Session T-2
Ensuring Information Security
Bob Ingwalson & Tom Peters
U.S. Department of Education
Secure Your Information
[Chart: Accumulative Vulnerabilities from 1995 - 2006, plotted by year 1995-2005 on a 0-35000 scale (source: CERT, www.cert.org/ stat)]
Systems are Vulnerable!
We Implement Security Based on Cost vs. Risk
Protect Sensitive Information
• 07 RECAP
  – In the Office
  – On the System
• Ensuring Security
• Incident Detection and Reporting
Office Security
• Handling and storage
• Phones
• Faxes
• Shipping and deliveries
• CDs/DVDs
• Printers
• USB/Flash/Thumb drives
• Physical Security
• Personnel Security
• Policy and Procedures
System Security (Defense in Depth)
• Policy
• Personnel Security
• Physical Security
• Network Security
• Host based Security
• Application Security
(www.macroview.com/solutions/infosecurity/)
Ensure Security
• Federal law requires Federal Agencies to comply with NIST standards
• Federal Student Aid security is based on NIST standards and guides
• Federal Student Aid uses US-CERT’s reporting guidance for security incidents
Ensuring Security Using the NIST System Security Lifecycle
Security Categorization
Security Categorization begins by identifying the system
• Boundaries
• Organizational Importance/Criticality
• Information Sensitivities
  o CIA - HML
  o FIPS 199, SP 800-60
Information Sensitivities
POTENTIAL IMPACT by security objective (LOW / MODERATE / HIGH)

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
  LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]
  LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
  LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Security Control Selection
Select controls based on data sensitivity and system criticality
NIST SP 800-53, Recommended Security Controls for Federal Information Systems
“In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States, are encouraged to use these guidelines, as appropriate.”
17 Control Families
171 Controls each providing high, moderate, and low baselines
Security Control Selection
IDENTIFIER  FAMILY  CLASS  # CONTROLS
AC  Access Control  Technical  20
AT  Awareness and Training  Operational  5
AU  Audit and Accountability  Technical  11
CA  Certification, Accreditation, and Security Assessments  Management  7
CM  Configuration Management  Operational  8
CP  Contingency Planning  Operational  10
IA  Identification and Authentication  Technical  7
IR  Incident Response  Operational  7
MA  Maintenance  Operational  6
MP  Media Protection  Operational  6
PE  Physical and Environmental Protection  Operational  19
PL  Planning  Management  6
PS  Personnel Security  Operational  8
RA  Risk Assessment  Management  5
SA  System and Services Acquisition  Management  11
SC  System and Communications Protection  Technical  23
SI  System and Information Integrity  Operational  12
Security Control Selection: PE-8 ACCESS RECORDS
Control: The organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) that includes: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: None.
Control Enhancements:
(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.
Baseline allocation: LOW: PE-8 | MOD: PE-8 | HIGH: PE-8 (1) (2)
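The categorization and selection steps above (FIPS 199 impact levels per objective, the high-water mark that picks the baseline, and the baseline allocation of PE-8 and its enhancements shown on the slide) as an added worked example, not code from the presentation. The information types and their impact values are constructed; the high-water-mark rule is the one FIPS 199/FIPS 200 prescribe.

```python
"""FIPS 199 security categorization -> SP 800-53 baseline -> PE-8 selection.

Added example (not from the presentation). The PE-8 allocation (LOW/MOD: PE-8,
HIGH: PE-8 (1) (2)) is taken from the slide; the information types below are
constructed sample data, not an actual Federal Student Aid categorization.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")       # ordered so LEVELS.index ranks them
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def system_category(info_types):
    """FIPS 199: for each objective, the system's impact is the highest impact
    assigned to any information type the system processes."""
    return {obj: max((getattr(t, obj) for t in info_types), key=LEVELS.index)
            for obj in OBJECTIVES}


def impact_level(sc):
    """FIPS 200 high-water mark: the overall impact level (and therefore the
    SP 800-53 baseline) is the highest of the three objective levels."""
    return max(sc.values(), key=LEVELS.index)


# Baseline allocation for PE-8 as shown on the slide: the base control applies
# at every level, enhancements (1) and (2) only at HIGH.
PE8_BASELINE = {
    "LOW": ["PE-8"],
    "MODERATE": ["PE-8"],
    "HIGH": ["PE-8", "PE-8(1)", "PE-8(2)"],
}


def select_pe8(level):
    return PE8_BASELINE[level]


# Constructed sample: a system holding public data, applicant PII, and
# disbursement records whose integrity matters most.
SAMPLE_TYPES = [
    InfoType("public program information", "LOW", "LOW", "LOW"),
    InfoType("applicant PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment disbursement records", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    sc = system_category(SAMPLE_TYPES)
    lvl = impact_level(sc)
    print("SC =", sc)
    print("impact level:", lvl, "-> PE-8 controls:", select_pe8(lvl))
```

Dropping the disbursement records from SAMPLE_TYPES lowers the system to MODERATE, and the PE-8 enhancements fall out of the baseline; this is the "data sensitivity drives control selection" point the slide makes.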
Security Control Refinement (assess the risk – SP 800-30)
Security Control Refinement
• High: If an observation or finding is evaluated as high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
• Moderate: If an observation is rated as moderate risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low: If an observation is described as low risk, the system’s authorizing official must determine whether corrective actions are still required or decide to accept the risk.
Security Control Documentation
• Plans of Actions and Milestones (SP 800-37)
  o Security Control Weaknesses
  o Plan of remediation
• System Security Plan (SP 800-18, SP 800-53)
  o System Description
  o Rules of Behavior
  o Security Controls (in-place and planned)
• Contingency Plan (SP 800-34)
  o Business Impact Analysis (BIA)
  o System Description
  o Notification / Activation, Recovery, Deactivation
Security Control Implementation
• Implement Plans of Actions and Milestones (POAMs)
• Update system controls based on security plan
• Use security configuration guides (SP 800-70)
• Update System Security Plan
Security Control Assessment (SP 800-53A, SP 800-37)
• Independent reviewer (Certification Agent)
• Reviews controls identified in System Security Plan
• Determines control effectiveness
• Used to update POAMs
• Provides input to system authorization official
Security Authorization (SP 800-37)
Determines Risk to agency, agency assets, or individuals
Security Control Monitoring (SP 800-37, SP 800-53A)
• Continuously track changes and new vulnerabilities to system
• Vulnerability scans and penetration testing
• Audit and Log monitoring
• Security configuration and compliance
• Assessments and reviews
• Intrusion detection and prevention systems (IDPSs) for effective incident response
Security Incident Response and Reporting
What’s a Security Incident?
An incident can be unintentional or malicious. SP 800-61 states: “A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are as follows:”
• Denial of Service
• Malicious Code
• Unauthorized Access
• Inappropriate Usage
Security Incident Response and Reporting
US-CERT’s Classification of Incidents

CAT 0: Exercise/Network Defense Testing
  This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.
CAT 1: Unauthorized Access
  In this category an individual or agent gains access without permission to a federal agency facility, network, system, application, or data, including Personally Identifiable Information (PII), in both soft copy (electronic) and hard copy (paper document).
CAT 2: Denial of Service
  An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.
CAT 3: Malicious Code
  Successful installation of malicious software (e.g., virus, worm, Trojan horse) that infects an operating system or application. Users are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
CAT 4: Improper Usage
  A person violates acceptable computing or facility use policies, with or without malicious intent.
CAT 5: Scans / Probes / Attempted Access
  This category includes activities that seek to access or identify any Federal Student Aid computer or network component for exploit. In addition, any unauthorized attempts to physically access Federal Student Aid facilities are included in this category.
CAT 6: Investigation
  Unconfirmed incidents that are anomalous—potentially malicious— activities, involving either electronic or printed information, deemed by the reporting entity to warrant further review.
Security Incident Response and Reporting
Preparation
• Creating an incident response policy
  – Statement of management commitment
  – Purpose and objectives of the policy
  – Scope of the policy (to whom, what it applies to, and under what circumstances)
  – Definition of computer security incidents and their consequences within the context of the organization
  – Organizational structure and delineation of roles, responsibilities, and levels of authority
  – Prioritization or severity ratings of incidents
  – Performance measure
  – Reporting and contact forms
Preparation (con’t)
• Developing procedures for performing incident handling and reporting, based on the incident response policy
• Setting guidelines for communicating with outside parties regarding incidents
• Selecting a team structure and staffing model
• Establishing relationships between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
• Determining what services the incident response team should provide
• Staffing and training the incident response team.
Detection and Analysis
• Incident Categories
• Signs of an Incident
• Sources of Precursors and Indications
• Incident Analysis
• Incident Documentation
• Incident Prioritization
• Incident Notification
Contain, Eradicate, Recover
• Enact your containment strategy
  – Isolate affected systems
• Evidence Gathering and Evidence Handling
  – Chain of Custody
• Remove the risks to the systems
• Recover the systems
  – Restore from clean backups
  – Rebuild systems
  – Replace compromised files and applications
  – Install patches
  – Change passwords
Post Incident Activities
• Lessons Learned (Hotwash)
  – Be critical
  – Use collected data
  – Review security settings (what allowed the incident to occur)
  – Review what went right and what needs improvement
• Evidence Retention
  – Prosecution
  – Data Retention
  – Costs
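The chain-of-custody and evidence-retention points in the containment and post-incident steps above, as an added example that is not part of the presentation: each evidence item is hashed when collected, every hand-off re-hashes it and is refused if the hash no longer matches, and the custody log itself can be checked end to end. The sample log line and handler names are constructed.

```python
"""Evidence log with chain of custody (added example, not from the deck).

A SHA-256 hash is recorded at collection; each custody transfer verifies the
current content against it, so modification between handlers is detected
and the transfer is refused. Evidence bytes and handler names are constructed.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    def __init__(self, item_id, description, data, collector):
        self.item_id = item_id
        self.description = description
        self.data = data                          # in practice a file or disk image
        self.original_hash = sha256_hex(data)
        self.custody = []                         # (utc time, handler, action, hash)
        self._log(collector, "collected")

    def _log(self, handler, action):
        stamp = datetime.now(timezone.utc).isoformat()
        self.custody.append((stamp, handler, action, sha256_hex(self.data)))

    def verify(self):
        """True if the content still matches the hash taken at collection."""
        return sha256_hex(self.data) == self.original_hash

    def transfer(self, from_handler, to_handler):
        """Record a hand-off; refuse it unless the sender currently holds the
        item and its integrity can still be shown."""
        if self.custody[-1][1] != from_handler:
            raise ValueError(f"{from_handler} does not currently hold {self.item_id}")
        if not self.verify():
            self._log(from_handler, "INTEGRITY FAILURE")
            raise ValueError(f"hash mismatch on {self.item_id}; transfer refused")
        self._log(to_handler, f"received from {from_handler}")
        return True


def custody_chain_ok(item):
    """Every logged hash equals the collection hash: no gap in the chain."""
    return all(h == item.original_hash for _, _, _, h in item.custody)


# Constructed sample evidence: one proxy log line captured from an affected host.
SAMPLE_LOG = b"2008-03-14T10:22:05Z proxy01 WS-17 GET http://example.invalid/update.exe 200\n"

if __name__ == "__main__":
    item = EvidenceItem("E-001", "proxy log excerpt, host WS-17", SAMPLE_LOG, "analyst_a")
    item.transfer("analyst_a", "forensics_b")
    item.data += b"edited\n"                      # simulate tampering in custody
    try:
        item.transfer("forensics_b", "legal_c")
    except ValueError as err:
        print("refused:", err)
    print("chain intact:", custody_chain_ok(item))
```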
Resources
Vulnerabilities:
– OWASP (http://www.owasp.org)
– SANS Top 20 (www.sans.org/top20)
– National Vulnerability Database (http://nvd.nist.gov)
– cgisecurity (http://www.cgisecurity.com)
Guidance:
– National Institute of Standards and Technology (NIST) Computer Security Resource Center (http://csrc.nist.gov/publications/nistpubs/)
– Center for Internet Security (CIS) (http://www.cisecurity.org/)
– Educause (http://connect.educause.edu/term_view/Cybersecurity)
Questions?
Contact Information
We appreciate your feedback and comments. We can be reached at:
Bob Ingwalson
• Phone: 202.377.3563
• Email: [email protected]
• Fax: 202.275.0907
Tom Peters
• Phone: 202.377.3938
• Email: [email protected]
• Fax: 202.275.0907