Beyond Standards

PowerPoint presentation, 40 slides.

Page 1: Beyond Standards

Page 2: Beyond Standards

• Standards

• ISFO Manual

• Threats

• Case Study

• Future

Page 3: Beyond Standards

Baseline Standards

• Audit Policy, Event Logs Configuration

• User rights, Security options

• Network, Firewall, Port protocol

• Others

Page 4: Beyond Standards

Audit Policy: Basic Audit versus Advanced Audit Policy

Event Logs: Retain old events and automatically back up the log when full

Page 5: Beyond Standards

User Rights

• Add workstations to domain

• Synchronize directory service data

• Bypass traverse checking

Page 6: Beyond Standards

User Rights

• Impersonate a client after authentication

• Devices: Allow undock without having to log on

Page 7: Beyond Standards

Security Options

• Domain controller: Refuse machine account password changes

• Domain controller: Allow server operators to schedule tasks

Page 8: Beyond Standards

Networking

• Internet Communication: Events.asp Links; Turn Off Handwriting Personalization Data Sharing

• Power Options: Require a Password When a Computer Wakes

• Network Connections: Route all traffic through internal network

Page 9: Beyond Standards

Networking

• NTP server: Configure Windows NTP client; server localtimeserver; Type set to NT5DS (set to NT5DS if the system is not PDC)

• TCPIP Settings\IPv6 Transition Technologies: IPHTTPS Url

• Firewall: Display Notification (set to Yes)

• Firewall log file (currently set to %windir%.log). Set to

Page 10: Beyond Standards

Networking

• Firewall, IPv6: Block of UDP 3544

• Remote Desktop Services: "Do not use temporary folders per session" should be associated with Remote Desktop Session Host\Temporary folders.

• Search Settings: Search - Allow indexing of encrypted files; Search - Enable indexing uncached Exchange folders

Page 11: Beyond Standards

Services

• Remote Desktop Services: crashes on refresh of GPO

• Remote Desktop Help Session Manager (ignored on Windows 7 and Windows 2008)

• SNMP Trap Service is "SNMP Trap"

• Simple Service Discovery Protocol Discovery Service is "SSDP Discovery" (needed for plug and play)

• World Wide Web Publishing Services is "World Wide Web Publishing Service"

Page 12: Beyond Standards

Virtualization

• Allow log on through Remote Desktop Services

• Deny log on through Remote Desktop Services: set to Everyone (should be Guests)

• Virtual OS

Page 13: Beyond Standards

Security Relevant Objects

SROs for NT5 (XP, 2003) but not used by NT6 (7, 2008):

• c:\windows\system32\kdcsvc.dll

• c:\windows\system32\msgina.dll

• c:\windows\system32\ntbackup.exe

• c:\windows\system32\ntdsa.dll

• c:\windows\system32\ntdsatq.dll

• c:\windows\system32\regedit.exe

• c:\windows\system32\rshx32.exe

• c:\windows\syswow64\rshx32.exe

• c:\windows\syswow64\spool\printers

Page 14: Beyond Standards

Others: Difference in baseline between NT5 and NT6

• NT5: Audit: Shut down system immediately is Enabled. NT6: Audit: Shut down system immediately is Undefined.

• NT5: Restrict CD-ROM access to locally logged-on user only is Enabled. NT6: Restrict CD-ROM access to locally logged-on user only is Disabled.

Page 15: Beyond Standards

Others: Difference in baseline between NT5 and NT6

• NT5: Interactive logon: Number of previous logons to cache is 0. NT6: Interactive logon: Number of previous logons to cache is 2 logons or less.

• NT5: Shutdown: Clear virtual memory page file is Enabled. NT6: Shutdown: Clear virtual memory page file is Disabled.

• NT6: Every administrative action requires authentication.
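Added example, not part of the presentation: a read-only PowerShell spot-check that reads a host's current values for several of the baseline items on slides 4, 9, 12 and 15 and reports PASS/FAIL for each. It assumes Windows 8 / Server 2012 or later and an elevated prompt (the secedit export and Get-NetFirewallProfile need it); the expected values are the slides' own statements, not a complete baseline.

```powershell
# Added example (not from the presentation): read-only spot-check of a Windows host
# against baseline items named on slides 4, 9, 12 and 15. Assumes Windows 8 / Server 2012
# or later, run elevated (secedit export and Get-NetFirewallProfile need it).
$results = @()
function Check($name, $actual, $expected, $ok) {
    $script:results += [pscustomobject]@{ Check = $name; Actual = "$actual"; Expected = $expected
                                          Status = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
}

# Slide 4: Event Logs - retain old events and automatically back up the log when full.
$sec = Get-WinEvent -ListLog Security
Check 'Security log mode' $sec.LogMode 'AutoBackup' ($sec.LogMode -eq 'AutoBackup')

# Slide 9: W32Time client Type. NT5DS (sync from the domain hierarchy) is the expected
# value on anything that is not the PDC emulator; Win32_ComputerSystem.DomainRole 5 = PDC.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
$type = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
if ($role -ne 5) { Check 'W32Time Type (non-PDC)' $type 'NT5DS' ($type -eq 'NT5DS') }

# Slide 9: firewall notification on, and a log file path that is a real file (the slide's
# finding was a malformed "%windir%.log"), checked per profile.
foreach ($p in Get-NetFirewallProfile) {
    Check "Firewall $($p.Name) notification" $p.NotifyOnListen 'True' ($p.NotifyOnListen -eq 'True')
    Check "Firewall $($p.Name) log file" $p.LogFileName '<dir>\<name>.log' ($p.LogFileName -match '\\[^\\]+\.log$')
}

# Slide 12: "Deny log on through Remote Desktop Services" should hold Guests, not Everyone.
# secedit exports the right as a comma-separated list; well-known accounts appear as *SID
# (Everyone = S-1-1-0, BUILTIN\Guests = S-1-5-32-546) or, for some accounts, by name.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeDenyRemoteInteractiveLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$members = if ($line) { (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } } else { @() }
$hasGuests   = [bool]($members -match '^(\*S-1-5-32-546|Guests)$')
$hasEveryone = [bool]($members -match '^(\*S-1-1-0|Everyone)$')
Check 'Deny RDS logon' ($members -join ',') 'Guests, not Everyone' ($hasGuests -and -not $hasEveryone)

# Slide 15: the NT5 (XP/2003) and NT6 (7/2008) baselines differ on these two values.
$nt6 = [Environment]::OSVersion.Version.Major -ge 6
$cached = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount
Check 'Cached logons' $cached $(if ($nt6) { '2 or less' } else { '0' }) $(if ($nt6) { $cached -le 2 } else { $cached -eq 0 })
$clear = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management').ClearPageFileAtShutdown
Check 'Clear pagefile at shutdown' $clear $(if ($nt6) { '0 (Disabled)' } else { '1 (Enabled)' }) ($clear -eq $(if ($nt6) { 0 } else { 1 }))

$results | Format-Table -AutoSize
```

A FAIL row is a prompt to compare the host against the GPO that should be applying the setting, not a verdict on its own; the script changes nothing.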

Page 16: Beyond Standards

ODAA Process Manual v3.2, November 15, 2013

Summary of Changes

Page 17: Beyond Standards

Aligned under National Institute of Standards and Technology (NIST) 800-53 Controls

Page 18: Beyond Standards

C&A Documentation Process Divided into Three Categories

• Management Controls, 3.0

• Operational Controls, 4.0

• Technical Controls, 6.0

Page 19: Beyond Standards

NIST 800-53 Control Mapping 10.0 (page 86)

SECURITY CONTROL IDENTIFIERS AND FAMILY NAMES

ID  FAMILY                                  ID  FAMILY
AC  Access Control                          MP  Media Protection
AT  Awareness and Training                  PE  Physical and Environmental Protection
AU  Audit and Accountability                PL  Planning
CA  Security Assessment and Authorization   PS  Personnel Security
CM  Configuration Management                RA  Risk Assessment
CP  Contingency Planning                    SA  System and Services Acquisition
IA  Identification and Authentication       SC  System and Communications Protection
IR  Incident Response                       SI  System and Information Integrity
MA  Maintenance                             PM  Program Management

Refer to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf for a more comprehensive list of the entire catalog of security controls.

Page 20: Beyond Standards

Publication date: November 15, 2013

Effective date: May 15, 2014

Page 21: Beyond Standards

Removable Media Restrictions 4.7.2 (p. 51)

• Write ability will be restricted to people designated and briefed by ISSM.

• The default will be to disable write ability for all forms of removable media.

Page 22: Beyond Standards

SIPRNet Section 9.0 (pp. 81-84)

• Command Cyber Readiness Inspections (CCRI)

• NISP SIPRNet Circuit Acquisition Process

Page 23: Beyond Standards

Defense Industrial Base Cyber Security Accreditation Process (DIBNet) 9.2

Use to report cyber security incidents

Page 24: Beyond Standards

Self-Certification Requirements (p. 32)

• Introduction to NISP C&A Process

• NISP C&A Process: A Walk-Through

• Technical Implementation of C&A

Page 25: Beyond Standards

Logon Banner (pp. 68-70)

• NISPOM compliant systems (p. 69)

• DoD Warning Banner for SIPRNet (p. 70)

Page 26: Beyond Standards

Other Items:

But nothing really new

Page 27: Beyond Standards

Examples of reasons to deny an IATO:

• Missing or incomplete UID

• ISSM did not sign the IS Security Package Statement

• Missing H/W List, S/W List, Configuration Diagram

• Physical security not adequately explained

Page 28: Beyond Standards

Examples of reasons to deny an IATO:

• No signed DSS Form 147 for Closed Area

• No Certification Test Guide Results provided

• Missing letter from GCA if variances are needed

• Identification and authentication not fully addressed

Page 29: Beyond Standards

Periods Processing 3.2.10.2 (p. 19)

Clearing can be used to overwrite HD for reuse at same or higher level.

Not for TS

Page 30: Beyond Standards

Sanitizing 4.4.2 (pp. 41-43)

• Spills can be cleaned up by overwriting

• Get GCA approval prior to or after incident

• If GCA does not respond after 30 days assume approved

• GCA may require destruction

Page 31: Beyond Standards

Incident Response Plan 4.5.2

• The contractor shall develop an incident response plan.

• Distribute copies of the incident response plan to appropriate incident response personnel.

• The incident response plan shall be reviewed and revised when appropriate to ensure accuracy.

Page 32: Beyond Standards

Classified Spill Cleanup Procedures 4.5.3

• Coordination with sender / receiver / data owner

• Wiping Utility Instructions 4.5.4 (p. 45)

• Reporting (NISPOM 1-303)

Page 33: Beyond Standards

Trusted Download 4.7.4

Alternate Trusted Download procedures need letterhead memo signed by data owner or GCA. (p. 53)

Page 34: Beyond Standards

Weekly Audits 6.7.1 (pp. 71-72)

• Audits need to be done at least weekly

• “At least weekly” means once per calendar week

Page 35: Beyond Standards

Threat

Cyber Threat

Insider Threat

Page 36: Beyond Standards

Insider: Any person with authorized access to any United States Government resource to include personnel, facilities, information, equipment, networks, or systems.

Insider Threat: The threat that an insider will use his/her authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of resources or capabilities.

Page 37: Beyond Standards

Insider Threat mitigation has become an urgent requirement for DoD agencies

• Presidential Memorandum and Executive Order (EO) 13587
  – Created steering committee
  – Executive Agent for Safeguarding Classified Info on Networks
  – National Insider Threat Task Force
    • Produce national policy, standards
    • Provide assistance and assessments to departments/agencies

• EO 10450, Security Requirements for Government Employment
  – Authority to investigate any information that comes to its attention that indicates retaining any officer or employee of the agency may not be consistent with national security interests
  – Provides authority to conduct inquiries both prior to an actual hiring and after an individual has been hired by the agency

“In the wake of an unprecedented document dump that is straining U.S. diplomatic relations in some corners of the world, the administration ordered agencies last month to ensure that unauthorized employees do not get access to sensitive or classified information.”

UNCLASSIFIED//FOUO

Page 38: Beyond Standards

Threat (not all-inclusive)

• Excessive and abnormal intranet browsing, beyond the individual's duties and responsibilities, of internal file servers or other networked system contents

• Attempts to obtain classified or sensitive information by an individual not authorized to receive such information

• Unauthorized copying, printing, faxing, e-mailing, or transmitting classified material

• Contact with an individual who is known or suspected of being associated with a foreign intelligence or security organization

• Hacking or cracking activities, social engineering, electronic elicitation, e-mail spoofing or spear phishing

Page 39: Beyond Standards

Case Study

What would you do?

Page 40: Beyond Standards

Questions?

Contact DSS….