Operational Class Security Control Families
Awareness & Training
• 800-16
• 800-50
• 800-84 – Plan Testing, Training and Exercise

TT&E
• Test
• Training
• Exercises
• Tabletop
• Functional

Configuration Management
• 800-70
• 800-128 CM
• OMB 07-11
• OMB 07-18
• OMB 08-22
• SCAP/NVD FDCC
Knowledge Check
• Which SCAP specifications provide a standard naming convention for operating systems, hardware, and applications for the purpose of providing consistent, easily parsed names?
• What is defined as an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes?
• Which special pub provides guidelines on designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events?
Contingency Planning
• 800-34
• FCD 1

System/Process Downtime
• Maximum Tolerable Downtime (MTD)
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
Incident Response
• 800-61 – Incident Response
• 800-83 – Malware (SI)

Handling an Incident
• Preparation
• Detection and Analysis
• Containment, Eradication, and Recovery
• Post-Incident Activity

Incident Reporting Organizations
• US-CERT [IR 6,7]
• Information Analysis Infrastructure Protection (IAIP)
• CERT® Coordination Center (CERT®/CC)
• Information Sharing and Analysis Centers (ISAC)
Each agency must designate a primary and secondary POC with US-CERT, report all incidents, and internally document corrective actions and their impact. [IR-7]

Federal Agency Incident Reporting Categories
• CAT 0 – Exercise/Network Defense Testing
• CAT 1 – *Unauthorized Access
• CAT 2 – *Denial of Service (DoS)
• CAT 3 – *Malicious Code
• CAT 4 – *Inappropriate Usage
• CAT 5 – Scans/Probes/Attempted Access
• CAT 6 – Investigation
Any incident that involves compromised PII must be reported to US-CERT within 1 hour of detection, regardless of the reporting timeframe of its incident category.
Knowledge Check
• Name the contingency planning variable that defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business functions, and the MTD.
• What is created to correlate the information system with critical mission/business processes, which is further used to characterize the consequences of a disruption?
• Which Federal mandate requires agencies to report incidents to US-CERT?
• What is the US-CERT incident category name and reporting timeframe for a CAT-2 incident?
System Maintenance
• 800-63 – E-Auth (IA)
• 800-88 – Sanitization (MP)
• FIPS 140-2 – Crypto
• FIPS 197 – AES
• FIPS 201 – PIV (IA)

Encryption Standards
• FIPS 140-2
  • Level 1 – Basic (at least one Approved algorithm or Approved security function shall be used)
  • Level (EAL) 2 – Tamper-evidence, requires role-based authentication
  • Level (EAL) 3 – Intrusion detection and prevention, requires identity-based authentication mechanisms
  • Level (EAL) 4 – Zeroization, environmental protection
• Advanced Encryption Standard (FIPS 197)
Media Protection
• 800-56
• 800-57
• 800-60
• 800-88 – Sanitization
• 800-111 – Storage Encryption Key Management

Media Sanitization
• Disposal – discarding media with no other sanitization considerations.
• Clearing – must not allow information to be retrieved by data, disk, or file recovery utilities.
• Purging – protects the confidentiality of information against a laboratory attack.
• Destroying – the ultimate form of sanitization: disintegration, incineration, pulverizing, shredding, and melting.
Physical & Environmental Protection
• 800-46 – Telework/Remote Access
• 800-73
• 800-76
• 800-78
• FIPS 201 PIV (IA)

Physical Access Controls
• Badges
• Memory Cards
• Guards
• Keys
• True-floor-to-true-ceiling Wall Construction
• Fences
• Locks

Fire Safety
• Ignition Sources
• Fuel Sources
• Building Operation
• Building Occupancy
• Fire Detection
• Fire Extinguishment

Supporting Utilities
• Air-conditioning System
• Electric Power Distribution
• Heating Plants
• Water
• Sewage
• Planning for Failure
  • Mean-Time-Between-Failures (MTBF)
  • Mean-Time-To-Repair (MTTR)

Personnel Security
• 800-73
• 800-76
• 800-78
• 5 CFR 731.106 – Designation of public trust positions and investigative requirements
• ICD 704 – Personnel Security Standards (SCI)
• PIV (IA)

User Administration
• User Account Management
• Audit and Management Reviews
• Detecting Unauthorized/Illegal Activities
• Temporary Assignments and In-house Transfers
• Termination

Termination
• Friendly Termination
• Unfriendly Termination
Knowledge Check
• Which FIPS 140-2 encryption level requires identity-based authentication?
• Which FIPS publication specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits?
• What is the recommended disposal method, from the sanitization guidelines of NIST SP 800-88, for paper-based medical records containing sensitive PII?
• What is the supporting guideline for PS-9 Alternate Work Site?
Systems Integrity
• 800-40 – Patching (RA)
• 800-45 – Email
• 800-61 – Incidents (IR)
• 800-83 – Malware
• 800-92 – Logs (AU)
• 800-94 – IDPS
• NVD/CWE

Malware Incident Prevention & Handling
• Malware Categories
• Malware Incident Prevention
  • Policy
  • Awareness
  • Vulnerability Mitigation
  • Threat Mitigation
• Malware Incident Response
  • Preparation
  • Detection
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Malware Categories
• Viruses
  • Compiled Viruses
  • Interpreted Viruses
  • Virus Obfuscation Techniques
• Worms
• Trojan Horses
• Malicious Mobile Code
• Blended Attacks
• Tracking Cookies
• Attacker Tools
  • Backdoors
  • Keystroke Loggers
  • Rootkits
  • Web Browser Plug-Ins
  • E-Mail Generators
  • Attacker Toolkits
• Non-Malware Threats
  • Phishing
  • Virus Hoaxes

Uses of IDPS Technologies
• Identifying Possible Incidents
• Identifying Reconnaissance Activity
• Identifying Security Policy Problems
• Documenting Existing Threats to an Organization
• Deterring Individuals from Violating Security Policies

Key Functions of IDPS Technologies
• Recording information related to observed events
• Notifying security administrators of important observed events
• Producing reports
• Response Techniques
  • Stops Attack
  • Changes Security Environment
  • Changes Attack's Content
• False Positive
• False Negative
• Tuning
• Evasion

Common Detection Methodologies
• Signature-Based Detection
• Anomaly-Based Detection
• Stateful Protocol Analysis

Types of IDPS Technologies
• Network-Based
• Wireless
• Network Behavior Analysis
• Host-Based

Email Security – Spam
• Ensure that spam cannot be sent from the mail servers the organization controls
• Implement spam filtering for inbound messages
• Block messages from known spam-sending servers

Operational Security Controls Key Concepts & Vocabulary
• Awareness and Training
• Configuration Management
• Contingency Planning
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• Personnel Security
• System and Information Integrity