Presentation on theme: "For Security Professionals"— Presentation transcript:
1 For Security Professionals INFORMATION SYSTEMSECURITYFor Security ProfessionalsThis presentation highlighting the changes to chapter 8 which went into effect on 1 May 2001, was developed by the North East Region Information System Security Managers Association (NERISSMA). It has been modified only slightly to cover any unique information.
2 Objectives Discuss the principles of Computer Security Identify required IS security documentationIdentify the purpose of a System Security Plan (SSP)A. Tie InThis section provides an overview of what needs to be included in the System Security PlanB. ObjectivesUsing NISPOM, Chapter 8 Section 6, paragraph 610:Define the security documentation that is needed for accredited IssDefine the purpose of the SSPIdentify what information must be included in an SSP.
3 Foundations of Computer Security ConfidentialityIntegrityAvailabilityCIAParagraph NISPOM
4 CONFIDENTIALITYPROTECTION OF DATA IN OR PROCESSED BY THE COMPUTER SYSTEM FROM DISCLOSURE
5 INTEGRITYProtection of data software used or processed on classified systems.FROM:MANIPULATIONDELETION
6 or natural disasters AVAILABILITY Protecting the computer from malicious logicor naturaldisasters
7 Protection Levels NISPOM 8-402 PL-1DedicatedPL-3CompartmentedPL-2System High
8 Protection Level (PL) 1 Dedicated Security Mode Clearance, N-T-K and, if applicable, all formal access approvals for all informationTSIt equates to having the combination to a container. Before you are given that combination, it is verified that you have the appropriate clearance and need-to-know for all information in that container.Most systems accredited out there are in this modeNo technical IS security is required. Access is determined by physical and administrative controlsJust keep unauthorized persons out of the area.TS
9 Protection Level (PL) 2 System High Security Mode Clearance and access approvals for all information but with different N-T-KTSbThere are systems out there accredited at this level, but much less than dedicated mode.It is more complicated, there more stringent protection requirements-need-to-protection or discretionary access controls - the owner of a file has control over who gains access to it, through logical partitions = including user ids and passwords. Object reuse issues are addressed here.Includes physical partitions = printers/monitors segregated to protect NTKa
10 Protection Level (PL) 3 Compartmented Security Mode Clearance for most restrictive information, but different formal access approvalsPertained to SCI and SAP, NATO, CNWDI and CRYPTO type informationIt’s the sensitivity level of the information that’s the concernNATOCRYPTOTS- NATOTOP SECRETCNWDISAP
14 Levels of Concern 8-403 Integrity Must be contractually imposed.
15 Availability MatrixMust be contractually imposed.
16 Levels of Concern 8-403 Availability Must be contractually imposed.
17 Cognizant Security Agency Agencies of the Executive Branch authorized to establish an Industrial Security program The agencies are: DoD, DoE, CIA, and NRC.Provide oversight for information systems that process classified information. This includes the review of your security program to get to a point where DSS can certify and accredit information systems to process classified information.Establish a line of authority for training. We’ll talk later bout some recommended methods and resources you can use.Segue: Remember from this morning, who administers the program for DoD, the CSA? DSS, who is the CSO.8-101a, NISPOM
18 Cognizant Security Office The entitydesignated by the Head of a CSA to administer industrial security on behalf of the CSA.Provide oversight for information systems that process classified information. This includes the review of your security program to get to a point where DSS can certify and accredit information systems to process classified information.Establish a line of authority for training. We’ll talk later bout some recommended methods and resources you can use.Segue: Remember from this morning, who administers the program for DoD, the CSA? DSS, who is the CSO.Performs oversight, program review, training, and certification and accreditation of ISs used by its contractors8-101a, NISPOM
19 Contractor Role Publish and promulgate an IS Security Policy Appoint and train an Information Systems Security Manager (ISSM)Contractor RoleContractor management will publish and promulgate an IS Security Policy addressing the classified processing environment.Appoint ISSM (old ISSR). An IS Security Manager will be appointed with oversight responsibility for the development, implementation and evaluation of the facility’s IS security program.Train ISSM. Contractor management will assure that the ISSM is trained to a level commensurate with the complexity of the facility’s IS. This course meets that requirement. You can also take any nationally known or government agency information system security training which includes testing or certification.8-101b, NISPOM
20 IS Security Manager (ISSM) Not necessarily the Facility Security Officer (FSO)Designated by ManagementThe CSA’s point of contact for IS securityGenerally a very nice guyISSMThe ISSM can be the FSO or it can be delegated to someone else. In any case, the ISSM should have a background in computers.The ISSM is appointed by manaagementIf FSO and ISSM different people, ISSM reports security issues and problems to the FSOThe FSO has overall security responsibility, however, relies on the ISSM for technical issues just as the ISRep relies on their ISSP for technical issues.The ISSM will be the point of contact for the CSA regarding information systems that process classified information.
21 IS Security Officer (ISSO) Appointed by ISSM in facilities with multiple accredited ISAssists in day-to-day IS security operationsHas PCL, NTK, and formal access approvals for all information processed on accredited ISNot so niceThe ISSO is appointed by ISSM in facilities with multiple accredited IssAssists in day-to-day IS security operationsHas PCL, NTO, formal access approvalsHave students turn to paragraph 8-104Examples of responsibilities ISSM can assign:Prepare, maintain, implement the SSP for the assigned IS.Implement security measures in accordance with facility procedures:CM program, unauthorized personnel not granted access to IS, proper marking, handling, controlling of accredited IS, proper media and equipment destructionNotify ISSM when an IS no longer processes classified information or whenchanges occur that might affect accreditation
22 Security Documentation 8-610 NISPOM System Security PlanProfileConfiguration PlanRisk Acceptance LetterMemorandum of UnderstandingProtected Distribution SystemLesson Title: Certification and AccreditationDate Prepared: March 2001Time Required for Lesson: min (.5 hr)Method(s) of Instruction: LectureInstructor(s): OneClassroom(s) Requirements: OneInstructional Aids: Powerpoint slidesEquipment: Computer/projector/screenHandout Materials: Copy of slides
23 Basis for Accreditation SafeguardsDocumentation (SSP)PolicyEvaluation of security risks34
24 System Security Plan Defines Security Policy Includes Configuration Management PlanCovers the life-cycle of systemTarget audience includes users, system administrative, government, and security staffBest single security toolThe NISPOM identifies specific security documentation for Iss processing classified information.Before any processing of classified information on an IS, these documents must be written:Management’s information systems security policy.A Configuration Management Plan which includes a list of the hardware and software.System Security Plan. The SSPCertification and Accreditation documentationThese documents can be rolled up into the SSP8-610
25 Self-Certification Master/Profile Concept System Security PlanMSSPPPSSPPPWhat is the purpose of the SSP?The SSP is the basic system protection document and evidence that the proposed system or update to an existing system, meets the protection profile requirements.It provides the Users with their instructions on how to process classified information-it is their guide.The SSP also serves as the basis for inspections of the system.Additionally, if you use the DSS provided template, it allows for uniformity, consistency. DSS has over 11,500 facilities. It would be very difficult to review this required documentation if there wasn’t some uniformity.Practical Exercise will be required, writing an SSP
26 Self-Certification Concept Profile Requirements Same classificationSame PL levelSame Level of ConcernSame EnvironmentApproved O/SSame system typeApproved TDApproved Periods ProcessingApproved Mobile SystemsApproved Test EquipmentThe SSP is the basic system protection document and evidence that the proposed system or update to an existing system, meets the protection profile requirements.It provides the Users with their instructions on how to process classified information-it is their guide.The SSP also serves as the basis for inspections of the system.Additionally, if you use the DSS provided template, it allows for uniformity, consistency. DSS has over 11,500 facilities. It would be very difficult to review this required documentation if there wasn’t some uniformity.Practical Exercise will be required, writing an SSP
27 Self-Certification Concept Not Authorized SIPRNETWAN self-certsSystems requiring variancesAudit variancesAlternate TD proceduresLegacy O/SThe SSP is the basic system protection document and evidence that the proposed system or update to an existing system, meets the protection profile requirements.It provides the Users with their instructions on how to process classified information-it is their guide.The SSP also serves as the basis for inspections of the system.Additionally, if you use the DSS provided template, it allows for uniformity, consistency. DSS has over 11,500 facilities. It would be very difficult to review this required documentation if there wasn’t some uniformity.Practical Exercise will be required, writing an SSP
28 System Identification SSP INCLUDESSystem IdentificationPurposeSecurity personnelSystem descriptionMission or purposeArchitectureClassification LevelFormal Access ApprovalsSystem requirementsPersonnel Clearance Level of UsersNeed to Know of UsersProtection LevelPhysical controlsMarking requirementsSSP Must Include (slide changed):System IdentificationSecurity Personnel: name, location and phone number of the responsible system owner, the ISSM and ISSO (if applicable)System Description- The system description is a brief narrative of the mission or purpose of the system (such as - will be used for creation of classified drawings of the Stealth Bomber)- The system description also includes the architecture of the IS, including subnetworks, communications devices and protocols. A block diagram of the components that show the interconnections between the components as well as to other systems and an information flow diagram should be included. Also need to include a brief description of the security support structure including all controlled interfaces, interconnection criteria and security requirements. Addressed in more detail in the Interconnected Systems Mgmt blockSSS addressed briefly in ISL question: 44.8-610a.(1)(a)
29 SSP-Protection Measures Audit CapabilitiesAccess ControlsResource ControlsSystem RecoverySecurity TestingData TransmissionI & ASession ControlsSystem AssurancePhysical SecurityProtection Measures: See Chap 8, Section 4, Table 5 (8-4-3)List of protection measures that must be addressed in the SSP. Depending on the identified Protection Level of the IS, determines what protection measures must be in place and documented in the SSP.Table 5:. These are the items that need to be addressed. The items are detailed in section 6 of the chapter 8.Go to exercise in book (page 26)Lets look at how this works--go to table 5, What is the Audit requirements at PL 1? Answ: Audit 1What does Audit 1 say (students need to go to 8-602) have them read “(1)Automated Audit Trail Creation: The system shall automatically create and maintain an audit trail or log.What is the Access Control requirement for PL 2? Answ: Access 2Students read “Discretionary Access controls shall be provided.Resource Controls - System Recovery - is a UPS required; Testing - are the security features appropriate and functional; Data Transmission - is the classified data being protected when it moves through areas where unauthorized persons could have access; I&A - are the user’s unique logon procedures working, Session Controls - are the appropriate warning banners being used, System Assurance - are only those authorized access to the O/S getting access?The next several blocks will address each of these items in more detail.
30 SSP-Protection Measures Trusted DownloadingSoftware controlsMedia controlsMaintenanceClearing and sanitizationSelf InspectionsSSP -AdditionalTrusted Downloading. If you intend to download unclassified or lower classified information to media you need to include procedures on how this is going to be done. These procedures must be tested and certified.The SPP must also identify how the software and media that is used for classified processing is going to be protected. This includes examining and reviewing the hardware and media output.Need to include maintenance procedures in the SSP. How it will maintenance be performed and by whom, whether they will be cleared or uncleared personnel.Clearing and sanitization for the type of media and memory involved must also be addressed.More on all of these topics in the blocks to come.
31 SSP-Variances and RAL letters Description of approved variances from protection measuresAttach documentationDocumentation of any unique threat or vulnerabilities to systemDocument if none existsSSP - Variances & VulnerabilitiesSSP will also include any variances from the protection measures identified- Examples:1. Manual logs vs. automated audit trails.Approval documentation must be attached to the SSP.2. Write protect media vs. test, review media after installWrite protect procedures must be documented & approvedA description of the risk assessment of any threats or vulnerabilities unique to the system must be documented.Accreditation of a system located in a room where on the other side of the wall is a foreign owned and run firm. That may or may not be an issue but it needs to be explored.If any vulnerabilities are identifie countermeasures must be implemented to mitigate and described in the SSP.If unable to mitigate, an alternative solution must be documented, approved and included in the SSP.If no threats/vulnerabilities, a statement to that effect included in SSP
32 SSP-May Also IncludeMOU for connections to separately accredited networks & systemsSpecial purpose type systemsembedded systemsOther contractual issuesSSP - Might Also includeMOU - If connections to other systems exist, a MOU is necessary if the systems are approved by a person other than the CSA responsible for this system. A copy of the MOU with other agencies must be attached to the SSP.Special categories, such as pure servers, embedded systems, must not be overlooked. Descriptions and protection measures need to be defined.Other contractual Issues - Other contractual issues, such as Integrity, Availability requirements need to be addressed.TEMPEST - Also, if the contract requires TEMPEST, that is extra measures to protect against emanations, particularly on transmission lines. These issues may also need to be addressed in the SSP.Your IS Rep will take a look at the DD 254s involved to see if there are any special requirements that need to be addressed.
33 Audit Records Who fills out what? What logs are required? - Manual ISSOs & UsersWhat logs are required? - ManualMaintenanceHardware & SoftwareUpgrade/DowngradeSanitizationWeekly Audit LogSeal Log (If Applicable)Receipt/Dispatch (If Applicable)Depending on the size of the system, the ISSO may fill out all the logs or delegate it to the users. The larger systems with a lot of people on the access list (may work more than 1st shift also), usually the users annotates the logs. The ISSO will see this when they check the logs weekly and annotate the "weekly" audit log.
34 Audit Records - cont’d What logs are required - Automated if technically capableSuccessful and unsuccessful logons and logoffsUnsuccessful accesses to security-relevant objects and directories, including:creationopenmodification and deletionPoint out that the increased audit log requirement will take up a lot of space on your systems. Think about saving archives to tape or alternative disk
35 Audit Records - cont’d Changes in user authenticators, i.e., passwords Denial of system access resulting from an excessive number of unsuccessful logon attempts.If not technically capable, the Authorized Users list will be retained as an audit recordPoint out that the increased audit log requirement will take up a lot of space on your systems. Think about saving archives to tape or alternative disk
36 Re-Accreditation & Protection Measures Every Three YearsMajor ChangesIf no changes updatedSSP may not be required.Reaccreditation is required every three years or when there are major changes to the ISDefine what constitutes a major change: Operating System, i.e., Windows NT to Windows 2000, Unix to Windows, Hardware that is not “like” equipment, security relevant software, i.e., biometrics, firewall software, etc.Protection Measures - Every user must have a unique identifier and be capable of some sort of authentication: Passwords, biometrics, smart cards. The User ID shall be associated with all auditable actions taken by the individual.
37 Passwords Minimum 8* Characters Classified to the highest level of the systemChanged at least every 365* daysChanged when compromisedAutomated generation when possibleReemphasize the password requirements. Need to specify in the profile:1. Password generation method2. If the system is technically capable of enforcing password length3. Password composition enforcement capabilities.4. Technical or procedural controls for ensuring passwords are changed when required.5. Boeing CSRM (Computing Security Requirements Manual) requires passwords to be changed at least every 180 days.
38 DoD Warning Banner Required Positive User Action Prominently displayed DoD Warning Banner is required.There must be some positive user action to get past the banner.If technically impossible to display on the system, it needs to be prominently displayed.Tape it to the monitor screen so the user has to lift the banner prior to working on the system.
39 Login Attempts Maximum of 5* attempts Lockout for 15* minutes At a minimum and if technically possible,The system should be set to allow a maximum of 5 login attemptsThe login attempts should be limited to 5 minutesIf there is a failed login, the account should be disabled for a minimum of 5 minutes, or until an authorized administrator re-sets the account.
40 Customer can require additional requirements above NISPOM Special Categories Section 5, Chapter 8 May not meet all NISPOM RequirementsSingle-users Stand-alonesOnly one users accesses systemPure ServersNo user code on systemTactical, Embedded Special-Purpose SystemsConfigured as directed by customerCustomer can require additional requirements above NISPOM
41 Clearing and Sanitization You probably won’t sanitize the floppies, but in some cases (SAPs) they require you do so prior to shredding.Sanitizing the printer requires printing one unclassified page such as the font test. After review, you can treat the page as unclassified The printer must be powered down
42 ClearingRemoval of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., keyboard strokes). DCID 6/3ClearingThe definition from the Director of Central Intelligence Directive (DCID) 6/3“Removal of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e. keyboard strokes)”
43 SanitizationThe process of removing information from media or equipment such that data recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings DCID 6/3Sanitizing definition taken from the DCID 6/3Sanitization is the process of removing the data from media before reusing the media or equipment in an environment that does not provide an acceptable level of protection for the data that was in the media before sanitization.Sanitized media can be released outside the protected enviornment.
44 Clearing and Sanitization Matrix www.dss.mil Hard drivesMay be degaussed or destroyed at end of life cycleCPUsRemove power for one minutePrintersPrint one page (font test) then power downYou probably won’t sanitize the floppies, but in some cases (SAPs) they require you do so prior to shredding.Sanitizing the printer requires printing one unclassified page such as the font test. After review, you can treat the page as unclassified The printer must be powered down
45 Configuration Management Plan Formal change control procedures for security-relevant hardware and softwareManagement of all documentationImplement, test andverify CM plan12. CM PlanThe facility CM program shall be documented in a CM plan and shall include:a. Formal change control procedures to ensue the =review an approval of security -relevant hardware and software: O/S, media, any hardware where there is a sanitization issueb. Procedures for management of all documentation, such the SSP and security test plansc. Workable processes to implement, periodically test and verify the CM pland. A verification process to provide additional assurance that the CM process is working effectively and changes outside the CM process are technically or procedurally not allowed
46 CM Plan Documents:Procedures to identify and document type, model and brand of IS hardwareProcedures to identify and document product names and version or release numbers and location of security relevant softwareSystem connectivityCM DocumentationCM procedures must be a part of the security documentation. It is documented procedures for controlling, changing, maintaining, and acceptability of the system hardware and software.CM document must contain:- Type, model and brand of system or network components (e.g. a workstation, PRINTER, or router ,KEYBOARDS AND MONITORS)- Security relevant software product names and version or release numbers and physical location. In other words-a hardware/software listing for the systems.- System connectivity, including any software used for wireless communication and any communications media.8-311
47 Periods Processing Separate Sessions Different Classification Levels Different Need-To-KnowRemovable Media for each processing sessionPeriods processing is using the same equipment for different levels and needs to know running in separate sessions.Removable media is required. Each program will have their own removable media.
48 Summary Principals of Computing Security System Security Plan PurposeContentsNISPOM = WhatSSP = HowSummaryWe have reviewed the purpose and contents of the SSP. The NISPOM tells you what you need to include and the SSP tells the users and the government how you are implementing those NISPOM requirements for your specific system.So, what is the purpose of the SSP? It’s the basic system protection document. It evidence that the accredited IS meets the protection profile requirements. If provided the Users with instructions on how to use the IS to process classified information; and serves as an inspection guide.Contents: CONOPS (Sys Id & Specification Requirements); identifies classification level; PCL, NTK, hardware/software baselines, physical security, hardware/software controls, maintenance, auditing, clearing/sanitization, etc.NISPOM = What. NISPOM identifies what the security requirements are for the various levels of Iss processing classified information.SSP = identifies how these requirements will be carried out.