1 / 40

Beyond Standards

Beyond Standards. Beyond Standards. Standards ISFO Manual Threats Case Study Future. Baseline Standards. Audit Policy Event Logs Configuration User rights S ecurity options Network, Firewall, Port protocol Others. Baseline Standards. Audit Policy

amandla
Télécharger la présentation

Beyond Standards

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BeyondStandards

  2. BeyondStandards • Standards • ISFO Manual • Threats • Case Study • Future

  3. Baseline Standards • Audit Policy Event Logs Configuration • User rights Security options • Network, Firewall, Port protocol • Others

  4. Baseline Standards Audit Policy • Basic Audit versus Advanced Audit Policy Event Logs • Retain old events and Automatically backup log when full

  5. Baseline Standards • User Rights • Add workstations to domain • Synchronize directory service data • Bypass traverse checking

  6. Baseline Standards • User Rights • Impersonate a client after authentication • Devices: Allow undock without having to log on

  7. Baseline Standards • Security Options • Domain controller: Refuse machine account password changes • Domain controller: Allow server operators to schedule tasks

  8. Baseline Standards • Networking • Internet Communication • Events.asp Links • Turn Off Handwriting Personalization Data Sharing • Power Options • Require a Password When a Computer Wakes • Network Connections • Route all traffic through internal network

  9. Baseline Standards • Networking • NTP server : Configure Windows NTP client • localtimeserver Type • Set to NT5D5. ( Setto NT5DS if the system is not PDC) • TCPIP Settings\IPv6 Transition Technologies • IPHTTPS Url • Firewall • Display Notification ( Set to Yes) • Firewall log file ( currently set to %windir%.log) • Set to

  10. Baseline Standards • Networking • Firewall • IPv6 Block of UDP 3544 • Remote Desktop Services • Do not use temporary folders per session should be associated with Remote Desktop Session Host\Temporary folders. • Search Setting • Search-Allow indexing of encrypted files • Search-Enable indexing uncached Exchange folders

  11. Baseline Standards • Services • Remote Desk Services Crashes on refresh of GPO • Remote Desktop Help Session Manager ( ignored on windows 7 and windows 2008) • SNMP Trap Service is SNMP Trap • Simple Service Discovery Protocol Discovery Service is SSDP Discovery ( needed for plug and play) • World Wide Web Publishing Services is World Wide Web Publishing Service

  12. Baseline Standards • Virtualization • Allow log on through Remote Desktop Services • Deny log on through Remote Desktop Services • Set to Everyone ( should be Guests) • Virtual OS

  13. Baseline Standards • Security Relevant Objects • SROs for NT5 (XP, 2003) but not used by NT6 (7,2008) • c:\windows\system32\kdcsvc.dll • c:\windows\system32\msgina.dll • c:\windows\system32\ntbackup.exe • c:\windows\system32\ntdsa.dll • c:\windows\system32\ntdsatq.dll • c:\windows\system32\regedit.exe • c:\windows\system32\rshx32.exe • c:\windows\syswow64\rshx32.exe • c:\windows\syswow64\spool\printers

  14. Baseline Standards Others Difference in baseline between NT5 and NT6 • NT5 Audit: Shut down system immediately is. Enabled. • NT6Audit: Shut down system immediately is Undefined. • NT5 Restrict CD-ROM access to locally logged-on user only is Enabled. • NT6 Restrict CD-ROM access to locally logged-on user only is Disabled.

  15. Baseline Standards • Others • Difference in baseline between NT5 and NT6 • NT5 Interactive logon: Number of previous logons to cache is 0 • NT6 Interactive logon: Number of previous logons to cache is 2 logons or less • NT5 Shutdown: Clear virtual memory page file is Enabled • NT6 Shutdown: Clear virtual memory page file is Disabled • NT6 Every Administrative actions required authentication

  16. ODAA Process Manual ODAA Process Manual v3.2, November 15, 2013 Summary of Changes

  17. ODAA Process Manual Aligned under National Institute of Standards and Technology (NIST) 800-53 Controls

  18. ODAA Process Manual C&A Documentation Process Divided into Three Categories • Management Controls, 3.0 • Operational Controls, 4.0 • Technical Controls, 6.0

  19. ODAA Process Manual NIST 800-53 Control Mapping 10.0 (page 86)

  20. ODAA Process Manual Publication date: November 15, 2013 Effective date: May 15, 2014

  21. ODAA Process Manual Removable Media Restrictions 4.7.2 (p. 51) • Write ability will be restricted to people designated and briefed by ISSM. • The default will be to disable write ability for all forms of removable media.

  22. ODAA Process Manual • SIPRNet Section 9.0 (pp. 81-84) • Command Cyber Readiness Inspections (CCRI) • NISP SIPRNet Circuit Acquisition Process

  23. ODAA Process Manual Defense Industrial Base Cyber Security Accreditation Process (DIBNet) 9.2 Use to report cyber security incidents

  24. ODAA Process Manual Self-Certification Requirements (p.32) • Introduction to NISP C&A Process • NISP C&A Process: A Walk-Through • Technical Implementation of C&A

  25. ODAA Process Manual Logon Banner (pp 68-70) • NISPOM compliant systems (p. 69) • DoD Warning Banner for SIPRNet (p. 70)

  26. ODAA Process Manual Other Items: But nothing really new

  27. ODAA Process Manual Examples of reasons to deny an IATO: • Missing or incomplete UID • ISSM did not sign the IS Security Package Statement • Missing H/W List – S/W List – Configuration Diagram • Physical security not adequately explained

  28. ODAA Process Manual Examples of reasons to deny an IATO: • No signed DSS Form 147 – for Closed Area • No Certification Test Guide Results provided • Missing letter from GCA if variances are needed • Identification and authentication not fully addressed

  29. ODAA Process Manual Periods Processing 3.2.10.2 (p. 19) Clearing can be used to overwrite HD for reuse at same or higher level. Not for TS

  30. ODAA Process Manual Sanitizing 4.4.2 (pp 41-43) • Spills can be cleaned up by overwriting • Get GCA approval prior to or after incident • If GCA does not respond after 30 days assume approved • GCA may require destruction

  31. ODAA Process Manual Incident Response Plan 4.5.2 • The contractor shall develop an incident response plan. • Distribute copies of the incident response plan to appropriate incident response personnel. • The incident response plan shall be reviewed and revised when appropriate to ensure accuracy.

  32. ODAA Process Manual Classified Spill Cleanup Procedures 4.5.3 • Coordination with sender / receiver / data owner • Wiping Utility Instructions 4.5.4 (p. 45) • Reporting (NISPOM 1-303)

  33. ODAA Process Manual Trusted Download 4.7.4 Alternate Trusted Download procedures need letterhead memo signed by data owner or GCA. (p. 53)

  34. ODAA Process Manual • Weekly Audits 6.7.1 (p.71-72) • Audits need to be done at least weekly • “At least weekly” means once per calendar week

  35. Threat • Cyber Threat • Insider Threat

  36. Threat Insider Any person with authorized access to any United States Government resource to include personnel, facilities, information, equipment, networks, or systems. Insider Threat: The threat that an insider will use his/her authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of resources or capabilities.

  37. UNCLASSIFIED//FOUO Insider Threat mitigation has become anurgent requirement for DoD agencies • Presidential Memorandum and Executive Order (EO) 13587 • Created steering committee • Executive Agent for Safeguarding Classified Info on Networks • National Insider Threat Task Force • Produce national policy, standards • Provide assistance and assessments to departments/agencies • EO 10450, Security Requirements for Government Employment • Authority to investigate any information that comes to its attention that indicates retaining any officer or employee of the agency may not be consistent with national security interests • Provides authority to conduct inquires both prior to an actual hiring and after an individual has been hired by the agency “In the wake of an unprecedented document dump that is straining U.S. diplomatic relations in some corners of the world, the administration ordered agencies last month to ensure that unauthorized employees do not get access to sensitive or classified information.” UNCLASSIFIED//FOUO

  38. Threat (not all-inclusive) • Excessive and abnormal intranet browsing, beyond the individual's duties and responsibilities, of internal file servers or other networked system contents • Attempts to obtain classified or sensitive information by an individual not authorized to receive such information • Unauthorized copying, printing, faxing, e-mailing, or transmitting classified material • Contact with an individual who is known or suspected of being associated with a foreign intelligence or security organization • Hacking or cracking activities, social engineering, electronic elicitation, e-mail spoofing or spear phishing

  39. Case Study What would you do?

  40. Questions ? • Contact DSS….

More Related