Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement Controls

Transcript of Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement Controls

Page 1
Title slide. © 2016 Maze & Associates, Revision 10 (April 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, north of San Francisco, CA; photo by Donald E. Hester, all rights reserved.

Page 2
RMF steps:
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor

Page 3
Picture: New Orleans, LA; photo by Donald E. Hester, all rights reserved.
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 4.

Page 4
Risk Management Framework (RMF), NIST SP 800-37 Rev 1, § 2.1:
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor

Page 5
RMF Step 3: Security Control Implementation
- Assign responsibility.
- Use best practices when implementing controls.
- Ensure mandatory configuration: the United States Government Configuration Baseline (USGCB), formerly the Federal Desktop Core Configuration (FDCC).
- It is a good idea to test as you go, to identify weaknesses early.
Security Control Documentation
- Document the security control implementation.
- Provide a functional description of the control implementation.
- Security control documentation describes how system-specific, hybrid, and common controls are implemented.
References: FIPS Publication 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253; web: SCAP.NIST.GOV.

Page 6

Page 7

Page 8
Implementation Guidance
- NIST SP 800-70 Rev 1, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers.
- Other NIST Special Publications discuss specific topics: http://csrc.nist.gov/
- Federal Desktop Core Configuration (FDCC): http://nvd.nist.gov/fdcc/index.cfm
- The United States Government Configuration Baseline (USGCB): http://usgcb.nist.gov/
- Security Technical Implementation Guides (STIGs): http://iase.disa.mil/stigs/stig/index.html
- Security Content Automation Protocol (SCAP): NIST's security automation agenda.
- SANS Consensus Audit Guidelines (CAG).
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings, focusing primarily on security. http://usgcb.nist.gov/

Page 9
Picture: Japanese Garden, Seattle, WA; photo by Donald E. Hester, all rights reserved.

Page 10
The Problem
- Compliance does not equal security.
- Our highest priority is to secure our systems.
- Compliance is required, but it is not our highest goal.
- We need a solution based on risk.

Page 11
Solution
- Limited resources: time, funding, resources, personnel.
- With limited resources, choices have to be made about which security controls are most important.
- A prioritized approach to implementing controls is required.
- Prioritized by greatest risk first.

Page 12
Available Resources
“This recommended sequencing prioritization helps ensure that foundational security controls upon which other controls depend are implemented first, thus enabling organizations to deploy controls in a more structured and timely manner in accordance with available resources.” - NIST SP 800-53 rev3

Page 13
A Prioritized Baseline
- How do we prioritize controls?
- Intelligence: knowledge of actual attacks.
- Controls that can prevent known attacks should be given a higher priority.
- A consensus report has been developed to document 20 critical controls.

Page 14
Focus
- Focus attention and resources on the most critical risk.
- Defend against current and near-term attacks; they will be the highest-payoff areas.
- Top, shared priority for CIOs, CISOs and IGs.

Page 15
Risk Based
- Countermeasures should focus on addressing high-probability attacks and high-impact attacks.
- Consistent implementation.
- Automated and continuously monitored.
- Additional technical activities should be used to defend systems.

Page 16
Control Implementation Sequence
“The priority allocation section provides the recommended priority codes used for sequencing decisions during security control implementation.” - NIST SP 800-53 rev3
“Organizations can use the recommended priority code designation associated with each security control in the baselines to assist in making sequencing decisions for control implementation.” - NIST SP 800-53 rev3

Page 17
Compliance
- The reality of limited resources does not mean we can ignore controls.
- Compliance requires all controls to be in place.
- A prioritized approach helps us implement the most important controls, or the controls that give us the biggest bang, first.

Page 18
Compliance
“The implementation of security controls by sequence priority code does not imply the achievement of any defined level of risk mitigation until all of the security controls in the security plan have been implemented. The priority codes are used only for implementation sequencing, not for making security control selection decisions.” - NIST SP 800-53 rev3

Page 19
Implementation Sequence (Source: NIST SP 800-53 Rev 3)

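The sequencing rule on the preceding slides (foundational controls first, ordered by priority code, with the codes used only for ordering and never for deciding which controls are selected) can be turned into a repeatable procedure. The following is an added example written for this transcript, not code from the presentation or from NIST: the control list, the P1/P2 codes attached to each control and the dependency edges are constructed sample data, and `sequence_controls` and `priority_violations` are hypothetical names.

```python
"""Sequence a control baseline for implementation: P1 before P2 before P3,
while never scheduling a control before the controls it depends on.

Added example, not part of the original slides.  SAMPLE_BASELINE and
SAMPLE_DEPENDENCIES are CONSTRUCTED: the ids follow the SP 800-53 naming
style, but the codes and edges here are illustrative, not copied from the
publication.
"""
from collections import defaultdict
import heapq

# Constructed sample baseline: control id -> (priority code, short title)
SAMPLE_BASELINE = {
    "CM-8": ("P1", "Information System Component Inventory"),
    "CM-2": ("P1", "Baseline Configuration"),
    "CM-6": ("P1", "Configuration Settings"),
    "CM-3": ("P1", "Configuration Change Control"),
    "CM-4": ("P2", "Security Impact Analysis"),
    "CM-7": ("P1", "Least Functionality"),
    "CM-9": ("P1", "Configuration Management Plan"),
    "CM-5": ("P1", "Access Restrictions for Change"),
}
# Constructed dependency edges (prerequisite, dependent): you cannot baseline
# what you have not inventoried, and change control needs a baseline.
SAMPLE_DEPENDENCIES = [
    ("CM-8", "CM-2"), ("CM-2", "CM-6"), ("CM-2", "CM-3"), ("CM-3", "CM-4"),
    ("CM-2", "CM-7"), ("CM-3", "CM-5"), ("CM-9", "CM-3"),
]
# Lower rank = implement earlier.  P0 is listed for completeness only.
PRIORITY_RANK = {"P1": 0, "P2": 1, "P3": 2, "P0": 3}


def sequence_controls(baseline, dependencies):
    """Return control ids in implementation order.

    Kahn's topological sort with a priority queue: among the controls whose
    prerequisites are all done, the lowest priority code goes first, and
    ties break on control id so the output is deterministic.
    """
    indegree = {cid: 0 for cid in baseline}
    dependents = defaultdict(list)
    for prereq, dep in dependencies:
        if prereq not in baseline or dep not in baseline:
            raise KeyError(f"dependency references unknown control: {prereq}->{dep}")
        dependents[prereq].append(dep)
        indegree[dep] += 1
    ready = [(PRIORITY_RANK[baseline[c][0]], c) for c, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, cid = heapq.heappop(ready)
        order.append(cid)
        for dep in dependents[cid]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                heapq.heappush(ready, (PRIORITY_RANK[baseline[dep][0]], dep))
    if len(order) != len(baseline):
        stuck = sorted(c for c in indegree if c not in order)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def priority_violations(order, baseline):
    """Pairs (earlier, later) where a lower-priority control had to precede a
    higher-priority one because of a dependency.  These are the places where
    the implementation plan should explain why it deviates from pure
    priority-code order."""
    out = []
    for i, a in enumerate(order):
        for b in order[i + 1:]:
            if PRIORITY_RANK[baseline[a][0]] > PRIORITY_RANK[baseline[b][0]]:
                out.append((a, b))
    return out


if __name__ == "__main__":
    plan = sequence_controls(SAMPLE_BASELINE, SAMPLE_DEPENDENCIES)
    for n, cid in enumerate(plan, 1):
        code, title = SAMPLE_BASELINE[cid]
        print(f"{n}. {cid} [{code}] {title}")
    print("priority deviations:", priority_violations(plan, SAMPLE_BASELINE))
```

The selection decision stays outside this function: it only orders whatever baseline it is given, which is exactly the limit the SP 800-53 quotation on page 18 places on priority codes.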
Page 20
Collaborators: Attack Data Resources
- DoD Blue Team members (incident response)
- US-CERT
- Military investigators
- FBI and other police organizations
- DoE cybersecurity experts
- Forensic experts
- DoD Red Team members (penetration tests)
- Civilian penetration testers
- Federal CIOs and CISOs
- GAO

Page 21
Prioritized Controls: SANS Consensus Audit Guidelines (CAG)
- 20 controls: 15 controls that can be validated in part automatically, and 5 controls that must be validated manually.
- Each control has sub-controls.
- Reinforces NIST SP 800-53, SCAP, FDCC, FISMA and DHS software assurance.

Page 22
Categorize Sub-controls
- Quick wins (low-hanging fruit)
- Improved visibility and attribution
- Hardened configuration and improved information security hygiene
- Advanced

Page 23
Source: 20 Critical Security Controls, Twenty Critical Controls for Effective Cyber Defense: Consensus Audit, Version 2.3, November 13, 2009. SANS Consensus Audit Guidelines (CAG).

Page 24
Testing
- Periodic and/or continual testing of controls.
- Use as much automation as possible.
- Tools for remotely gathering, analyzing and updating configuration items such as workstations, servers and network devices.

Page 25
http://www.sans.org/critical-security-controls/

Page 26
Critical Controls (SANS Consensus Audit Guidelines (CAG))
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configurations for hardware and software on laptops, workstations and servers
- Secure configurations for network devices such as firewalls, routers and switches

Page 27
Critical Controls (SANS CAG, continued)
- Boundary defense
- Maintenance, monitoring and analysis of security audit logs
- Application software security
- Controlled use of administrative privileges
- Controlled access based on need to know

Page 28
Critical Controls (SANS CAG, continued)
- Continuous vulnerability assessment and remediation
- Account monitoring and control
- Malware defenses
- Limitation and control of network ports, protocols and services
- Wireless device control
- Data loss prevention

Page 29
Critical Controls (SANS CAG, continued)
- Secure network engineering
- Penetration tests and red team exercises
- Incident response capability
- Data recovery capability
- Security skills assessment and appropriate training to fill gaps

Page 30
National Security Systems
- NSS use NIST SP 800-53 Appendix F controls.
- NSS do not use the priority and baseline allocations in NIST SP 800-53.
- The baseline allocation specifications that apply are provided in Appendix D of CNSSI No. 1253.
- No prioritization of security controls is specified by CNSSI No. 1253.
- Organization-defined values are provided in Appendix J of CNSSI No. 1253.

Page 31
http://gcn.com/articles/2011/05/12/white-house-cybersecurity-proposal.aspx

Page 32
Class Discussion
- Why is it important to prioritize the controls we plan to implement?
- Would every system have the same prioritization for implementing controls?
- Does being compliant mean your system is secure?
- What should be our main consideration when we select the order in which we implement controls?
- Can control prioritization be used in the selection of controls?

Page 33
Configuration Management
Picture: Los Vaqueros Reservoir, CA; photo by Donald E. Hester, all rights reserved.

Page 34
Configuration Management
“The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” - National Information Systems Security Glossary
Provides reliance and quality control.

Page 35
NIST SP 800-53 Rev 4 Controls

Page 36
USGCB: United States Government Configuration Baseline, http://usgcb.nist.gov/

Page 37
IT Standards
- National Institute of Standards and Technology (NIST):
  - NIST SP 800-53 Rev 3, CM section
  - NIST SP 800-128 (DRAFT), Guide for Security Configuration Management of Information Systems
  - NIST SP 800-117, SCAP
  - NIST SP 800-40 ver 2.0, Patch Management
  - NIST IR 7275 Rev 3, XCCDF
- Control Objectives for Information and related Technology (COBIT)
- Information Technology Infrastructure Library (ITIL)
- International Standards Organization (ISO)

Page 38
The Facts (Source: IDC study on Causes of Network Downtime, 2004)

Page 39
High-Performance IT Organizations: Common Characteristics
- 1 admin for every 100 servers
- More planned work than unplanned work
- More staff early in the lifecycle
- Collaboration
- Posture of compliance (IT standards)
- Culture of change management
- Understand causality
- Manage by facts
Source: The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps, by the IT Process Institute; ISBN 0-9755686-1-2.

Page 40
The Missing Pieces
- Configuration management
- Change management
- Patch management
- Release management
- Incident management
- Problem management

Page 41
Benefits of Configuration Management
- Good CM does not increase workload; it decreases it.
- Fewer incidents
- Greater return on investment (ROI)
- Faster recovery (MTTR)
- Improved IS quality
- Improved IT service

Page 42
CM Lifecycle
- Configuration identification: baseline, gold standard
- Configuration control: change management, change control
- Configuration status accounting: enforcement
- Configuration audits: testing

Page 43
Configuration Identification
Configuration Management Database (CMDB): a repository of information related to all the components of an information system.
- Configuration files
- Group Policy settings
- Image files for operating systems
- Details about the important attributes and the relationships between them

Page 44
Policy
- Develop, disseminate, and review/update a documented configuration management policy.
- Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Page 45
Baseline
Develop, document, and maintain under configuration control a current baseline configuration.
- Checklists
- Images
- Builds
- CMDB
- Configuration files
- Automated configuration: GPO (Group Policy Objects)
- Automated validation

Page 46
Checklist Tiers (NIST SP 800-70 Rev 1)

Page 47
Baselines
- A place to start: the United States Government Configuration Baseline (USGCB), the Federal Desktop Core Configuration (FDCC), CIS Benchmarks.
- Modify based upon your needs; you may have different configurations for different workstations.
- Compatibility issues
- Interoperability issues

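The testing slide (page 24), the baseline slide (page 45) and the tailoring advice on this slide describe one loop: express the baseline as a checklist, collect each host's settings, compare automatically, and allow documented deviations per workstation type. The following is an added example for this transcript, not code from the presentation, USGCB, CIS or any SCAP tool: the rule ids, setting names, severities, the per-role override and the host snapshot are all constructed sample data in the spirit of an XCCDF-style checklist, and `evaluate`, `effective_rules` and `summarize` are hypothetical names.

```python
"""Check a host's collected configuration against a tailored baseline.

Added example, not from the slides or from NIST.  BASELINE_RULES, ROLE_TAILORING
and SAMPLE_SNAPSHOT are CONSTRUCTED; the setting names are illustrative and
are not real USGCB or CIS identifiers.
"""
import operator

# Constructed checklist: rule id -> (setting, comparison, expected, severity)
BASELINE_RULES = {
    "PW-01": ("password.min_length", "ge", 12, "high"),
    "PW-02": ("password.max_age_days", "le", 90, "medium"),
    "AC-01": ("account.lockout_threshold", "le", 5, "high"),
    "SV-01": ("service.telnet", "eq", "disabled", "high"),
    "SV-02": ("service.remote_registry", "eq", "disabled", "medium"),
    "FW-01": ("firewall.profile.domain", "eq", "on", "high"),
    "LG-01": ("audit.logon_events", "in", ("success_failure", "failure"), "medium"),
}
# Constructed tailoring ("modify based upon your needs"): role -> rule id ->
# replacement expected value.  A shared kiosk tolerates a higher lockout
# threshold; the deviation is recorded here rather than silently ignored.
ROLE_TAILORING = {"kiosk": {"AC-01": 10}}

COMPARE = {
    "eq": operator.eq,
    "ge": operator.ge,
    "le": operator.le,
    "in": lambda actual, allowed: actual in allowed,
}


def effective_rules(rules, tailoring, role):
    """Apply the role's documented overrides to the expected values."""
    overrides = tailoring.get(role, {})
    return {rid: (setting, cmp, overrides.get(rid, expected), sev)
            for rid, (setting, cmp, expected, sev) in rules.items()}


def evaluate(snapshot, rules):
    """Evaluate every rule against a snapshot (setting -> collected value).

    A setting missing from the snapshot is a failure, not a pass: "could not
    collect it" must never be reported as compliant.
    """
    results = {}
    for rid, (setting, cmp, expected, sev) in rules.items():
        if setting not in snapshot:
            results[rid] = ("fail", sev, f"{setting} not collected")
            continue
        actual = snapshot[setting]
        if COMPARE[cmp](actual, expected):
            results[rid] = ("pass", sev, "")
        else:
            results[rid] = ("fail", sev, f"{setting}={actual!r}, expected {cmp} {expected!r}")
    return results


def summarize(results):
    """Score the host and list failed rules, highest severity first."""
    sev_order = {"high": 0, "medium": 1, "low": 2}
    failed = sorted((rid for rid, r in results.items() if r[0] == "fail"),
                    key=lambda rid: (sev_order[results[rid][1]], rid))
    passed = len(results) - len(failed)
    return {"passed": passed, "total": len(results),
            "score_pct": round(100 * passed / len(results)), "failed": failed}


# Constructed snapshot, shaped like a remote collection tool's export for one
# host.  service.remote_registry is deliberately absent to show a collection gap.
SAMPLE_SNAPSHOT = {
    "password.min_length": 14,
    "password.max_age_days": 180,
    "account.lockout_threshold": 8,
    "service.telnet": "disabled",
    "firewall.profile.domain": "on",
    "audit.logon_events": "success_failure",
}

if __name__ == "__main__":
    for role in ("standard", "kiosk"):
        res = evaluate(SAMPLE_SNAPSHOT, effective_rules(BASELINE_RULES, ROLE_TAILORING, role))
        s = summarize(res)
        print(f"[{role}] {s['passed']}/{s['total']} pass ({s['score_pct']}%)")
        for rid in s["failed"]:
            print(f"  FAIL {rid} [{res[rid][1]}]: {res[rid][2]}")
```

Running the same snapshot through two roles shows the effect of tailoring: the kiosk override turns the lockout finding into a pass while the stale password age and the uncollected setting still fail, so the deviation is explicit and the collection gap is not hidden.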
Page 48
Control Change
- Determine the types of changes to the information system that are configuration controlled.
- Approve configuration-controlled changes.
- Coordinate and provide oversight for configuration change control activities.
- Document approved configuration-controlled changes.

Page 49
Impact Analysis
Analyze changes to the information system to determine potential security impacts prior to change implementation:
- Confidentiality
- Integrity
- Availability
- Interoperability
- Compatibility

Page 50
Restrict Changes to the System
- Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
- Limit who can make changes; this means no local admins.
- Automate if possible.

Page 51
Least Functionality
- Configure the information system to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services.
- If it is not needed, why have it?

Page 52
Inventory
- Develop, document, and maintain an inventory of information system components.
- Accurately reflect the current system.
- At a level of granularity deemed necessary.

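The least-functionality slide (page 51) and this inventory slide are checked the same way in practice: compare what the CMDB says should exist and what each role is allowed to expose against what a discovery scan actually sees. The following is an added example for this transcript, not code from the presentation or any discovery product: the inventory extract, the per-role port allowlist and the scan result are constructed sample data (the MAC addresses and hostnames are made up), and `reconcile` and `inventory_accuracy` are hypothetical names.

```python
"""Reconcile a component inventory against what is observed on the network,
and flag listening services outside the least-functionality allowlist.

Added example, not from the slides.  INVENTORY, ALLOWED_PORTS and OBSERVED
are CONSTRUCTED sample data; in practice the observed side comes from a
discovery or configuration-gathering tool.
"""

# Constructed authorized inventory (CMDB extract): hostname -> attributes
INVENTORY = {
    "ws-101": {"mac": "00:11:22:33:44:01", "role": "workstation",
               "software": {"office", "browser", "av-agent"}},
    "ws-102": {"mac": "00:11:22:33:44:02", "role": "workstation",
               "software": {"office", "browser", "av-agent"}},
    "srv-web1": {"mac": "00:11:22:33:44:10", "role": "webserver",
                 "software": {"httpd", "av-agent"}},
    "srv-db1": {"mac": "00:11:22:33:44:20", "role": "dbserver",
                "software": {"postgres", "av-agent"}},
}
# Constructed least-functionality allowlist: role -> permitted listening ports
ALLOWED_PORTS = {
    "workstation": set(),
    "webserver": {443},
    "dbserver": {5432},
}
# Constructed discovery result: mac -> what the scan saw on that device
OBSERVED = {
    "00:11:22:33:44:01": {"hostname": "ws-101",
                          "software": {"office", "browser", "av-agent"}, "ports": set()},
    "00:11:22:33:44:10": {"hostname": "srv-web1",
                          "software": {"httpd", "av-agent", "ftpd"}, "ports": {443, 21}},
    "00:11:22:33:44:20": {"hostname": "srv-db1",
                          "software": {"postgres", "av-agent"}, "ports": {5432, 23}},
    "de:ad:be:ef:00:01": {"hostname": "unknown-laptop", "software": set(), "ports": {445}},
}


def reconcile(inventory, observed, allowed_ports):
    """Return findings grouped by type; each finding is a tuple so the list
    can be sorted or pushed into a ticketing system unchanged."""
    by_mac = {attrs["mac"]: name for name, attrs in inventory.items()}
    findings = {"unauthorized_device": [], "missing_device": [],
                "unauthorized_software": [], "unneeded_service": []}
    for mac, seen in observed.items():
        name = by_mac.get(mac)
        if name is None:
            # Seen on the network but not in the authorized inventory.
            findings["unauthorized_device"].append((mac, seen["hostname"]))
            continue
        record = inventory[name]
        for pkg in sorted(seen["software"] - record["software"]):
            findings["unauthorized_software"].append((name, pkg))
        for port in sorted(seen["ports"] - allowed_ports[record["role"]]):
            # Listening service the role does not need: least functionality.
            findings["unneeded_service"].append((name, port))
    for mac, name in by_mac.items():
        if mac not in observed:
            # In the inventory but not seen: the inventory is stale or the
            # device is off the network; either way it needs follow-up.
            findings["missing_device"].append((name, mac))
    return findings


def inventory_accuracy(inventory, observed):
    """Percentage of inventoried devices the scan actually saw; the gap to
    100% is a direct measure of how well the inventory reflects the system."""
    seen = sum(1 for attrs in inventory.values() if attrs["mac"] in observed)
    return round(100 * seen / len(inventory))


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, OBSERVED, ALLOWED_PORTS).items():
        for item in items:
            print(f"{kind}: {item}")
    print(f"inventory accuracy: {inventory_accuracy(INVENTORY, OBSERVED)}%")
```

Keying on the MAC address rather than the hostname is deliberate: a hostname is whatever the device claims, while the inventory attribute is what the organization recorded when the component was authorized.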
Page 53
Resources
- NIST (USGCB): http://usgcb.nist.gov/
- NIST (FDCC): http://nvd.nist.gov/fdcc/index.cfm
- National Checklist Program Repository: http://Checklists.nist.gov
- Center for Internet Security (CIS) Benchmarks: http://cisecurity.org/
- Institute of Configuration Management: http://www.icmhq.com/
- IT Governance Institute (ITGI): http://www.itgi.org/

Page 54
Class Discussion
- What are some of the benefits of configuration management?
- What are some of the challenges to configuration management?
- Why is it important to control changes to systems?
- What are some automated solutions for configuration management?
- If configuration management saves time, money and resources, why don’t more organizations implement a CM program?
- Why is inventory important to change management?

Page 55
Security Procedures
Picture: Elliott Bay, Seattle, WA; photo by Donald E. Hester, all rights reserved.

Page 56
Security Procedures
- Purpose: procedures ensure a uniform (repeatable) application and provide users with “how to” instructions.
- Problems: administrators may not follow them because the task is routine, or because following them takes longer to complete a given task.
- Responsibility: the system owner should develop them; administrators should consider them mandatory; disciplinary action for failure to follow.

Page 57
Procedures
- Procedure templates: proactive development, used enterprise-wide; easy deployment; tailored for the organization's environment.
- Procedure development process:
  - Needs analysis (what procedures are needed)
  - Development (write procedures)
  - Review
  - Implement
  - Review
  - Retire / Update

Page 58
Procedures
- Style: concise (don’t go overboard); easy to understand; modular fashion, for easy navigation and updating; not in the System Security Plan.
- Formatting: need to be written, not ‘ad hoc’; date and revision; signed; bulleted lists; screen shots.

Page 59
Access
- Procedures need to be available to those who need them, when they need them.
- Stored in multiple locations and by multiple means: paper and electronic.
Maintenance
- Living documents; they will need to change as the system changes.
- Built into the change management process.
- May trigger an update or change to disaster recovery processes.
- Keep past versions.

Page 60
Procedures in the RMF (C & A) Process
- Establish the process and requirements.
- Should be documented in the System Security Plan.
- Failure to follow procedures increases risk.
- Procedures are tested as a part of security testing.
- Weaknesses in procedures should be documented and placed in remediation.

Page 61
Summary: Procedures
- Describe the tasks to be done and how to do them.
- Add consistency to the process.
- Referenced in, but not included in, the System Security Plan.
- Easily accessible.
- Clear and concise.
- Updated as needed (change management).

Page 62
Class Discussion: Procedures
System administrators consistently ignore procedures.
- What are some potential reasons for them not following procedures?
- What would you do to ensure they follow documented procedures?
- What type of procedures do you typically have problems with?

Page 63
Picture: Pebble Beach Lone Cypress, Monterey, CA; photo by Donald E. Hester, all rights reserved.
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, pp. 105-111.

Page 64
The Solution
- How do you protect your organization’s data when it is on someone else's system?
- A formal agreement establishing the required levels of protection, the required reporting, and the time period.
- Called a memorandum of understanding (MOU) or memorandum of agreement (MOA).
- An interconnection security agreement (ISA) supports the MOU/MOA with the specifics.

Page 65
Agreements in the RMF Process
- The purpose is to ensure that all systems supporting an organization's data are accredited at the same levels.
- That systems outside the control of the system owner provide the same level of protection for the data.
- Supports the understanding of different system owners.
- Provides a level of assurance.

Page 66
Systems Interconnection (NIST SP 800-100)

Page 67
Initiation
- Explicitly address the subject of interconnecting information systems by establishing formal agreements that:
  - Specify the technical and security requirements of the interconnection
  - Define the responsibilities of the participating organizations
  - Specify the rules governing these interconnections
- Obtain written management authority before interconnecting information systems.
OMB recommends that agencies use NIST SP 800-47 to ensure compliance for connections to non-agency systems.

Page 68
Communication Between Parties is Important (NIST SP 800-100)
- Ensure that the interconnection is properly maintained and that security controls remain effective;
- Facilitate effective change management activities by making it easy for both sides to notify each other about planned system changes that could affect the interconnection; and
- Enable prompt notification by both sides of security incidents and system disruptions and facilitate coordinated response, if necessary.

Page 69
Lifecycle Management Approach
NIST SP 800-47 details a four-phase “life-cycle management” approach for interconnecting information systems that emphasizes proper attention to information security.
Phase 1: Planning the interconnection
- Establish joint planning team
- Define business case
- Perform C & A
- Determine interconnection requirements
- Document interconnection agreement (MOU/MOA)
- Approve or reject interconnection
Phase 2: Establishing the interconnection
- Develop implementation plan
- Execute implementation plan
- Activate interconnection
Phase 3: Maintaining the interconnection
- Maintain the equipment
- Manage users
- Security reviews
- Analyze audit logs
- Report and respond
- Contingency planning
- Change management
- Maintain SSP
Phase 4: Disconnecting the interconnection
- Phase out
- Emergency
- Restoration of interconnection

Page 70
Sample MOU/MOA (NIST SP 800-100, Chapter 6)

Page 71
Sample ISA (NIST SP 800-100, Chapter 6)

Page 72
Time Issues
- Legal documents that obligate the organizations.
- Ensure the agreements are executed before the connections are made.
- Provisions for prompt and timely notification of a security breach.
- Provisions for actions if the agreement has been breached.
- Provisions for cancellation.

Page 73
Exceptions
- You do not need an agreement between a Major Application and the GSS (general support system).
- Requirements may be in other documentation: remote access is covered under rules of behavior; service-level agreements; maintenance agreements.

Page 74
Maintaining Agreements
- The agreement must have an ending date.
- Must be reviewed during the recertification process.
- Keep in touch with the other parties; they may need a change in the agreement.

Page 75
Summary
- Essential to provide assurance.
- Formal understanding between system owners.
- Data moves from system to system, and security needs to be ensured.
- Indirect control, not direct control.
- Documented MOU/MOA and ISA.

Page 76
Class Discussion: Interconnection Agreements
- An interconnection between your system and an external system predates the accreditation of your system. What are some likely issues you will face in trying to implement an MOU/MOA on an existing connection?
- How soon would you require notification from the owner of an interconnected system after they have had an incident?
- How often should you contact the system owner of an interconnected system?
- You contact the system owner of an interconnected system. No one at that organization seems to be aware of the MOU/MOA. What do you do?