Information Systems (IS) Inspection Trends - PowerPoint PPT Presentation
Information Systems (IS) Inspection Trends

April 17 – 18, 2013

Stan Sterns, CISSP

Lockheed Martin Aeronautics


  • Cognizant Security Agency

  • Common Security Plans Deficiencies

  • Common System Validation Vulnerabilities

  • DSS Inspection Overview

    • General Comments

    • Interview Questions

    • Recommendations

    • Observations

    • Vulnerabilities

    • Enhancements

  • Partnership/Sharing and Collaboration

  • Closing

Cognizant Security Agency (CSA)

  • Defense Security Service (DSS) is the primary government entity responsible for approving cleared contractor information systems to process classified data.

  • Works with industry partners to ensure information system security controls are in place to limit the risk of compromising national security information.

  • Ensures adherence to national industrial security standards.

    • National Industrial Security Program Operating Manual (NISPOM), Feb 2006

    • Industrial Security Field Operations (ISFO) Process Manual, Jun 2011

    • Standardization of Baseline Technical Security Configurations, Mar 2009

    • Industrial Security Letters (ISLs)

    • Others, as applicable

Top 10 Deficiencies – Security Plans

  • SSP Incomplete or missing attachments

  • Inaccurate or incomplete configuration diagram or system description

  • SSP not tailored to the system

  • Sections in general procedures contradict protection profile

  • Missing certifications from the ISSM

  • Missing variance, waiver, risk acknowledgement letter

  • Incorrect or missing ODAA UID in plan submission

  • Integrity & Availability not addressed completely

  • Inadequate anti-virus procedures

  • Inadequate trusted download procedures

    (Riley, 2013)

Top 10 Vulnerabilities – System Validations

  • Security relevant objects (SROs) not protected

  • Inadequate auditing controls

  • Improper session controls: user activity/inactivity timeouts, logon controls and failed-attempt lockouts not properly enabled.

  • SSP does not reflect how the system is configured

  • BIOS not protected

  • Topology not correctly reflected in (M)SSP

  • Identification & Authentication controls

  • Integrity & Availability not addressed completely

  • Physical security controls

  • Inadequate anti-virus procedures

    (Riley, 2013)

General Comments (DSS Inspection)

  • Rack mounted systems (all components must be marked)

  • Interview ISSOs (education, certifications, system knowledge)

  • Removed CPU casing to view serial numbers on hard drive

  • Wanted to see a year’s worth of audit logs (Sys, Sec, App)

  • Power Users

  • Access permissions on Security Relevant Objects (SROs)

    • Anti-virus folder

    • Regedit

    • Windows/repair .dll files

    • Audit log folder

General Comments (DSS Inspection)

  • Reviewed DD 147, Closed Area approval documentation

  • ISSO created a test account

  • Deploying tools to aid in management of system

  • General user demo/explained Trusted Download procedure

  • Self-Inspections

  • Weekly Audit Analysis

  • Protected Distribution Systems (NSTISSI 7003)

  • Simplified Network Security Plan (NSP)

  • Group Accounts

  • ISSO duties and responsibilities

  • End-of-day Out-brief

  • After Hours Check

Interview Questions (ISSO/User)

  • What is your clearance level?

  • How often do you access classified information?

  • What is your background in regards to information systems security?

  • What would you do if a stranger asked you about your job?

  • What would you do if you received an unusual email?

  • What is the definition of adverse information?

  • What are the three levels of classified information?

  • Have you had any foreign travel?

Interview Questions (ISSO)

  • How are new systems certified?

  • How are the weekly user audits performed?

  • When is the last time service patches were installed?

  • What is the process for issuing a temporary password?

  • What is the process for issuing a new hard drive?

  • Does the ISSM recertify each new hard drive?

  • Do you use a Seal Log?

  • Do you courier classified material off the facility?


  • Two-person integrity for all Trusted Downloads

  • “Deny” access group for expired user accounts

  • Sysadmin account disabled when not needed

  • Identify each room/closed area on hardware baseline

  • Should be keeping originally signed user briefing forms

  • LED monitors vs CRT monitors

  • Request audit variance for hard drives with limited use

  • Separate maintenance log for security relevant actions

  • Recording password changes in maintenance log (NR)


  • ATO/Self-Cert letters must reflect caveats

  • Must have justification for “power users”

  • Non-SCI should reflect NOFORN

  • Systems with configuration variations should be “SSP”

  • ISSOs/AISSOs cannot verify their own clearances

  • Single system with WAN connection (MUSA or P2P?)

  • Privileged accounts should not be obvious

  • BIOS resets to default when removed from system

  • If users must be “administrators” – identify limitations


  • Restricted area processing – mark current level

  • Security seals over screws

  • Mark unclassified equipment with a 5-foot radius

    Possible Enhancements/Best Practices:

  • Automated user briefing statements

  • Formal system shutdown procedures

  • Trusted download warning banner pops up whenever a user logs in

  • Background banners – must be accurate to include caveats

Common Vulnerabilities

  • Security relevant software not on software baseline

  • Privilege account box not checked on briefing statement

  • Incorrect audit settings on SROs

    • McAfee, ORACLE Desktop Client

  • SRO not secured from unauthorized access

    • Users had “read” permissions to “SecEvent”

  • Configuration management

    • Incorrect serial numbers on hardware baseline

      • (ex: 56719B1 and should be 5671981)

  • Patch management – systems not patched to SP3

Common Vulnerabilities

  • Local accounts on client/server configuration

  • Restricted area procedures not being followed

  • Built-in administrator password set to never expire

  • DoD banner not displayed when connecting to remote system

  • Certification process: HDDs incorrectly marked while the external chassis was marked correctly

  • Test account still active

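As an added example (not from the presentation), the following PowerShell self-inspection script checks a Windows host for several of the findings listed on the two Common Vulnerabilities slides: non-privileged read access to the Security event log (an SRO), a built-in Administrator password set to never expire, test accounts left enabled, and logon/object-access auditing turned off. The log file paths, the test-account naming pattern and the audit subcategories it inspects are assumptions; it must be run from an elevated session.

```powershell
# Added self-inspection helper (not from the presentation). Flags common DSS
# findings on a Windows system. Paths, name patterns and the chosen audit
# subcategories are assumptions; adjust them to the site's baseline.

$findings = @()

# 1. SRO permissions: non-privileged groups should not have access to the
#    Security log file. Legacy (XP/2003) path is SecEvent.Evt; Vista+ uses Security.evtx.
$secLog = @("$env:SystemRoot\System32\config\SecEvent.Evt",
            "$env:SystemRoot\System32\winevt\Logs\Security.evtx") |
          Where-Object { Test-Path $_ } | Select-Object -First 1
if ($secLog) {
    $acl = Get-Acl -Path $secLog
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -match 'Users|Everyone|Authenticated Users') {
            $findings += "SRO: '$($ace.IdentityReference)' has $($ace.FileSystemRights) on $secLog"
        }
    }
}

# 2. Built-in Administrator (RID 500) password must not be set to never expire.
# 3. Leftover test accounts (name pattern assumed) must be disabled.
$accounts = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True"
foreach ($a in $accounts) {
    if ($a.SID -like '*-500' -and -not $a.PasswordExpires) {
        $findings += "Built-in administrator '$($a.Name)' has password set to never expire"
    }
    if ($a.Name -match '^(test|tmp|temp)' -and -not $a.Disabled) {
        $findings += "Test account '$($a.Name)' is still enabled"
    }
}

# 4. Auditing: key logon and object-access subcategories must not be 'No Auditing'.
#    auditpol prints subcategory lines indented under each category heading.
$audit = auditpol /get /category:* 2>$null
foreach ($line in $audit) {
    if ($line -match '^\s+(Logon|Logoff|File System|Registry|Audit Policy Change)\s+No Auditing') {
        $findings += "Audit: subcategory '$($Matches[1])' is set to No Auditing"
    }
}

if ($findings.Count -eq 0) { "No findings." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```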
Enhancements (2013)

  • Category 1 Company Sponsored Events

  • Category 2 Internal Education Brochures and Products

  • Category 3 Security Staff Professionalism

  • Category 4 Information Product Sharing within the Community

  • Category 5 Active Membership in the Security Community

  • Category 6 Contractor Self Review

  • Category 7 Counterintelligence Integration

  • Category 8 Cyber Security

  • Category 9 FOCI/International

  • Category 10 Classified Material Controls/Physical Security

  • Category 11 Information Systems

Sharing and Collaboration

  • Partnership

  • Information Security Working Groups

    • National Classification Management Society

    • Information Systems Special Interest Group

      • Sharing of tools, resources, and general information

    • Joint Security Awareness Council

  • Luncheons

    • Enhancement Ideas

    • Best Practice Considerations

    • System Configurations


  • Cognizant Security Agency

  • Security Plan Deficiencies

  • System Validation Vulnerabilities

  • DSS Inspection Overview

    • General Comments

    • Interview Questions

    • Recommendations

    • Observations

    • Vulnerabilities

    • 2013 Enhancements

  • Partnership/Sharing and Collaboration

Riley, R. (2013, February). NISPPAC C&A Working Group Update for the Committee. Defense Security Service, Office of Designated Approval Authority.