
Information Systems (IS) Inspection Trends

Information Systems (IS) Inspection Trends. April 17 – 18, 2013. Stan Sterns, CISSP Lockheed Martin Aeronautics . Agenda. Cognizant Security Agency Common Security Plans Deficiencies Common System Validation Vulnerabilities DSS Inspection Overview General Comments Interview Questions


Presentation Transcript


  1. Information Systems (IS) Inspection Trends
     April 17 – 18, 2013
     Stan Sterns, CISSP, Lockheed Martin Aeronautics

  2. Agenda
     • Cognizant Security Agency
     • Common Security Plans Deficiencies
     • Common System Validation Vulnerabilities
     • DSS Inspection Overview
     • General Comments
     • Interview Questions
     • Recommendations
     • Observations
     • Vulnerabilities
     • Enhancements
     • Partnership/Sharing and Collaboration
     • Closing

  3. Cognizant Security Agency (CSA)
     • Defense Security Service (DSS) is the primary government entity responsible for approving cleared contractor information systems to process classified data.
     • Works with industry partners to ensure information system security controls are in place to limit the risk of compromising national security information.
     • Ensures adherence to national industrial security standards:
       • National Industrial Security Program Operating Manual (NISPOM), Feb 2006
       • Industrial Security Field Operations (ISFO) Process Manual, Jun 2011
       • Standardization of Baseline Technical Security Configurations, Mar 2009
       • Industrial Security Letters (ISLs)
       • Others, as applicable

  4. Top 10 Deficiencies – Security Plans
     • SSP incomplete or missing attachments
     • Inaccurate or incomplete configuration diagram or system description
     • SSP not tailored to the system
     • Sections in general procedures contradict protection profile
     • Missing certifications from the ISSM
     • Missing variance, waiver, risk acknowledgement letter
     • Incorrect or missing ODAA UID in plan submission
     • Integrity & Availability not addressed completely
     • Inadequate anti-virus procedures
     • Inadequate trusted download procedures
     (Riley, 2013)

  5. Security Plan Deficiencies

  6. Top 10 Vulnerabilities – System Validations
     • Security relevant objects (SROs) not protected
     • Inadequate auditing controls
     • Improper session controls: failure to have proper user activity/inactivity, logon, and system attempt settings enabled
     • SSP does not reflect how the system is configured
     • BIOS not protected
     • Topology not correctly reflected in (M)SSP
     • Identification & Authentication controls
     • Integrity & Availability not addressed completely
     • Physical security controls
     • Inadequate anti-virus procedures
     (Riley, 2013)

  7. On-site Validation Vulnerabilities

  8. General Comments (DSS Inspection)
     • Rack mounted systems (all components must be marked)
     • Interview ISSOs (education, certifications, system knowledge)
     • Removed CPU casing to view serial numbers on hard drive
     • Wanted to see a year’s worth of audit logs (Sys, Sec, App)
     • Power Users
     • Access permissions on Security Relevant Objects (SROs):
       • Anti-virus folder
       • Regedit
       • Windows/repair .dll files
       • Audit log folder

  9. General Comments (DSS Inspection)
     • Reviewed DD 147, Closed Area approval documentation
     • ISSO created a test account
     • Deploying tools to aid in management of system
     • General user demo/explained Trusted Download procedure
     • Self-Inspections
     • Weekly Audit Analysis
     • Protected Distribution Systems (NSTISSI 7003)
     • Simplified Network Security Plan (NSP)
     • Group Accounts
     • ISSO duties and responsibilities
     • End-of-day Out-brief
     • After Hours Check

  10. Interview Questions (ISSO/User)
     • What is your clearance level?
     • How often do you access classified information?
     • What is your background with regard to information systems security?
     • What would you do if a stranger asked you about your job?
     • What would you do if you received an unusual email?
     • What is the definition of adverse information?
     • What are the three levels of classified information?
     • Have you had any foreign travel?

  11. Interview Questions (ISSO)
     • How are new systems certified?
     • How are the weekly user audits performed?
     • When is the last time service patches were installed?
     • What is the process for issuing a temporary password?
     • What is the process for issuing a new hard drive?
     • Does the ISSM recertify each new hard drive?
     • Do you use a Seal Log?
     • Do you courier classified material off the facility?

  12. Recommendations
     • Two-person integrity for all Trusted Downloads
     • “Deny” access group for expired user accounts
     • Sysadmin account disabled when not needed
     • Identify each room/closed area on hardware baseline
     • Should be keeping originally signed user briefing forms
     • LED monitors vs CRT monitors
     • Request audit variance for hard drives with limited use
     • Separate maintenance log for security relevant actions
     • Recording password changes in maintenance log (NR)

  13. Observations
     • ATO/Self-Cert letters must reflect caveats
     • Must have justification for “power users”
     • Non-SCI should reflect NOFORN
     • Systems with configuration variations should be “SSP”
     • ISSOs/AISSOs cannot verify their own clearances
     • Single system with WAN connection (MUSA or P2P?)
     • Privileged accounts should not be obvious
     • BIOS resets to default when removed from system
     • If users must be “administrators” – identify limitations

  14. Observations
     • Restricted area processing – mark current level
     • Security seals over screws
     • Mark unclassified equipment within a 5-foot radius
     Possible Enhancements/Best Practices:
     • Automated user briefing statements
     • Formal system shutdown procedures
     • Trusted download warning banner pops up whenever a user logs in
     • Background banners – must be accurate and include caveats

  15. Common Vulnerabilities
     • Security relevant software not on software baseline
     • Privilege account box not checked on briefing statement
     • Incorrect audit settings on SROs
       • McAfee, ORACLE Desktop Client
     • SRO not secured from unauthorized access
       • Users had “read” permissions to “SecEvent”
     • Configuration management
       • Incorrect serial numbers on hardware baseline (ex: 56719B1 and should be 5671981)
     • Patch management – systems not patched to SP3

  16. Common Vulnerabilities
     • Local accounts on client/server configuration
     • Restricted area procedures not being followed
     • Built-in administrator password set to never expire
     • DoD banner not displayed when connecting to remote system
     • Certification process: HDDs incorrectly marked while the external chassis was marked correctly
     • Test account still active
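A PowerShell self-inspection checklist, added here as an example and not part of the presentation, that tests a Windows host for several of the findings on slides 6, 15 and 16: the built-in administrator password set to never expire, an enabled test account, ordinary users with read access to the Security event log (the "SecEvent" SRO), a missing logon banner, and a missing or overly long inactivity lock. The account-naming pattern "test", the 15-minute inactivity threshold and the elevated-prompt requirement are assumptions; the registry path, value names and event-log path are the standard Windows ones.

```powershell
# Added example (not from the presentation). Assumes PowerShell 5.1+ on Windows,
# run from an elevated prompt so the Security log ACL can be read.
function Test-IsInspectionChecklist {
    $findings = @()
    $local = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=TRUE"

    # Slide 16: built-in administrator password set to never expire.
    # Identify the account by its well-known RID (-500), not by its name.
    $admin = $local | Where-Object { $_.SID -like '*-500' }
    if ($admin -and $admin.PasswordExpires -eq $false) {
        $findings += "Built-in administrator '$($admin.Name)' password never expires"
    }

    # Slide 16: test account still active (assumed naming convention: 'test').
    $local | Where-Object { $_.Name -match 'test' -and -not $_.Disabled } |
        ForEach-Object { $findings += "Enabled test account: $($_.Name)" }

    # Slide 15: SRO not secured; here the Security event log readable by users.
    $secLog = Join-Path $env:SystemRoot 'System32\winevt\Logs\Security.evtx'
    if (Test-Path $secLog) {
        foreach ($ace in (Get-Acl $secLog).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference -match 'Users|Everyone|Authenticated Users') {
                $findings += "Security log grants $($ace.IdentityReference): $($ace.FileSystemRights)"
            }
        }
    }

    # Slide 16: DoD logon banner not displayed (legalnoticetext empty or absent).
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sys = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    if ([string]::IsNullOrWhiteSpace($sys.legalnoticetext)) {
        $findings += "No logon banner configured (legalnoticetext is empty)"
    }

    # Slide 6: session inactivity control. InactivityTimeoutSecs is the
    # machine-wide lock setting; 900 s (15 minutes) is an assumed threshold.
    if (-not $sys.InactivityTimeoutSecs -or $sys.InactivityTimeoutSecs -gt 900) {
        $findings += "Machine inactivity lock missing, disabled, or longer than 15 minutes"
    }

    return $findings
}

$results = Test-IsInspectionChecklist
if (-not $results) { "No findings from this checklist." } else { $results }
```

Each line of output maps back to the slide item it was written for, so the list can be pasted directly into a weekly self-inspection record.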

  17. Enhancements (2013)
     • Category 1: Company Sponsored Events
     • Category 2: Internal Education Brochures and Products
     • Category 3: Security Staff Professionalism
     • Category 4: Information Product Sharing within the Community
     • Category 5: Active Membership in the Security Community
     • Category 6: Contractor Self Review
     • Category 7: Counterintelligence Integration
     • Category 8: Cyber Security
     • Category 9: FOCI/International
     • Category 10: Classified Material Controls/Physical Security
     • Category 11: Information Systems

  18. Sharing and Collaboration
     • Partnership
       • Information Security Working Groups
       • National Classification Management Society
       • Information Systems Special Interest Group
     • Sharing of tools, resources, and general information
       • Joint Security Awareness Council
       • Luncheons
     • Enhancement Ideas
     • Best Practice Considerations
     • System Configurations

  19. Closing
     • Cognizant Security Agency
     • Security Plan Deficiencies
     • System Validation Vulnerabilities
     • DSS Inspection Overview
     • General Comments
     • Interview Questions
     • Recommendations
     • Observations
     • Vulnerabilities
     • 2013 Enhancements
     • Partnership/Sharing and Collaboration

  20. Any Questions?

  21. References
     Riley, R. (2013, February). NISPPAC C&A Working Group Update for the Committee. Defense Security Service, Office of Designated Approval Authority.
