![Page 1: Hosted by How to Conduct an Information Security (INFOSEC) Assessment The NSA INFOSEC Assessment Methodology (IAM) Stephen Mencik, CISSP ACS Defense, Inc.](https://reader036.fdocuments.in/reader036/viewer/2022062423/56649e395503460f94b2a7b7/html5/thumbnails/1.jpg)
Hosted by
How to Conduct an Information Security (INFOSEC) Assessment
The NSA INFOSEC Assessment Methodology (IAM)
Stephen Mencik, CISSP
ACS Defense, Inc.
Agenda
What is an INFOSEC Assessment?
The need for a common Assessment Methodology
The NSA INFOSEC Assessment Methodology (IAM)
What Is an INFOSEC Assessment?
A review of the Information System Security (INFOSEC) posture of operational system(s) for the purpose of identifying potential vulnerabilities. Once identified, recommendations are provided for the elimination or mitigation of the vulnerability.
INFOSEC Assurance Vulnerability Discovery Triad
Assessments (Level 1)
• Cooperative High Level Overview
• Information / Mission Criticality Analysis
• Includes Policy, Procedure & Information Flow
• No hands on testing
Evaluations (Level 2)
• Hands-on process
• Cooperative Testing
• Specific Technical Expertise
• Penetration Tools
• Diagnostic Tools
Red Team (Level 3)
• Non-cooperative
• External Penetration Tests
• Simulation of Appropriate Adversary
INFOSEC Assessment Characteristics
No hands-on testing
Management buy-in
Success depends on cooperation of people
Non-attribution
What Is the Purpose of an INFOSEC Assessment?
An INFOSEC Assessment allows one to:
• Determine which information is critical to the organization
• Identify the systems that process, store, or transmit that critical information
• Determine the proper INFOSEC posture for these systems
• Identify potential vulnerabilities
• Recommend solutions to mitigate or eliminate those vulnerabilities
Why the Need for a Common Assessment Methodology?
Compare results over time
Compare assessments done by different teams
The NSA INFOSEC Assessment Methodology
Developed by the National Security Agency (NSA) during the mid to late 1990s
• NSA had more assessment requests than they could handle
• Needed a common methodology to be used by all contractors performing assessments on NSA’s behalf
Provided to the public sector as a community service
IAM Phases
Phase 1: Pre-Assessment
• Categorize & Define Information Value
• Identify Systems and Boundaries
• Collect System & Security Documentation
• Generate Assessment Plan
• Team Assignment & Coordination
Phase 2: Assessment (On-Site)
• Analysis of INFOSEC Posture (18 Baseline Categories)
• Level 1: Document Review, Interviews, System Demos
• Level 1+: Non-Intrusive Scans
• Exit Brief: Strengths and Weaknesses
Phase 3: Post-Assessment (On/Off-Site)
• Analysis & Report Generation
• Completed 45 – 60 days after Phase 2
• Proprietary to Customer
Pre-assessment Phase
Purpose
• Gain an understanding of the criticality of the customer’s information
• Identify system, including system boundaries
• Coordinate logistics with the customer
• Write an assessment plan
On-site Activities
Purpose
• To explore and confirm the information and conclusions made during the Pre-Assessment Phase
• To perform data gathering and validation: interviews, documentation, system demonstrations
• To provide initial analysis and feedback to the customer
Post-assessment
Finalize analysis
Preparation and coordination of a final report
On-site Details
Gather and validate system information
• Interviews
• System demonstrations
• Documentation review
Analyze assessment information
Develop initial recommendations
Interviews
Used to:
• Gain information from a larger cross section of the organization
• Learn how operations “really” occur
System Demonstrations
Useful tool to supplement information gathering
Can be used to resolve conflicting information
Additional Documentation Review
Supplements information gathered during interviews
Added assurance if it is documented
Lack of documentation is a finding
Baseline Information Categories
1. INFOSEC Documentation
2. INFOSEC Roles and Responsibilities
3. Identification & Authentication
4. Account Management
5. Session Controls
6. External Connectivity
7. Telecommunications
8. Auditing
9. Virus Protection
10. Contingency Planning
11. Maintenance
12. Configuration Management
13. Back-ups
14. Labeling
15. Media Sanitization / Disposal
16. Physical Environment
17. Personnel Security
18. Training and Awareness
1. INFOSEC Documentation
Policy
Guidelines / requirements
System Security Plans (SSP)
Standard Operating Procedures (SOP)
User system security manuals
2. INFOSEC Roles and Responsibilities
Upper Level Management
Systems Operation
User Community
3. Identification & Authentication
Fundamental building block of INFOSEC
Three methods of implementation
• “Something you know”
• “Something you have”
• “Something you are”
4. Account Management
Documented account management policy and procedures
Written formal account request
• General and privileged user agreements
• Supervisor and data owner approval for access
• Minimal privilege access
Account initialization
4. Account Management (Cont.)
Account termination
Account maintenance
Special accounts
5. Session Controls
Protected, logged on workstation
Time-outs
Lock-screen capability with password
Warning banner
6. External Connectivity
Internet
Modems
Dedicated
7. Telecommunications
Documented requirements and procedures for transmitting sensitive information
Encryption issues
• Purpose (confidentiality, integrity, non-repudiation)
• Trust in communications medium
• Strength of algorithm
Alternate routes for increased availability
8. Auditing
Policy requiring mandatory auditing
SOP defining what to audit
Audit analysis and reporting on a timely basis
SSA trained in audit analysis
9. Virus Protection
Written policy
• Personal software allowed?
Scan incoming software
System scans
Update tools
Employee education/training
10. Contingency Planning
Documented plan
Identify mission or business critical functions
Uninterruptible Power Supply (UPS)
11. Maintenance
Policy and procedures
Personnel clearance level
Control of diagnostic software
Remote maintenance access
12. Configuration Management
Documented configuration control plan
Configuration Control Board (CCB)
Software loading issues for SSA approval
13. Back-ups
Documented in SSP and SOP
Schedule
Proper storage
Periodic testing of back-ups
14. Labeling
Policy/SOPs
Document what/why information is sensitive
Employees trained on proper marking procedures
Removable media
System components
15. Media Sanitization/Disposal
Documented policy and SOPs
Media sanitization methods
Establish responsibilities
User education/training
Contract concerns
16. Physical Environment
Physical environment can be used to offset lack of system security capabilities
Ramifications to INFOSEC posture
17. Personnel Security
Background checks
Security clearance
Signed user agreements
Employee awareness of social engineering techniques
18. Training and Awareness
Users are usually the weakest link in security
Documented responsibilities
Formal INFOSEC training program for users and SSA
Baseline Information Categories Summary
All categories need to be addressed
Category details will be dependent on the specific system
Additional categories can be included
Analysis of Vulnerabilities
Identify weaknesses or vulnerabilities in the system and operations that could potentially be exploited by an adversary
Threat Aspects
Environmental
Human
• External
• Internal malicious
• Internal inadvertent
Develop Recommendations
The assessment team will develop a list of recommended technical and operational security countermeasures to the identified system vulnerabilities
Post-assessment Activities Phase
Additional review of documentation
Additional expertise
Report Coordination
Summary IAM Baseline Activities
Pre-Assessment
• On-site customer coordination
  • Information criticality analysis with matrices
  • Customer’s concerns
• Documented INFOSEC assessment plan
Summary IAM Baseline Activities
On-site Assessment
• Information gathering
  • Interviews
  • Documentation review
  • System demonstrations
• 18 baseline information categories
Summary IAM Baseline Activities
Post-Assessment
• Documented report
Useful Links
http://www.iatrp.com/iam.cfm: Official IAM site
http://www.iatrp.com/indivu2.cfm: List of individuals certified to perform assessments using IAM
http://www.iatrp.com/certclass.cfm: Information on 2-day IAM training leading to certification
Contact Information
Stephen Mencik
Sr. INFOSEC Engineer
ACS Defense, Inc.
9020 Mendenhall Ct., Suite J.
Columbia, MD 21045
(410) [email protected]@mencik.com