Security Assessment P1

Chia sẻ: Tran Thach | Ngày: | Loại File: PDF | Số trang:30

0
120
lượt xem
27
download

Security Assessment P1

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Welcome to the National Security Agency (NSA) Information Assurance Methodology (IAM). In 1998, the NSA IAM was developed to meet the demand for information security (INFOSEC) assessments—a demand that was increasing due to Presidential Decision Directive 63 (PDD-63) while at the same time NSA was downsizing. NSA sought a way to maximize its resources to assist as many customers as possible. Due to Public Law 100-235, NSA was responsible for providing security guidance to all federal government classified computer systems. PDD-63 expanded this requirement to include direct support for all federal agency classified systems....

Chủ đề:
Lưu

Nội dung Text: Security Assessment P1

  1. solutions@syngress.com With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features: I One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. I “Ask the Author” customer query forms that enable you to post questions to our authors and editors. I Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. I Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening. www.syngress.com/solutions
  2. Security Assessment Case Studies for Implementing the NSA IAM Russ Rogers Greg Miles Ed Fuller Ted Dykstra Matthew Hoagberg
  3. Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or produc- tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress:The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 FGH73IP1LM 002 59MVZC6H9Q 003 4XFQIP4MCX 004 GLEQ71P9NC 005 7JHJ8FWEX2 006 VBP9EFC6K9 007 TYN8MF3TYH 008 64YTFXSQ9P 009 H8K3BN4GTV 010 IYGTE37V6N PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Security Assessment: Case Studies for Implementing the NSA IAM Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be repro- duced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-932266-96-8 Acquisitions Editor: Catherine B. Nolan Cover Designer: Michael Kavish Page Layout and Art: Patricia Lupien Copy Editor: Darlene Bordwell Indexer: Nara Wood Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.
  4. Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Syngress books are now distributed in the United States by O’Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market:Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop,Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen and to all the others who work with us, but whose names we do not know (yet)! The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope. David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada. Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada. David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands. Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines. A special thanks to all the folks at Malloy who have made things easy for us and espe- cially to Beth Drake and Joe Upton. v
  5. Contributors Greg Miles (CISSP, CISM, IAM) is a Co-Founder, President, and Principle Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Greg is a key contributor not only to Security Horizon’s manage- ment, but also in the assessment, information security policy, and incident response areas. Greg is a United States Air Force Veteran and has served in military and contract support for the National Security Agency, Defense Information Systems Agency, Air Force Space Command, and NASA supporting worldwide security efforts. Greg has been a featured speaker at the Black Hat Briefings series of security conferences and APCO conferences and is a frequent con- tributor to “The Security Journal.” Greg holds a bachelor’s degree in electrical engineering from the University of Cincinnati, a master’s degree in management from Central Michigan University in Management, and a Ph.D. in engineering management from Kennedy-Western University. Greg is a member of the Information System Security Association (ISSA) and the Information System Audit and Control Association (ISACA). Russ Rogers (CISSP, CISM, IAM) is a Co-Founder, Chief Executive Officer, Chief Technology Officer, and Principle Security Consultant for Security Horizon, Inc., a Colorado-based profes- sional security services and training provider. Russ is a key contrib- utor to Security Horizon’s technology efforts and leads the technical security practice and the services business development efforts. Russ is a United States Air Force Veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of “The Security Journal” and a staff member for the Black Hat Briefings series of security conferences. Russ holds a bachelor’s degree in computer science from the University of Maryland and a master’s degree in computer systems management also from the vii
  6. University of Maryland. Russ is a member of the Information System Security Association (ISSA), the Information System Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners. Russ was recently awarded The National Republican Congressional Committee’s National Leadership Award for 2003. Ed Fuller (CISSP, GSEC, IAM) is Senior Vice President and Principle Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ed is the lead for Security Training and Assessments for Security Horizon’s offerings. Ed is a retired United States Navy Veteran and was a key participant on the development of Systems Security Engineering Capability Maturity Model (SSE-CMM). Ed has also been involved in the development of the Information Assurance Capability Maturity Model (IA-CMM). Ed serves as a Lead Instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM) and has served in military and con- tract support for the National Security Agency and the Defense Information Systems Agency. Ed is a frequent contributor to “The Security Journal.” Ed holds a bachelor’s degree from the University of Maryland in information systems management and is a member of the Center for Information Security and the Information Systems Security Engineering Association. Matthew Paul Hoagberg is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Matt contributes to the security training, assess- ments, and evaluations that Security Horizon offers. Matt’s experi- ence includes personnel management, business development, analysis, recruiting, and corporate training. He has been responsible for implementing a pilot 3-factor authentication effort for Security viii
  7. Horizon and managing the technical input for the project back to the vendor. Matt holds a bachelor’s degree in psychology from Northwestern College and is a member of the Information System Security Association (ISSA). Ted Dykstra (CISSP, CCNP, MCSE, IAM) is a Security Consultant for Security Horizon, Inc., a Colorado-based profes- sional security services and training provider.Ted is a key contrib- utor in the technical security efforts and service offerings for Security Horizon, and an instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM).Ted’s background is in both commercial and government support efforts, focusing on secure architecture development and deployment, INFOSEC assessments and audits, as well as attack and penetration testing. His areas of specialty are Cisco networking products, Check Point and Symantec Enterprise Security Products, Sun Solaris, Microsoft, and Linux systems.Ted is a regular contributor to “The Security Journal,” as well as a member of the Information System Security Association (ISSA) and a leading supporter of the Colorado Springs, Colorado technical security group: dc719. ix
  8. Contents Introduction xxv Chapter 1 Laying the Foundation for Your Assessment 1 Introduction 2 Determining Contract Requirements 3 What Does the Customer Expect? 4 Customer Definition of an Assessment 4 Sources for Assessment Work 7 Contract Composition 7 What Does the Work Call For? 11 What Are the Timelines? 16 Understand the Pricing Options 18 Understanding Scoping Pitfalls 20 Common Areas of Concern 21 Customer Concerns 21 Customer Constraints 21 “Scope Creep” and Timelines 22 Uneducated Salespeople 23 Bad Assumptions 24 Poorly Written Contracts 25 Staffing Your Project 27 Job Requirements 27 Networking and Operating Systems 27 Hardware Knowledge 28 Picking the Right People 28 Adequately Understanding Customer Expectations 30 The Power of Expectations 30 What Does the Customer Expect for Delivery? 30 Adjusting Customer Expectations 30 xi
  9. xii Contents Educating the Customer 31 Helping the Customer Understand the Level of Effort 31 Explaining Timeline Requirements 31 Understand the Commitment 32 Project Leadership 32 Constant Communication with the Customer 32 Constant Communication with Team Members 33 Timeliness of the Effort 34 Long Nights, Impossible Odds 35 Initial Resistance Fades to Cooperation 35 Case Study: Scoping Effort for the Organization for Optimal Power Supply 36 Summary 39 Best Practices Checklist 40 Frequently Asked Questions 42 Chapter 2 The Pre-Assessment Visit 45 Introduction 46 Preparing for the Pre-Assessment Visit 47 Questions You Should Ask 48 Determining the Network Environment of the Assessment Site 48 Determining the Security Controls of the Assessment Site 50 Understanding Industry Concerns for the Assessment Site 50 Scheduling 52 Understanding Special Considerations 53 Managing Customer Expectations 53 Defining the Differences Between Assessment and Audit 54 Results, Solutions, and Reporting 56 Interference on Ops 57 Impact on Organization Security 58 Defining Roles and Responsibilities 60 Who Is the Decision Maker? 61
  10. Contents xiii Who Is the Main Customer POC? 61 Who Is the Assessment Team Leader? 62 Suggestions for the Assessment Team 63 Possible Members of the Customer Team 63 Planning for the Assessment Activities 65 Developing Mission Identification 66 Understanding Industry Differences 67 Relating the Mission to Pre-Assessment Site Visit Products 68 Defining Goals and Objectives 69 Understanding the Effort: Setting the Scope 69 Information Request 69 Coordinate 70 Establish Team Needs for Remaining Assessment 70 Industry and Technical Considerations 70 Case Study:The Bureau of Overt Redundancy 71 The Organization 71 Summary 75 Best Practices Checklist 76 Frequently Asked Questions 77 Chapter 3 Determining the Organization’s Information Criticality 81 Introduction 82 Identifying Critical Information Topics 86 Associating Information Types with the Mission 90 Common Issues in Defining Types 91 Common Mistakes in Defining Types 92 Identifying Impact Attributes 93 Common Impact Attributes 95 Confidentiality 96 Integrity 96 Availability 96 Additional Impact Attributes 97 Based on Regulatory or Legal Requirements 97 Personal Preference 98 Recommendation of a Colleague 99
  11. xiv Contents Creating Impact Attribute Definitions 99 Understanding the Impact to the Organization 99 Can We Live Without This Information? 100 Example Impact Definitions 100 High, Medium, and Low 100 Numbered Scales 103 Creating the Organizational Information Criticality Matrix 104 Prioritizing Impact Based on Your Definitions 105 The Customer Perception of the Matrix 107 Case Study: Organizational Criticality at TOOT 108 TOOT Information Criticality Topics 109 Identifying Impact Attributes 110 Creating Impact Definitions 110 Creating the Matrix 111 Summary 113 Best Practices Checklist 115 Frequently Asked Questions 116 Chapter 4 System Information Criticality 119 Introduction 120 Stepping into System Criticality 121 Defining High-Level Security Goals 123 Locating Additional Sources of Requirements 126 Determining System Boundaries 128 Physical Boundaries 128 Logical Boundaries 128 Defining the Systems 130 What Makes a System Critical? 132 Breaking the Network into Systems 133 What Makes Sense? 134 Creating the System Criticality Matrix 134 The Relationship Between OICM and SCM 135 Refining Impact Definitions 136 A Matrix for Each System 137 Unexpected Changes 138 Case Study: Creating the SCM for TOOT 140
  12. Contents xv Locating System Boundaries 140 Completing the System Criticality Matrix 141 Summary 145 Best Practices Checklist 147 Frequently Asked Questions 149 Chapter 5 The System Security Environment 151 Introduction 152 Understanding the Cultural and Security Environment 154 The Importance of Organizational Culture 154 Adequately Identifying the Security Environment 156 Defining the Boundaries 159 Physical Boundaries 160 Logical Boundaries 161 Never the Twain Shall Meet—Or Should They? 162 Identifying the Customer Constraints and Concerns 162 Defining Customer Constraints 163 Types of Operational Constraints 163 Types of Resource Constraints 164 Environmental Constraints 164 Architectural Constraints 165 Determining Customer Concerns 166 Why Are You There in the First Place? 166 Specific Criteria to Assess 166 Handling the Documentation Identification and Collection 167 What Documentation Is Necessary? 169 Policy 169 Guidelines/Requirements 169 Plans 170 Standard Operating Procedures 170 User Documentation 170 Obtaining the Documentation 171 Use the Customer Team Member 171 Tracking the Documents 171 Determining Documentation Location 172 What If No Documentation Exists? 172 Ad Hoc Security 173
  13. xvi Contents Case Study: Higher Education 174 Summary 179 Best Practices Checklist 179 Frequently Asked Questions 181 Chapter 6 Understanding the Technical Assessment Plan 183 Introduction 184 Understanding the Purpose of the Technical Assessment Plan 184 The TAP: A Plan of Action 187 The TAP: A Controlled and Living Document 187 Linking the Plan to Contract Controls 188 Understanding the Format of the TAP 190 Point of Contact 191 Mission 192 Organizational Information Criticality 193 System Information Criticality 194 Customer Concerns and Constraints 195 System Configuration 196 Interviews 197 Documents 198 Timeline of Events 200 Customizing and Modifying the TAP to Suit the Job at Hand 200 Modifying the Nine NSA-Defined Areas 201 Level of Detail 201 Format 202 Case Study:The Bureau of Overt Redundancy 202 The BOR TAP 202 Contact Information 203 Mission 204 Organization Information Criticality 206 System Information Criticality 208 Concerns and Constraints 209 System Configuration 209 The Interview List 210
  14. Contents xvii Documentation 211 Events Timeline 213 Summary 215 Best Practices Checklist 216 Frequently Asked Questions 217 Chapter 7 Customer Activities 219 Introduction 220 Preparing for the Onsite Phase 220 Assessment Team Preparation 221 Administrative Planning 222 Technical Planning 223 Customer Preparation 224 Scheduling 225 Communication 225 Setting the Onsite Tone 226 Understanding the Opening Meeting (The Inbriefing) 227 Conducting the Opening Meeting 228 Meeting Format 228 Information to Take Away 228 Establishing and Maintaining the Onsite Expectations 229 Understanding the Process 229 Understanding the Results 230 Keeping the Customer Involved 230 Continued Customer Education 230 Information Exchange 231 NSA IAM Baseline INFOSEC Classes and Categories 232 Management Aspects 233 INFOSEC Documentation 234 INFOSEC Roles and Responsibilities 234 Contingency Planning 235 Configuration Management 236 Technical Aspects 236 Identification and Authentication 237 Account Management 238 Session Controls 239 Auditing 240
  15. xviii Contents Malicious Code Protection 240 Maintenance 241 System Assurance 241 Networking/Connectivity 242 Communications Security 243 Operational Aspects 243 Media Controls 243 Labeling 244 Physical Environment 244 Personnel Security 245 Education Training and Awareness 245 The Fine Art of the Interview 246 Interview Characteristics 246 Whom Do I Interview? 247 Interview Scheduling 248 Interview Environment 248 Attributes of a Successful Interviewer 249 Breaking the Barriers 249 Gaining Needed Information 252 Case Study: Interviews With University Staff 254 The Management Interview 258 The Technical Interview 260 Group Interview with Computer Science Systems Administrators 260 Individual Interview with Marcia 262 Summary 264 Best Practices Checklist 265 Frequently Asked Questions 266 Chapter 8 Managing the Findings 269 Introduction 270 Demonstration Versus Evaluation 271 What Are System Demonstrations? 271 The Good and the Bad 272 What Are System Evaluations? 273 Manual Checks 274 Tailored Scripts 274
  16. Contents xix Tools 274 Findings and Dependencies 276 When Is a Finding Considered Dependent? 277 Is It Good or Bad? Does It Matter? 278 Mapping Findings to Requirements and Constraints 278 Justification 279 Mapping Requirements 280 Creating Recommendation Road Maps 281 Cost Effectiveness 281 Applicability 281 Importance 282 Users 282 Options for Increasing the Security Posture 282 The Yugo Implementation 283 The Ford Solution 284 The Cadillac Solution 284 Case Study: Medical Management 284 System Description 286 Information Criticality 286 Summary of Findings 287 Excerpt of Findings 288 Recommendation Road Map 298 Summary 305 Best Practices Checklist 305 Frequently Asked Questions 307 Chapter 9 Leaving No Surprises 309 Introduction 310 Determining the Audience for the Closeout Meeting 310 Who Is Your Audience? 311 Who Should Attend? 311 Organizing the Closeout Meeting 312 Determining Time and Location 312 Time of Meeting 313 Day of Week 313 Meeting Room 313 Determining Supply List for the Closeout Meeting 313
Đồng bộ tài khoản