Cyber Security Advisory Council - PowerPoint PPT Presentation

About This Presentation
Title:

Cyber Security Advisory Council

Description:

Brookhaven Science Associates. U.S. Department of Energy ... Screen Savers. Require password protected screen savers document in PUA. System Registration ... – PowerPoint PPT presentation

Slides: 10
Provided by: maria3

Transcript and Presenter's Notes

Title: Cyber Security Advisory Council


1
Cyber Security Advisory Council

Information Technology Division, February 4, 2004
2
Agenda
  • Working Group Results
  • Wireless
  • Computer Access
  • Configuration Management

3
Wireless Working Group Recommendations
  • All access points registered with CSMIS per Wireless Policy
  • Access Points will reside on a network external to the Campus Zone
    • Access points residing on the internal network due to operational need handled on a case-by-case basis through CSMIS review by Cyber Security
    • Must define criteria
  • Access points on internal network must have encryption enabled
    • Highest available rather than mandate 64-bit or 128-bit
    • NAT disabled (direct knowledge of devices on the network)
  • Move wireless access points residing on the internal network to wireless zone
    • Except those that received a waiver
  • Security review of each access point (legacy and new)
  • Rogue access points when detected will be disconnected from the network per policy
  • Notify users of new policy
    • Monday Morning Memo
    • BNL Broadcast
    • Cyber Security Training
    • Wireless Policy on ITD website
    • Update SBMS

4
Corrective Action Plan for September 2003 Audit
Wireless Working Group
  • Rewrite policy to address accepted recommendations (2/04)
  • All access points registered with CSMIS per Wireless Policy (5/04)
  • Access Points will reside on external network
    • Access points residing on the internal network due to operational need handled on a case-by-case basis through CSMIS review by Cyber Security
  • Access points on internal network must have encryption enabled
    • Highest available rather than mandate 64-bit or 128-bit, and NAT disabled
  • Security review of each access point (legacy and new) on internal network (7/04)
  • Move wireless access points residing on the internal network to extranet (7/04)
    • Except those that received a waiver
  • Rogue access points when detected will be disconnected from internal network per policy
    • Deploy AirDefense pilot program to detect rogue access points (4/04)
    • Fully deploy AirDefense (contingent upon funding)
    • End war driving
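The wireless slides above reduce to a small decision rule per access point: unregistered means rogue (disconnect), registered on the internal network without encryption is a violation, registered on the internal network without a waiver must move to the wireless zone, anything else is compliant. The script below is an added example written for this page, not the presentation's tooling or AirDefense output; the scan records, the CSMIS registration entries, the zone names and the field names are constructed assumptions, and a real run would read the monitoring tool's export and the registration database instead.

```python
"""Classify observed wireless access points against the registration
policy on the wireless slides (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, Iterable

# Policy outcomes, in the order a reviewer would act on them.
ROGUE = "rogue: not registered with CSMIS, disconnect per policy"
UNENCRYPTED = "violation: internal-network AP without encryption"
NEEDS_MOVE = "action: internal-network AP without waiver, move to wireless zone"
COMPLIANT = "compliant"


@dataclass(frozen=True)
class ObservedAP:
    bssid: str          # MAC address as reported by the scanner
    ssid: str
    encrypted: bool     # link-layer encryption advertised


@dataclass(frozen=True)
class Registration:
    bssid: str
    zone: str           # "internal" or "wireless" (assumed zone names)
    waiver: bool        # approved through CSMIS review for internal placement


def normalize_bssid(bssid: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' match."""
    hexdigits = "".join(ch for ch in bssid.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {bssid!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify(ap: ObservedAP, registry: Dict[str, Registration]) -> str:
    """Apply the slide's rules to one observed access point."""
    reg = registry.get(normalize_bssid(ap.bssid))
    if reg is None:
        return ROGUE
    if reg.zone == "internal":
        if not ap.encrypted:
            return UNENCRYPTED
        if not reg.waiver:
            return NEEDS_MOVE
    return COMPLIANT


def audit(observed: Iterable[ObservedAP],
          registrations: Iterable[Registration]) -> Dict[str, str]:
    """Return {normalized bssid: verdict} for every observed AP."""
    registry = {normalize_bssid(r.bssid): r for r in registrations}
    return {normalize_bssid(ap.bssid): classify(ap, registry) for ap in observed}


# Constructed sample data: what the registration database and a scan
# pass might contain.
REGISTRATIONS = [
    Registration("00:11:22:33:44:01", zone="wireless", waiver=False),
    Registration("00-11-22-33-44-02", zone="internal", waiver=True),
    Registration("00:11:22:33:44:03", zone="internal", waiver=False),
    Registration("00:11:22:33:44:04", zone="internal", waiver=True),
]
OBSERVED = [
    ObservedAP("00:11:22:33:44:01", "bnl-guest", encrypted=True),
    ObservedAP("00:11:22:33:44:02", "lab-ops", encrypted=True),
    ObservedAP("00:11:22:33:44:03", "bldg-510", encrypted=True),
    ObservedAP("00:11:22:33:44:04", "lab-ops", encrypted=False),
    ObservedAP("DE:AD:BE:EF:00:01", "linksys", encrypted=False),
]

if __name__ == "__main__":
    for bssid, verdict in sorted(audit(OBSERVED, REGISTRATIONS).items()):
        print(f"{bssid}  {verdict}")
```

The BSSID normalization matters in practice: registration forms and scanners rarely agree on MAC address formatting, and an unnormalized comparison reports registered equipment as rogue.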

5
Computer Access Working Group Recommendations
  • Onsite Access
    • Non-sensitive systems
      • Active employees, users/contractors granted access to systems at time of appointment
      • System administrators (SAs) delegated authority by department/division manager to create accounts on the systems that they administer
      • SAs will verify user status via LDAP before creating account; records must be kept
      • Web forms, scripts, databases for SAs to verify user status in LDAP and record account creation
      • Use of account system recommended, not mandatory
      • SAs who choose to keep their own records are subject to audit by Cyber Security
    • Sensitive Systems
      • Export Controlled Information
        • US Citizens need approval by Principal Investigator
        • Foreign nationals need approval by BNL Counterintelligence, Export Control Officers, Technology Transfer, and Local Approval Authority
      • CRADA/Proprietary Research Agreement Information
        • Approval by Principal Investigator
      • Web form will be created to route account requests for approval and to record approvals in a database

6
Computer Access Working Group Recommendations
  • Remote-only Access
    • Develop application form for FNs requesting remote access
      • Designated officials to examine the application
        • For justification
        • Specified period of time
    • All users, remote and local, must have life or guest numbers to get accounts
      • PeopleSoft forms will be created to apply for an appointment as a remote user
      • Applications will be reviewed following the same procedures that are now used for on-site access
      • IA-473 for foreign nationals (irrelevant fields such as passport and visa information not required)
      • Create temporary accounts while IA-473 approval pending? The committee could not decide.
  • Account Auditing
    • Fraction of systems will be audited annually by Cyber Security to ensure all of the accounts on the system are assigned to valid users
    • Automated audit procedures
      • Available for Windows and UNIX
      • Already used on 90 of critical and sensitive systems
      • Will be used on other major systems
    • SAs can also keep their own records but they must be available for inspection
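The Account Auditing item asks for an automated check that every account on a system belongs to a valid user. The script below is an added example for the UNIX side, not the audit procedure the slide refers to: it parses passwd-format records, skips system accounts below an assumed first-human UID, and reports accounts whose owner is not in the valid-user set, distinguishing ones that can still log in from ones left behind with a disabled shell. The passwd lines, the valid-user set (which the slides say would come from LDAP) and the UID threshold are constructed assumptions.

```python
"""Audit local Unix accounts against the set of valid users
(added example; sample data constructed)."""
from typing import Dict, Iterable, Set

# Red Hat systems of the era started ordinary users at UID 500; this
# threshold is an assumption and must match the audited platform.
FIRST_HUMAN_UID = 500


def parse_passwd(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {login: fields} for passwd entries; comments and blank
    lines are skipped, a record with the wrong field count raises."""
    accounts: Dict[str, dict] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd entry: {raw!r}")
        login, _, uid, gid, gecos, home, shell = parts
        accounts[login] = {
            "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        }
    return accounts


def is_login_capable(entry: dict) -> bool:
    """Accounts with a nologin/false shell cannot be used interactively."""
    return not entry["shell"].endswith(("/nologin", "/false"))


def find_orphans(accounts: Dict[str, dict], valid_users: Set[str]) -> Dict[str, str]:
    """Human accounts whose owner is not a valid user: {login: reason}."""
    orphans: Dict[str, str] = {}
    for login, entry in accounts.items():
        if entry["uid"] < FIRST_HUMAN_UID:
            continue                      # system/service account, out of scope
        if login in valid_users:
            continue
        if is_login_capable(entry):
            orphans[login] = "active account, owner not a valid user"
        else:
            orphans[login] = "disabled shell, but account still present"
    return orphans


# Constructed sample: a small /etc/passwd and the valid-user answer an
# LDAP lookup might return for this host.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
jsmith:x:500:500:Jane Smith:/home/jsmith:/bin/bash
rwong:x:501:501:Ray Wong:/home/rwong:/bin/tcsh
tcontract:x:502:502:Temp Contractor:/home/tcontract:/bin/bash
oldguest:x:503:503:Guest 2002:/home/oldguest:/sbin/nologin
""".splitlines()

VALID_USERS = {"jsmith", "rwong"}

if __name__ == "__main__":
    report = find_orphans(parse_passwd(PASSWD_SAMPLE), VALID_USERS)
    for login, reason in sorted(report.items()):
        print(f"{login}: {reason}")
```

Reporting disabled-shell leftovers separately is deliberate: they are not an immediate access risk, but they are exactly the records an SA who keeps manual records tends to forget, and the slide requires those records to be available for inspection.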

7
Configuration Management Recommendations
  • Utilize features of RHEN for Linux CFG MGT
    • System state and installed package reporting
    • Standard builds - BNL child channels for security packages
    • Use RH Satellite server to assist other distributions if possible
    • Integrate Satellite server db info with registration data for reporting
  • Utilize SMS for Windows CFG MGT
    • Asset management tool made for the Windows platform
    • Complete hardware/software inventory
    • Security/patch analysis and deployment
    • Extend functionality of SUS
  • Implement methods to get direct knowledge of other Unix systems
    • Non-privileged account via ssh from single system most plausible
    • Manual data entry/upload option with auditing for compliance
  • Provide better vulnerability reports to admins/owners/management
    • Report card to management to show progress of closing vulnerabilities
  • Use Windows accounts from single source (Active Directory)
    • Better tracking of who is using what account
    • Windows systems to be members of domain
      • Leverages automated tools for remediation and support

8
CFG MGT Recommendations (cont.)
  • Revisit issue of building new machines with preconfigured images prior to delivery to desktop (suggested in DOE CH 2003 audit)
  • Password Cracking
    • Automate collection of password files (https upload or ssh)
    • Link BNL Windows domain accounts with life number in Active Directory for more accurate email/deptcode information
  • Screen Savers
    • Require password-protected screen savers; document in PUA
  • System Registration
    • Unregistered machines: either enforce the CSPP policy as written or update the policy; documentation should match what is being done
    • Clean up registration data; update from other sources
  • Banners
    • Routinely scan for missing banners on services (e.g. FTP)
    • Develop method to check motd on Unix systems (via direct knowledge item above)
    • Automate scan for banner registry entry on Windows systems
  • Central Logging
    • Require for systems with conduits, servers, critical/sensitive systems
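The Banners items call for two checks with the same policy core: read what a service presents before login (the FTP greeting is the slide's example) or what a Unix host presents in its motd, and confirm the required warning text is there. The script below is an added example, not the presentation's scanner: it parses an FTP 220 greeting per RFC 959 (a multi-line reply runs from a `220-` line to a final `220 ` line), applies one phrase-based policy check to both greetings and motd text, and includes a connect-and-read routine for live hosts that attempts no login. The required phrases, the sample greetings and the motd text are constructed assumptions; the real policy wording would come from the site's banner standard.

```python
"""Check FTP greetings and Unix motd text for the required warning
banner (added example; policy phrases and samples constructed)."""
import socket
from typing import Dict, List, Optional

# Phrases the banner must contain: placeholder policy text, an assumption.
REQUIRED_PHRASES = ["authorized use only", "subject to monitoring"]


def parse_ftp_greeting(raw: bytes) -> Optional[str]:
    """Return the text of an FTP 220 reply, or None if the data is not a
    complete, well-formed 220 reply (e.g. another service answered)."""
    text = raw.decode("ascii", errors="replace").replace("\r\n", "\n")
    body: List[str] = []
    for line in text.split("\n"):
        if not body:
            if line.startswith("220-"):          # start of multi-line reply
                body.append(line[4:])
                continue
            if line.startswith("220 "):          # single-line reply
                return line[4:]
            return None
        if line.startswith("220 "):              # terminating line
            body.append(line[4:])
            return "\n".join(body)
        # Continuation lines may or may not repeat the "220-" prefix.
        body.append(line[4:] if line.startswith("220-") else line)
    return None                                  # multi-line reply never terminated


def missing_phrases(banner: Optional[str], required=REQUIRED_PHRASES) -> List[str]:
    """Required phrases absent from the banner, compared case-insensitively
    with whitespace collapsed; no banner at all means everything is missing."""
    if banner is None:
        return list(required)
    low = " ".join(banner.split()).lower()
    return [p for p in required if p.lower() not in low]


def fetch_ftp_greeting(host: str, port: int = 21, timeout: float = 5.0) -> Optional[str]:
    """Connect, read until the terminating 220 line, return the greeting.
    No credentials are sent; the socket is closed after the greeting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not (data.endswith(b"\r\n") and b"\r\n220 " in b"\r\n" + data):
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
            return parse_ftp_greeting(data)
    except OSError:
        return None


# Constructed greetings as a scanner might capture them.
SAMPLES: Dict[str, bytes] = {
    "compliant": (b"220-This system is for authorized use only.\r\n"
                  b"220-All activity is subject to monitoring.\r\n"
                  b"220 FTP server ready.\r\n"),
    "no-banner": b"220 ProFTPD Server ready.\r\n",
    "partial": b"220 Authorized use only.\r\n",
    "not-ftp": b"SSH-2.0-OpenSSH_3.6\r\n",
}
# Constructed motd as read from /etc/motd over ssh on an audited host.
MOTD_SAMPLE = "Welcome to host510.\nAuthorized Use Only - activity is Subject To Monitoring.\n"


def check_all() -> Dict[str, List[str]]:
    """Missing phrases per sample; an empty list means the banner passes."""
    return {name: missing_phrases(parse_ftp_greeting(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, missing in check_all().items():
        print(f"{name:10s} {'OK' if not missing else 'missing: ' + ', '.join(missing)}")
    print(f"motd       {'OK' if not missing_phrases(MOTD_SAMPLE) else 'missing'}")
```

Treating a non-220 or unterminated reply as "all phrases missing" rather than as an error is the safer default for a routine scan: the host still ends up on the report, and the reviewer decides whether the port is running something other than FTP.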

9
CFG MGT Recommendations (cont.)
  • Modem Registration
    • Implement routine war dialing process (quarterly perhaps) instead of one-time effort in prep for an audit
  • Personal Firewalls
    • Recommend a product and provide configuration information on its use
    • DOE may purchase Black Ice
  • Clock Servers
    • Provide better docs on configuring servers to use local clock servers
    • Important for Cyber to correlate events across multiple machines
  • Continue to improve integration of data from CFG MGT sources to provide better quality information to owners, admins, and management