Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Beyond Standards. Standards ISFO Manual Threats Case Study Future 2 Beyond Standards.

Similar presentations


Presentation on theme: "1 Beyond Standards. Standards ISFO Manual Threats Case Study Future 2 Beyond Standards."— Presentation transcript:

1 1 Beyond Standards

2 Standards ISFO Manual Threats Case Study Future 2 Beyond Standards

3 3 Audit Policy Event Logs Configuration User rights Security options Network, Firewall, Port protocol Others Baseline Standards

4 4 Audit Policy  Basic Audit versus Advanced Audit Poli c y Event Logs  Retain old events and Automatically backup log when full Baseline Standards

5 5 User Rights  Add workstations to domain  Synchronize directory service data Bypass traverse checking Baseline Standards

6 6 User Rights  Impersonate a client after authentication Devices: Allow undock without having to log on Baseline Standards

7 7 Security Options  Domain controller: Refuse machine account password changes Domain controller: Allow server operators to schedule tasks Baseline Standards

8 8 Networking  Internet Communication Events.asp Links Turn Off Handwriting Personalization Data Sharing  Power Options Require a Password When a Computer Wakes Network Connections Route all traffic through internal network Baseline Standards

9 9 Networking  NTP server : Configure Windows NTP client localtimeserver Type Set to NT5D5. ( Set to NT5DS if the system is not PDC)  TCPIP Settings\IPv6 Transition Technologies IPHTTPS Url Firewall Display Notification ( Set to Yes) Firewall log file ( currently set to %windir%.log) Set to Baseline Standards

10 10 Networking  Firewall IPv6 Block of UDP 3544  Remote Desktop Services Do not use temporary folders per session should be associated with Remote Desktop Session Host\Temporary folders.  Search Setting Search-Allow indexing of encrypted files Search-Enable indexing uncached Exchange folders Baseline Standards

11 11 Services  Remote Desk Services Crashes on refresh of GPO  Remote Desktop Help Session Manager ( ignored on windows 7 and windows 2008)  SNMP Trap Service is SNMP Trap  Simple Service Discovery Protocol Discovery Service is SSDP Discovery ( needed for plug and play)  World Wide Web Publishing Services is World Wide Web Publishing Service Baseline Standards

12 12 Virtualization  Allow log on through Remote Desktop Services  Deny log on through Remote Desktop Services Set to Everyone ( should be Guests)  Virtual OS Baseline Standards

13 13 Security Relevant Objects  SROs for NT5 (XP, 2003) but not used by NT6 (7,2008)  c:\windows\system32\kdcsvc.dll  c:\windows\system32\msgina.dll  c:\windows\system32\ntbackup.exe  c:\windows\system32\ntdsa.dll  c:\windows\system32\ntdsatq.dll  c:\windows\system32\regedit.exe  c:\windows\system32\rshx32.exe  c:\windows\syswow64\rshx32.exe  c:\windows\syswow64\spool\printers Baseline Standards

14 14 Others Difference in baseline between NT5 and NT6  NT5 Audit: Shut down system immediately is. Enabled.  NT6 Audit: Shut down system immediately is Undefined.  NT5 Restrict CD-ROM access to locally logged-on user only is Enabled.  NT6 Restrict CD-ROM access to locally logged-on user only is Disabled. Baseline Standards

15 15 Others Difference in baseline between NT5 and NT6  NT5 Interactive logon: Number of previous logons to cache is 0 NT6 Interactive logon: Number of previous logons to cache is 2 logons or less  NT5 Shutdown: Clear virtual memory page file is Enabled  NT6 Shutdown: Clear virtual memory page file is Disabled NT6 Every Administrative actions required authentication Baseline Standards

16 16 ODAA Process Manual v3.2, November 15, 2013 Summary of Changes ODAA Process Manual

17 17 ODAA Process Manual Aligned under National Institute of Standards and Technology (NIST) Controls

18 18 ODAA Process Manual C&A Documentation Process Divided into Three Categories Management Controls, 3.0 Operational Controls, 4.0 Technical Controls, 6.0

19 19 ODAA Process Manual NIST Control Mapping 10.0 (page 86)

20 20 ODAA Process Manual Publication date: November 15, 2013 Effective date: May 15, 2014

21 21 ODAA Process Manual Removable Media Restrictions (p. 51) Write ability will be restricted to people designated and briefed by ISSM. The default will be to disable write ability for all forms of removable media.

22 22 ODAA Process Manual SIPRNet Section 9.0 (pp ) Command Cyber Readiness Inspections (CCRI) NISP SIPRNet Circuit Acquisition Process

23 23 ODAA Process Manual Defense Industrial Base Cyber Security Accreditation Process (DIBNet) 9.2 Use to report cyber security incidents

24 24 ODAA Process Manual Self-Certification Requirements (p.32) Introduction to NISP C&A Process NISP C&A Process: A Walk-Through Technical Implementation of C&A

25 25 ODAA Process Manual Logon Banner (pp 68-70) NISPOM compliant systems (p. 69) DoD Warning Banner for SIPRNet (p. 70)

26 26 ODAA Process Manual Other Items: But nothing really new

27 27 ODAA Process Manual Examples of reasons to deny an IATO: Missing or incomplete UID ISSM did not sign the IS Security Package Statement Missing H/W List – S/W List – Configuration Diagram Physical security not adequately explained

28 28 ODAA Process Manual Examples of reasons to deny an IATO: No signed DSS Form 147 – for Closed Area No Certification Test Guide Results provided Missing letter from GCA if variances are needed Identification and authentication not fully addressed

29 29 ODAA Process Manual Periods Processing (p. 19) Clearing can be used to overwrite HD for reuse at same or higher level. Not for TS

30 30 ODAA Process Manual Sanitizing (pp 41-43) Spills can be cleaned up by overwriting Get GCA approval prior to or after incident If GCA does not respond after 30 days assume approved GCA may require destruction

31 31 ODAA Process Manual Incident Response Plan The contractor shall develop an incident response plan. Distribute copies of the incident response plan to appropriate incident response personnel. The incident response plan shall be reviewed and revised when appropriate to ensure accuracy.

32 32 ODAA Process Manual Classified Spill Cleanup Procedures Coordination with sender / receiver / data owner Wiping Utility Instructions (p. 45) Reporting (NISPOM 1-303)

33 33 ODAA Process Manual Trusted Download Alternate Trusted Download procedures need letterhead memo signed by data owner or GCA. (p. 53)

34 34 ODAA Process Manual Weekly Audits (p.71-72) Audits need to be done at least weekly “At least weekly” means once per calendar week

35 35 Threat Cyber Threat Insider Threat

36 36 Threat Insider Any person with authorized access to any United States Government resource to include personnel, facilities, information, equipment, networks, or systems. Insider Threat: The threat that an insider will use his/her authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of resources or capabilities.

37 37 Insider Threat mitigation has become an urgent requirement for DoD agencies Presidential Memorandum and Executive Order (EO) –Created steering committee –Executive Agent for Safeguarding Classified Info on Networks –National Insider Threat Task Force Produce national policy, standards Provide assistance and assessments to departments/agencies EO 10450, Security Requirements for Government Employment Authority to investigate any information that comes to its attention that indicates retaining any officer or employee of the agency may not be consistent with national security interests Provides authority to conduct inquires both prior to an actual hiring and after an individual has been hired by the agency “In the wake of an unprecedented document dump that is straining U.S. diplomatic relations in some corners of the world, the administration ordered agencies last month to ensure that unauthorized employees do not get access to sensitive or classified information.” UNCLASSIFIED//FOUO

38 38 Threat (not all-inclusive) Excessive and abnormal intranet browsing, beyond the individual's duties and responsibilities, of internal file servers or other networked system contents Attempts to obtain classified or sensitive information by an individual not authorized to receive such information Unauthorized copying, printing, faxing, ing, or transmitting classified material Contact with an individual who is known or suspected of being associated with a foreign intelligence or security organization Hacking or cracking activities, social engineering, electronic elicitation, spoofing or spear phishing

39 39 Case Study What would you do?

40 40 Questions ? Contact DSS….


Download ppt "1 Beyond Standards. Standards ISFO Manual Threats Case Study Future 2 Beyond Standards."

Similar presentations


Ads by Google