Security Control Families Operational Class

Security Control Families Operational Class. Awareness & Training AT-2Security Awareness AT-3Security Training AT-4Security Training Records 800-16



ID  Class        Family                                        # of Controls
CA  Management   Security Assessment and Authorization          6
PL  Management   Planning                                       5
PM  Management   Program Management                            11
RA  Management   Risk Assessment                                4
SA  Management   System and Services Acquisition               14
                 Management subtotal                           40
AT  Operational  Awareness and Training                         5
CM  Operational  Configuration Management                       9
CP  Operational  Contingency Planning                          10
IR  Operational  Incident Response                              8
MA  Operational  Maintenance                                    6
MP  Operational  Media Protection                               6
PE  Operational  Physical and Environmental Protection         19
PS  Operational  Personnel Security                             8
SI  Operational  System and Information Integrity              13
                 Operational subtotal                          84
AC  Technical    Access Control                                19
AU  Technical    Audit and Accountability                      14
IA  Technical    Identification and Authentication              8
SC  Technical    System and Communications Protection          34
                 Technical subtotal                            75


Awareness & Training

AT-2 Security Awareness
AT-3 Security Training
AT-4 Security Training Records

Supporting guidance: SP 800-16, SP 800-50

SP 800-84 – Plan Testing, Training and Exercise; related controls:
CP-3 Contingency Training
IR-2 Incident Response Training
CP-4 Contingency Plan Testing and Exercises
IR-3 Incident Response Testing and Exercises


TT&E

Test, Training and Exercises
– Tabletop
– Functional

CP-3 Contingency Training
IR-2 Incident Response Training
CP-4 Contingency Plan Testing and Exercises
IR-3 Incident Response Testing and Exercises


CP TT&E



Configuration Management

CM-2 Baseline Configuration
CM-3 Configuration Change Control
CM-4 Security Impact Analysis
CM-5 Access Restrictions for Change
CM-6 Configuration Settings
CM-7 Least Functionality
CM-8 Information System Component Inventory
CM-9 Configuration Management Plan

Supporting guidance: SP 800-70, SP 800-128 (CM)
OMB 07-11, OMB 07-18, OMB 08-22
SCAP/NVD
FDCC


The Phases of Security-focused Configuration Management


SCAP v1.2 Components


Additional SCAP Terminology


Knowledge Check

Which SCAP specifications provide a standard naming convention for operating systems, hardware, and applications for the purpose of providing consistent, easily parsed names?

What is defined as an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes?

Which Special Publication provides guidelines on designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events?


Contingency Planning

CP-6 Alternate Storage Site
CP-7 Alternate Processing Site
CP-8 Telecommunications Services
CP-9 Information System Backup
CP-10 Information System Recovery and Reconstitution

Supporting guidance: SP 800-34
FCD 1


Types of Plans


Contingency Planning Process


Business Impact Analysis


System/Process Downtime

Maximum Tolerable Downtime (MTD)
Recovery Time Objective (RTO)
Recovery Point Objective (RPO)


Recovery Strategies


Incident Response

IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan

Supporting guidance: SP 800-61 – Incident Response; SP 800-83 – Malware (SI)


Handling an Incident

Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity


Incident Reporting Organizations

US-CERT [IR-6, IR-7]

Information Analysis Infrastructure Protection (IAIP)
CERT® Coordination Center (CERT®/CC)
Information Sharing and Analysis Centers (ISAC)

Each agency must designate a primary and secondary POC with US-CERT, report all incidents, and internally document corrective actions and their impact. [IR-7]


Federal Agency Incident Reporting Categories

CAT 0 - Exercise/Network Defense Testing
CAT 1 - *Unauthorized Access
CAT 2 - *Denial of Service (DoS)
CAT 3 - *Malicious Code
CAT 4 - *Inappropriate Usage
CAT 5 - Scans/Probes/Attempted Access
CAT 6 - Investigation

* Any incident that involves compromised PII must be reported to US-CERT within 1 hour of detection regardless of the incident category reporting timeframe.


Knowledge Check

Name the contingency planning variable that defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business functions, and the MTD?

What is created to correlate the information system with critical mission/business processes, which is further used to characterize the consequences of a disruption?

Which Federal mandate requires agencies to report incidents to US-CERT?

What is the US-CERT incident category name and reporting timeframe for a CAT-2 incident?


System Maintenance

MA-2 Controlled Maintenance
MA-3 Maintenance Tools
MA-4 Non-Local Maintenance
MA-5 Maintenance Personnel
MA-6 Timely Maintenance

Supporting guidance: SP 800-63 – E-Authentication (IA); SP 800-88 – Sanitization (MP)
FIPS 140-2 – Cryptographic Modules; FIPS 197 – AES; FIPS 201 – PIV (IA)


Encryption Standards

FIPS 140-2
– Level 1 – Basic (at least one Approved algorithm or Approved security function shall be used)
– Level (EAL) 2 – Tamper-evidence, requires role-based authentication
– Level (EAL) 3 – Intrusion detection and prevention, requires identity-based authentication mechanisms
– Level (EAL) 4 – Zeroization, environmental protection

Advanced Encryption Standard (FIPS 197)


Media Protection

MP-2 Media Access
MP-3 Media Marking
MP-4 Media Storage
MP-5 Media Transport
MP-6 Media Sanitization

Supporting guidance:
SP 800-56, SP 800-57 – Key Management
SP 800-60
SP 800-88 – Sanitization
SP 800-111 – Storage Encryption


Storage Encryption Technologies


Media Sanitization

Disposal - discarding media with no other sanitization considerations.

Clearing - must not allow information to be retrieved by data, disk, or file recovery utilities.

Purging - protects the confidentiality of information against a laboratory attack.

Destroying - the ultimate form of sanitization: disintegration, incineration, pulverizing, shredding, and melting.


Sanitization and Disposition Decision Flow


Physical & Environmental Protection

PE-2 Emergency Shutoff
PE-3 Emergency Power
PE-4 Emergency Lighting
PE-5 Fire Protection
PE-6 Temperature and Humidity Controls
PE-7 Water Damage Protection
PE-8 Delivery and Removal
PE-9 Alternate Work Site
PE-10 Location of Information System Components
PE-11 Physical Access Authorizations
PE-12 Physical Access Control
PE-13 Access Control for Transmission Medium
PE-14 Access Control for Output Devices
PE-15 Monitoring Physical Access
PE-16 Visitor Control
PE-17 Access Records
PE-18 Power Equipment and Power Cabling

Supporting guidance: SP 800-46 – Telework/Remote Access
SP 800-73, SP 800-76, SP 800-78, FIPS 201 – PIV (IA)


Physical Access Controls

Badges
Memory Cards
Guards
Keys
True-floor-to-true-ceiling Wall Construction
Fences
Locks


Fire Safety

Ignition Sources
Fuel Sources
Building Operation
Building Occupancy
Fire Detection
Fire Extinguishment


Supporting Utilities

Air-conditioning System
Electric Power Distribution
Heating Plants
Water
Sewage
Planning for Failure
– Mean-Time-Between-Failures (MTBF)
– Mean-Time-To-Repair (MTTR)


Personnel Security

PS-2 Position Categorization
PS-3 Personnel Screening
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 Third-Party Personnel Security
PS-8 Personnel Sanctions

Supporting guidance: SP 800-73, SP 800-76, SP 800-78 – PIV (IA)
5 CFR 731.106 – Designation of public trust positions and investigative requirements
ICD 704 – Personnel Security Standards (SCI)


Staffing


User Administration

User Account Management
Audit and Management Reviews
Detecting Unauthorized/Illegal Activities
Temporary Assignments and In-house Transfers
Termination


Termination

Friendly Termination
Unfriendly Termination


Knowledge Check

Which FIPS 140-2 encryption level requires identity-based authentication?

Which FIPS publication specifies the Rijndael algorithm, a symmetric block cipher that processes data blocks of 128 bits using cipher keys of 128, 192, and 256 bits?

What is the recommended disposal method, from the sanitization guidelines of NIST SP 800-88, for paper-based medical records containing sensitive PII?

What is the supporting guideline for PE-9 Alternate Work Site?


Systems Integrity

SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 Information System Monitoring
SI-5 Security Alerts, Advisories, and Directives
SI-6 Security Functionality Verification
SI-7 Software and Information Integrity
SI-8 Spam Protection
SI-9 Information Input Restrictions
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Output Handling and Retention

Supporting guidance:
SP 800-40 – Patching (RA)
SP 800-45 – Email
SP 800-61 – Incidents (IR)
SP 800-83 – Malware
SP 800-92 – Logs (AU)
SP 800-94 – IDPS
NVD/CWE


Malware Incident Prevention & Handling

Malware Categories

Malware Incident Prevention
– Policy
– Awareness
– Vulnerability Mitigation
– Threat Mitigation

Malware Incident Response
– Preparation
– Detection
– Containment
– Eradication
– Recovery
– Lessons Learned


Malware Categories

Viruses
– Compiled Viruses
– Interpreted Viruses
– Virus Obfuscation Techniques

Worms
Trojan Horses
Malicious Mobile Code
Blended Attacks
Tracking Cookies

Attacker Tools
– Backdoors
– Keystroke Loggers
– Rootkits
– Web Browser Plug-Ins
– E-Mail Generators
– Attacker Toolkits

Non-Malware Threats
– Phishing
– Virus Hoaxes


Uses of IDPS Technologies

Identifying Possible Incidents
Identifying Reconnaissance Activity
Identifying Security Policy Problems
Documenting Existing Threats to an Organization
Deterring Individuals from Violating Security Policies


Key Functions of IDPS Technologies

Recording information related to observed events
Notifying security administrators of important observed events
Producing reports

Response Techniques
– Stops Attack
– Changes Security Environment
– Changes Attack's Content

False Positive
False Negative
Tuning
Evasion


Common Detection Methodologies

Signature-Based Detection
Anomaly-Based Detection
Stateful Protocol Analysis
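Added example, not part of the original deck or of any NIST publication: a small Python detector that runs the first two methodologies on this slide (signature-based and anomaly-based) over constructed web-server log lines and scores each against labelled ground truth, so that the false positive, false negative, tuning and evasion terms from the key-functions slide can be seen concretely. The hosts, paths, signature rules and request-count threshold are all assumptions made for the example; the batch client 10.0.0.12 is included as a legitimate high-volume source.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log sample: "<client> <method> <path>". Hosts, paths and
# activity are invented for this example. 10.0.0.9 and 10.0.0.11 send the same
# path-traversal probe, the second one URL-encoded; 10.0.0.12 is a legitimate
# batch client that generates a burst of requests.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html",
    "10.0.0.5 GET /about.html",
    "10.0.0.7 GET /login",
    "10.0.0.7 POST /login",
    "10.0.0.9 GET /search?q=../../etc/passwd",
    "10.0.0.11 GET /search?q=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "10.0.0.12 GET /api/items?id=1",
    "10.0.0.12 GET /api/items?id=2",
    "10.0.0.12 GET /api/items?id=3",
    "10.0.0.12 GET /api/items?id=4",
    "10.0.0.12 GET /api/items?id=5",
    "10.0.0.12 GET /api/items?id=6",
    "10.0.0.15 GET /docs/passwd-policy.html",
]

# Ground truth for the constructed sample, used only to score the detectors.
TRUE_HOSTILE = {"10.0.0.9", "10.0.0.11"}

# Signature-based rule set (assumed for the example, not any product's rules).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sensitive-file", re.compile(r"/etc/passwd\b")),
]


def parse(line):
    """Split one constructed log line into (client, method, path)."""
    client, method, path = line.split(" ", 2)
    return client, method, path


def signature_detect(lines, normalize=True):
    """Signature-based detection: return {client: [matched rule names]}.

    With normalize=False the rules run on the raw path, so the URL-encoded
    request from 10.0.0.11 slips past: the evasion / false-negative case.
    Decoding before matching (normalize=True) closes that gap."""
    hits = {}
    for line in lines:
        client, _method, path = parse(line)
        candidate = unquote(path) if normalize else path
        for name, rx in SIGNATURES:
            if rx.search(candidate):
                hits.setdefault(client, []).append(name)
    return hits


def anomaly_detect(lines, max_requests):
    """Anomaly-based detection: return clients whose request count exceeds
    the tuned threshold. It sees volume only, never the content of a request."""
    counts = Counter(parse(line)[0] for line in lines)
    return {client for client, n in counts.items() if n > max_requests}


def score(flagged, truth=TRUE_HOSTILE):
    """False positives: flagged but benign. False negatives: hostile but missed."""
    flagged = set(flagged)
    return {"fp": flagged - truth, "fn": truth - flagged}


if __name__ == "__main__":
    for norm in (False, True):
        flagged = signature_detect(SAMPLE_LOG, normalize=norm)
        print(f"signature normalize={norm}: {sorted(flagged)} {score(flagged)}")
    for threshold in (5, 6):
        flagged = anomaly_detect(SAMPLE_LOG, threshold)
        print(f"anomaly threshold={threshold}: {sorted(flagged)} {score(flagged)}")
```

Run stand-alone, the signature pass without normalization misses 10.0.0.11 (a false negative caused by encoding evasion), while the anomaly pass at a threshold of 5 flags only the benign batch client (a false positive) and misses both low-volume probes; raising the threshold to 6 removes the false positive but then the anomaly detector reports nothing. That is the trade-off tuning has to manage, and why the two methodologies are used together rather than as alternatives.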


Types of IDPS Technologies

Network-Based
Wireless
Network Behavior Analysis
Host-Based


Email Security - Spam

Ensure that spam cannot be sent from the mail servers the organization controls
Implement spam filtering for inbound messages
Block messages from known spam-sending servers


Operational Security Controls Key Concepts & Vocabulary

Awareness and Training
Configuration Management
Contingency Planning
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Personnel Security
System and Information Integrity