How Private Industry Protects Our Country's Secrets. James Kirk


An Inside Look Into Defense Industrial Base (DIB) Technical Security Controls: How Private Industry Protects Our Country's Secrets
James Kirk

Outline
- Background
- DOD Agency Responsible for Interpretation and Enforcement
- Security Control Development
- Document Drafting and Approval
- Testing of Security Controls
- Enforcement
- The fun stuff: gaps in security controls

Background/Disclaimer
- What kind of data are we talking about?
- National Industrial Security Program (NISP): Executive Order 12829 [1]
- National Industrial Security Program Policy Advisory Committee (NISPPAC)
- National Industrial Security Program Operating Manual (NISPOM) [1]
1. DoD 5220.22-M National Industrial Security Program: Operating Manual.

DOD Agency Responsible for Interpretation and Enforcement
- The Defense Security Service (DSS)
- Agency Structure
  - Directorates (IS, CI, DISCO, and CDSE)
  - ODAA
  - Field Offices

Basics of Certification and Accreditation (C&A)
- What is C&A?
  - Certification
  - Accreditation
- ISSP role
- RDAA role [1, 2]
- Enough background on the DSS, let's get into security controls
1. Industrial Security Field Operations (ISFO) Process Manual for the Certification and Accreditation Of Classified Systems under the National Industrial Security Program Operating Manual (NISPOM) and NIST 800-53.
2. Master System Security Plan (MSSP) Template for Peer-to-Peer Networks.

Security Controls
- Where do they originate from?
- Linux controls [1]
- Audit Areas:
  1. /bin
  2. /usr/bin
  3. /etc
  4. /sbin
  5. /usr/sbin
  6. /var/audit
  7. /usr/local
  8. /opt
  9. /home
1. ISL 2007-01

Security Controls cont.
- Linux cont. [1, 2]
- DISA STIG vs NISPOM/DSS ISL
1. Standardization of Baseline Technical Security Configurations.
2. UNIX: Security Technical Implementation Guide.

DISA STIG vs DSS NISPOM/ISL (one pair of lines per requirement; N/A means the DSS side has no counterpart) [1, 2]

DISA STIG: The SA will ensure audit data files have permissions of 640, or more restrictive.
DSS NISPOM/ISL: (2) Audit Trail Protection. The contents of audit trails shall be protected against unauthorized access, modification, or deletion.

DISA STIG: Logon (unsuccessful and successful) and logout (successful)
DSS NISPOM/ISL: (b) Successful and unsuccessful logons and logoffs.

DISA STIG: Process and session initiation (unsuccessful and successful)
DSS NISPOM/ISL: (a) Enough information to determine the date and time of action (e.g., common network time), the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved.

DISA STIG: Discretionary access control permission modification (unsuccessful and successful use of chown/chmod)
DSS NISPOM/ISL: N/A

DISA STIG: Unauthorized access attempts to files (unsuccessful)
DSS NISPOM/ISL: (c) Successful and unsuccessful accesses to security-relevant objects and directories, including creation, open, close, modification, and deletion.

DISA STIG: Use of privileged commands (unsuccessful and successful)
DSS NISPOM/ISL: N/A

DISA STIG: Use of print command (unsuccessful and successful)
DSS NISPOM/ISL: N/A

DISA STIG: Export to media (successful)
DSS NISPOM/ISL: N/A

DISA STIG: System startup and shutdown (unsuccessful and successful)
DSS NISPOM/ISL: N/A

DISA STIG: Files and programs deleted by the user (successful and unsuccessful)
DSS NISPOM/ISL: N/A, unless it's considered a Security Relevant Object

DISA STIG: All system administration actions
DSS NISPOM/ISL: (d) Changes in user authenticators.

DISA STIG: All security personnel actions
DSS NISPOM/ISL: N/A

1. Standardization of Baseline Technical Security Configurations.
2. UNIX: Security Technical Implementation Guide.

ISL 2009-01 and Windows Baseline Standards
- ISL 2009-01: Standardization of Baseline Technical Security Configurations, March 2009 [1]
  "This process manual is not directive in nature, but adherence to the standards in this process manual by NISP contractors is recommended in order for DSS to be able to expeditiously issue Interim Approvals to Operate (IATO) and Approvals to Operate (ATO)."
- FISMA (NIST 800-53) - June 2011
- Linux left out (must be super secure on its own)
1. Standardization of Baseline Technical Security Configurations.

ISFO Manual Updates (Summary of Changes) [1]
- Finally: 14-character passwords required for all systems and 60-day change requirements.
- Patching is addressed now, in a semi-ambiguous way, in section 5.2.8.1: "The ISSM will identify ISs containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The ISSM will install security-relevant software upgrades (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously."
1. ISFO Process Manual Revision 3: Summary of Changes.

ISFO Manual Updates (Summary of Changes) [1]
- USB drives: addressed, sorta.
- Audit requirements expanded on:
  1. Enough information to determine the action involved, the date and time of the action, the system on which the action occurred, the system entity that initiated or completed the action, and the resources involved (if applicable).
  2. Successful and unsuccessful logins and logoffs.
  3. Unsuccessful accesses to security-relevant objects and directories.
  4. Changes to user authenticators.
  5. The blocking or blacklisting of a user ID, terminal, or access port.
  6. Denial of access from an excessive number of unsuccessful login attempts.
1. ISFO Process Manual Revision 3: Summary of Changes.
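To make the Linux audit requirements on the DISA STIG comparison slide and the expanded audit list above concrete, here is an added example (not from the talk, DSS or DISA): one function checks that audit trail files are mode 640 or more restrictive, the other prints auditd rules for the nine audit areas, chown/chmod changes, unsuccessful file accesses and authenticator changes. The -k rule keys and the choice of /etc/shadow and /etc/passwd as the authenticator files are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk or from DSS/DISA: check_audit_perms enforces the
# DISA STIG line that audit data files be mode 640 or more restrictive, and
# print_audit_rules emits auditd rules for the nine Linux audit areas, chown/chmod
# changes, unsuccessful file accesses and changes to user authenticators listed on
# the slides. The -k rule keys and /etc/shadow,/etc/passwd as the authenticator
# files are assumptions.

# Return 0 if every regular file directly under $1 is mode 640 or tighter.
# 0137 is the complement of 0640 within 0777: any of those bits set means the
# file grants something 640 does not (owner x, group w/x, or any "other" bit).
check_audit_perms() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        if [ $(( 0$mode & 0137 )) -ne 0 ]; then
            echo "FAIL: $f is mode $mode (must be 640 or more restrictive)"
            rc=1
        fi
    done
    return $rc
}

# Emit auditd rules (auditctl syntax) for the slides' requirements.
print_audit_rules() {
    # Watches on the nine audit areas from the ISL 2007-01 slide.
    for d in /bin /usr/bin /etc /sbin /usr/sbin /var/audit /usr/local /opt /home; do
        echo "-w $d -p wa -k nisp_area"
    done
    # Changes to user authenticators (item 4 on the expanded audit list).
    echo "-w /etc/shadow -p wa -k authenticators"
    echo "-w /etc/passwd -p wa -k authenticators"
    # Discretionary access control changes: successful and failed chown/chmod.
    echo "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -k perm_mod"
    # Unsuccessful accesses to files (EACCES and EPERM failures).
    echo "-a always,exit -F arch=b64 -S open,openat,creat,truncate -F exit=-EACCES -k access"
    echo "-a always,exit -F arch=b64 -S open,openat,creat,truncate -F exit=-EPERM -k access"
}

# Stand-alone demo on a constructed sample directory.
demo=$(mktemp -d)
: > "$demo/audit.log";   chmod 640 "$demo/audit.log"    # compliant
: > "$demo/audit.log.1"; chmod 644 "$demo/audit.log.1"  # world-readable: fails
if check_audit_perms "$demo"; then echo "audit files OK"; else echo "fix audit file modes"; fi
print_audit_rules
rm -rf "$demo"
```

The printed rules are meant for a file under /etc/audit/rules.d/ and only take effect once auditd loads them, which is the point the *nix slides make about audit rules not being required.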

ISFO Manual Updates (Summary of Changes) cont. [1]
- Security Seals: approved tamper-proof, pre-numbered seals should be used on hardware components (to include monitors and keyboards) anytime the hardware may be subject to access by uncleared personnel (i.e. used for periods-processing, or relocation).
1. ISFO Process Manual Revision 3: Summary of Changes.

Document Drafting and Approval
- ISFO Process Manual and Standardization Documents drafting
- Linux document development, and its death

Security Setting Testing
- Inadequate labs
- Test resources limited

Enforcement
- The Special Agent
- The 0080 (Industrial Security Specialist) and 2210 (IT Specialist) specialties
- Training and authority
- Subjectivity

Enforcement cont.
- Inspection selection and process
- Size of facility and complexity
- Partners with industry
- What happens if non-compliance

Inadequate Controls - Windows [1]
- Patching
- USB
- Virtual environments
- UAC
- Admin actions not audited
- Classified data not audited
- Tamper controls
1. Standardization of Baseline Technical Security Configurations.

Inadequate Controls - *nix [1]
- Lack of expertise and training in the agency leads to the ostrich effect.
- Job listings do not require any Unix or Linux experience.
- The list of files/services/versions that are not addressed is too long to list.
- Make it easy on themselves and use one of the configuration guides already in use.
- Auditing rules not required to be in use in Red Hat, really?
1. Standardization of Baseline Technical Security Configurations.

Inadequate Controls - *nix cont. [1]
- The same issues affecting Windows affect the Unix/Linux environment as well:
  - Patching
  - USB
  - Virtualized environments
  - Auditing
  - Tamper controls
1. Standardization of Baseline Technical Security Configurations.

Wrap-up
- So why the talk?
- Education: how many actually know how the U.S. protects classified data at the collateral level?
- Enlightenment: I think it's important to bring issues that are detrimental to the nation's security to the forefront.
- These issues have been brought up to the agency, and ignored.
- STUXNET and Flame

References
- DoD 5220.22-M National Industrial Security Program: Operating Manual. Department of Defense: Under Secretary of Defense for Intelligence. (2006).
- Industrial Security Field Operations (ISFO) Process Manual for the Certification and Accreditation Of Classified Systems under the National Industrial Security Program Operating Manual (NISPOM) and NIST 800-53. Washington DC: Department of Defense: Defense Security Service. (2011).
- ISFO Process Manual Revision 3: Summary of Changes. Defense Security Service Office of the Designated Approving Authority. (2011).
- ISL 2007-01. Department of Defense: Defense Security Service, Industrial Security Program Office. (2007).
- Master System Security Plan (MSSP) Template For Peer-to-Peer Networks. Defense Security Service Office of the Designated Approving Authority. (2011).
- SIPRNet Contractor Approval Process (SCAP). Department of Defense: Office of the Designated Approving Authority. (2011).
- Standardization of Baseline Technical Security Configurations. Defense Security Service Office of the Designated Approving Authority. (2009).
- UNIX: Security Technical Implementation Guide. Defense Information Systems Agency. (2006).