2.4 software components' compliance with DoD and CJCS user authentication requirements
  - The FFT v2.4 software components' compatibility with Internet Protocol version 6 (IPv6)
  - All cryptographic modules used by the FFT v2.4 software application and their compliance with Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules
- Validate the FFT v2.4 application's authentication system, as follows:
  - Perform a series of authentication attempts using various username/password combinations that are authorized to connect to the FFT v2.4 server application
  - Perform a series of authentication attempts using various username/password combinations that are not authorized (incorrect or invalid) to connect to the FFT v2.4 server application
- Validate the integrity of files after transmission by transmitting a series of files of various sizes from the server to the client using the FFT v2.4 software components
- Validate the preservation of filenames by transmitting a series of files, using various filename lengths and characters within the Latin-1 character set, from the server to the client using the FFT v2.4 software components

TEST ENVIRONMENT

To accomplish the FFT v2.4 assessment, the JITC designed and used a network architecture that simulates the DoD environment. Figure 1 illustrates the simulated end-to-end network environment as it appeared during test execution.

Figure 1. Simulated End-to-End Test Network Environment

To ensure that testing encompassed the majority of the Microsoft-Windows-based Operating Systems (OS) currently deployed within the DoD GIG, the following Microsoft Windows test-environment configurations were used:

- Microsoft Windows 2000 Professional non-domain-based configuration
- Microsoft Windows 2000 Professional domain-based configuration
- Microsoft Windows 2000 Server non-domain-based configuration
- Microsoft Windows 2000 Server domain-based configuration
- Microsoft Windows 2000 Server domain-controller-based configuration
- Microsoft Windows XP Professional non-domain-based configuration
- Microsoft Windows XP Professional domain-based configuration
- Microsoft Windows 2003 Server non-domain-based configuration
- Microsoft Windows 2003 Server domain-based configuration
- Microsoft Windows 2003 Server domain-controller-based configuration

All operating system configurations were secured using the most current Security Technical Implementation Guides (STIG) available from the DISA Field Security Operations (FSO) and the National Security Agency (NSA).

LIMITATIONS

The JITC verifies the compliance of the FFT v2.4 software application's cryptographic modules with FIPS by reviewing the FFT v2.4 technical documentation. Only National Voluntary Laboratory Accreditation Program (NVLAP) accredited Cryptographic Modules Testing (CMT) laboratories are authorized to test cryptographic modules; the JITC is not an NVLAP-accredited laboratory.

METHODOLOGY

To properly assess the IA posture of the FFT v2.4 client and server software applications, the JITC reviewed all applicable DoD and CJCS directives, manuals, memorandums, and instructions relevant to the FFT v2.4 and its potential future operating environments. Thereafter, the JITC developed a series of tests encompassing the broadest possible range of identified IA requirements.

TEST RESULTS

During the test phase of this assessment, a large amount of data was gathered from several points in the network test environment using a packet analysis tool. As part of the data-reduction process, the JITC analyzed the network data captured from data transmissions. From this analysis, the JITC identified some notable information, as detailed below.
At no time during a data transmission between the FFT v2.4 client and server did the test team see any clearly identifiable data movement in a clear-text format. All information contained within the application layer appeared in a scrambled format. As the JITC is not equipped to determine whether the data was being scrambled using a specific encryption implementation, the test team could only confirm that no clear text was observed.

Both the FFT v2.4 client and server software applications allow a specific TCP/IP network port number to be set as part of their basic configuration. The default port number identified in the FFT v2.4 documentation, as well as in the FFT v2.4 configuration Graphical User Interface, was 923. This port number is currently listed as unassigned by the Internet Assigned Numbers Authority. The test team encountered no difficulty in using this port number during any of the tests. Aside from the configured TCP/IP network port number, the test team was unable to identify any fingerprints (i.e., clearly repeating patterns in the transmitted data).

Access control of the FFT v2.4 client and server software applications was performed using the underlying OS access-control capabilities. The FFT v2.4 server application uses local Windows accounts and groups to define those users who are authorized to connect and transfer files. From results gathered during the tests, only an authorized active account had the permissions to launch the client application and was able to view and change the system-wide client configuration. The test team was unable to identify any means of restricting either the uploading or downloading capabilities when using an authorized FFT v2.4 account. All authorized accounts were able to upload and download any FFT v2.4 client- and/or server-readable file.

The FFT v2.4 server was found to have a built-in IA control measure to restrict remote users' access to the local file system. This measure places a remote user account into a configured root directory (commonly known as a "chroot jail"). The remote user account, having been placed into this directory, cannot traverse out of it to a parent directory. Having this control enhances the IA posture of the FFT v2.4 server and serves as part of a multi-layered protection system.
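The capture-analysis checks listed under Scope and reported above (clear-text detection, ports used, packet-size statistics, and repeating-pattern fingerprints) can be reproduced over a list of captured segments. The following is an added example, not code from the JITC report or from the FFT product; only port 923 comes from the report, while the thresholds, the client port and the sample payloads are assumed or constructed.

```python
"""Checks of the kind listed under Scope and Test Results, run over a
constructed packet list instead of a live capture (added example; not code
from the JITC report or from the FFT product)."""
import math
import random
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    """One captured TCP segment, reduced to the fields the checks need."""
    src_port: int
    dst_port: int
    payload: bytes


# Bytes that a human-readable protocol such as FTP normally emits.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_cleartext(data: bytes) -> bool:
    """Mostly printable and low entropy. The thresholds (0.9 and 5.5 bits)
    are assumed values chosen for this example, not figures from the report."""
    return printable_ratio(data) >= 0.9 and shannon_entropy(data) < 5.5


def ports_used(packets):
    """Distinct TCP ports seen on either side of the conversation."""
    return sorted({p.src_port for p in packets} | {p.dst_port for p in packets})


def size_stats(packets):
    """Smallest, largest, mean and median payload size, as the Scope lists."""
    sizes = [len(p.payload) for p in packets]
    return {"min": min(sizes), "max": max(sizes),
            "mean": statistics.mean(sizes), "median": statistics.median(sizes)}


def common_kgrams(packets, k=4):
    """k-byte sequences present in every payload: a candidate fingerprint
    such as a constant application-layer header."""
    grams = None
    for p in packets:
        seen = {p.payload[i:i + k] for i in range(len(p.payload) - k + 1)}
        grams = seen if grams is None else grams & seen
    return sorted(grams or set())


def analyse(packets):
    """Run every check and return the findings as one dict."""
    clear = [i for i, p in enumerate(packets) if looks_like_cleartext(p.payload)]
    return {"ports": ports_used(packets), "sizes": size_stats(packets),
            "cleartext_packets": clear, "fingerprints": common_kgrams(packets)}


# --- constructed sample captures (not real FFT or FTP traffic) --------------
SERVER_PORT = 923      # default port stated in the report
CLIENT_PORT = 49152    # assumed ephemeral client port


def _scrambled(n, seed):
    """Deterministic high-entropy bytes standing in for encrypted segments."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# What the test team saw: nothing readable at the application layer.
SCRAMBLED_CAPTURE = [
    Packet(CLIENT_PORT, SERVER_PORT, _scrambled(64, 1)),
    Packet(SERVER_PORT, CLIENT_PORT, _scrambled(512, 2)),
    Packet(SERVER_PORT, CLIENT_PORT, _scrambled(512, 3)),
    Packet(SERVER_PORT, CLIENT_PORT, _scrambled(200, 4)),
]

# For contrast, a plain FTP login with constructed credentials on the wire.
CLEARTEXT_CAPTURE = [
    Packet(CLIENT_PORT, 21, b"USER testuser\r\n"),
    Packet(21, CLIENT_PORT, b"331 Password required\r\n"),
    Packet(CLIENT_PORT, 21, b"PASS Passw0rd!\r\n"),
    Packet(21, CLIENT_PORT, b"230 Login successful\r\n"),
]

# Scrambled payloads behind a constant, constructed 4-byte header (a fingerprint).
TAGGED_CAPTURE = [Packet(SERVER_PORT, CLIENT_PORT, b"HDR1" + _scrambled(100, s))
                  for s in (5, 6, 7)]

if __name__ == "__main__":
    for name, capture in (("scrambled", SCRAMBLED_CAPTURE),
                          ("cleartext", CLEARTEXT_CAPTURE),
                          ("tagged", TAGGED_CAPTURE)):
        print(name, analyse(capture))
```

Against the scrambled capture the checks report only the ports and size statistics, which matches the report's finding that the port number was the sole identifiable fingerprint; the same checks flag every packet of the FTP login as clear text.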
At no time did the test team observe the FFT v2.4 client or server overwriting an existing file. If a file already existed during a file transfer, the transferred filename was altered to append the date and time of the transfer in Coordinated Universal Time (UTC) format.

Both the FFT v2.4 client and server respected the file access rights and permissions existing at the file-system level. If a file were configured to prevent the currently logged-on local Windows user from accessing it, the FFT v2.4 client would not transfer the file to the server. Conversely, the FFT v2.4 server would not transfer a file to the client if that file were configured to prevent the FFT v2.4 server from gaining access to it.

According to a DoD 5000 series Memorandum from the Assistant Secretary of Defense (ASD) Chief Information Officer (CIO), assets being developed, procured, or acquired shall be IPv6-capable (in addition to maintaining interoperability with IPv4 systems/capabilities). As this requirement will play a part in the accreditation/certification of the FFT v2.4 client and server software applications to operate over the NIPRNet and SIPRNet, tests were run to confirm the FFT v2.4's IPv6 capability. The test hosts were configured to use IPv6 networking, and a connection was made between the FFT v2.4 client and server by using the IPv4 address of the host running the FFT v2.4 server application. This connection was made successfully, indicating that FFT v2.4 will operate on Windows hosts having both IPv4 and IPv6 enabled. The test team's review of the provided FFT v2.4 documentation neither confirmed nor denied the vendor's stance on IPv6 support within the FFT v2.4 applications. No future support roadmap was identified, nor were there any indications that an IPv6 implementation was present in the applications.

Testing was performed to ensure the FFT v2.4 client and server software applications accepted account credentials (i.e., usernames and passwords) that met the DoD and CJCS requirements, as defined in CJCS Manual (CJCSM), CJCS Instruction (CJCSI) D, DoD Directive (DoDD), and DoD Instruction (DoDI). All tested password combinations were successfully accepted. Enforcement of a password policy to ensure that these requirements were met was outside the scope of the FFT v2.4 application, as it uses the underlying Windows authentication system, which controls the applications' password policy. Several tests were performed using various user accounts to determine whether the authentication system would prevent unauthorized accounts from connecting. Each test confirmed that the authentication system would prevent access if the account were disabled, not a member of the defined FFT v2.4 account group, or invalid.

The test team identified documentation indicating the FFT v2.4 client and/or server applications made use of a FIPS-certified cryptographic module. Additional information regarding encryption was a reference to the use of the Data Encryption Standard (DES), a standard based upon an encryption algorithm acknowledged by both the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST), as well as defined by FIPS Publication (PUB).

To ensure the integrity of transferred files, the test team executed a series of tests to compare the cryptographic signature hashes of all transferred files. For each file that was successfully transferred, the signature was identical before and after transfer, thereby confirming that the integrity of the file was maintained.

ANALYSIS

During an extensive review of the previously DSAWG-defined protocols, along with guidance on implementation (or removal) of protocols, the test team identified three specific protocols that are similar to that of FFT v2.4: FTP, FTP over Secure Socket Layer (FTPS), and Secure Shell.
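The three server-side behaviours recorded in the Test Results (confinement of remote users to a configured root directory, renaming with an appended UTC timestamp instead of overwriting, and the before/after hash comparison used for the integrity test) are reproduced here as a small added harness. This is example code, not the FFT product's implementation: the timestamp layout, the choice of SHA-256 and the sample paths and contents are assumptions.

```python
"""Server-side controls recorded in the Test Results, reproduced as a small
harness (added example; not the FFT product's implementation)."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def resolve_within_root(root: Path, requested: str) -> Path:
    """Map a remote user's path onto the configured root directory and refuse
    anything that would escape it (the report's "chroot jail")."""
    root = root.resolve()
    target = (root / requested).resolve()
    # "../x" or an absolute path resolves outside root and is rejected.
    if target != root and root not in target.parents:
        raise PermissionError(f"{requested!r} escapes the configured root")
    return target


def no_overwrite_name(target: Path, now: datetime) -> Path:
    """Return target if it is free; otherwise a name with the UTC transfer
    time appended. The report only says date and time in UTC are appended;
    the exact layout stem.YYYYMMDDTHHMMSSZ.suffix is assumed here."""
    if not target.exists():
        return target
    stamp = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return target.with_name(f"{target.stem}.{stamp}{target.suffix}")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large transfers need not fit in memory.
    SHA-256 is assumed; the report does not name the hash it compared."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def store_upload(root: Path, requested: str, data: bytes, now: datetime) -> Path:
    """Write an uploaded file under root, honouring both controls above."""
    dest = no_overwrite_name(resolve_within_root(root, requested), now)
    dest.parent.mkdir(parents=True, exist_ok=True)
    with dest.open("xb") as f:   # "x": fail rather than overwrite, even on a race
        f.write(data)
    return dest


def transfer_intact(original: Path, received: Path) -> bool:
    """Integrity check as in the report: hash before and after must match."""
    return sha256_of(original) == sha256_of(received)


def demo() -> dict:
    """Constructed scenario: two uploads with the same name, one traversal
    attempt, and an integrity comparison. Returns what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fft_root"
        root.mkdir()
        src = Path(tmp) / "outgoing.bin"             # constructed source file
        src.write_bytes(b"constructed payload " * 1000)
        t1 = datetime(2007, 10, 1, 14, 30, 0, tzinfo=timezone.utc)  # constructed
        t2 = datetime(2007, 10, 1, 14, 31, 0, tzinfo=timezone.utc)
        first = store_upload(root, "incoming/report.bin", src.read_bytes(), t1)
        second = store_upload(root, "incoming/report.bin", b"second copy", t2)
        try:
            store_upload(root, "../escape.bin", b"x", t2)
            escaped = True
        except PermissionError:
            escaped = False
        return {"first": first.name, "second": second.name,
                "first_intact": transfer_intact(src, first),
                "first_untouched": first.read_bytes() == src.read_bytes(),
                "escaped_root": escaped}


if __name__ == "__main__":
    print(demo())
```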
Conversations with the vendor verified that the encryption functions used by the FFT v2.4 rely upon the underlying cryptography Application Program Interface (API) of the Windows OS. Since this is the case, the test team believes that the vendor has met this requirement. This should give the FFT v2.4 a better chance of obtaining a higher assurance level when the DSAWG reviews it for inclusion in the Ports, Protocols, and Services Assurance Category Assignment List.

Based upon observations during the permission-assignment tests, the FFT v2.4 server application appears to execute under a local, non-system account but does not provide any functionality besides listening for incoming connections.

The underlying Windows authentication system has built-in auditing capabilities that are enabled whenever a host is configured following a DISA STIG. When authentication requests come in from the FFT v2.4 server application, these events are all logged to the main security event log.

CONCLUSION

The testing and analysis of the FFT v2.4 client and server software applications revealed that the FFT v2.4 made the recommended changes to its client and server software and has conformed to the requirements placed by the DoD. The FFT v2.4 client and server software applications should be able to proceed with the accreditation/certification process as determined by the vendor/sponsor.
APPENDIX A ACRONYMS

AIS       Automated Information Systems
API       Application Programming Interface
ASD       Assistant Secretary of Defense
CIO       Chief Information Officer
CJCS      Chairman, Joint Chiefs of Staff
CJCSM     Chairman, Joint Chiefs of Staff Manual
CJCSI     Chairman, Joint Chiefs of Staff Instruction
CMT       Cryptographic Modules Testing
DES       Data Encryption Standard
DISA      Defense Information Systems Agency
DISN      Defense Information Systems Network
DoD       Department of Defense
DoDD      Department of Defense Directive
DoDI      Department of Defense Instruction
DSAWG     Defense Information Systems Network (DISN) Security Accreditation Working Group
FFT       Fast File Transfer
FIPS      Federal Information Processing Standard
FSO       Field Security Operations
FTP       File Transfer Protocol
FTPS      File Transfer Protocol over Secure Socket Layer
GIG       Global Information Grid
IA        Information Assurance
IOP       Interoperability
IPv4      Internet Protocol version 4
IPv6      Internet Protocol version 6
JITC      Joint Interoperability Test Command
NII       Network and Information Integration (ASD)
NIPRNet   Unclassified-but-Sensitive Internet Protocol Router Network
NIST      National Institute of Standards and Technology
NSA       National Security Agency
NVLAP     National Voluntary Laboratory Accreditation Program
OASDPA    Office of the Assistant Secretary of Defense for Public Affairs
OS        Operating System
PKI       Public Key Infrastructure
PUB       Publication
SIPRNet   Secret Internet Protocol Router Network
STIG      Security Technical Implementation Guide
TCP/IP    Transmission Control Protocol/Internet Protocol
APPENDIX B REFERENCES

Chairman, Joint Chiefs of Staff (CJCS) Manual (CJCSM), Defense in Depth: Information Assurance (IA) and Computer Network Defense (CND), Change 3, 8 March 2006
CJCS Instruction (CJCSI) D, Information Assurance (IA) and Computer Network Defense (CND), 15 June 2004
Department of Defense Directive (DoDD), Information Assurance, 24 October 2002
Department of Defense Instruction (DoDI), Information Assurance Implementation, 06 February 2003
Memorandum, Internet Protocol Version 6 (IPv6), Assistant Secretary of Defense/Networks and Information Integration (ASD/NII) Chief Information Officer (CIO), 9 June 2003
Federal Information Processing Standard (FIPS) Publication (PUB) 46-3, Data Encryption Standard (DES), 25 October 1999
FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001
Ports, Protocols, and Services (PPS) Assurance Category Assignments List, Release 5.6, Defense Information Systems Agency (DISA), March 2006
APPENDIX C POINTS OF CONTACT

Britt, Adam
JITC IA Chief (GOVT)
Joint Interoperability Test Command, 3341 Strauss Avenue, Suite 236, Indian Head, MD
Phone: (301) / DSN / Fax: (301)
E-mail: Adam.Britt@disa.mil

Ford, Ronald
JITC IA AO
Joint Interoperability Test Command, 3341 Strauss Avenue, Suite 236, Indian Head, MD
Phone: (301) / DSN / Fax: (301)
E-mail: Ronald.Ford@disa.mil

Gourdin, Vaughn
NGMS Task Lead (CONT)
Joint Interoperability Test Command, 3341 Strauss Avenue, Suite 236, Indian Head, MD
Phone: (301) / DSN / Fax: (301)
E-mail: Vaughn.Gourdin.ctr@disa.mil

Mercado, Freddy
NGMS Program Manager (CONT)
Joint Interoperability Test Command, ATTN: NGMS, 3341 Strauss Avenue, Suite 236, Indian Head, MD
Phone: (301) / DSN / Fax: (301)
E-mail: Freddy.Mercado.ctr@disa.mil
More informationDepartment of Defense
Department of Defense DIRECTIVE NUMBER 8100.02 April 14, 2004 Certified Current as of April 23, 2007 ASD(NII) SUBJECT: Use of Commercial Wireless Devices, Services, and Technologies in the Department of
More informationApplying the DOD Information Assurance C&A Process (DIACAP) Overview
Applying the DOD Information Assurance C&A Process (DIACAP) Overview C&A, Risk, and the System Life Cycle 2006 Hatha Systems Agenda Part 1 Part 2 Part 3 The C&A Challenge DOD s IA Framework Making C&A
More informationRED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 8. 24 July 2015
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 8 24 July 2015 Developed by Red Hat, NSA, and for the DoD Trademark Information Names, products, and
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationDRAFT Standard Statement Encryption
DRAFT Standard Statement Encryption Title: Encryption Standard Document Number: SS-70-006 Effective Date: x/x/2010 Published by: Department of Information Systems 1. Purpose Sensitive information held
More informationDepartment of Defense INSTRUCTION. SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling
Department of Defense INSTRUCTION NUMBER 8520.2 April 1, 2004 SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling ASD(NII) References: (a) DoD Directive 8500.1, "Information Assurance
More informationDirectives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities
Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities Wireless Infrastructure, Article 12-29-2011 The federal government, and the Department of
More informationDEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND 20755-0549. Thanks
DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND 20755-0549 Thanks IN REPLY REFER TO: Joint Interoperability Test Command (JTE) 7 Aug 13 MEMORANDUM FOR DISTRIBUTION SUBJECT: Extension
More informationConnected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)
Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.
More informationHow To Evaluate A Dod Cyber Red Team
CHAIRMAN OF THE JOINT CHIEFS OF STAFF MANUAL J-6 CJCSM 6510.03 DISTRIBUTION: A, B, C DEPARTMENT OF DEFENSE CYBER RED TEAM CERTIFICATION AND ACCREDITATION Reference(s): Enclosure F. 1. Purpose a. This manual,
More informationCMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis
CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationFrequently Asked Questions (FAQs) SIPRNet Hardware Token
Air Force Public Key Infrastructure System Program Office (ESC/HNCDP) Phone: 210-925-2562 / DSN: 945-2562 Web: https://afpki.lackland.af.mil Frequently Asked Questions (FAQs) SIPRNet Hardware Token Updated:
More informationTABLE OF CONTENTS. Section 5 IPv6... 5-1 5.1 Introduction... 5-1 5.2 Definitions... 5-1 5.3 DoD IPv6 Profile... 5-3 5.3.1 Product Requirements...
, Table of Contents TABLE OF CONTENTS SECTION PAGE IPv6... 5-1 5.1 Introduction... 5-1 5.2 Definitions... 5-1 5.3 DoD IPv6 Profile... 5-3 5.3.1 Product Requirements... 5-4 i , List of Figures LIST OF FIGURES
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationCTS2134 Introduction to Networking. Module 8.4 8.7 Network Security
CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by
More informationBY ORDER OF THE COMMANDER USTRANSCOM INSTRUCTION 33-3 UNITED STATES TRANSPORTATION COMMAND 5 DECEMBER 2011
BY ORDER OF THE COMMANDER USTRANSCOM INSTRUCTION 33-3 UNITED STATES TRANSPORTATION COMMAND 5 DECEMBER 2011 Communications and Information MANAGEMENT OF PORTALS AND WEB SITES COMPLIANCE WITH THIS PUBLICATION
More informationSecurity. TestOut Modules 12.6 12.10
Security TestOut Modules 12.6 12.10 Authentication Authentication is the process of submitting and checking credentials to validate or prove user identity. 1. Username 2. Credentials Password Smart card
More informationDepartment of Defense INSTRUCTION. SUBJECT: Information Assurance (IA) in the Defense Acquisition System
Department of Defense INSTRUCTION NUMBER 8580.1 July 9, 2004 SUBJECT: Information Assurance (IA) in the Defense Acquisition System ASD(NII) References: (a) Chapter 25 of title 40, United States Code (b)
More informationCHAPTER 1 INTRODUCTION
1 CHAPTER 1 INTRODUCTION 1.1 Introduction Cloud computing as a new paradigm of information technology that offers tremendous advantages in economic aspects such as reduced time to market, flexible computing
More informationReport to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999
Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer February 3, 1999 Frame Relay Frame Relay is an international standard for high-speed access to public wide area data networks
More informationa) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)
MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file
More informationDoD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process
Inspector General U.S. Department of Defense Report No. DODIG-2015-045 DECEMBER 4, 2014 DoD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process INTEGRITY EFFICIENCY ACCOUNTABILITY
More informationPexip Infinity platform management and security features
Pexip Infinity platform management and security features A white paper by Jordan Owens, VP of Architecture, Pexip. 10 June, 2014 Contact Pexip: w: www.pexip.com e: info@pexip.com t: @PexipInc 1 Platform
More informationE-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)
E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system
More informationUsing etoken for SSL Web Authentication. SSL V3.0 Overview
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
More informationMeeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4
More informationPlain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75
Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.
More informationApplication Security Policy
Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy
More informationVPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu
VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining
More informationITL BULLETIN FOR JANUARY 2011
ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationDepartment of Defense External Interoperability Plan Version 1.0
Department of Defense External Interoperability Plan Version 1.0 The Office of the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer 1 INTRODUCTION...
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department
More informationHow To Secure A Voice Over Internet Protocol (Voip) From A Cyber Attack
DHS 4300A Sensitive Systems Handbook Attachment Q5 To Handbook v. 11.0 Voice over Internet Protocol (VoIP) Version 11.0 December 22, 2014 Protecting the Information that Secures the Homeland This page
More informationSecurity (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012
Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret
More informationSupporting FISMA and NIST SP 800-53 with Secure Managed File Transfer
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationDISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.
DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com The Foundation http://www.owasp.org
More informationDirectives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities
Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities Wireless Infrastructure, Article 3-15-2012 The federal government recognizes that standards based
More informationAustralasian Information Security Evaluation Program
Australasian Information Security Evaluation Program Juniper Networks, Inc. JUNOS 12.1 X46 D20.6 for SRX-Series Platforms Certification Report 2015/90 3 July 2015 Version 1.0 Commonwealth of Australia
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationinformation security and its Describe what drives the need for information security.
Computer Information Systems (Forensics Classes) Objectives for Course Challenges CIS 200 Intro to Info Security: Includes managerial and Describe information security and its critical role in business.
More informationSecure Network Communications FIPS 140 2 Non Proprietary Security Policy
Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles
More informationRemote Administration
Windows Remote Desktop, page 1 pcanywhere, page 3 VNC, page 7 Windows Remote Desktop Remote Desktop permits users to remotely execute applications on Windows Server 2008 R2 from a range of devices over
More informationWeb Plus Security Features and Recommendations
Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of
More informationChapter 17. Transport-Level Security
Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics
More informationNetwork Security and Firewall 1
Department/program: Networking Course Code: CPT 224 Contact Hours: 96 Subject/Course WEB Access & Network Security: Theoretical: 2 Hours/week Year Two Semester: Two Prerequisite: NET304 Practical: 4 Hours/week
More informationService Oriented Architecture (SOA) for DoD
Service Oriented Architecture (SOA) for DoD Prof. Paul A. Strassmann January 9, 2008 1 Part 1 SOA Requirements 2 The DoD Challenge 3 Most DoD Projects Have Own Data Projects 07 Budget $ Millions Number
More informationWS_FTP: The smarter way to transfer files
WS_FTP: The smarter way to transfer files DATA WEB PAGES IMAGES VIDEO GRAPHICS WS_FTP: A Complete and Secure Data Management Solution The files that you transfer every day over the Internet are vulnerable
More informationINTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002
INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before
More informationApplication Note: Onsight Device VPN Configuration V1.1
Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1
More informationChapter 10. Cloud Security Mechanisms
Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based
More informationDepartment of Defense INSTRUCTION
Department of Defense INSTRUCTION NUMBER 4630.09 July 15, 2015 DoD CIO SUBJECT: Communication Waveform Management and Standardization References: See Enclosure 1 1. PURPOSE. This instruction: a. Reissues
More informationAlliance Key Manager A Solution Brief for Technical Implementers
KEY MANAGEMENT Alliance Key Manager A Solution Brief for Technical Implementers Abstract This paper is designed to help technical managers, product managers, and developers understand how Alliance Key
More informationXerox DocuShare Security Features. Security White Paper
Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a
More informationAUDIT REPORT. The Energy Information Administration s Information Technology Program
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Energy Information Administration s Information Technology Program DOE-OIG-16-04 November 2015 Department
More informationCompliance and Security Challenges with Remote Administration
Sponsored by Netop Compliance and Security Challenges with Remote Administration A SANS Whitepaper January 2011 Written by Dave Shackleford Compliance Control Points Encryption Access Roles and Privileges
More informationFederal Trade Commission Privacy Impact Assessment for:
Federal Trade Commission Privacy Impact Assessment for: DCBE Websites and Blogs Consumer.ftc.gov, Consumidor.ftc.gov, OnGuardOnline, AlertaenLinea, Consumer.gov, Consumidor.gov and the BCP Business Center
More information