IS Inspection Trends - jsac

Download Report

Transcript IS Inspection Trends - jsac

Information Systems (IS)
Inspection Trends
April 17 – 18, 2013
Stan Sterns, CISSP
Lockheed Martin Aeronautics
1
Agenda
•
•
•
•
Cognizant Security Agency
Common Security Plans Deficiencies
Common System Validation Vulnerabilities
DSS Inspection Overview
– General Comments
– Interview Questions
– Recommendations
– Observations
– Vulnerabilities
– Enhancements
• Partnership/Sharing and Collaboration
• Closing
2
Cognizant Security Agency (CSA)
• Defense Security Service (DSS) is the primary government entity
responsible for approving cleared contractor information systems
to process classified data.
• Works with industry partners to ensure information system
security controls are in place to limit the risk of compromising
national security information.
• Ensures adherence to national industrial security standards.
–
–
–
–
–
National Industrial Security Program Operating Manual (NISPOM), Feb 2006)
Industrial Security Field Operations (ISFO) Process Manual, Jun 2011
Standardization of Baseline Technical Security Configurations, Mar 2009
Industrial Security Letters (ISLs)
Others, as applicable
3
Top 10 Deficiencies – Security Plans
• SSP Incomplete or missing attachments
• Inaccurate or incomplete configuration diagram or system
description
• SSP not tailored to the system
• Sections in general procedures contradict protection profile
• Missing certifications from the ISSM
• Missing variance, waiver, risk acknowledgement letter
• Incorrect or missing ODAA UID in plan submission
• Integrity & Availability not addressed completely
• Inadequate anti-virus procedures
• Inadequate trusted download procedures
(Riley, 2013)
4
Security Plan Deficiencies
Missing certifications from the
ISSM, 6%
Integrity & Availability not
addressed completely, 5%
Incorrect or missing ODAA UID
in plan/plan submission
Missing variance waiver risk
6%
acknowledgement letter 6%
Inadequate anti-virus
procedures 4%
SSP Not Tailored to the
System, 14%
Inadequate trusted download
procedures, 2%
Inaccurate or Incomplete
Configuration diagram/system
description, 15%
SSP Is incomplete or missing
attachments, 27%
Sections in General
Procedures contradict
Protection Profile, 12%
# Deficiencies
# Plans w/ Deficiencies
# Plans Reviewed
Avg Deficiency per Plan
Denials
Rejections
Feb-12 Mar-12 Apr-12 May-12 Jun-12
247
196
196
192
175
114
100
102
96
83
435
425
442
300
360
0.57
0.46
0.44
0.64
0.49
37
26
47
34
24
22
8
7
11
5
Jul-12 Aug-12 Sep-12 Oct-12 Nov-12 Dec-12 Jan-13
194
162
224
172
147
88
163
102
79
104
82
82
52
94
339
330
365
315
277
262
330
0.57
0.49
0.61
0.55
0.53
0.34
0.49
25
25
34
19
9
15
28
9
6
8
5
15
5
18
5
Top 10 Vulnerabilities – System Validations
• Security relevant objects (SROs) not protected
• Inadequate auditing controls
• Improper session controls: Failure to have proper user
activity/inactivity, logon, system attempts enabled.
• SSP does not reflect how the system is configured
• BIOS not protected
• Topology not correctly reflected in (M)SSP
• Identification & Authentication controls
• Integrity & Availability not addressed completely
• Physical security controls
• Inadequate anti-virus procedures
(Riley, 2013)
6
On-site Validation Vulnerabilities
I & A: Identification &
Authentication, 4%
SSP Does Not Reflect How
System is Configured, 10%
Topology not Correctly Reflected
in (M)SSP 6%
Bios not Protected 6%
Physical Controls 4%
Inadequate Anti-virus
Procedures 3%
Configuration Management:
Improper protection
implemented and maintained,
6%
Session Controls: Failed to have
proper user activity/inactivity,
10%
Security Relevant Objects not
Protected, 22%
Auditing, 19%
# Vulnerabilities
# Onsites w/ vulnerabilities
# Onsites
Avg Vulnerability per Onsite
Feb-12
163
78
427
0.38
Mar-12
166
67
372
0.45
Apr-12
119
71
315
0.38
May-12 Jun-12
94
124
62
73
278
284
0.34
0.44
Jul-12 Aug-12 Sep-12 Oct-12 Nov-12 Dec-12
94
96
95
104
67
92
68
51
63
62
45
59
305
256
286
285
219
207
0.31
0.38
0.33
0.36
0.31
0.44
Jan-13
128
78
247
0.52
7
General Comments (DSS Inspection)
• Rack mounted systems (all components must be marked)
• Interview ISSOs (education, certifications, system
knowledge)
• Removed CPU casing to view serial numbers on hard drive
• Wanted to see a year’s worth of audit logs (Sys, Sec, App)
• Power Users
• Access permissions on Security Relevant Objects (SROs)
• Anti-virus folder
• Regedit
• Windows/repair .dll files
• Audit log folder
8
General Comments (DSS Inspection)
•
•
•
•
•
•
•
•
•
•
•
•
Reviewed DD 147, Closed Area approval documentation
ISSO created a test account
Deploying tools to aid in management of system
General user demo/explained Trusted Download procedure
Self-Inspections
Weekly Audit Analysis
Protected Distribution Systems (NSTI 7003)
Simplified Network Security Plan (NSP)
Group Accounts
ISSO duties and responsibilities
End-of-day Out-brief
After Hours Check
9
Interview Questions (ISSO/User)
• What is your clearance level?
• How often do you access classified information?
• What is your background in regards to information systems
security?
• What would you do if a stranger asked you about your job?
• What would you do if you received an unusual email?
• What is the definition of adverse information?
• What are the three levels of classified information?
• Have you had any foreign travel?
10
Interview Questions (ISSO)
•
•
•
•
•
•
•
•
How are new systems certified?
How are the weekly user audits performed?
When is the last time service patches were installed?
What is the process for issuing a temporary password?
What is the process for issuing a new hard drive?
Does the ISSM recertify each new hard drive?
Do you use a Seal Log?
Do you courier classified material off the facility?
11
Recommendations
•
•
•
•
•
•
•
•
•
Two-person integrity for all Trusted Downloads
“Deny” access group for expired user accounts
Sysadmin account disabled when not needed
Identify each room/closed area on hardware baseline
Should be keeping originally signed user briefing forms
LED monitors vs CRT monitors
Request audit variance for hard drives with limited use
Separate maintenance log for security relevant actions
Recording password changes in maintenance log (NR)
12
Observations
•
•
•
•
•
•
•
•
•
ATO/Self-Cert letters must reflect caveats
Must have justification for “power users”
Non-SCI should reflect NOFORN
Systems with configuration variations should be “SSP”
ISSOs/AISSOs cannot verify their own clearances
Single system with WAN connection (MUSA or P2P?)
Privileged accounts should not be obvious
BIOS resets to default when removed from system
If users must be “administrators” – identify limitations
13
Observations
• Restricted area processing – mark current level
• Security seals over screws
• Mark unclassified equipment with a 5-foot radius
Possible Enhancements/Best Practices:
• Automated user briefing statements
• Formal system shutdown procedures
• Trusted download warning banner pops up whenever a
user logs in
• Background banners – must be accurate to include caveats
14
Common Vulnerabilities
• Security relevant software not on software baseline
• Privilege account box not checked on briefing statement
• Incorrect audit settings on SROs
• McAfee, ORACLE Desktop Client
• SRO not secured from unauthorized access
• Users had “read” permissions to “SecEvent”
• Configuration management
• Incorrect serial numbers on hardware baseline
• (ex: 56719B1 and should be 5671981)
• Patch management – systems not patched to SP3
15
Common Vulnerabilities
•
•
•
•
Local accounts on client/server configuration
Restricted area procedures not being followed
Built-in administrator password set to never expire
DoD banner not displayed when connecting to remote
system
• Certification Process- HDDs incorrectly marked while the
external chassis was marked correctly
• Test account still active
16
Enhancements (2013)
•
•
•
•
•
•
•
•
•
•
•
Category 1 Company Sponsored Events
Category 2 Internal Education Brochures and Products
Category 3 Security Staff Professionalism
Category 4 Information Product Sharing within the Community
Category 5 Active Membership in the Security Community
Category 6 Contractor Self Review
Category 7 Counterintelligence Integration
Category 8 Cyber Security
Category 9 FOCI/International
Category 10 Classified Material Controls/Physical Security
Category 11 Information Systems
17
Sharing and Collaboration
• Partnership
• Information Security Working Groups
– National Classification Management Society
– Information Systems Special Interest Group
• Sharing of tools, resources, and general information
– Joint Security Awareness Council
• Luncheons
– Enhancement Ideas
– Best Practice Considerations
– System Configurations
18
Closing
•
•
•
•
Cognizant Security Agency
Security Plan Deficiencies
System Validation Vulnerabilities
DSS Inspection Overview
–
–
–
–
–
–
General Comments
Interview Questions
Recommendations
Observations
Vulnerabilities
2013 Enhancements
• Partnership/Sharing and Collaboration
19
Any Questions
References:
Riley, R. (2013, February). NISPPAC C&A Working Group Update for the Committee.
Defense Security Service, Office of Designated Approval Authority