OFFICE OF INFORMATION TECHNOLOGY NIST COMPLIANCE INSTRUCTIONS PREPARED FOR GEORGIA TECH’S IT SUPPORT PROFESSIONALS



Contents

Introduction
NIST 800-171 Requirements

Non-mobile endpoints (such as servers and workstations)
  Instruction 1 - Endpoint Management
  Instruction 2 - Endpoint Detection and Response (EDR)
  Instruction 3 - Vulnerability Scanning
  Instruction 4 - System Configuration Compliance Management
  Instruction 5 - System Log Management
  Instruction 6 - Account Management
  Instruction 7 - Backups and Cloud Storage/Collaboration
  Instruction 8 - Two Factor Requirement for Privileged Account Access
  Instruction 9 - Firewall Management
  Instruction 10 - NTP Synchronization
  Instruction 11 - Publicly Facing Services

Mobile endpoints (such as laptops and tablets)
  Instruction 12 - Encryption
  Instruction 13 - Wireless Networks
  Instruction 14 - GT 2FA VPN

Consumer mobile devices (such as smartphones)


NIST 800-171 Compliance Instructions (Computational Instructions)

Introduction

This set of instructions is not required but is provided as recommendations to help simplify compliance with the 110 controls of NIST 800-171[1]. Other tools, services, and methods can be used to comply with the NIST 800-171 requirements, but the use of these instructions can make the process far easier.

The primary audience for this document is the IT support professional, and the primary target environments are the research lab and individual offices, although these instructions can be used in other areas that require compliance.

NIST 800-171 Requirements

Controls in the following sections are addressed by these Instructions. The numbers used below refer to specific sections of controls:

3.1 Access Control
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity

The order of the Instructions is designed to both facilitate ease of installation and offer a hierarchy that covers the most important items first.

It is recognized that some operating systems, such as Ubuntu Linux, may present some challenges where compliance is concerned. These are being identified and researched.

If it is determined that a deviation from an instruction is needed, that should be noted during the compliance testing.

[1] The full listing of controls can be found in NIST Special Publication 800-171 Revision 1.


Non-mobile endpoints (such as servers and workstations)

Instruction 1 - Endpoint Management[2]

Endpoint Management tools are first, as their installation should facilitate the installation of some of the other components. Note that the other components can of course still be installed by other means. The tools referenced here were selected as part of Campus’s Endpoint Management Project.

Install one of the following endpoint management agents.

• Windows - SCCM[3]
• Linux - SaltStack[4]
• MacOS - JAMF[5]

The current instance of SCCM can be used to meet this requirement for Windows systems. Until the other systems are available for use, it is recommended that the Qualys Cloud Agent in Instruction 3 be installed and that the results available via FW.noc be consulted to determine what patches might be needed. Alternatively, the machine can be checked manually and any needed patches applied.

Instruction 2 - Endpoint Detection and Response (EDR)[6]

This will ensure that unknown and unseen threats are not compromising the security of the endpoint. Additionally, its cloud management component will ensure that compromise alerts are received in a timely fashion regardless of the system’s location. This is the product selected by the GT Endpoint Management project.

Install the FireEye HX Agent.[7] Note: remove Malwarebytes and/or Tanium if installed, as they duplicate services provided by the FireEye agent, and it is generally best practice to run only a single product of this type on a system. For general installation instructions: https://security.gatech.edu/fireeyehx

• For Windows systems with SCCM agents, this has been packaged and is available for deployment. Issues with deployment to Windows 10 systems should be addressed in early November. Installation of this agent will handle necessary changes to the native Windows endpoint protection as well.

[2] As the other Management Tools are made available for use, this document will be updated.
[3] SCCM will be the default tool for managing and patching Windows systems, with some ability to manage MacOS.
[4] SaltStack will be used to manage Linux systems.
[5] JAMF will be the primary tool for managing MacOS.
[6] This section will be updated as means of using the Management tools to deploy the EDR tool.
[7] FireEye HX is the enhanced detection and remediation solution, replacing traditional antivirus solutions such as System Center Endpoint Protection (SCEP) and Malwarebytes.


Instruction 3 - Vulnerability Scanning

To address compliance risk assessment, install the Qualys Cloud endpoint agent[8] to ensure accurate vulnerability scanning and system configuration management. You will not need to scan endpoints remotely if this agent is installed, and the agent provides automated configuration management reporting.

• Windows systems with SCCM agents can deploy this via SCCM and details are in the instructions provided in the link below.

• Other OS deployments can follow the instructions found here: https://security.gatech.edu/qualys

Instruction 4 - System Configuration Compliance Management

3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.

3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

Automation of this process leveraging the Qualys Agent is actively being worked on, but not available as of 10/27/2017.
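Until that automation is available, the baseline and least-functionality controls above (3.4.1, 3.4.6, 3.4.7) can be checked by comparing what a system actually listens on against a written baseline for its role. The following is an added example, not part of this document and not the Qualys agent's reporting: the per-role baseline, the simplified inventory line format and the sample sockets are all constructed for the example. Loopback-only sockets are skipped, since they are not network-exposed; everything else not on the role's baseline is reported as a deviation to remove or to note during compliance testing.

```python
"""Baseline check for network-exposed listening services.

Added example for NIST 800-171 3.4.1, 3.4.6 and 3.4.7; it is not part of the
Georgia Tech document and is not how the Qualys agent reports. The baseline,
the inventory line format and the sample sockets are all constructed for
this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical per-role baseline: the only (protocol, port) pairs that are
# essential for that role. Anything else exposed on the network is a
# deviation to either remove or record during compliance testing.
BASELINE = {
    "workstation": {("tcp", 22)},
    "web-dmz": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}

# Constructed inventory, one socket per line: "<proto> <local_addr>:<port> <process>".
SAMPLE_INVENTORY = """
tcp 0.0.0.0:22 sshd
tcp 127.0.0.1:631 cupsd
tcp 0.0.0.0:445 smbd
udp 0.0.0.0:5353 avahi-daemon
tcp [::]:80 nginx
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_inventory(text: str) -> list[Listener]:
    """Parse the constructed inventory format into Listener records."""
    listeners = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed inventory line: {line!r}")
        proto, local, process = parts
        host, _, port = local.rpartition(":")   # rpartition keeps IPv6 "[::]" intact
        listeners.append(Listener(proto.lower(), host.strip("[]"), int(port), process))
    return listeners


def is_network_exposed(listener: Listener) -> bool:
    """True unless the socket is bound to a loopback address only."""
    try:
        return not ipaddress.ip_address(listener.addr).is_loopback
    except ValueError:
        return True  # unparseable bind address (e.g. '*'): assume exposed


def check_baseline(role: str, inventory: list[Listener]) -> list[Listener]:
    """Return exposed listeners that the role's baseline does not permit."""
    allowed = BASELINE[role]
    return [
        l for l in inventory
        if is_network_exposed(l) and (l.proto, l.port) not in allowed
    ]


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    for role in BASELINE:
        print(f"[{role}]")
        for dev in check_baseline(role, inv):
            print(f"  nonessential: {dev.proto}/{dev.port} ({dev.process}) on {dev.addr}")
```

On the constructed inventory the workstation baseline flags SMB, mDNS and the web server, while the web-DMZ baseline flags only SMB and mDNS; CUPS on 127.0.0.1 is never flagged because it is not reachable from the network. Feeding real socket listings into parse_inventory would require adapting the line format to whatever tool produces them.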

Instruction 5 - System Log Management

Systems will be configured to feed their system logs to the campus cyber security instance of Splunk[9]. Detailed instructions are provided here: https://security.gatech.edu/splunk

Instruction 6 - Account Management

Enroll computers in GTAD where possible, and implement computer policies (such as GPOs) recommended by your IT support professional and those mentioned in this document. Departmental GPO policies should support the GT cyber security policies.

Instruction 7 - Backups and Cloud Storage/Collaboration

Backup project data with one of the following approved tools. Additionally, Dropbox and OneDrive/SharePoint can be used for cloud storage and sharing needs.

[8] The Qualys Agent is available today. It replaces the traditional subnet scan performed by Qualys and provides a means for measuring a system’s baseline compliance with the controls required.
[9] Georgia Tech Cyber Security runs an instance of Splunk as our Security Information and Event Management (SIEM) system.


• CrashPlan[10] (servers and workstations)
• Dropbox[11] (workstations) - This must be configured using a GT provided Dropbox account.
• OneDrive[12] (workstations) - This applies only to the GT Office 365 OneDrive offering, and should be configured using the Windows native clients[13] and not the OneDrive for Business offering found in Office 2016.

Instruction 8 - Two Factor Requirement for Privileged Account Access

3.5.3 Use multifactor authentication[14] for local and network access[15] to privileged accounts and for network access to non-privileged accounts.

Cyber Security will write up SSPs (System Security Plans) to address the local network access question through mitigating controls. Firewall rules for any machine accessed externally must be reviewed to confirm that access is limited to campus-controlled subnets, including the 2FA VPN. Access from external addresses should be very specific and noted as part of the SSP.

Instruction 9 - Firewall Management

3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Use the FW.noc[16] firewall management service to configure the firewall to deny all inbound traffic by default and only allow necessary traffic to pass.
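The two rules of thumb in Instructions 8 and 9, deny all inbound by default and permit only specific sources (campus subnets, the 2FA VPN, or a documented external address), can be expressed as a small model and checked mechanically before a rule set is submitted. The following is an added example, not part of this document and not FW.noc's rule format: it evaluates sample inbound connections against an ordered exception list over a default-deny policy, then audits the exceptions the way a reviewer would. Every network in it is a constructed RFC 5737 documentation range, not a real Georgia Tech subnet, and the SSP reference is a placeholder.

```python
"""Default-deny inbound firewall policy: evaluation and audit.

Added example for NIST 800-171 3.13.6 (deny all, permit by exception) and the
rule review called for under 3.5.3. It is not part of the Georgia Tech
document and does not use FW.noc's rule format. All networks are constructed
from RFC 5737 documentation ranges; none is a real Georgia Tech subnet.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp" or "udp"
    port: int                        # destination port on the protected host
    source: ipaddress.IPv4Network    # permitted source network
    ssp_note: str = ""               # SSP justification for an external source


# Constructed stand-ins for campus-controlled address space and the 2FA VPN pool.
APPROVED_SOURCES = {
    "campus (constructed)": ipaddress.ip_network("192.0.2.0/24"),
    "2FA VPN pool (constructed)": ipaddress.ip_network("198.51.100.0/24"),
}

DEFAULT_POLICY = "deny"

# Constructed inbound exception list for a lab server; the last two are the
# kind of rule a review should catch.
RULES = [
    Rule("allow", "tcp", 22, ipaddress.ip_network("192.0.2.0/24")),
    Rule("allow", "tcp", 22, ipaddress.ip_network("198.51.100.0/24")),
    Rule("allow", "tcp", 443, ipaddress.ip_network("203.0.113.7/32"),
         ssp_note="external monitor, SSP entry <placeholder>"),
    Rule("allow", "tcp", 3389, ipaddress.ip_network("0.0.0.0/0")),      # open to the world
    Rule("allow", "tcp", 5900, ipaddress.ip_network("203.0.113.0/24")),  # external, undocumented
]


def evaluate(rules, default, src, proto, port):
    """First matching exception wins; with no match the default policy applies."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.proto == proto and r.port == port and addr in r.source:
            return r.action
    return default


def audit(rules, default, approved):
    """Findings a reviewer would raise before accepting this rule set."""
    findings = []
    if default != "deny":
        findings.append("default inbound policy must be deny (3.13.6)")
    for r in rules:
        if r.action != "allow":
            continue
        if r.source.prefixlen == 0:
            findings.append(f"{r.proto}/{r.port}: allowed from any source; not an exception")
            continue
        if any(r.source.subnet_of(net) for net in approved.values()):
            continue  # campus or 2FA VPN source: acceptable
        if not r.ssp_note:
            findings.append(f"{r.proto}/{r.port} from {r.source}: external source without SSP note")
    return findings


if __name__ == "__main__":
    for src, port in [("192.0.2.10", 22), ("203.0.113.50", 22), ("203.0.113.50", 3389)]:
        print(f"{src} -> tcp/{port}: {evaluate(RULES, DEFAULT_POLICY, src, 'tcp', port)}")
    for finding in audit(RULES, DEFAULT_POLICY, APPROVED_SOURCES):
        print("FINDING:", finding)
```

The evaluation shows why the default matters: SSH from an external address is dropped only because nothing permits it, whereas the any-source RDP rule lets the same address straight in. The audit returns two findings for the constructed rule set (the any-source rule and the undocumented external range) and none for the first three rules, where the external address carries an SSP note.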

Instruction 10 - NTP Synchronization

3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

Use the GT Network Time Protocol (NTP) servers[17] to get system time.

[10] CrashPlan Endpoint Device Backup Infrastructure Hosting and Support, see: http://www.oit.gatech.edu/service-alias/crashplan
[11] Georgia Tech Dropbox, see: https://ai.oit.gatech.edu/dropbox
[12] OneDrive is part of the GT Office 365 portfolio, see: www.oit.gatech.edu/services/communication-and-collaboration/office-365-productivity-suite-support
[13] For more regarding OneDrive clients, see: https://onedrive.live.com/about/en-us/download/
[14] Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. Source: NIST Special Publication 800-171 Revision 1
[15] Local access is any access to a system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). Source: NIST Special Publication 800-171 Revision 1
[16] https://fw.noc.gatech.edu/main.php
[17] https://faq.oit.gatech.edu/content/what-can-i-use-ntp-time-server


Instruction 11 - Publicly Facing Services

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Work with the GT Network Team to configure a DMZ if any publicly-accessible services are in use (web servers, etc.). A DMZ configuration entails having a firewall in front of web servers (or other such public servers) as well as another firewall between these public servers and backend non-public servers (such as file servers and databases).

Mobile endpoints (such as laptops and tablets)

Instructions 1-8 above apply here as well, and in addition the ones that follow. These additional Instructions also address controls in the sections mentioned at the top of the Non-Mobile Endpoint section.

Instruction 12 - Encryption

Use whole-disk encryption to encrypt the laptop with one of the following:

• BitLocker[18]
• FileVault[19]
• VeraCrypt[20] - can be used to encrypt individual files.

Instruction 13 - Wireless Networks

When in the lab/environment, only use the GT wireless network for wireless access. Typically, this should be eduroam[21] or GTwifi[22]. When accessing the lab environment systems from remote locations, use the GT VPN service[23] with DUO two factor authentication.

Instruction 14 - GT 2FA VPN

When accessing the lab environment or other campus systems from remote locations, use the GT VPN service[24] with DUO two factor authentication.

[18] BitLocker is the native encryption in Windows and can be managed using GPO for GTAD systems.
[19] FileVault is the native encryption in MacOS. When enabling it on existing systems, care should be taken to make sure all users can log in after a reboot.
[20] VeraCrypt meets the encryption requirements. For more information see: https://www.veracrypt.fr/en/Home.html
[21] http://lawn.gatech.edu/help/eduroam/
[22] http://lawn.gatech.edu/help/gtwifi/
[23] http://www.oit.gatech.edu/services/end-point-computing/virtual-private-network-vpn
[24] http://www.oit.gatech.edu/services/end-point-computing/virtual-private-network-vpn


Consumer mobile devices (such as smartphones)

Best practice would be to avoid working with CUI on a device in this category, including individual files and email.

• Install the AirWatch endpoint management agent.
• Ensure that mobile devices are patched to the current patch level.
• Enable a device logon or PIN.
• Use whole-disk encryption to encrypt the device.
  o iOS - all devices are encrypted by default
  o Android[25]
  o Windows Mobile 10[26]

[25] https://source.android.com/security/encryption/
[26] https://www.windowscentral.com/how-enable-device-encryption-windows-10-mobile


Office of Information Technology http://oit.gatech.edu

Georgia Tech’s NIST Compliance Initiative http://cui.gatech.edu

Document Updated: November 3, 2017