Information Systems (IS) Inspection Trends

April 17 – 18, 2013

Stan Sterns, CISSP

Lockheed Martin Aeronautics

Agenda
  • Cognizant Security Agency
  • Common Security Plans Deficiencies
  • Common System Validation Vulnerabilities
  • DSS Inspection Overview
    • General Comments
    • Interview Questions
    • Recommendations
    • Observations
    • Vulnerabilities
    • Enhancements
  • Partnership/Sharing and Collaboration
  • Closing
Cognizant Security Agency (CSA)
  • Defense Security Service (DSS) is the primary government entity responsible for approving cleared contractor information systems to process classified data.
  • Works with industry partners to ensure information system security controls are in place to limit the risk of compromising national security information.
  • Ensures adherence to national industrial security standards.
    • National Industrial Security Program Operating Manual (NISPOM), Feb 2006
    • Industrial Security Field Operations (ISFO) Process Manual, Jun 2011
    • Standardization of Baseline Technical Security Configurations, Mar 2009
    • Industrial Security Letters (ISLs)
    • Others, as applicable
Top 10 Deficiencies – Security Plans
  • SSP Incomplete or missing attachments
  • Inaccurate or incomplete configuration diagram or system description
  • SSP not tailored to the system
  • Sections in general procedures contradict protection profile
  • Missing certifications from the ISSM
  • Missing variance, waiver, risk acknowledgement letter
  • Incorrect or missing ODAA UID in plan submission
  • Integrity & Availability not addressed completely
  • Inadequate anti-virus procedures
  • Inadequate trusted download procedures

(Riley, 2013)

Top 10 Vulnerabilities – System Validations
  • Security relevant objects (SROs) not protected
  • Inadequate auditing controls
  • Improper session controls: Failure to have proper user activity/inactivity, logon, system attempts enabled.
  • SSP does not reflect how the system is configured
  • BIOS not protected
  • Topology not correctly reflected in (M)SSP
  • Identification & Authentication controls
  • Integrity & Availability not addressed completely
  • Physical security controls
  • Inadequate anti-virus procedures

(Riley, 2013)

General Comments (DSS Inspection)
  • Rack mounted systems (all components must be marked)
  • Interview ISSOs (education, certifications, system knowledge)
  • Removed CPU casing to view serial numbers on hard drive
  • Wanted to see a year’s worth of audit logs (Sys, Sec, App)
  • Power Users
  • Access permissions on Security Relevant Objects (SROs)
    • Anti-virus folder
    • Regedit
    • Windows/repair .dll files
    • Audit log folder
General Comments (DSS Inspection)
  • Reviewed DD 147, Closed Area approval documentation
  • ISSO created a test account
  • Deploying tools to aid in management of system
  • General user demo/explained Trusted Download procedure
  • Self-Inspections
  • Weekly Audit Analysis
  • Protected Distribution Systems (NSTI 7003)
  • Simplified Network Security Plan (NSP)
  • Group Accounts
  • ISSO duties and responsibilities
  • End-of-day Out-brief
  • After Hours Check
Interview Questions (ISSO/User)
  • What is your clearance level?
  • How often do you access classified information?
  • What is your background in regards to information systems security?
  • What would you do if a stranger asked you about your job?
  • What would you do if you received an unusual email?
  • What is the definition of adverse information?
  • What are the three levels of classified information?
  • Have you had any foreign travel?
Interview Questions (ISSO)
  • How are new systems certified?
  • How are the weekly user audits performed?
  • When is the last time service patches were installed?
  • What is the process for issuing a temporary password?
  • What is the process for issuing a new hard drive?
  • Does the ISSM recertify each new hard drive?
  • Do you use a Seal Log?
  • Do you courier classified material off the facility?
  • Two-person integrity for all Trusted Downloads
  • “Deny” access group for expired user accounts
  • Sysadmin account disabled when not needed
  • Identify each room/closed area on hardware baseline
  • Should be keeping originally signed user briefing forms
  • LED monitors vs CRT monitors
  • Request audit variance for hard drives with limited use
  • Separate maintenance log for security relevant actions
  • Recording password changes in maintenance log (NR)
  • ATO/Self-Cert letters must reflect caveats
  • Must have justification for “power users”
  • Non-SCI should reflect NOFORN
  • Systems with configuration variations should be “SSP”
  • ISSOs/AISSOs cannot verify their own clearances
  • Single system with WAN connection (MUSA or P2P?)
  • Privileged accounts should not be obvious
  • BIOS resets to default when removed from system
  • If users must be “administrators” – identify limitations
  • Restricted area processing – mark current level
  • Security seals over screws
  • Mark unclassified equipment with a 5-foot radius

Possible Enhancements/Best Practices:

  • Automated user briefing statements
  • Formal system shutdown procedures
  • Trusted download warning banner pops up whenever a user logs in
  • Background banners – must be accurate to include caveats
Common Vulnerabilities
  • Security relevant software not on software baseline
  • Privilege account box not checked on briefing statement
  • Incorrect audit settings on SROs
    • McAfee, ORACLE Desktop Client
  • SRO not secured from unauthorized access
    • Users had “read” permissions to “SecEvent”
  • Configuration management
    • Incorrect serial numbers on hardware baseline
      • (e.g., 56719B1 recorded where it should be 5671981)
  • Patch management – systems not patched to SP3
Common Vulnerabilities
  • Local accounts on client/server configuration
  • Restricted area procedures not being followed
  • Built-in administrator password set to never expire
  • DoD banner not displayed when connecting to remote system
  • Certification process: HDDs incorrectly marked while the external chassis was marked correctly
  • Test account still active
Enhancements (2013)
  • Category 1: Company Sponsored Events
  • Category 2: Internal Education Brochures and Products
  • Category 3: Security Staff Professionalism
  • Category 4: Information Product Sharing within the Community
  • Category 5: Active Membership in the Security Community
  • Category 6: Contractor Self Review
  • Category 7: Counterintelligence Integration
  • Category 8: Cyber Security
  • Category 9: FOCI/International
  • Category 10: Classified Material Controls/Physical Security
  • Category 11: Information Systems
Sharing and Collaboration
  • Partnership
  • Information Security Working Groups
    • National Classification Management Society
    • Information Systems Special Interest Group
      • Sharing of tools, resources, and general information
    • Joint Security Awareness Council
  • Luncheons
    • Enhancement Ideas
    • Best Practice Considerations
    • System Configurations
  • Cognizant Security Agency
  • Security Plan Deficiencies
  • System Validation Vulnerabilities
  • DSS Inspection Overview
    • General Comments
    • Interview Questions
    • Recommendations
    • Observations
    • Vulnerabilities
    • 2013 Enhancements
  • Partnership/Sharing and Collaboration


Riley, R. (2013, February). NISPPAC C&A Working Group Update for the Committee. Defense Security Service, Office of Designated Approval Authority.