Copyright © Ciena Corporation 2015. All rights reserved. Confidential & Proprietary.
Network Security Assessments
Robert Kimball
CTO – Ciena Government Solutions Inc.
Network Security & Assured Networks: TechNet Augusta 2015

The key difference between certification and accreditation is that accreditation looks at the entire enterprise (people, equipment, and procedures), while certification focuses only on the equipment.

Since the answers to these questions are not static and change as events occur, the organization's risk tolerance has to balance expected threats against the cost of protection.

Control family                          Controls assessed
Access Control                          AC-1, AC-2(1,2,3,4), AC-3, AC-4, AC-6(1,2,5,9,10), AC-7, AC-8, AC-11, AC-14, AC-17(1,2,3,4)
Awareness and Training                  N/A
Audit and Accountability                AU-2(3,4), AU-3(1), AU-4
Security Assessment and Authorization   N/A
Configuration Management                CM-2(1,3), CM-3(2), CM-5, CM-6
Contingency Planning                    CP-9(1), CP-10(2,3)
Identification and Authentication       IA-2(1,2,3,8), IA-3, IA-4, IA-5(1,2,3), IA-6
Incident Response                       N/A
Maintenance                             N/A
Media Protection                        N/A
Physical and Environmental Protection   N/A
Planning                                N/A
Personnel Security                      N/A
Risk Assessment                         N/A
System and Services Acquisition         N/A
System and Communications Protection    SC-1, SC-2, SC-4, SC-5, SC-7(1,3,4,5,7), SC-8(1), SC-10, SC-12, SC-13, SC-17, SC-23, SC-28, SC-32, SC-39
System and Information Integrity        SI-3(1,2,3), SI-4(2,4,5,8), SI-7(1,8), SI-11
Program Management                      N/A
Numbers in parentheses are NIST SP 800-53 control enhancements.

Ref: AC-8 System Use Notification
The system must display a notification message or banner before logon that remains in place until the user takes a specific action, such as logging on. Best-practice banners include the following elements:
- Information system usage may be monitored, recorded, and subject to audit
- Unauthorized use is prohibited and may be subject to civil and criminal penalties
- Use of the system implies consent to monitoring and recording
Ref: AC-11 Session Lock
The system must block access after a predetermined period of inactivity or on user request, conceal previously visible information behind a publicly viewable image, and require the user to re-establish identification and authentication before regaining access. Assessment is performed by monitoring the session timeout behavior: leave an authenticated session idle, confirm that the lock engages at the configured interval, and confirm that it cannot be cleared without re-authenticating.

Ref: AU-2 Auditable Events
The enterprise must define which events are auditable. Best practice focuses on security-relevant information and on the ability to forensically analyze a security incident. The assessment validates that all of the defined auditable events are actually captured by the system. Best practices include:
- A requirement to periodically review and update the set of auditable events
- The inclusion of privileged functions among the auditable events
Ref: AU-3 Content of Audit Records
Audit records contain, at a minimum, what event happened, when and where it happened, its source, its outcome, and the user account associated with it. Best practices include:
- User-defined audit records specific to the enterprise
Ref: AU-4 Audit Storage Capacity
The assessment validates that the system has the determined amount of audit record storage capacity. The determined amount may be a fixed level, a user-defined capacity, or the ability to connect external storage devices.
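As an added example (not from the presentation or Ciena's tooling), the checks an assessor would run for AU-2 and AU-3 over a device's audit log: every record must carry the minimum content, every event in the enterprise's defined auditable set must actually appear, and the privileged functions must be among them. The key=value log format, the event list and the sample records are constructed for the example.

```python
"""AU-2 / AU-3 assessment helper (added example; constructed log format).

Checks that each audit record carries the AU-3 minimum content (what, when,
where, source, outcome, user) and that every event the enterprise declared
auditable (AU-2), privileged functions included, is actually produced.
"""
import re
from datetime import datetime

# Hypothetical enterprise-defined auditable event set (AU-2).
AUDITABLE_EVENTS = {
    "login_success", "login_failure", "config_change",
    "privilege_escalation", "user_created", "audit_config_change",
}
# AU-2 best practice: privileged functions must be in the auditable set.
PRIVILEGED_EVENTS = {"config_change", "privilege_escalation",
                     "user_created", "audit_config_change"}
# AU-3 minimum content, as record fields in this constructed format.
REQUIRED_FIELDS = ("event", "ts", "host", "src", "user", "outcome")

# Constructed sample records (not real device output).
SAMPLE_LOG = """\
ts=2015-08-04T13:02:11Z host=ne-01 event=login_success user=admin src=10.0.0.5 outcome=success
ts=2015-08-04T13:02:40Z host=ne-01 event=config_change user=admin src=10.0.0.5 outcome=success detail="set ntp server 10.0.0.7"
ts=2015-08-04T13:05:03Z host=ne-01 event=login_failure src=10.0.0.99 outcome=failure
ts=2015-08-04T13:06:00Z host=ne-01 event=user_created user=admin src=10.0.0.5 outcome=success
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Parse one key=value record; quoted values keep their spaces, lose the quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def check_record(rec: dict) -> list:
    """Return the AU-3 problems with one record (empty list means compliant)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "ts" in rec:
        try:
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("timestamp not ISO-8601 UTC")
    if rec.get("event") not in AUDITABLE_EVENTS:
        problems.append(f"event {rec.get('event')!r} not in the defined auditable set")
    return problems


def assess(log_text: str) -> dict:
    """Run the checks over a whole log and summarise AU-2 coverage."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    findings = {}
    seen = set()
    for number, rec in enumerate(records, 1):
        seen.add(rec.get("event"))
        problems = check_record(rec)
        if problems:
            findings[number] = problems
    return {
        "records": len(records),
        "findings": findings,                       # record number -> problems
        "auditable_not_seen": sorted(AUDITABLE_EVENTS - seen),
        "privileged_not_seen": sorted(PRIVILEGED_EVENTS - seen),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_LOG), indent=2))
```

On the sample log the third record is a finding: a failed login that does not record the attempted user name is incomplete under AU-3, and lockout under AC-7 and brute-force detection both depend on that field. The coverage lists show which defined events the assessor has not yet observed and must still provoke during the test.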
Ref: CM-2 Baseline Configuration
The system must produce a baseline configuration that is kept under configuration control. Best practices include:
- Baselines are recomputed at defined frequencies and as part of upgrades and installations
- The system retains a predefined number of previous baseline versions
Ref: CM-3 Configuration Change Control
System deployments are under a change control process. The assessment requires the system to produce records of configuration changes and to audit the activities associated with configuration control events. Best practice includes:
- The system must support test and validation of configuration changes before they are applied. This should be done in an environment external to the production system.
Ref: CM-5 Access Restrictions for Change
The system must enforce physical and logical access restrictions on the users allowed to make configuration changes to hardware and software. This can take the form of access control lists or privileged account types. The assessment documents the access controls and validates that only authorized users are able to make configuration changes, including a negative test that a non-privileged account is refused.
Ref: CP-9 Information System Backup
The assessment reviews historical backups of user, system, and security information taken at the defined intervals.
The system must protect the confidentiality, integrity, and availability of backed-up information. The assessment evaluates the backup protections to ensure viability. Best practices include:
- Backed-up data is tested for reliability and information integrity (a backup that has never been restored is unverified)
Ref: CP-10 Information System Recovery and Reconstitution
The assessment validates recovery and reconstitution of the system to a known state after a disruption, compromise, or failure. This is likely to be performed by validating that the capability exists rather than by introducing an actual failure. Best practices include:
- If transaction-based systems are involved, the system implements transaction recovery, including transaction rollback and transaction journaling. This is relevant to database management systems.
- Identify compensating security controls for circumstances that may inhibit recovery and reconstitution to a known state. This includes relaxing security controls if required during recovery operations, then returning to trusted status and restoring the security controls during reconstitution to a known state.
Ref: IA-2 Identification and Authentication (Organizational Users)
The system uniquely identifies and authenticates users, and processes acting on behalf of users.
Best practices include:
- The system employs multi-factor authentication for network access to non-privileged accounts
- The system employs multi-factor authentication for local access to privileged accounts
- The system employs replay-resistant authentication mechanisms, such as Transport Layer Security (TLS) and time-synchronous or one-time authenticators, for network access to privileged accounts
Note that the DoD prefers hardware-held certificates (smart-card credentials such as the CAC) for authentication.
Ref: IA-3 Device-to-Device Identification and Authentication
The information system uniquely identifies specific devices, or types of devices, before establishing a connection (remote, network, or local).
Typically MAC or IP addresses are used as device identifiers for authentication solutions (e.g. IEEE 802.1X with the Extensible Authentication Protocol (EAP), a RADIUS server with EAP-TLS authentication, or Kerberos). MAC and IP addresses are trivially spoofed, so where the risk profile requires it the identification should be bound to a device credential such as an EAP-TLS certificate rather than to the address alone.
The assessment monitors the connection process for a number of devices and validates that each device and device type is uniquely identified.
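An added example (not the presentation's or Ciena's code) of the IA-2(8) requirement above, a time-synchronous one-time authenticator that is also replay resistant: the verifier below implements TOTP per RFC 6238 (HMAC-SHA1, 30-second step, one step of clock skew either side) and refuses any code for a time step at or before the last one it accepted, so a code captured on the wire cannot be reused inside its validity window. The shared secret is the RFC 6238 reference-vector seed so the output can be checked against the RFC; the user names are made up.

```python
"""IA-2(8): replay-resistant, time-synchronous one-time authenticator (added example).

TOTP per RFC 6238 (HMAC-SHA1, 30-second step) with a server-side verifier
that refuses any code for a time step at or before the last one it accepted,
so a captured code cannot be replayed inside its validity window.
"""
import hashlib
import hmac
import struct

STEP = 30       # seconds per time step
DIGITS = 8      # RFC 6238 reference vectors use 8; most deployments use 6
SKEW = 1        # accept one step of clock drift either side

# The RFC 6238 reference-vector seed (ASCII "12345678901234567890"), used here
# only so the computed codes can be checked against the RFC; never reuse it.
RFC6238_SEED = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """Compute the TOTP code for a Unix time (RFC 4226 dynamic truncation)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Verifier that remembers the last accepted time step per user."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # user -> shared secret bytes
        self._last_step = {}             # user -> last accepted counter value

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        current = now // STEP
        for candidate in range(current - SKEW, current + SKEW + 1):
            # Replay resistance: never accept a step at or before the last
            # accepted one (the default of -1 also rejects negative steps).
            if candidate <= self._last_step.get(user, -1):
                continue
            if hmac.compare_digest(totp(secret, candidate * STEP), code):
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier({"admin": RFC6238_SEED})
    print(totp(RFC6238_SEED, 59))             # 94287082 per RFC 6238 Appendix B
    print(v.verify("admin", "94287082", 59))  # True
    print(v.verify("admin", "94287082", 70))  # False: same step, replayed
```

The time-based code alone only bounds the replay window to the step plus skew; it is the per-user high-water mark on the accepted step that turns it into a one-time authenticator. An assessor checking IA-2(8) should submit a valid code twice and confirm the second attempt is refused, and should also confirm the verifier is not lenient about skew beyond what the policy allows.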
Ref: IA-4 Identifier Management
The system facilitates management of information system identifiers by preventing the reuse of assigned identifiers for a defined period and by disabling identifiers after a defined period of inactivity.
The assessment reviews the connection identification of all connected devices and verifies that no duplicate identifiers are present. The assessment then attempts to connect using a previously allocated identifier and confirms that the system prevents its reuse. Finally, the assessment confirms the timeout behavior of inactive identifiers.
Ref: IA-5 Authenticator Management
The system shall ensure that the authentication mechanism has sufficient strength for its intended use, change the default content of authenticators upon installation, establish minimum and maximum lifetimes and reuse restrictions for authenticators, change authenticators periodically, protect authenticator information from modification or disclosure, and force an authenticator change upon a role change.
Authenticators generally include passwords, tokens, biometrics, PKI certificates, and key cards. Not all forms have to be supported.
In this case the enterprise identifies the required strength of its authentication mechanisms. The assessment evaluates actual performance to ensure the requested strength is available.
Best practices include:
- Password authentication enforces a minimum complexity and a minimum number of changed characters on each change, enforces minimum and maximum lifetime restrictions, and prevents reuse for a defined number of generations. Passwords are stored and transmitted only in cryptographically protected form (hashed at rest, encrypted in transit). Minimums and maximums are user-defined.
- PKI authenticators validate the certification path to an accepted trust anchor, enforce authorized access to the corresponding private key, and map the authenticated identity to an individual account.
In-person registration is not applicable.
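An added example, not the vendor's code, of the IA-5 password rules listed above: the change routine enforces minimum complexity, a minimum number of changed characters, minimum and maximum lifetime, and no reuse within the last N generations, while storing only salted PBKDF2 hashes of the history so the reuse check never needs stored plaintext. The changed-character check compares against the old password the user has just supplied, which is the only moment it is available in the clear. The thresholds are assumptions; the enterprise sets its own.

```python
"""IA-5 password authenticator management (added example; thresholds assumed).

Enforces the rules the slide lists: minimum complexity, minimum number of
changed characters, minimum and maximum lifetime, and no reuse within the
last HISTORY generations. Only salted PBKDF2 hashes are stored.
"""
import hashlib
import hmac
import os

# Hypothetical enterprise thresholds; IA-5 leaves them to the organisation.
MIN_LENGTH = 14
MIN_CLASSES = 3              # of: lower, upper, digit, symbol
MIN_CHANGED = 4              # characters that must differ from the old password
MIN_LIFETIME = 24 * 3600     # seconds before a password may be changed again
MAX_LIFETIME = 60 * 86400    # seconds after which a password has expired
HISTORY = 5                  # generations that may not be reused
PBKDF2_ROUNDS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_ok(pw: str) -> bool:
    """Length and character-class requirements."""
    classes = sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ))
    return len(pw) >= MIN_LENGTH and classes >= MIN_CLASSES


def changed_chars(old: str, new: str) -> int:
    """Positions that differ, with the shorter string padded (Hamming distance)."""
    width = max(len(old), len(new))
    return sum(a != b for a, b in zip(old.ljust(width), new.ljust(width)))


class Account:
    """A user account holding only hashed password history and timestamps."""

    def __init__(self, password: str, now: float):
        self.history = []            # (salt, hash) pairs, newest last
        self.changed_at = now
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        del self.history[:-HISTORY]  # retain only the last HISTORY generations

    def authenticate(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)

    def _in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, s), d) for s, d in self.history)

    def expired(self, now: float) -> bool:
        return now - self.changed_at > MAX_LIFETIME

    def change_password(self, old: str, new: str, now: float):
        """Return None if the change is accepted, else the reason it was refused."""
        if not self.authenticate(old):
            return "current password incorrect"
        if now - self.changed_at < MIN_LIFETIME:
            return "minimum lifetime not reached"
        if not complexity_ok(new):
            return "complexity requirements not met"
        if changed_chars(old, new) < MIN_CHANGED:
            return "too few characters changed from the previous password"
        if self._in_history(new):
            return f"reused within the last {HISTORY} generations"
        self._store(new)
        self.changed_at = now
        return None
```

The minimum lifetime exists to stop a user cycling through HISTORY throwaway passwords in a minute to get back to the original; without it the history check is easily defeated. An assessor testing this control should try exactly that sequence against the device.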
Ref: SC-1 System and Communications Protection Policy and Procedures
The enterprise establishes formal policy and procedures for effective implementation of the security controls related to system and communications protection.
The assessment action is to review the document.
Procedures required to implement security controls must appear in the system documentation wherever user configuration is required to implement them.
Ref: SC-2 Application Partitioning
System management information must be kept separate from user data on the system. Separation can be physical or logical. The assessment examines the network management system (NMS) and control-plane communication channels to ensure adequate separation. The level of separation required is based on the enterprise risk profile.
Ref: SC-4 Information in Shared Resources
The information system prevents unauthorized and unintended information transfer via shared system resources. This includes access to shared resources (registers, main memory, or disks) after those resources are released back to a shared pool.
The assessment activity for this area consists of memory scans and disk audits to ensure that unintended information transfer is prevented.
Ref: SC-5 Denial of Service Protection
This control requires identification of the types of denial-of-service (DoS) attacks that are mitigated by the system and a list of the security controls used. This requirement consists of an analysis activity once a set of security controls is defined.
The assessment activity includes a review of the mitigated DoS attacks and an audit to ensure the planned security controls are correctly implemented. A deeper assessment would also evaluate the list of DoS mitigations against the current threat environment and the enterprise risk profile.
Ref: SC-7 Boundary Protection
The system monitors and controls communications at the external boundary of the system and at key internal boundaries, and connects to external systems only through managed interfaces.
The assessment examines each external interface and identifies the key internal boundaries. It then validates that these connections are made only through managed interfaces.
Best practices include:
- Physically allocate publicly accessible system components to subnetworks that are separate from internal networks
- Limit the number of access points to external connections
- Managed interfaces include a traffic flow policy, a method for protecting confidentiality and integrity, and management of exceptions to the traffic flow policy
- Deny external network traffic by default and allow by exception
- Prevent a remote device that has established a non-remote connection to the system (such as over the craft interface) from simultaneously communicating with resources in an external network. This specifically prohibits split tunneling between a VPN into the network and an external resource such as a printer or file server.
Ref: SC-8 Transmission Integrity
The system protects the integrity of transmitted information.
The assessment evaluates the enterprise requirements for protecting information integrity and ensures that the identified protections are adequate to meet those requirements.
Best practices include:
- Cryptography should be used to detect changes to information during transmission. Cryptographic mechanisms should meet FIPS requirements.
Ref: SC-9 Transmission Confidentiality
The system protects the confidentiality of transmitted information.
The assessment evaluates the enterprise requirements for protecting information confidentiality and ensures that the identified protections are adequate to meet those requirements.
Best practices include:
- Cryptography should be used to prevent unauthorized disclosure of information during transmission. Cryptographic mechanisms should meet FIPS requirements. In practice one mechanism (for example TLS or IPsec) supplies both this protection and the integrity protection of SC-8, and the assessment should confirm that the negotiated configuration actually enables both services rather than, say, an integrity-only or null-encryption cipher suite.
Ref: SC-10 Network Disconnect
The system terminates network connections at the end of a session or after a defined period of inactivity. The inactivity period may be a set parameter or a user input.
The assessment validates that connections are terminated when a session ends, and that connections are terminated after the defined period of inactivity.
Ref: SC-12 Cryptographic Key Management
The system manages cryptographic keys via a FIPS-approved procedure. Key management may be automated or manual.
If FIPS certification was achieved, the assessment only needs to note the presence of the certificate. If FIPS certification was not achieved and cryptography is used, then the key management process must be evaluated against the FIPS criteria.
Ref: SC-13 Cryptographic Protection
All cryptographic protection used by the system conforms to FIPS requirements.
If FIPS certification was achieved, the assessment only needs to note the presence of the certificate. If FIPS certification was not achieved and cryptography is used, then the cryptographic system must be evaluated against the FIPS criteria. Note that a FIPS 140-2 certificate applies only to the specific module version and approved mode of operation it names, so the assessment should confirm that the deployed software build is the certified one and is running in that mode.
Ref: SC-17 PKI Certificates
If PKI certificates are used, they are obtained from an approved source.
The assessment documents the PKI certificate issuing authority.
Ref: SC-23 Session Authenticity
The system protects the authenticity of communications at the session level, not only at the packet level, so that session hijacking and the insertion of traffic into an established session are detected.
The assessment examines the session-level protections.
Ref: SC-28 Protection of Information at Rest
The system protects the confidentiality and integrity of information at rest. Which data requires protection is a user-defined parameter but should generally include all security-related data. Cryptography may be used to implement this control.
The assessment validates that any data identified by the enterprise as requiring protection is identified in the system security document. The assessment also examines the mechanism used to protect data at rest, where required.
Ref: SC-32 System Partitioning
The system partitions the information system into separate domains. This requirement could also be satisfied by an analysis showing that there is no requirement for physical separation between system components.
The assessment determines the enterprise requirements for separate domains. If the requirement exists, the assessment validates that the intended separation is achieved.
Ref: SC-37 Out-of-Band Channels
The system assigns specific data and functions to out-of-band channels.
The assessment determines the enterprise requirements for out-of-band channels. If the requirement exists, the assessment validates that data intended for out-of-band channels is correctly routed to them.
Ref: SC-39 Process Isolation
The system maintains a separate execution domain for each executing process. This may be accomplished by assigning each process its own address space. Care should be taken to ensure that no process can alter the execution of any other process.
This is an area that may be fairly difficult to assess in third-party equipment. Penetration testing may be used to look for weaknesses in this area.
Ref: SI-3 Malicious Code Protection
This requirement is generally written to cover the need for anti-virus software in information systems. In the case of communications systems, the requirement applies to the introduction of malicious code during software upgrades or through system vulnerabilities. The requirement is for periodic scans and regular updates to the malicious code protection.
The assessment consists of an examination of the software upgrade process, both in terms of documentation and actual execution.
Best practices include:
- Malicious code protection is centrally managed
- Updates to the malicious code protection mechanisms are performed automatically
- Non-privileged users are prohibited from circumventing the malicious code protection capability
Ref: SI-4 Information System Monitoring
The system is monitored to detect attacks and indicators of potential attacks, and to identify unauthorized use.
The assessment evaluates the system monitoring capabilities, particularly of system administrator actions and configuration control activities. Authorized use is defined in the system security document; unauthorized-use criteria are defined and controls are implemented against them.
Best practices include:
- The system employs automated monitoring tools
- The system monitors inbound and outbound communications for unusual or unauthorized activity
- The system provides alarms
- The system prevents non-privileged users from circumventing intrusion detection and prevention capabilities
Ref: SI-7 Software, Firmware, and Information Integrity
Integrity verification tools are used to detect unauthorized changes to software or firmware. Integrity checking mechanisms include parity checks, cyclic redundancy checks, and cryptographic hashes. Note that parity and CRC checks only detect accidental corruption; an attacker who can modify an image can recompute them, so tamper detection requires a cryptographic hash that is itself authenticated (for example, carried in a digitally signed manifest).
The assessment documents the integrity verification tools used by the enterprise. It evaluates all software and firmware upgrade elements and validates complete integrity coverage of every element.
Best practices include:
- Scans are performed at security-relevant times, such as system start-up or software upgrade
- Detected unauthorized changes are tracked as part of an incident response process
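As an added example of the SI-7 mechanisms above (not the vendor's upgrade tooling), the check below verifies a software/firmware upgrade bundle against a manifest of SHA-256 digests and confirms complete coverage in both directions: every listed element is present, and every element present is listed. The manifest itself is authenticated with an HMAC under a key held by the verifier, because an attacker who can replace an image can just as easily rewrite an unauthenticated manifest; a CRC-32 is carried alongside only as an accidental-corruption check. The bundle contents and the key are constructed for the example.

```python
"""SI-7 integrity verification of an upgrade bundle (added example).

Manifest = JSON body of per-file SHA-256 and CRC-32 values, authenticated
with HMAC-SHA256 under KEY. Verification checks the tag first, then coverage
and per-file digests. CRC-32 catches accidental corruption only; SHA-256
under the authenticated manifest is what detects deliberate change.
"""
import hashlib
import hmac
import json
import zlib

# Constructed bundle and key (a real deployment would use a signature from the
# vendor's private key with the public key pinned on the device).
KEY = b"verifier-held-manifest-key (constructed)"
BUNDLE = {
    "boot.bin": b"\x7fELF" + bytes(64),
    "app.img": b"application image v1.0",
    "config.xml": b"<config><ntp>10.0.0.7</ntp></config>",
}


def build_manifest(files: dict, key: bytes) -> bytes:
    """Produce an HMAC-authenticated manifest covering every file in `files`."""
    body = json.dumps(
        {name: {"sha256": hashlib.sha256(data).hexdigest(),
                "crc32": zlib.crc32(data)}
         for name, data in sorted(files.items())},
        sort_keys=True,
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": tag}).encode()


def verify_bundle(files: dict, manifest: bytes, key: bytes):
    """Return (ok, findings); ok is True only for complete, untampered coverage."""
    outer = json.loads(manifest)
    body = outer["body"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        # Do not trust any digest inside an unauthenticated manifest.
        return False, ["manifest authentication failed"]
    entries = json.loads(body)
    findings = []
    for name in sorted(set(entries) | set(files)):
        if name not in files:
            findings.append(f"{name}: listed in manifest but missing from bundle")
        elif name not in entries:
            findings.append(f"{name}: present in bundle but not covered by manifest")
        else:
            data = files[name]
            if zlib.crc32(data) != entries[name]["crc32"]:
                findings.append(f"{name}: CRC-32 mismatch (corruption)")
            if not hmac.compare_digest(hashlib.sha256(data).hexdigest(),
                                       entries[name]["sha256"]):
                findings.append(f"{name}: SHA-256 mismatch (unauthorized change)")
    return not findings, findings


if __name__ == "__main__":
    manifest = build_manifest(BUNDLE, KEY)
    print(verify_bundle(BUNDLE, manifest, KEY))
    tampered = dict(BUNDLE, **{"app.img": BUNDLE["app.img"] + b" + implant"})
    print(verify_bundle(tampered, manifest, KEY))
    # Attacker rebuilds the manifest without the key: the tag check fails first.
    print(verify_bundle(tampered, build_manifest(tampered, b"attacker"), KEY))
```

The coverage check in both directions is the part assessors most often find missing: a device that verifies every file named in the manifest but silently accepts an extra file dropped into the bundle has no integrity coverage over that file. HMAC keeps the example self-contained; in the field the manifest is signed with the vendor's private key and the device verifies with a pinned public key, so the verifier holds no secret that the attacker could extract.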
Ref: SI-11 Error Handling
The system identifies security-relevant error conditions and generates error messages that are disclosed only to authorized personnel.
The assessment validates that the security-relevant error conditions identified by the enterprise generate error messages. It also validates that only the personnel identified in the system security document have access to those error messages.
Network Security & Assured Networks: TechNet Augusta 2015

More Related Content

PDF
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
PDF
IRJET- Detection of Intrinsic Intrusion and Auspice System by Utilizing Data ...
PPS
Network Vulnerability Assessments: Lessons Learned
PPTX
Privileged Account Management - Keep your logins safe
PDF
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
PPT
Fisma FedRAMP Drupal
PDF
Update to PCI DSS v3.2
PDF
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
IRJET- Detection of Intrinsic Intrusion and Auspice System by Utilizing Data ...
Network Vulnerability Assessments: Lessons Learned
Privileged Account Management - Keep your logins safe
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Fisma FedRAMP Drupal
Update to PCI DSS v3.2
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities

What's hot (19)

PDF
TrustedAgent FedRAMP Security Authorization
PPTX
Database Security - IK
PPT
Chapter006
PPTX
Ch11-Software Engineering 9
PPTX
Ch14 resilience engineering
PPTX
Critical Controls Of Cyber Defense
PPTX
Ch18-Software Engineering 9
PDF
RAINBOW BOOK - Orange book
PDF
Gpc case study_eng_0221
PDF
Engineering Software Products: 7. security and privacy
PPTX
Chapter 3 security part i auditing operating systems and networks
PDF
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
PPTX
Threat Modeling - Writing Secure Code
PPTX
Ch13-Software Engineering 9
PDF
IRJET- Insider Interruption Identification and Protection by using Forens...
PDF
Quadrant MSSP Doc
PDF
internet securityand cyber law Unit3 1
PPTX
Ch13 security engineering
PPTX
Security engineering
TrustedAgent FedRAMP Security Authorization
Database Security - IK
Chapter006
Ch11-Software Engineering 9
Ch14 resilience engineering
Critical Controls Of Cyber Defense
Ch18-Software Engineering 9
RAINBOW BOOK - Orange book
Gpc case study_eng_0221
Engineering Software Products: 7. security and privacy
Chapter 3 security part i auditing operating systems and networks
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
Threat Modeling - Writing Secure Code
Ch13-Software Engineering 9
IRJET- Insider Interruption Identification and Protection by using Forens...
Quadrant MSSP Doc
internet securityand cyber law Unit3 1
Ch13 security engineering
Security engineering
Ad

Similar to Network Security & Assured Networks: TechNet Augusta 2015 (20)

PPT
Ch10 Conducting Audits
PDF
Ch06 Policy
PDF
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
PDF
Update to PCI DSS v3.2
PDF
Pazu Netflix Video Downloader Download
PDF
Internet Download Manager (IDM) Free key
PDF
Skype free Download (Latest version 2025)
PDF
Wondershare Recoverit 13.5.11.3 Free Download
PDF
Apple Logic Pro X Crack for macOS 2025 Free Download
DOCX
M05-Protect Application or System software.docx
PDF
3D Escape crack 2025 Free key Download
PDF
Revo Uninstaller Pro Download (Latest 2025)
PPTX
ARE YOU READY FOR A CYBER EVENT - ASK YOURSELF THESE QUESTIONS.pptx
DOCX
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
PDF
Computer Security Principles And Practice 2nd Edition Stallings Solutions Manual
PPTX
L3 RMF Phase 2 Categorize.pptx
PPT
Eidws 107 information assurance
PDF
The Multifaceted Applications of Houston Access Control Systems.pdf
PDF
Computer Security Principles And Practice 2nd Edition Stallings Solutions Manual
PDF
55994241 cissp-cram
Ch10 Conducting Audits
Ch06 Policy
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
Update to PCI DSS v3.2
Pazu Netflix Video Downloader Download
Internet Download Manager (IDM) Free key
Skype free Download (Latest version 2025)
Wondershare Recoverit 13.5.11.3 Free Download
Apple Logic Pro X Crack for macOS 2025 Free Download
M05-Protect Application or System software.docx
3D Escape crack 2025 Free key Download
Revo Uninstaller Pro Download (Latest 2025)
ARE YOU READY FOR A CYBER EVENT - ASK YOURSELF THESE QUESTIONS.pptx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Computer Security Principles And Practice 2nd Edition Stallings Solutions Manual
L3 RMF Phase 2 Categorize.pptx
Eidws 107 information assurance
The Multifaceted Applications of Houston Access Control Systems.pdf
Computer Security Principles And Practice 2nd Edition Stallings Solutions Manual
55994241 cissp-cram
Ad

More from AFCEA International (20)

PDF
William Halal
PDF
Steve Rieber
PDF
Stephen Wallo
PDF
Bob Gourley
PDF
PDF
Joseph Witt
PDF
PDF
PDF
Major Steven Nielson
PDF
Lt Gen Arnold W. Bunch, Jr
PDF
AFCEA Defense Health Agency (DHA) Brainstorming Session Notes
PPTX
Secure Optical LAN: TechNet Augusta 2015
PPTX
Office Chief of Cyber Personnel Presentation: TechNet Augusta 2015
PPTX
Cyber Ethics: TechNet Augusta 2015
PPTX
Network Convergence: TechNet Augusta 2015
PDF
The Capabilities and Innovations of Joint Communications Support Element (JCS...
PPTX
Expeditionary Network Communications (Engagement Theater Session 3): TechNet ...
PPTX
Office Chief of Signal Personnel Presentation: TechNet Augusta 2015
PPTX
Cyber Commandant Presentation: TechNet Augusta 2015
PPTX
Cyber CoE Doctrine Plan for 2025: TechNet Augusta 2015
William Halal
Steve Rieber
Stephen Wallo
Bob Gourley
Joseph Witt
Major Steven Nielson
Lt Gen Arnold W. Bunch, Jr
AFCEA Defense Health Agency (DHA) Brainstorming Session Notes
Secure Optical LAN: TechNet Augusta 2015
Office Chief of Cyber Personnel Presentation: TechNet Augusta 2015
Cyber Ethics: TechNet Augusta 2015
Network Convergence: TechNet Augusta 2015
The Capabilities and Innovations of Joint Communications Support Element (JCS...
Expeditionary Network Communications (Engagement Theater Session 3): TechNet ...
Office Chief of Signal Personnel Presentation: TechNet Augusta 2015
Cyber Commandant Presentation: TechNet Augusta 2015
Cyber CoE Doctrine Plan for 2025: TechNet Augusta 2015

Recently uploaded (20)

PDF
A novel scalable deep ensemble learning framework for big data classification...
PDF
Getting Started with Data Integration: FME Form 101
PPTX
O2C Customer Invoices to Receipt V15A.pptx
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
PDF
Web App vs Mobile App What Should You Build First.pdf
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PPTX
Chapter 5: Probability Theory and Statistics
PPTX
cloud_computing_Infrastucture_as_cloud_p
PDF
WOOl fibre morphology and structure.pdf for textiles
PPTX
1. Introduction to Computer Programming.pptx
PDF
1 - Historical Antecedents, Social Consideration.pdf
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PPTX
TLE Review Electricity (Electricity).pptx
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
PDF
Architecture types and enterprise applications.pdf
A novel scalable deep ensemble learning framework for big data classification...
Getting Started with Data Integration: FME Form 101
O2C Customer Invoices to Receipt V15A.pptx
Assigned Numbers - 2025 - Bluetooth® Document
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
Web App vs Mobile App What Should You Build First.pdf
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
Chapter 5: Probability Theory and Statistics
cloud_computing_Infrastucture_as_cloud_p
WOOl fibre morphology and structure.pdf for textiles
1. Introduction to Computer Programming.pptx
1 - Historical Antecedents, Social Consideration.pdf
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
TLE Review Electricity (Electricity).pptx
Group 1 Presentation -Planning and Decision Making .pptx
Final SEM Unit 1 for mit wpu at pune .pptx
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
Architecture types and enterprise applications.pdf

Network Security & Assured Networks: TechNet Augusta 2015

  • 1. Copyright © Ciena Corporation 2015. All rights reserved. Confidential & Proprietary. Network Security Assessments Robert Kimball CTO – Ciena Government Solutions Inc.
  • 4. The key difference between certification and accreditation is that accreditation looks at the entire enterprise (people, equipment, and procedures) while certification only focuses on equipment
  • 5. Since the answers to these questions are not static and change as events occur, the risk tolerance of the organization has to balance expected threats against costs of protection
  • 9. Control Type Controls Access Control AC1, AC2(1,2,3,4), AC3, AC4, AC6(1,2,5,9,10), AC7, AC8, AC11,AC14, AC17(1,2,3,4) Awareness and Training N/A Audit and Accountability AU2(3,4), AU3(1),AU4 Security Assessment and Authorization N/A Configuration management CM2(1,3), CM3(2), CM5, CM6 Contingency Planning CP9(1), CP10(2,3) Identification and Authentication IA2(1,2,3,8), IA3, IA4, IA5(1,2,3), IA6 Incidence Response N/A Maintenance N/A Media Protection N/A Physical and Environmental Protection N/A Planning N/A Personnel Security N/A Risk assessment N/A System and services Acquisition N/A Systems and communications Protection SC1, SC2, SC4, SC5, SC7(1,3,4,5,7), SC8(1), SC10, SC12, SC13, SC17, SC23, SC28, SC32, SC41 System and Information Integrity SI3(1,2,3), SI4(2,4,5,8), SI7(1,8), SC11 Program Management N/A
  • 12.  Ref: AC-8 System Use Notification The system must provide for the display of a notification message or banner prior to logon, that remains in place until the user takes a specific action such as logging on. Best practice banners include the following elements: Information system usage may be monitored, recorded and subject to audit Unauthorized use is prohibited and Use of the system implies consent to monitoring and recording may be subject to civil and criminal penalties Ref: AC-11 Session lock The system must prevent access to the system after a predetermined period of inactivity or upon user request, conceal previously visible information behind a publically viewable image, and require user to reestablish identification and authorization prior to regaining access. Assessment is performed by monitoring the session timeout behavior.
  • 15. Ref: AU-2 Auditable Events The enterprise must define the relevant events that are auditable. Best practice focus is on security related information and the ability to forensically analyze a security incident. The assessment will validate that all of the relevant auditable events are captured by the system. Best practice include: A requirement to periodically review and update the available auditable events The inclusion of privileged functions in auditable events Ref: AU-3 Content of audit records Audit records contain information that at a minimum establishes what event happened, when and where, the source, and user account associated with the incident. Best practices include: User defined audit records specific to the enterprise Ref: AU-4 Audit Storage Capacity The assessment will validate that the system has the determined amount of audit record storage capacity. The determined amount may be a fixed level, user defined capacity, or ability to connect external storage devices.
  • 16. Ref: CM-2 Baseline Configuration The system must produce a baseline configuration under configuration control. Best practices include: Baselines are recomputed at a defined frequencies and as a part of upgrades and installations System retains a predefined number of previous versions Ref: CM-3 Configuration Change Control System deployments are under a change control process. The assessment requires the system to produce records of configuration control changes and audits activities associated with configuration control events. Best practice includes: The system must support test and validation of configuration control changes. This should be done externally to the system.
  • 17. Ref: CM-5 Access Restrictions for Change System must impose access restrictions to enforce physical and logical access restrictions of users allowed to make configurations changes to hardware and software. This can take the form of access control lists or privileged account types. Assessment will document access control and validate that only authorized users are able to make configuration changes.
  • 18. Ref: CP-9 Information System Backup The assessment will review historical backups of user, system, and security information at the defined intervals. The system must protect the confidentiality, integrity, and availability of backed up information. The assessment will evaluate back-up protections to ensure viability. Best practices include: The backed up data is tested for reliability and information integrity Ref: CP-10 Information system recovery and Reconstitution Assessment will validate recovery and reconstitution of the system to a known state after a disruption, compromise, or failure. This is likely to be preformed via validation that the capability exists rather than the introduction of an actual failure. Best practices includes: If transaction based systems are involved, system implements transaction recovery including transaction rollback and transaction journaling. This is relevant to database management systems. Identify compensating security controls for circumstances that may inhibit recovery and reconstitution to a known state. This includes relaxation of security controls if required during recovery operations and return to trusted status and restoral of security controls during reconstitution to a known state.
• 19. Ref: IA-2 Identification and Authentication (Organizational Users)
The system uniquely identifies and authenticates users, and processes acting on behalf of users. Best practices include:
  - The system employs multi-factor authentication for network access to non-privileged accounts.
  - The system employs multi-factor authentication for local access to privileged accounts.
  - The system employs replay-resistant authentication mechanisms, such as Transport Layer Security (TLS) and time-synchronous or one-time authenticators, for network access to privileged accounts.
Note that the DoD prefers hardware-based certificates (e.g., on smart cards) for authentication.
Ref: IA-3 Device-to-Device Identification and Authentication
The information system uniquely identifies specific devices, or types of devices, before establishing a connection (remote, network, or local). Typically MAC or IP addresses are used as device identifiers for authentication solutions (e.g., IEEE 802.1X with the Extensible Authentication Protocol (EAP), a RADIUS server with EAP-TLS authentication, or Kerberos). Note that MAC and IP addresses are trivially spoofed, so they serve as identifiers rather than as proof of identity; the cryptographic credential (for example the device certificate in EAP-TLS) is what provides the authentication. The assessment will monitor the connection process for a number of devices and validate that each device and device type is uniquely identified.
• 20. Ref: IA-4 Identifier Management
The system facilitates management of information system identifiers by preventing the reuse of assigned identifiers for a defined period and by disabling identifiers after a defined period of inactivity. The assessment will review the connection identification of all connected devices and verify that no duplicate identifiers are present. The assessment will attempt to connect using a previously allocated identifier and confirm that the system prevents its reuse. Finally, the assessment will confirm the timeout behavior of inactive identifiers.
Ref: IA-5 Authenticator Management
The system shall ensure that the authentication mechanism has sufficient strength for its intended use; change the default content of authenticators upon system installation; establish minimum and maximum lifetimes and reuse conditions for authenticators; change authenticators periodically; protect authenticator information from modification or disclosure; and force an authenticator change upon role change. Authenticators generally include passwords, tokens, biometrics, PKI certificates, and key cards. Not all forms have to be supported: the enterprise identifies the required strength of its authentication mechanisms, and the assessment evaluates actual performance to ensure the requested strength is available. Best practices include:
  - Password authentication enforces a minimum complexity and a minimum delta (number of changed characters) after a change, enforces minimum and maximum lifetime restrictions, and prevents reuse for a defined number of generations. Passwords are stored and transmitted only in cryptographically protected form (salted hashes for storage, encrypted channels for transmission). Minimums and maximums are user defined.
  - PKI authenticators validate the certificate path to an accepted trust anchor, enforce authorized access to the corresponding private key, and map the authenticated identity to an individual account.
In-person registration is N/A.
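The password best practice under IA-5 lists five separate rules (complexity, minimum delta, minimum and maximum lifetime, reuse across generations, protected storage) that are easy to state and easy to get subtly wrong, so here is an added example, written for this page and not taken from the presentation or any product, that applies them in the order an assessor would test them. It assumes placeholder policy values, a PBKDF2 work factor chosen for illustration, and that the user supplies the old password at change time, which is what makes the delta check possible without ever storing plaintext.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


# Placeholder policy values; the enterprise defines the real minimums and maximums.
@dataclass
class PasswordPolicy:
    min_length: int = 15
    min_classes: int = 3              # of: upper, lower, digit, symbol
    min_delta: int = 8                # characters that must differ from the previous password
    generations: int = 5              # previous passwords that may not be reused
    min_lifetime_s: int = 86400       # one day before a password may be changed again
    max_lifetime_s: int = 60 * 86400  # after this the authenticator is expired


PBKDF2_ITERATIONS = 210_000  # placeholder work factor


def derive(password: str, salt: bytes) -> bytes:
    """Stored form of a password: salted PBKDF2-HMAC-SHA256, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float                              # epoch seconds of last change
    history: list = field(default_factory=list)    # [(salt, digest), ...] of previous passwords


def complexity_ok(pw: str, policy: PasswordPolicy) -> bool:
    classes = sum(bool(re.search(p, pw)) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= policy.min_length and classes >= policy.min_classes


def char_delta(old: str, new: str) -> int:
    """Positions that differ plus any length difference; 0 means unchanged."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def matches(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(derive(pw, salt), digest)


def enroll(password: str, now: float, policy: PasswordPolicy) -> Account:
    """Initial authenticator, e.g. replacing a vendor default at install time."""
    if not complexity_ok(password, policy):
        raise ValueError("initial password violates complexity policy")
    salt = os.urandom(16)
    return Account(salt=salt, digest=derive(password, salt), changed_at=now)


def change_password(acct: Account, old_pw: str, new_pw: str, now: float,
                    policy: PasswordPolicy) -> tuple:
    """Apply the IA-5 rules in order; returns (accepted, reason)."""
    if not matches(old_pw, acct.salt, acct.digest):
        return False, "old authenticator rejected"
    if now - acct.changed_at < policy.min_lifetime_s:
        return False, "minimum lifetime not reached"
    if not complexity_ok(new_pw, policy):
        return False, "complexity"
    if char_delta(old_pw, new_pw) < policy.min_delta:
        return False, "insufficient delta from previous password"
    # Reuse check covers the current password and the retained generations.
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if matches(new_pw, salt, digest):
            return False, "reuse within retained generations"
    acct.history.insert(0, (acct.salt, acct.digest))
    del acct.history[policy.generations:]
    acct.salt = os.urandom(16)
    acct.digest = derive(new_pw, acct.salt)
    acct.changed_at = now
    return True, "changed"


def expired(acct: Account, now: float, policy: PasswordPolicy) -> bool:
    """Maximum lifetime check; the caller forces a change when this is true."""
    return now - acct.changed_at > policy.max_lifetime_s
```

The reuse check is done by re-deriving the candidate against each retained salt, which is why every generation keeps its own salt: a shared salt would let a leaked history file be attacked once for all entries. The minimum-lifetime rule exists to stop the classic bypass of cycling through the history in one sitting to get back to a favourite password.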
• 21. Ref: SC-1 System and Communications Protection Policy and Procedures
The enterprise establishes formal policy and procedures for effective implementation of security controls related to system and communications protection. The assessment action is to review the documentation. Procedures required to implement security controls must appear in the system documentation wherever user configuration is required to implement a control.
Ref: SC-2 Application Partitioning
System management information must be kept separate from user data on the system. Separation can be physical or logical. The assessment examines the NMS (network management system) and control plane communication channels to ensure adequate separation from the user data plane. The level of separation required is based on the enterprise risk profile.
• 22. Ref: SC-4 Information in Shared Resources
The information system prevents unauthorized and unintended information transfer via shared system resources. This includes access to shared resources (registers, main memory, or hard disks) after those resources are released back to a shared resource pool. The assessment activity for this area will consist of memory scans and disk audits to ensure that residual information from a previous user or process is not recoverable by the next one.
Ref: SC-5 Denial of Service Protection
This control requires identification of the types of denial of service (DoS) attacks that are mitigated by the system and a list of the security controls used. The requirement consists of an analysis activity once a set of security controls is defined. The assessment activity includes a review of the mitigated DoS attacks and an audit to ensure the planned security controls are correctly implemented. A deeper assessment would also evaluate the list of DoS mitigations against the current threat environment and the enterprise risk profile.
• 23. Ref: SC-7 Boundary Protection
The system monitors and controls communications at the external boundary of the system and at key internal boundaries, and connects to external systems only through managed interfaces. The assessment examines each external interface, identifies key internal boundaries, and validates that these connections are achieved through managed interfaces. Best practices include:
  - Publicly accessible system components are physically allocated to subnetworks that are separate from internal networks.
  - The number of access points to external connections is limited.
  - Managed interfaces include a traffic flow policy, a method for protecting confidentiality and integrity, and management of exceptions to the traffic flow policy.
  - External network traffic is denied by default and allowed by exception.
  - Remote devices that have established a non-remote connection (such as the craft interface) are prevented from communicating with resources in an external network. This control specifically prohibits split tunneling between the network VPN and an external resource such as a printer or file server.
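Several of the SC-7 best practices above (deny by default, allow by exception, exception records, public components kept off the internal network) can be turned into mechanical checks on a managed interface's traffic flow policy. The following is an added example written for this page, not code from the presentation or from any firewall product; the rule format, the address ranges (10.0.0.0/8 as the internal network and the TEST-NET-1 range 192.0.2.0/24 as a DMZ) and the exception-record identifiers are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int]          # None = any port
    exception_ref: str            # change/exception record justifying an allow


ANY_NET = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # placeholder internal range
DMZ = ipaddress.ip_network("192.0.2.0/24")          # placeholder public subnet (TEST-NET-1)

# Constructed traffic-flow policy for a hypothetical external managed interface.
POLICY = [
    Rule("allow", ANY_NET, DMZ, "tcp", 443, "EXC-0042 public web portal"),
    Rule("allow", ANY_NET, DMZ, "tcp", 80, "EXC-0042 HTTP-to-HTTPS redirect"),
    Rule("deny", ANY_NET, ANY_NET, "any", None, "default deny"),
]

# The same interface after the kind of drift an assessor looks for.
DEFECTIVE_POLICY = [
    Rule("allow", ANY_NET, DMZ, "tcp", 443, "EXC-0042 public web portal"),
    Rule("allow", ANY_NET, INTERNAL, "tcp", 22, ""),      # SSH straight into the internal network, no record
    Rule("allow", ANY_NET, ANY_NET, "any", None, "EXC-0099 troubleshooting"),  # any/any allow, no deny
]


def _is_default_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.src == ANY_NET and rule.dst == ANY_NET
            and rule.proto == "any" and rule.dport is None)


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> Rule:
    """First-match evaluation; a policy without a terminal default deny is refused outright."""
    if not policy or not _is_default_deny(policy[-1]):
        raise ValueError("SC-7: policy must end with a deny-all rule")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if (s in rule.src and d in rule.dst
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule
    raise AssertionError("unreachable: the terminal rule matches everything")


def policy_defects(policy: List[Rule]) -> List[str]:
    """Assessment findings derived from the SC-7 best practices."""
    defects = []
    if not policy or not _is_default_deny(policy[-1]):
        defects.append("no terminal default-deny rule")
    for i, r in enumerate(policy):
        if r.action != "allow":
            continue
        if not r.exception_ref:
            defects.append(f"rule {i}: allow without an exception record")
        if r.dst.overlaps(INTERNAL):
            defects.append(f"rule {i}: external traffic allowed into the internal network")
        if r.src == ANY_NET and r.dst == ANY_NET and r.proto == "any" and r.dport is None:
            defects.append(f"rule {i}: unrestricted allow")
    return defects


if __name__ == "__main__":
    print("clean policy defects:", policy_defects(POLICY))
    print("drifted policy defects:", policy_defects(DEFECTIVE_POLICY))
    print("external -> DMZ 443:", evaluate(POLICY, "203.0.113.7", "192.0.2.10", "tcp", 443).action)
    print("external -> internal 22:", evaluate(POLICY, "203.0.113.7", "10.1.2.3", "tcp", 22).action)
```

The evaluator deliberately refuses to run a policy that lacks a terminal deny rather than treating "no match" as deny: on real platforms the implicit default differs between vendors and between interface directions, and an assessor should never infer it. The defect list is what gets written into the assessment record alongside the rule index.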
• 24. Ref: SC-8 Transmission Integrity
The system protects the integrity of transmitted information. The assessment evaluates the enterprise requirements for protecting information integrity and ensures the identified protections are adequate to meet them. Best practices include:
  - Cryptography (e.g., message authentication codes or digital signatures) should be used to detect changes to information during transmission.
  - Cryptographic mechanisms should meet FIPS requirements.
Ref: SC-9 Transmission Confidentiality
The system protects the confidentiality of transmitted information. The assessment evaluates the enterprise requirements for protecting information confidentiality and ensures the identified protections are adequate to meet them. Best practices include:
  - Cryptography (encryption) should be used to prevent unauthorized disclosure of information during transmission.
  - Cryptographic mechanisms should meet FIPS requirements.
Note that in NIST SP 800-53 Revision 4, SC-9 was withdrawn and incorporated into SC-8, Transmission Confidentiality and Integrity; the two requirements are assessed together there.
• 25. Ref: SC-10 Network Disconnect
The system terminates network connections at the end of a session or after a defined period of inactivity. The inactivity period may be a set parameter or a user input. The assessment validates that connections are terminated after a session ends and after the defined period of inactivity.
Ref: SC-12 Cryptographic Key Establishment and Management
The system manages cryptographic keys via a FIPS-approved procedure. Key management may be automated or manual. If FIPS 140 validation was achieved, the assessment only needs to note the presence of the certificate, after confirming that the deployed module version and operational mode are the ones the certificate covers. If FIPS validation was not achieved and cryptography is used, then the key management process must be evaluated against FIPS criteria.
• 26. Ref: SC-13 Cryptographic Protection
All cryptographic protection used by the system conforms to FIPS requirements. If FIPS 140 validation was achieved, the assessment only needs to note the presence of the certificate. If FIPS validation was not achieved and cryptography is used, then the cryptographic implementation must be evaluated against FIPS criteria.
Ref: SC-17 Public Key Infrastructure Certificates
If PKI certificates are used, they are obtained from an approved source. The assessment will document the PKI certificate issuing authority.
• 27. Ref: SC-23 Session Authenticity
The system protects the authenticity of communications at the session level, not only the packet level, so that an established session cannot be hijacked or its peer substituted. The assessment will examine the session-level protections.
Ref: SC-28 Protection of Information at Rest
The system protects the confidentiality and integrity of information at rest. Which data must be protected is a user-defined parameter but should generally include all security-related data (authenticator stores, keys, audit records, and configuration). Cryptography may be used to implement this control. The assessment will validate that any data the enterprise identifies as requiring protection is identified in the system security document, and will examine the mechanism used to protect data at rest where required.
• 28. Ref: SC-32 Information System Partitioning
The system partitions the information system into separate domains. This requirement could be satisfied by an analysis showing that there is no requirement for physical separation between system components. The assessment will determine the enterprise requirements for separate domains; if the requirement exists, the assessment will validate that the intended separation is achieved.
Ref: SC-39 Out-of-Band Channels (SC-37 in NIST SP 800-53 Rev. 4)
The system assigns specific data and functions to out-of-band channels. The assessment will determine the enterprise requirements for out-of-band channels; if the requirement exists, the assessment will validate that data intended for out-of-band channels is correctly routed.
• 29. Ref: SC-41 Process Isolation (SC-39 in NIST SP 800-53 Rev. 4)
The system maintains a separate execution domain for each executing process. This is typically accomplished by giving each process its own address space. Care should be taken to ensure that no process can alter the execution of any other process. This area may be fairly difficult to assess in third-party equipment; penetration testing may be used to look for weaknesses here.
• 30. Ref: SI-3 Malicious Code Protection
This requirement is generally written to cover the need for anti-virus software in information systems. In the case of communication systems the requirement applies to the introduction of malicious code during software upgrades or through system vulnerabilities. The requirement is for periodic scans and regular updates to the malicious code protection. The assessment will consist of an examination of the software upgrade process, both in terms of documentation and actual execution. Best practices include:
  - Malicious code protection is centrally managed.
  - Updates to the malicious code protection mechanisms are performed automatically.
  - Non-privileged users are prohibited from circumventing the malicious code protection capability.
Ref: SI-4 Information System Monitoring
The system is monitored to detect attacks and indicators of potential attacks, and to identify unauthorized use. The assessment evaluates system monitoring capabilities, particularly monitoring of system administrator actions and configuration control activities. Authorized use is defined in the system security document; unauthorized use criteria are defined and controls implemented. Best practices include:
  - The system employs automated monitoring tools.
  - The system monitors inbound and outbound communications for unusual or unauthorized activity.
  - The system provides alarms.
  - The system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.
• 31. Ref: SI-7 Software, Firmware, and Information Integrity
Integrity verification tools are used to detect unauthorized changes to software or firmware. Integrity checking mechanisms include parity checks, cyclic redundancy checks, and cryptographic hashes. Note that parity and CRC detect accidental corruption only; detecting deliberate modification requires a cryptographic hash whose reference value is itself protected, for example by a digital signature over the image or its manifest. The assessment documents the integrity verification tools used by the enterprise, evaluates all software and firmware upgrade elements, and validates complete integrity coverage of all elements. Best practices include:
  - Integrity scans are performed at security-relevant times, such as system start-up or software upgrade.
  - Detection of unauthorized changes is tracked as part of the incident response process.
Ref: SI-11 Error Handling
The system identifies security-relevant error conditions and generates error messages that are disclosed only to authorized personnel. The assessment validates that the security-relevant error conditions identified by the enterprise generate error messages, and that only those personnel identified in the system security document have access to those messages.
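The SI-7 requirement that every upgrade element be covered by an integrity check, and the SC-8 best practice on slide 24 that cryptography be used to detect changes in transit, come down to the same question: is the reference value an attacker would have to forge itself protected? The following is an added example written for this page, not code from the presentation or from any vendor's upgrade tooling. It assumes a constructed upgrade package (element names and contents are placeholders) and uses an HMAC under an assumed vendor key as a stand-in for the PKI signature a real package would carry; the verification logic is identical, only the key type differs.

```python
import hashlib
import hmac
import json

# Constructed upgrade package: element name -> content. Names and bytes are placeholders.
PACKAGE = {
    "boot.bin": b"\x7fELF constructed boot image 1.0",
    "app.img": b"constructed application image 2.1",
    "default.cfg": b"hostname=node-01\nssh=on\ntelnet=off\n",
}

# Stand-in for the vendor's signing key. A real package uses a PKI signature; an HMAC shows
# the same property (a manifest an attacker cannot regenerate) without a third-party library.
VENDOR_KEY = b"assumed-vendor-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def encode_elements(elements: dict) -> bytes:
    """Canonical byte form of the hash table, so the tag is computed over an unambiguous input."""
    return json.dumps(elements, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(package: dict, key: bytes) -> dict:
    """Hash every upgrade element and authenticate the table of hashes."""
    elements = {name: sha256_hex(data) for name, data in package.items()}
    tag = hmac.new(key, encode_elements(elements), "sha256").hexdigest()
    return {"elements": elements, "tag": tag}


def verify_package(package: dict, manifest: dict, key: bytes) -> list:
    """Return assessment findings; an empty list means every element is covered and intact."""
    expected = hmac.new(key, encode_elements(manifest["elements"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        # Nothing below can be trusted if the reference hashes themselves were altered.
        return ["manifest authentication failed"]
    findings = []
    for name in sorted(set(package) | set(manifest["elements"])):
        if name not in manifest["elements"]:
            findings.append(f"{name}: not covered by manifest")        # SI-7 coverage gap
        elif name not in package:
            findings.append(f"{name}: listed in manifest but missing")
        elif sha256_hex(package[name]) != manifest["elements"][name]:
            findings.append(f"{name}: hash mismatch")
    return findings


def tampered(package: dict, name: str, data: bytes) -> dict:
    """Copy of the package with one element replaced or added (models the attacks below)."""
    altered = dict(package)
    altered[name] = data
    return altered


if __name__ == "__main__":
    manifest = build_manifest(PACKAGE, VENDOR_KEY)
    print("clean:", verify_package(PACKAGE, manifest, VENDOR_KEY))
    implant = tampered(PACKAGE, "app.img", PACKAGE["app.img"] + b" + implant")
    print("modified element:", verify_package(implant, manifest, VENDOR_KEY))
    # The attacker also rewrites the hash table, but cannot produce a valid tag without the key.
    forged = {"elements": {**manifest["elements"], "app.img": sha256_hex(implant["app.img"])},
              "tag": manifest["tag"]}
    print("forged manifest:", verify_package(implant, forged, VENDOR_KEY))
```

The second attack is the one that separates a real SI-7 implementation from a checksum: a bare SHA-256 list shipped beside the image is recomputed by the attacker in the same edit that plants the implant, and the check passes. The coverage finding ("not covered by manifest") is what the assessment text above calls validating complete integrity coverage; an element that installs without appearing in the signed manifest is a gap regardless of how strong the hash is.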