GAO’s Information Security Audits

Presented to: Cyber Security Exchange

October 2, 2012


Agenda

• Source of Audits
• Audit Methodology for IS Controls
• Assessing Finding Significance
• Communicating Audit Results
• Recent GAO Reports
• Q & A

Source of Audits

• Statutory mandates
• Congressional requests
• Comptroller General’s authority
• Engagement acceptance meeting

FISMA
- Mandate Report / Annual Analysis
- Small, Micro, & Independent Agencies
- Census, NTSB, NMB
- FCC ESN
- Cyber risk management
- High impact systems

Privacy
- Taxpayer Privacy Protections
- Privacy of Location-Based Information
- Data Breach Notification and Response
- Computer Matching Agreements

Critical IT Systems & Infrastructure
- Smart Grid
- Communications Networks Security
- Security of Mobile Devices
- Maritime Cyber Threats and Security
- Federal Cyber Coordination w/ States & Locals

Emerging Issues
- Cybersecurity Strategies
- Oversight of Contractor Security
- Implantable Medical Devices
- Cyber Incident Handling & Response
- Continuous Monitoring
- FedRAMP

Training/Methodology & External Liaison
- FISCAM
- GAO Internal Controls
- Internal/External Training
- Technical Assistance to Hill
- OMB/NIST/NASCIO

Consolidated Financial Statements
- IRS
- BPD/Federal Reserve
- FDIC
- SEC
- OIGs
- TARP
- FHFA
- SOSI
- CFPB

Audit Methodology for IS Controls

• Federal Information System Controls Audit Manual (GAO-09-232G)
• Objective: To assess effectiveness of agency’s security controls in protecting the confidentiality, integrity, and availability of its information systems and information.
• Scope:
  - Access controls
  - Configuration management
  - Segregation of duties
  - Contingency planning
  - Security management

Audit Methodology for IS Controls (cont.)

Technical & Audit Guidance:
• Federal Laws – FISMA
• Office of Management and Budget (OMB)
• National Institute of Standards & Technology (NIST)
• Defense Information Systems Agency (DISA)
• National Security Agency (NSA)
• Vendor Guidance and Industry Practices
• Government Auditing Standards

Audit Methodology for IS Controls (cont.)

Iterative and Holistic Assessment Approach

Audit Methodology – Understanding the Environment

• Identify the most important assets (information, databases, systems)
• Approach: formal and informal discussions
• Network diagrams and simple tools (telnet or nmap, for instance)
• Confirm our understanding of the environment

Audit Methodology – Logical Access Control Areas

Focus on the main controls that might stop an intruder, based on knowledge of the latest vulnerabilities, such as:
• browser – Java, ActiveX, Flash, PDF
• “spoofed” emails

Audit Methodology – Controlling Access To and From Networks

• If exploited, how does information go out? HTTP, HTTPS, DNS
• Authentication of network routing protocols (EIGRP, BGP)
• Cisco SAFE (Security Reference Architecture)
• VPN – use of TLS vs. SSL
• Firewall rules (Cisco ASA, Checkpoint, etc.)
• Data loss prevention solutions

Audit Methodology – Controlling Access To and From Host Devices

• Ask agencies to run scripts to get key configuration settings (Windows, Linux/Unix, etc.)
• Database scanner
• Email server (sendmail, postfix) settings
• Internet Explorer, MS Office settings
• Conformance to vendor guidance (Microsoft, Apple)
• Up to date patches
• Virtualization – hypervisor security settings, Storage Area Network (SAN) configurations
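As an added example (not part of the GAO briefing) of the kind of configuration-collection script an auditor might ask an agency to run on a Linux/Unix host: it reads an sshd_config, compares a handful of settings against a hardening baseline and reports each deviation in Condition/Criteria form. The sample file and the baseline values are constructed assumptions modelled on common vendor/CIS guidance, not GAO criteria.

```shell
#!/bin/sh
# Added example (not from the GAO briefing): compare an sshd_config an agency
# returned against a hardening baseline. Baseline values are this example's
# assumption, modelled on common vendor/CIS guidance, not GAO criteria.
set -e
# Constructed sample sshd_config standing in for the file an agency would send.
SAMPLE_SSHD=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD"' EXIT
cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sample, not a real host
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
EOF
# sshd_value FILE KEY: effective value of KEY (sshd honours the first uncommented
# occurrence; keywords are case-insensitive). Prints nothing if unset.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) && v == "" { v = $2 }
        END { print v }' "$1"
}
# check_sshd FILE: prints "KEY expected=X found=Y" per deviation (the Condition
# and Criteria of a finding) and returns the number of deviations.
check_sshd() {
    file=$1; bad=0
    # want is an exact value, or le:N meaning "at most N"
    for pair in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no \
                X11Forwarding=no Protocol=2 MaxAuthTries=le:4; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$file" "$key")
        [ -n "$got" ] || got="(unset)"
        case $want in
            le:*) if [ "$got" -le "${want#le:}" ] 2>/dev/null; then ok=1; else ok=0; fi ;;
            *)    if [ "$got" = "$want" ]; then ok=1; else ok=0; fi ;;
        esac
        if [ "$ok" -eq 0 ]; then
            printf '%s expected=%s found=%s\n' "$key" "$want" "$got"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
check_sshd "$SAMPLE_SSHD" || echo "$? setting(s) deviate from the baseline"
```

The same pattern extends to any key/value configuration file the agency returns; the Effect and Cause of each finding are still the auditor's judgement, not the script's.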

Audit Methodology – Consider Trust Relationships

• Formal trust – Windows domains
• Informal – any device connecting to VPN
• Check Windows Active Directory group policy
• Weak links that may be exploited

Assessing Finding Significance

Vulnerabilities should be assessed in the context of the network and the impact on the organization’s mission.

Communicating Audit Results

Focus on the most important problems – the ones that will help the agency become more secure.

• Criteria – CIS, NIST, vendor guidance
• Condition – describe the problem
• Effect – explain what could happen if exploited
• Cause – sometimes unclear, often related to an immature information security program

Communicating Audit Results (cont.)

• Reports:
  - Publicly available
  - Limited distribution
• Testimony statements
• Congressional briefings
• Media Interviews

Recent GAO Reports

• GAO-12-757, Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged (Sept. 2012)
• GAO-12-961T, Privacy: Federal Law Should Be Updated to Address Changing Technology Landscape (July 2012)
• GAO-12-926T, Cybersecurity: Challenges in Securing the Electricity Grid (July 2012)
• GAO-12-696, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses (July 2012)
• GAO-12-876T, Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage (June 2012)
• GAO-12-666T, Cybersecurity: Threats Impacting the Nation (April 2012)
• GAO-12-424R, Management Report: Improvements Needed in SEC’s Internal Control and Accounting Procedure (April 2012)
• GAO-12-393, Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data (March 2012)
• GAO-12-361, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks (March 2012)
• GAO-12-507T, Cybersecurity: Challenges in Securing the Modernized Electricity Grid (February 2012)
• GAO-12-92, Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use (December 2011)
• GAO-12-8, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination (November 2011)
• GAO-12-130T, Information Security: Additional Guidance Needed to Address Cloud Computing Concerns (October 2011)
• GAO-12-137, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements (October 2011)
• GAO-11-751, Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards (September 2011)
• GAO-11-708, Information Security: FDIC Has Made Progress, but Further Actions Are Needed to Protect Financial Data (August 2011)
• GAO-11-695R, Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates (July 2011)
• GAO-11-865T, Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure (July 2011)
• GAO-11-149, Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain (July 2011)
• GAO-11-75, Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities (July 2011)
• GAO-11-605, Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate (June 2011)
• GAO-11-463T, Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems (March 2011)
• GAO-11-308, Information Security: IRS Needs to Enhance Internal Control Over Financial Reporting and Taxpayer Data (March 2011)

Contact Information

Greg Wilshusen
Director, Information Security Issues
202.512.6244 – [email protected]

Naba Barkakati, Ph.D.
Director, Center for Science, Technology & Engineering
Chief Technologist
202.512.4499 – [email protected]