SECURITY AWARENESS TRAINING
NETWORK SECURITY AND IR
Team Blue
Michael Haney, Xinchi He, Jeyasingam Nivethan
Amazing Company Background
• Cloud Service Provider
• Destined to be the best in the business
• Current Employees: 15
• Future Growth Plans: 150,000 employees
• Current Customers: 0
• Future Growth Plans: 1 customer
What is Cloud Service?
• Delivered via the Internet from a cloud computing provider's server.
• Provides easy, scalable access to applications, resources and services.
• Fully managed by a cloud services provider.
• Dynamically scales to meet the needs of users.
• Online data storage, backup solutions, Web-based email services, etc.
• Creates a need for network security for clients.
FedRAMP Regulations
What we need to know to be compliant
FedRAMP Background
• Federal Risk and Authorization Management Program
• Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• Uses a "do once, use many times" framework
• Sourced from NIST SP 800-53 Revision 3 for low and moderate impact systems
NIST RMF Certification & Accreditation Process
The six steps of the cycle:
1. CATEGORIZE Information System
2. SELECT Security Controls
3. IMPLEMENT Security Controls
4. ASSESS Security Controls
5. AUTHORIZE Information System
6. MONITOR Security Controls
Control Families
• Access Control (AC)
• Audit and Accountability (AU)
• Assessment and Authorization (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
Control Families (Cont’d)
• Media Protection (MP)
• Physical and Environmental Protection (PE)
• Planning (PL)
• Personnel Security (PS)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
What is JAB?
• Joint Authorization Board
• Primary governance and decision-making body for the FedRAMP program.
• Reviews and provides joint provisional security authorizations of cloud solutions using a standardized baseline approach.
Sample of Controls
Highlights of the FedRAMP Controls that we will
focus on today.
PE-3 Physical Access Control
Control: The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
   1. Verifying individual access authorizations before granting access to the facility; and
   2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
MA-6 Timely Maintenance
Control: The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

Control Enhancements:

(1) TIMELY MAINTENANCE | PREVENTIVE MAINTENANCE
The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].

(2) TIMELY MAINTENANCE | PREDICTIVE MAINTENANCE
The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].

(3) TIMELY MAINTENANCE | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE
The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.
CM-2 Baseline Configuration
Control: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Control Enhancements:
(1) BASELINE CONFIGURATION | REVIEWS AND UPDATES
(2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS
(4) BASELINE CONFIGURATION | UNAUTHORIZED SOFTWARE [Withdrawn: Incorporated into CM-7].
(5) BASELINE CONFIGURATION | AUTHORIZED SOFTWARE [Withdrawn: Incorporated into CM-7].
(6) BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
(7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS
CP-7 Alternate Processing Site
Control: The organization:
• Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period];
• Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
• Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.

IR-8 Incident Response Plan
Control: The organization:
• Develops an incident response plan;
• Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
• Reviews the incident response plan [Assignment: organization-defined frequency];
• Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
• Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
• Protects the incident response plan from unauthorized disclosure and modification.
AU-8 Time Stamps
Control: The information system:
• Uses internal system clocks to generate time stamps for audit records; and
• Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
SC-7 Boundary Protection
Control: The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SC-8&9 Transmission Integrity &
Transmission Confidentiality
Control: The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

Control Enhancements:
(1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
(2) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | PRE / POST TRANSMISSION HANDLING
(3) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS
(4) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CONCEAL / RANDOMIZE COMMUNICATIONS

SC-30 Virtualization Techniques
Control: The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.

Control Enhancements:
• The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
• The organization employs randomness in the implementation of the virtualization techniques.

SC-32 Information System Partitioning
Control: The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].
Amazing Network Security
7 Best Practices to Help Meet Compliance
Best Practice 1: Inventory
• The inventory of networked devices should be kept up-to-date.
• Change control procedures must be followed to synchronize the inventory with what is actually installed and deployed on our network.
• Scanning for rogue devices and network services will take place periodically to validate the inventory.
Best Practice 2: Firewalls
• Firewalls must be installed and maintained in multiple locations on our network.
• Ingress filtering will limit the network traffic coming into our network.
• Egress filtering will limit the data that is allowed to leave our network.
• Internal firewalls will be used for network segmentation, zoning, and client isolation.
• Proxies for web browsing and file transfer for users will be used to monitor and limit dangerous network activity (e.g. malware downloads or inappropriate activity).
Best Practice 3: IDS
• Intrusion Detection Systems (IDS) will be utilized to monitor the network.
• IDS must be installed and configured as securely as possible, since they are high-value, high-risk targets for attackers.
• Signatures for IDS detection must be kept up to date.
• IDS alerts must be monitored, and follow-up will include incident response practices.
• Full packet capture will be utilized, as storage limits and costs permit, to support investigations.
• Network flow/session monitoring data will be stored longer-term to support operations as well as incident investigation.
Best Practice 4: Encryption
• Network encryption will be managed appropriately.
• SSH and scp are required in place of telnet and ftp everywhere.
• SSL for web-based connections and applications is strongly encouraged.
• SSL certificate management for our systems and websites will be managed through the CISO.
Best Practice 5: Network Protocols
The following network protocols will be restricted or managed by the security group:
• telnet / rsh / rlogin
• ftp / anonymous ftp / tftp
• IRC and other instant messaging protocols
• SMTP
• Peer-to-peer networking or file sharing
• Tor browsing and Tor peer routing
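Best Practices 1 and 5 together describe a check a defender can automate: compare a periodic network scan against the change-controlled inventory, flag hosts the inventory does not know about, and flag listeners for the restricted protocols. The block below is an added Python example, not code from the slide deck or from Amazing Company; the inventory, the scan results and the port-to-protocol mapping are all constructed for illustration.

```python
# Added example (not part of the Amazing Company training deck): reconcile an
# asset inventory with a network scan and report restricted services.
# All data below is constructed; the restricted-protocol list follows the
# deck's Best Practice 5, mapped to the ports those services listen on by default.

RESTRICTED_PORTS = {
    23: "telnet", 514: "rsh", 513: "rlogin",
    21: "ftp", 69: "tftp",
    6667: "irc", 25: "smtp",
    6881: "bittorrent", 9001: "tor-or", 9050: "tor-socks",
}

# Constructed inventory: the authoritative record of what change control approved.
INVENTORY = {
    "10.0.1.10": "web-01",
    "10.0.1.11": "web-02",
    "10.0.2.20": "db-01",
    "10.0.3.5": "bastion-01",
}

# Constructed scan result: host -> set of open TCP ports observed on the network.
SCAN = {
    "10.0.1.10": {22, 443},
    "10.0.1.11": {22, 443, 21},    # ftp listening on an approved host
    "10.0.2.20": {22, 5432},
    "10.0.9.99": {22, 23, 80},     # not in the inventory, and runs telnet
}


def reconcile(inventory, scan, restricted=RESTRICTED_PORTS):
    """Return findings as (kind, host, detail) tuples, stable-sorted by host within each kind."""
    findings = []
    # Rogue devices: seen on the wire but never approved through change control.
    for host in sorted(set(scan) - set(inventory)):
        findings.append(("rogue-device", host, "responds on the network but is not in the inventory"))
    # Missing devices: inventory says they exist, the scan did not see them.
    for host in sorted(set(inventory) - set(scan)):
        findings.append(("missing-device", host, f"{inventory[host]} is inventoried but was not seen"))
    # Restricted services: any listener for a protocol the security group manages.
    for host, ports in sorted(scan.items()):
        for port in sorted(ports & set(restricted)):
            name = inventory.get(host, "unknown")
            findings.append(("restricted-service", host, f"{restricted[port]}/tcp {port} open on {name}"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in reconcile(INVENTORY, SCAN):
        print(f"{kind:<19} {host:<12} {detail}")
```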
Best Practice 6: Wireless Security
• Only company wireless should be used. Only WPA2 encryption should be used. Only approved devices will be permitted to connect wirelessly.
• No rogue wireless connections or BYOD are allowed at Amazing.
• Periodic spectrum scans for wireless devices will be conducted by the security group.
• The use of Bluetooth should be managed.
Best Practice 7: VPN
Virtual Private Network Usage
• Remote Access connections must be approved and secured.
• Extranet / Business Partner connections are approved and secured, periodically reviewed, and have a designated point of contact.
Questions?
Don't forget to review the Online Manual:
• Best Practices
• Network Security Policy
• Guidelines
• Incident Response Policy
And take the QUIZ!
Group Activity
• Pair up
• Brainstorm
• Place Ideas into the Hat
• Draw from the Hat
• Prepare Your Response
• Present Your Response
• Vote for your Favorite!