1 / 49

Security Control Families

Operational Class. Security Control Families. Awareness & Training. 800-16 800-50 800-84 – Plan Testing, Training and Exercise. TT&E. Test Training Exercises Tabletop Functional. CP TT&E. CP TT&E. Configuration Management. 800-70 800-128 CM OMB 07-11 OMB 07-18 OMB 08-22

howell
Download Presentation

Security Control Families

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Operational Class Security Control Families

  2. Awareness & Training • 800-16 • 800-50 • 800-84 – Plan Testing, Training and Exercise

  3. TT&E • Test • Training • Exercises • Tabletop • Functional

  4. CP TT&E

  5. CP TT&E

  6. Configuration Management • 800-70 • 800-128 CM • OMB 07-11 • OMB 07-18 • OMB 08-22 • SCAP/NVD FDCC

  7. The Phases of Security-focused Configuration Management

  8. SCAP v1.2 Components

  9. Additional SCAP Terminology

  10. Knowledge Check • Which SCAP specifications provide a standard naming convention for operating systems, hardware, and applications for the purpose of providing consistent, easily parsed names? • What is defined as an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes? • Which special pub provides guidelines on designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events?

  11. Contingency Planning • 800-34 • FCD 1

  12. Type of Plans

  13. Contingency Planning Process

  14. Business Impact Analysis

  15. System/Process Downtime • Maximum Tolerable Downtime (MTD) • Recovery Time Objective (RTO) • Recovery Point Objective (RPO)

  16. Recovery Strategies

  17. Incident Response • 800-61Incident Response • 800-83 (SI)Malware

  18. Handling an Incident • Preparation • Detection and Analysis • Containment, Eradication, and Recovery • Post-Incident Activity

  19. Incident Reporting Organizations • US-CERT [IR 6,7] • Information Analysis Infrastructure Protection (IAIP) • CERT® Coordination Center (CERT®/CC) • Information Sharing and Analysis Centers (ISAC) Each agency must designate a primary and secondary POC with US-CERT, report all incidents, and internally document corrective actions and their impact. [IR-7]

  20. Federal Agency Incident Reporting Categories • CAT 0 - Exercise/Network Defense Testing • CAT 1 - *Unauthorized Access • CAT 2 - *Denial of Service (DoS) • CAT 3 - *Malicious Code • CAT 4 - *Inappropriate Usage • CAT 5 - Scans/Probes/ Attempted Access • CAT 6 - Investigation • Any incident that involves compromised PII must be reported to US-CERT within 1 hour of detection regardless of the incident category reporting timeframe.

  21. Knowledge Check • Name the contingency planning variable that defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business functions, and the MTD? • What is created to correlate the information system with critical mission/business processes, which is further used to characterize the consequences of a disruption? • Which Federal mandate requires agencies to report incidents to US-CERT? • What is the US-CERT incident category name and reporting timeframe for a CAT-2 incident?

  22. System Maintenance • 800-63 - E-Auth (IA) • 800-88 – Sanitization (MP) • FIPS 140-2 - Crypto • FIPS 197 - AES • FIPS 201 – PIV (IA)

  23. Encryption Standards • FIPS 140-2 • Level 1 – Basic (at least one Approved algorithm or Approved security function shall be used) • Level (EAL) 2 - Tamper-evidence, requires role-based authentication • Level (EAL) 3 – Intrusion detection and prevention, requires identity-based authentication mechanisms • Level (EAL) 4 – Zeroization, environmental protection • Advanced Encryption Standard (FIPS 197)

  24. Media Protection • 800-56 • 800-57 • 800-60 • 800-88 - Sanitization • 800-111 – Storage Encryption Key Management

  25. Storage Encryption Technologies

  26. Media Sanitization • Disposal - discarding media with no other sanitization considerations • Cleaning - must not allow information to be retrieved by data, disk, or file recovery utilities. • Purging - protects the confidentiality of information against a laboratory attack. • Destroying - ultimate form of sanitization: disintegration, incineration, pulverizing, shredding, and melting.

  27. Sanitization and Disposition Decision Flow

  28. Physical & Environmental Protection • 800-46 – Telework/ Remote Access • 800-73 • 800-76 • 800-78 • FIPS 201 PIV (IA)

  29. Physical Access Controls • Badges • Memory Cards • Guards • Keys • True-floor-to-true-ceiling Wall Construction • Fences • Locks

  30. Fire Safety • Ignition Sources • Fuel Sources • Building Operation • Building Occupancy • Fire Detection • Fire Extinguishment

  31. Supporting Utilities • Air-conditioning System • Electric Power Distribution • Heating Plants • Water • Sewage • Planning for Failure • Mean-Time-Between-Failures (MTBF) • Mean-Time-To-Repair (MTTR)

  32. Personnel Security • 800-73 • 800-76 • 800-78 • 5 CFR 731.106 Designation of public trust positions and investigative requirements. • ICD 704 Personnel Security Standards (SCI) PIV (IA)

  33. Staffing

  34. User Administration • User Account Management • Audit and Management Reviews • Detecting Unauthorized/Illegal Activities • Temporary Assignments and In-house Transfers • Termination

  35. Termination • Friendly Termination • Unfriendly Termination

  36. Knowledge Check • Which FIPS 140-2 encryption level requires identity based authentication? • What is the FIPS publication specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits? • What is the recommended disposal method, from the sanitization guidelines of NIST SPO 800-88, for paper-based medical records containing sensitive PII? • What is the supporting guideline for PS-9 Alternate Work Site?

  37. Systems Integrity • 800-40 – Patching (RA) • 800-45 - Email • 800-61 – Incidents (IR) • 800-83 - Malware • 800-92 – Logs (AU) • 800-94 - IDPS • NVD/CWE

  38. Malware Incident Prevention & Handling • Malware Categories • Malware Incident Prevention • Policy • Awareness • Vulnerability Mitigation • Threat Mitigation • Malware Incident Response • Preparation • Detection • Containment • Eradication • Recovery • Lessons Learned

  39. Malware Categories • Viruses • Compiled Viruses • Interpreted Viruses • Virus Obfuscation Techniques • Worms • Trojan Horses • Malicious Mobile Code • Blended Attacks • Tracking Cookies • Attacker Tools • Backdoors • Keystroke Loggers • Rootkits • Web Browser Plug-Ins • E-Mail Generators • Attacker Toolkits • Non-Malware Threats • Phishing • Virus Hoaxes

  40. Uses of IDPS Technologies • Identifying Possible Incidents • Identify Reconnaissance Activity • Identifying Security Policy Problems • Documenting Existing Threat to an Organization • Deterring Individuals from Violating Security Policies

  41. Key Functions of IDPS Technologies • Recording information related to observed events • Notifying security administrators of important observed events • Producing reports • Response Techniques • Stops Attack • Changes Security Environment • Changes Attack’s Content • False Positive • False Negative • Tuning • Evasion

  42. Common Detection Methodologies • Signature-Based Detection • Anomaly-Based Detection • Stateful Protocol Analysis

  43. Types of IDPS Technologies • Network-Based • Wireless • Network Behavior Analysis • Host Based

  44. Email Security - Spam • Ensure that spam cannot be sent from the mail servers they control • Implement spam filtering for inbound messages • Block messages from known spam-sending servers

  45. Operational Security Controls Key Concepts & Vocabulary • Awareness and Training • Configuration Management • Contingency Planning • Incident Response • Maintenance • Media Protection • Physical and Environmental Protection • Personnel Security • System and Information Integrity

More Related