Effective Best Practices - PowerPoint PPT Presentation
Provided by: PDPC
Slides: 16

1
Effective Best Practices
A Search For Solutions That Work
  • SAIC's Enterprise Security Solutions Group
Hart Rossman, May 30, 2003
2
Agenda
  • Derived Authority
  • Introduction to a few methodologies that work
  • Conclusions

3
Derived Authority
List extracted from U.S. DOT Information Technology Security Program, May 1, 2001. Entries marked (u) are additions by the author.
  • A-1 Federal Laws
  • 5 U.S.C. 552a, 552a Note, The Privacy Act of 1974. Establishes standards and safeguards for the collection, maintenance, or disclosure of an individual's personal information by Federal agencies and grants an individual access to the records that require confidential treatment.
  • 5 U.S.C. 552, 552 Notes, Freedom of Information Act of 1974. Establishes procedures under which an individual can obtain records in the possession of the Federal government while enabling the government to protect records that require confidential treatment.
  • 44 U.S.C. 2101 et seq., 2501 et seq., 2701 et seq., 2901 et seq., 3101 et seq., 44 U.S.C. 2103, 2108, 2111, 2112, 2901, 2902, 2904, 2906, 2907, 3102, 3103, 3107, 3301, 3302, Federal Records Management Acts. Require establishment of standards and procedures to ensure effective records creation, use, maintenance, and disposal.
  • 31 U.S.C. 1105, 1113, 3512, Federal Managers Financial Integrity Act of 1982. Requires that agency internal control systems be periodically evaluated and that the heads of executive agencies report annually on their systems' status.
  • 18 U.S.C. 1030, 1001 Note, The Computer Fraud and Abuse Act of 1986. Establishes specific protection against fraud and related activities in connection with Federal computers. Such offenses include intentionally accessing a Federal Interest Computer without authorization and (1) obtaining anything of value (including data), (2) preventing authorized use, or (3) altering information.
  • 15 U.S.C. 271 Note, 272, 278 g-3, 278 g-4, 278 h, 40 U.S.C. 759, 759 Notes, 40 U.S.C. 1441 Note, The Computer Security Act of 1987. Creates a means for establishing minimum acceptable security practices for federally owned/operated computer systems.
  • 40 U.S.C. 1401, The Clinger-Cohen Act of 1996. Establishes the Chief Information Officer and assigns responsibilities related to Information Technology (IT) system management, including development and monitoring of IT programs.
  • 44 U.S.C. Chapter 35, The Paperwork Reduction Act of 1995. Establishes the requirement to minimize the paperwork burden for individuals, small businesses, educational and nonprofit institutions, Federal contractors, State, local and tribal governments, and other persons resulting from the collection of information by or for the Federal Government.

4
Derived Authority
  • 18 U.S.C. 1367, 2232, 2510, 2510 Notes, 2511 to 2521, 2701, 2701 Note, 2702 to 2711, 3117, 3121 Note, 3122 to 3127, Electronic Communications Privacy Act of 1986. Defines the circumstances and conditions under which the interception of wire and oral communications may be authorized, prohibits any unauthorized interception of such communications, and defines the use of the contents thereof in evidence in courts and administrative proceedings.
  • 44 U.S.C. 1061-1065, Government Information Security Reform Act. Amends the Paperwork Reduction Act (PRA) of 1995 by enacting a new subchapter on Information Security. The Act primarily addresses the program management and evaluation aspects of security. It covers unclassified and national security systems and creates the same management framework for each.
  • A-2 Executive Orders
  • Executive Order 10450, Security Requirements for Government Employment, December 28, 1978. Directs the establishment and maintenance, within Government departments and agencies, of an effective program to insure that the employment and retention in employment of any civilian officer or employee within that department or agency is clearly consistent with the interests of the national security.
  • Executive Order 12958, Classified National Security Information, April 17, 1995. Prescribes a uniform system for classifying, safeguarding, and declassifying national security information.
  • Executive Order 12968, Access to Classified Information, August 4, 1995. Establishes a uniform Federal personnel security program for employees who will be considered for initial or continued access to classified information.
  • Executive Order 13011, Federal Information Technology, July 17, 1996. Establishes clear accountability for information resources management activities by creating agency Chief Information Officers (CIOs) with the visibility and management responsibilities necessary to advise the agency head on the design, development, and implementation of those information systems.
  • The Clinton Administration's Policy on Critical Infrastructure Protection, Presidential Decision Directive 63 (PDD 63), May 1998. Establishes policy relating to assignment of responsibilities for the protection of critical infrastructure, including planning and management of assets, especially IT resources.

5
Derived Authority
  • A-3 Regulatory Requirements
  • OMB Circular No. A-11, Preparation and Submission of Budget Estimates.
  • OMB Circular A-123, Management Accountability and Control, June 21, 1995. Prescribes the policies and standards to be followed by executive agencies in establishing and maintaining internal controls in their programs and administrative activities.
  • OMB Circular A-127, Financial Management Systems, July 23, 1993. Prescribes policies and standards for executive agencies to follow in developing, operating, evaluating, and reporting on financial management systems.
  • OMB Circular A-130 (including all Appendices), Management of Federal Information Resources, revised February 8, 1996. Establishes policy for the management of Federal information resources, as well as procedures for information system security.
  • OPM, 5 CFR, Part 930.302, OPM Training Requirements. Specifies the content of computer security awareness training for Executives, Program and Functional Managers, IRM, Security and Audit personnel, ADP Management and Operations personnel, and End Users.
  • OMB Memorandum for the Heads of Departments and Agencies, Incorporating and Funding Security in Information System Investments, February 2000.
  • OMB Memorandum M-00-07, Incorporating and Funding Security in Information Systems Investments, February 28, 2000. Reminds agencies of the OMB principles for incorporating and funding security as part of agency information technology systems and architectures, and of the decision criteria that will be used to evaluate security for information systems investments.

6
Derived Authority
  • A-4 National Institute of Standards and Technology (NIST)
  • National Institute of Standards and Technology (NIST) Special Publication (SP) 800-2, Public Key Cryptography, April 1991. Provides a state-of-the-art survey of public-key cryptography.
  • NIST SP 800-3, Establishing a Computer Security Incident Response Capability, November 1991. Defines a centralized and cost-effective approach to handling computer security incidents.
  • NIST SP 800-4, Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials, March 1992. Provides guidance for federal procurement initiators, contracting officers, and computer security officials on including computer security in acquisitions.
  • NIST SP 800-5, Guide to Selection of Anti-Virus Tools and Techniques, December 1992. Provides criteria for judging the functionality, practicality, and convenience of anti-virus tools.
  • NIST SP 800-6, Automated Tools for Testing Computer System Vulnerability, December 1992. Provides guidance on the implementation, selection, utilization, and distribution of vulnerability testing tools.
  • NIST SP 800-7, Security in Open Systems, July 1994. Provides information for the practicing programmer involved in the development of telecommunications application software, regarding methodologies for building security into software based on open system platforms.
  • NIST SP 800-8, Security Issues in the Database Language SQL, August 1993. Examines the security functionality that might be required of relational DBMSs, and compares it with the requirements and options of the SQL specifications.
  • NIST SP 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, December 1994. Provides a basis for understanding how firewalls work and the steps necessary for implementing them. Users can then use this document to assist in planning or purchasing a firewall.
  • NIST SP 800-11, The Impact of the FCC's Open Network Architecture on NS/EP Telecommunications Security, February 1995. Provides an overview of Open Network Architecture (ONA), describes National Security and Emergency Preparedness (NS/EP) telecommunications security concerns, and describes the NS/EP telecommunications security concerns that the FCC's ONA requirement introduces into the Public Switched Network (PSN).

7
Derived Authority
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995. Provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.
  • NIST SP 800-13, Telecommunications Security Guidelines for Telecommunications Management Network, October 1995. Provides baseline protection measures that government agencies or commercial organizations can use to safeguard Telecommunication Management Network (TMN) resources and counter security threats.
  • NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, June 1996. Provides a baseline that organizations can use to establish and review their IT security programs, and gain an understanding of the basic security requirements most IT systems should contain.
  • NIST SP 800-15, Minimum Interoperability Specification for PKI Components (MISPC), Version 1, January 1998. Provides a basis for interoperation between public key infrastructure (PKI) components from different vendors.
  • NIST SP 800-16, Information Technology Training Requirements, March 1998. Establishes current training requirements for information technology systems.
  • NIST SP 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures, February 1998. Provides a brief overview of the Data Encryption Standard (DES) and Skipjack algorithms, and introduces the basic design and configuration of the MOVS.
  • NIST SP 800-18, Guide to Developing Security Plans for Information Technology Systems, December 1998. Provides guidance for the development of IT systems security plans in compliance with Federal regulations.
  • NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, August 2000. Provides a basis for understanding and use of products evaluated through the National Information Assurance Partnership (NIAP)'s Common Criteria Evaluation and Validation Program (ISO/IEC 15408) and the Cryptographic Module Validation Program (CMVP). (u)
  • NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001. Builds upon the Federal IT Security Assessment Framework to provide a questionnaire to evaluate entire agencies. Will assist in fulfilling requirements for OMB Circular A-11, Preparing and Submitting Budget Estimates. (u)

8
Derived Authority
  • NIST SP 800-28, Guidelines on Active Content and Mobile Code, October 2001. Provides for the understanding and development of policy for active content and mobile code. (u)
  • NIST SP 800-30, Risk Management Guide for Information Technology Systems, January 2002. A 9-step risk management framework for managing an organization's assets. (u)
  • NIST SP 800-31, Intrusion Detection Systems (IDS), November 2001. Selecting and implementing IDS. (u)
  • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002. Provides a framework of considerations for IT asset contingency planning. (u)
  • NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, January 2002. Selecting and implementing firewalls. (u)
  • NIST Federal Information Processing Standards
  • NIST FIPS 31, Guidelines for Automatic Data Processing Physical Security and Risk Management, June 1974. (u)
  • NIST FIPS 73, Guidelines for Security of Computer Applications, June 1980. (u)
  • NIST FIPS 102, Guidelines for Computer Security Certification and Accreditation, September 1983. (u)
  • A-5 Government Accounting Office (GAO)

9
Summary of Derived Authority
  • A viable security program requires
  • Clear lines of authority
  • Designation of responsibility
  • An understanding of the business process which IT
    supports
  • An understanding of the management of risk
  • The evaluation and testing of products and
    practice
  • The implementation of products and practice
  • The documentation of practice and procedure
  • Regular training, education, and review
  • Continuing re-evaluation and modernization of the
    program
  • Cooperation throughout the organization on a
    continuing basis

10
External Vulnerability Scanning
  • Goal: measure and reduce Internet risk to a large Federal Department
  • Benchmark: the Top Twenty Vulnerabilities co-identified and published by SANS and the FBI
  • Process
  • Inform the community and allow them to prepare
  • Release the exact scanning configuration and procedures
  • Execute scans routinely, at known times and from known places
  • Establish decision points where clear, deliberate action is taken for Department sub-organizations that fail to achieve the benchmark
  • Tools: common open-source tools, publicly available to all
  • NMap
  • Nessus

11
Findings and Observations: External SANS/FBI Top 20 Vulnerability Scanning
  • Challenge
  • A Federal Department has a large, public presence on the Internet that must be protected. The scope of that presence is unknown.
  • Response
  • Identify Department resources that are visible, and potentially vulnerable, to the Internet community
  • Remove where possible
  • Secure where necessary
  • Results after 5 scanning periods
  • Established a measurable benchmark and an open, repeatable scanning process using open-source tools.
  • Quantified and then significantly reduced the Internet footprint.
  • Significantly reduced the number of potentially vulnerable hosts department-wide.
  • Results
  • 55 reduction in visible hosts to date.
  • 89 reduction in potentially vulnerable hosts to date.
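The measurement half of the process on the two scanning slides (scan against a published benchmark, score each sub-organization at a decision point, track the footprint from one scanning period to the next) as an added example; this is not code from the presentation or from SAIC's programme. It assumes Nmap's grepable output format (`-oG`, a real Nmap option), uses a stand-in service list in place of the SANS/FBI Top 20 (which the deck cites but does not reproduce), and uses constructed sub-organization address ranges and constructed scan output.

```python
"""Footprint measurement for an external scanning programme.

Added example, not from the presentation: parse Nmap grepable (-oG) output,
count the hosts that are visible and the hosts exposing a benchmark service,
score each sub-organisation against the benchmark, and report the reduction
between two scanning periods. The sub-organisation ranges and the service
list are ASSUMPTIONS for illustration; the deck does not publish its own.
"""
import ipaddress

# ASSUMPTION: stand-in for the SANS/FBI Top 20 benchmark, expressed as the
# service names Nmap prints for listening ports.
BENCHMARK_SERVICES = {"telnet", "ftp", "netbios-ssn", "microsoft-ds", "snmp"}

# ASSUMPTION: sub-organisations own these (documentation-only) address ranges.
SUB_ORGS = {
    "Agency A": ipaddress.ip_network("192.0.2.0/25"),
    "Agency B": ipaddress.ip_network("192.0.2.128/25"),
}

# Constructed sample scan output in Nmap's grepable (-oG) format, two periods.
# Fields are tab-separated; a port entry is port/state/proto/owner/service/rpc/version/.
PERIOD_1 = """\
# Nmap 7.80 scan initiated (constructed sample, period 1)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.0.2.130 ()\tStatus: Up
Host: 192.0.2.130 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 192.0.2.140 ()\tStatus: Up
Host: 192.0.2.140 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
"""
PERIOD_2 = """\
# Nmap 7.80 scan initiated (constructed sample, period 2: one host removed, one secured)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.0.2.130 ()\tStatus: Up
Host: 192.0.2.130 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Map each reachable host to the set of services it exposes on open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment/header lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        hosts.setdefault(ip, set())  # a host that answered counts as visible
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            parts = entry.split("/")
            port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
            if state == "open":
                hosts[ip].add(service or f"{proto}/{port}")
    return hosts


def assess(hosts, sub_orgs=SUB_ORGS, benchmark=BENCHMARK_SERVICES):
    """Score each sub-organisation: visible hosts, hosts exposing a benchmark
    service, and the decision-point outcome (any such host fails the benchmark)."""
    report = {}
    for name, net in sub_orgs.items():
        visible = {ip for ip in hosts if ipaddress.ip_address(ip) in net}
        exposed = {ip for ip in visible if hosts[ip] & benchmark}
        report[name] = {
            "visible": len(visible),
            "vulnerable": len(exposed),
            "exposed_hosts": sorted(exposed),
            "meets_benchmark": not exposed,
        }
    return report


def reduction_pct(before, after):
    """Percentage reduction between two counts (0.0 when there was nothing to reduce)."""
    if before == 0:
        return 0.0
    return round(100.0 * (before - after) / before, 1)


def compare_periods(first, second):
    """Department-wide (before, after, % reduction) for visible and vulnerable hosts."""
    a = assess(parse_grepable(first))
    b = assess(parse_grepable(second))
    totals = {}
    for key in ("visible", "vulnerable"):
        n1 = sum(r[key] for r in a.values())
        n2 = sum(r[key] for r in b.values())
        totals[key] = (n1, n2, reduction_pct(n1, n2))
    return totals


if __name__ == "__main__":
    for name, r in assess(parse_grepable(PERIOD_2)).items():
        status = "meets benchmark" if r["meets_benchmark"] else "FAILS benchmark"
        print(f"{name}: {r['visible']} visible, {r['vulnerable']} exposed -> {status} {r['exposed_hosts']}")
    for key, (n1, n2, pct) in compare_periods(PERIOD_1, PERIOD_2).items():
        print(f"{key}: {n1} -> {n2} ({pct}% reduction)")
```

The decision rule is deliberately strict: one host exposing any benchmark service fails the sub-organization, which is what makes the "clear, deliberate action" on the slide unambiguous. Because the scan configuration is published and the scans run from known places at known times, the same parser can be run by each sub-organization on its own results before the official period, so the decision point holds no surprises.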

12
Why Red Team?
(Source: Critical Foundations: Protecting America's Infrastructures, the President's Commission on Critical Infrastructure Protection)

[Figure: spectrum of threats, reproduced from the PCCIP report. Tiers: National Security Threats, Shared Threats, Local Threats. Threat actors shown, top to bottom: Info Warrior, National Intelligence, Terrorist, Industrial Espionage, Organized Crime, Institutional Hacker, Recreational Hacker. Motivations shown alongside them, in the order they appear: Reduce U.S. Decision Space, Strategic Advantage, Chaos, Target Damage; Information for Political, Military, Economic Advantage; Visibility, Publicity, Chaos, Political Change; Competitive Advantage, Intimidation; Revenge, Retribution, Financial Gain, Institutional Change; Monetary Gain, Thrill, Challenge, Prestige; Thrill, Challenge.]
13
Security Strategy: Meshing Prevention, Proactive Detection and Containment
[Diagram labels: Attacks, Prevention, Proactive Detection, IDS/IPS, Target, System Recovery]
  • Prevent What You Can
  • Perimeter Security
  • Access Control
  • Process and Technology
  • Detect Intruders and Holes
  • Intrusion detection
  • Forensic Analysis
  • Proactive Discovery of Exposure
  • Incident Response and Recovery
  • System Recovery
  • Adjust Countermeasures
  • Continued Vigilance

Concept: Lunt, SecureComm98 Keynote
14
Knowing Your Infrastructure
  • Do you suffer from the Pink Elephant syndrome?
  • What are your actual network boundaries?
  • What devices operate on your network?
  • What protocols and services are running?
  • What ports are open?
  • Is your security audit system tuned correctly?
  • Are there any surprises?
  • Red Teaming is an effective way to:
  • Detect vulnerabilities and misconfigurations before hackers find them
  • Raise security awareness
  • Provide a feedback mechanism for security personnel
  • Proactively engage security challenges
  • Verify and reduce false positives and false negatives
  • Reduce overall risk profile

15
Conclusion
  • Over a period of approx. 30 years, the
    computer-based information assurance field has
    grown, matured, and expanded its role in the way
    we do business and protect the Homeland.
  • During that time, Governments and International
    Standards Bodies have sought to provide iterative
    guidance.
  • Quantitative evidence exists that allows these
    organizations to propose best practices.
  • We, as an Industry, have a responsibility to
    educate our customers and peers on the most
    current methodologies to foster the best
    practices that will allow for pervasive security
    of our critical data and infrastructure.