Operational Class Security Control Families

NIST SP 800-53 Rev. 3 control families by class. The count is the number of controls in the family; the class total is given on the last family of each class.

Class        ID   Family                                      Controls
Management   CA   Security Assessment and Authorization        6
Management   PL   Planning                                     5
Management   PM   Program Management                          11
Management   RA   Risk Assessment                              4
Management   SA   System and Services Acquisition             14   (class total 40)
Operational  AT   Awareness and Training                       5
Operational  CM   Configuration Management                     9
Operational  CP   Contingency Planning                        10
Operational  IR   Incident Response                            8
Operational  MA   Maintenance                                  6
Operational  MP   Media Protection                             6
Operational  PE   Physical and Environmental Protection       19
Operational  PS   Personnel Security                           8
Operational  SI   System and Information Integrity            13   (class total 84)
Technical    AC   Access Control                              19
Technical    AU   Audit and Accountability                    14
Technical    IA   Identification and Authentication            8
Technical    SC   System and Communications Protection        34   (class total 75)

Awareness and Training

AT-2 Security Awareness
AT-3 Security Training
AT-4 Security Training Records

Training and exercise controls that live in other families:
CP-3 Contingency Training
IR-2 Incident Response Training
CP-4 Contingency Plan Testing and Exercises
IR-3 Incident Response Testing and Exercises

Supporting guidance: SP 800-16, SP 800-50, SP 800-84 (test, training, and exercise programs for IT plans and capabilities)

Test, Training and Exercise (TT&E) event types:
- Tests
- Training
- Exercises
  - Tabletop
  - Functional

Configuration Management

CM-2 Baseline Configuration
CM-3 Configuration Change Control
CM-4 Security Impact Analysis
CM-5 Access Restrictions for Change
CM-6 Configuration Settings
CM-7 Least Functionality
CM-8 Information System Component Inventory
CM-9 Configuration Management Plan

Supporting guidance and programs: SP 800-70, SP 800-128, OMB M-07-11, OMB M-07-18, OMB M-08-22, SCAP/NVD, FDCC

[figure] The Phases of Security-focused Configuration Management
[figure] SCAP v1.2 Components
[figure] Additional SCAP Terminology

Knowledge Check
- Which SCAP specification provides a standard naming convention for operating systems, hardware, and applications, so that product names are consistent and easily parsed?
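The CM-6 and CM-7 slides describe the check a configuration-settings tool performs: compare a host's effective settings and installed components against an approved baseline and report drift. The following is an added worked example, not code from the slides or from any SCAP tool. The baseline values, the allow-list of packages, the sshd_config text and the package list are all constructed for the illustration (they are not FDCC or USGCB settings). It applies three sshd_config parsing rules that a naive grep gets wrong: keywords are case-insensitive, the first occurrence of a repeated keyword wins, and everything after the first Match line is conditional rather than global.

```python
"""Baseline-configuration drift check in the spirit of CM-2/CM-6/CM-7.

Added example (not from the slides). The baseline, the sshd_config text
and the package list are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    control: str    # 800-53 control the rule supports
    key: str        # sshd_config keyword
    expected: str   # value the baseline requires


# Constructed baseline: an organization-chosen subset of sshd settings (CM-6).
BASELINE: List[Rule] = [
    Rule("CM-6", "MaxAuthTries", "4"),
    Rule("CM-6", "PermitRootLogin", "no"),
    Rule("CM-6", "PasswordAuthentication", "no"),
    Rule("CM-6", "X11Forwarding", "no"),
]

# Constructed allow-list of packages for CM-7 (least functionality).
ALLOWED_PACKAGES: Set[str] = {"openssh-server", "rsyslog", "auditd"}

# Constructed sshd_config: one drifted setting, a duplicate keyword that sshd
# ignores (first occurrence wins), and a conditional Match block.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
MaxAuthTries 4
PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""

# Constructed package inventory (CM-8) for the same host.
SAMPLE_PACKAGES: List[str] = ["openssh-server", "rsyslog", "auditd", "telnetd"]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map.

    Follows the sshd_config rules that matter for a check: keywords are
    case-insensitive, a keyword may be followed by whitespace or '=', and for
    a repeated keyword the first occurrence wins. Lines after the first
    'Match' are conditional and are not part of the global configuration.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def check_settings(config: Dict[str, str], baseline: List[Rule]) -> List[str]:
    """CM-6: report every baseline rule the effective configuration violates."""
    findings: List[str] = []
    for rule in baseline:
        actual = config.get(rule.key.lower())
        if actual is None:
            findings.append(f"{rule.control} {rule.key}: not set (expected {rule.expected})")
        elif actual.lower() != rule.expected.lower():
            findings.append(f"{rule.control} {rule.key}: {actual} (expected {rule.expected})")
    return findings


def check_inventory(installed: List[str], allowed: Set[str]) -> List[str]:
    """CM-7/CM-8: packages present on the host but absent from the allow-list."""
    return sorted(set(installed) - allowed)


def run_check(config_text: str = SAMPLE_SSHD_CONFIG,
              packages: List[str] = SAMPLE_PACKAGES) -> List[str]:
    """Combine the settings check and the inventory check into one finding list."""
    findings = check_settings(parse_sshd_config(config_text), BASELINE)
    findings += [f"CM-7 unapproved package: {p}"
                 for p in check_inventory(packages, ALLOWED_PACKAGES)]
    return findings


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

On a live host, prefer feeding the parser the output of `sshd -T`, which prints the effective configuration as keyword/value lines after sshd has applied its own precedence rules, rather than the file on disk; the file is what you audit for CM-3 change control, the effective configuration is what you verify for CM-6.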
- What is defined as an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes?
- Which special publication provides guidelines on designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events?

Contingency Planning

CP-6 Alternate Storage Site
CP-7 Alternate Processing Site
CP-8 Telecommunications Services
CP-9 Information System Backup
CP-10 Information System Recovery and Reconstitution

Supporting guidance: SP 800-34, FCD 1 (Federal Continuity Directive 1)

Topics:
- Types of plans
- Contingency planning process
- Business Impact Analysis (BIA)
- System/process downtime:
  - Maximum Tolerable Downtime (MTD)
  - Recovery Time Objective (RTO)
  - Recovery Point Objective (RPO)
- Recovery strategies

Incident Response

IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan

Supporting guidance: SP 800-61 (incident handling), SP 800-83 (malware; also supports SI)

Handling an incident (SP 800-61 life cycle):
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity

Incident reporting organizations:
- US-CERT [IR-6, IR-7]: each agency must designate a primary and a secondary POC with US-CERT, report all incidents, and internally document corrective actions and their impact.
- Incident response assistance resources [IR-7]: Information Analysis and Infrastructure Protection (IAIP), CERT Coordination Center (CERT/CC), Information Sharing and Analysis Centers (ISACs)

Federal agency incident reporting categories (US-CERT):
CAT 0 - Exercise/Network Defense Testing
CAT 1 - Unauthorized Access *
CAT 2 - Denial of Service (DoS) *
CAT 3 - Malicious Code *
CAT 4 - Inappropriate Usage *
CAT 5 - Scans/Probes/Attempted Access
CAT 6 - Investigation
* Any incident that involves compromised PII must be reported to US-CERT within 1 hour of detection, regardless of the reporting timeframe of the incident category.
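The contingency planning slide above lists MTD, RTO and RPO as the outputs of the BIA but not how they constrain each other: a system's allowable downtime is bounded by the most time-sensitive mission/business process that depends on it, the RTO of the chosen recovery strategy must fit inside that MTD (the remainder is the time the process itself has to recover), and the backup interval must not lose more data than the process can tolerate (the RPO). The following is an added worked example of that arithmetic, not code from the slides or from SP 800-34; the processes, systems, MTD values and candidate strategies are constructed for the illustration.

```python
"""Contingency-planning arithmetic from the BIA: MTD, RTO and RPO.

Added example (not from the slides or SP 800-34). Processes, systems and
recovery strategies below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Process:
    name: str
    mtd_hours: float             # Maximum Tolerable Downtime from the BIA
    max_data_loss_hours: float   # tolerable data loss, which bounds the RPO
    systems: Tuple[str, ...]     # information systems the process depends on


@dataclass(frozen=True)
class Strategy:
    system: str
    rto_hours: float   # time the chosen recovery strategy needs to restore the system
    rpo_hours: float   # backup interval, i.e. worst-case data loss the strategy allows


@dataclass(frozen=True)
class Requirement:
    system: str
    mtd_hours: float        # tightest MTD among the processes the system supports
    rpo_hours: float        # tightest tolerable data loss among those processes
    driving_process: str    # process that sets the MTD


# Constructed BIA output: two mission/business processes and what they depend on.
PROCESSES: List[Process] = [
    Process("Claims payment", mtd_hours=24, max_data_loss_hours=4,
            systems=("billing-db", "portal")),
    Process("Public web site", mtd_hours=72, max_data_loss_hours=24,
            systems=("portal",)),
]

# Constructed candidate recovery strategies (what the alternate site and backups deliver).
STRATEGIES: List[Strategy] = [
    Strategy("billing-db", rto_hours=8, rpo_hours=12),
    Strategy("portal", rto_hours=48, rpo_hours=24),
]


def derive_requirements(processes: List[Process]) -> Dict[str, Requirement]:
    """A system inherits the tightest MTD and data-loss limit of every process it supports."""
    reqs: Dict[str, Requirement] = {}
    for p in processes:
        for s in p.systems:
            r = reqs.get(s)
            if r is None or p.mtd_hours < r.mtd_hours:
                mtd, driver = p.mtd_hours, p.name
            else:
                mtd, driver = r.mtd_hours, r.driving_process
            rpo = p.max_data_loss_hours if r is None else min(r.rpo_hours, p.max_data_loss_hours)
            reqs[s] = Requirement(s, mtd, rpo, driver)
    return reqs


def work_recovery_time(req: Requirement, strategy: Strategy) -> float:
    """Time left after the system is back for the process itself to recover (MTD - RTO)."""
    return req.mtd_hours - strategy.rto_hours


def evaluate(strategies: List[Strategy], reqs: Dict[str, Requirement]) -> List[str]:
    """Flag strategies whose RTO does not fit inside the MTD or whose RPO loses too much data."""
    findings: List[str] = []
    for st in strategies:
        req = reqs.get(st.system)
        if req is None:
            continue   # no process depends on it, so the BIA places no requirement
        if work_recovery_time(req, st) <= 0:
            findings.append(
                f"{st.system}: RTO {st.rto_hours:g}h is not within MTD {req.mtd_hours:g}h "
                f"set by '{req.driving_process}'; choose a faster recovery strategy")
        if st.rpo_hours > req.rpo_hours:
            findings.append(
                f"{st.system}: RPO {st.rpo_hours:g}h exceeds tolerable data loss "
                f"{req.rpo_hours:g}h; back up more often")
    return findings


if __name__ == "__main__":
    for line in evaluate(STRATEGIES, derive_requirements(PROCESSES)):
        print(line)
```

The portal in the constructed data illustrates the point the knowledge check is after: its own process (the public web site) would tolerate 72 hours, but because the claims process also depends on it, its MTD is 24 hours and the 48-hour strategy fails.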
Knowledge Check
- Name the contingency planning variable that defines the maximum amount of time a system resource can remain unavailable before there is an unacceptable impact on other system resources, the supported mission/business functions, and the MTD.
- What is created to correlate the information system with critical mission/business processes, and is then used to characterize the consequences of a disruption?
- Which Federal mandate requires agencies to report incidents to US-CERT?
- What is the US-CERT incident category name and reporting timeframe for a CAT 2 incident?

Maintenance

MA-2 Controlled Maintenance
MA-3 Maintenance Tools
MA-4 Non-Local Maintenance
MA-5 Maintenance Personnel
MA-6 Timely Maintenance

Supporting standards (several also support other families):
- SP 800-63 - Electronic Authentication (IA)
- SP 800-88 - Media Sanitization (MP)
- FIPS 140-2 - Security Requirements for Cryptographic Modules
- FIPS 197 - Advanced Encryption Standard (AES)
- FIPS 201 - Personal Identity Verification (PIV) (IA)

Encryption standards

FIPS 140-2 security levels (these are FIPS 140-2 levels, distinct from Common Criteria Evaluation Assurance Levels):
- Level 1: basic; at least one Approved algorithm or Approved security function shall be used
- Level 2: tamper evidence (coatings, seals, pick-resistant locks); role-based authentication
- Level 3: tamper detection and response, i.e. zeroization of plaintext critical security parameters when the enclosure is opened; identity-based authentication
- Level 4: a complete envelope of protection that detects and responds to any attempt at physical access; environmental failure protection or testing

Advanced Encryption Standard (FIPS 197)

Media Protection

MP-2 Media Access
MP-3 Media Marking
MP-4 Media Storage
MP-5 Media Transport
MP-6 Media Sanitization

Supporting guidance: SP 800-56 and SP 800-57 (key establishment and key management), SP 800-60 (mapping information types to security categories), SP 800-88 (media sanitization), SP 800-111 (storage encryption technologies)

Media sanitization (SP 800-88):
- Disposal: discarding media with no other sanitization considerations
- Clearing: must not allow information to be retrieved by data, disk, or file recovery utilities
- Purging: protects the confidentiality of information against a laboratory attack
- Destroying: the ultimate form of sanitization (disintegration, incineration, pulverizing, shredding, melting)

Caveat for flash-based media (SSDs, USB drives): overwriting does not reliably reach every block because of wear levelling, so SP 800-88 Rev. 1 treats overwrite as clearing at best and relies on the device's own sanitize or cryptographic-erase commands for purging; verify the result rather than assuming it.
[figure] Sanitization and Disposition Decision Flow (SP 800-88)

Physical and Environmental Protection

PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission Medium
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-7 Visitor Control
PE-8 Access Records
PE-9 Power Equipment and Power Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Temperature and Humidity Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18 Location of Information System Components

Supporting guidance: SP 800-46 (telework and remote access), SP 800-73, SP 800-76, SP 800-78, FIPS 201 (PIV; also IA)

Physical access controls: badges, memory cards, guards, keys, true-floor-to-true-ceiling wall construction, fences, locks

Fire safety: ignition sources, fuel sources, building operation, building occupancy, fire detection, fire extinguishment

Supporting utilities: air-conditioning system, electric power distribution, heating plants, water, sewage

Planning for failure:
- Mean Time Between Failures (MTBF)
- Mean Time To Repair (MTTR)

Personnel Security

PS-2 Position Categorization
PS-3 Personnel Screening
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 Third-Party Personnel Security
PS-8 Personnel Sanctions

Supporting guidance: SP 800-73, SP 800-76, SP 800-78 (PIV; IA); 5 CFR 731.106 (designation of public trust positions and investigative requirements); ICD 704 (personnel security standards for access to SCI)

Staffing and user administration:
- Staffing
- User administration
  - User account management
  - Audit and management reviews
  - Detecting unauthorized/illegal activities
  - Temporary assignments and in-house transfers
  - Termination: friendly termination and unfriendly termination

Knowledge Check
- Which FIPS 140-2 security level requires identity-based authentication?
- Which FIPS publication specifies the Rijndael algorithm, a symmetric block cipher that processes data blocks of 128 bits using cipher keys of 128, 192, and 256 bits?
- According to the sanitization guidelines in NIST SP 800-88, what is the recommended disposal method for paper-based medical records containing sensitive PII?
- What is the supporting guideline for PE-17 Alternate Work Site?

System and Information Integrity

SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 Information System Monitoring
SI-5 Security Alerts, Advisories, and Directives
SI-6 Security Functionality Verification
SI-7 Software and Information Integrity
SI-8 Spam Protection
SI-9 Information Input Restrictions
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Output Handling and Retention

Supporting guidance:
- SP 800-40 - patch and vulnerability management (RA)
- SP 800-45 - electronic mail security
- SP 800-61 - incident handling (IR)
- SP 800-83 - malware incident prevention and handling
- SP 800-92 - log management (AU)
- SP 800-94 - intrusion detection and prevention systems (IDPS)
- NVD / CWE

Malware incident prevention and handling (SP 800-83)

Malware incident prevention:
- Policy
- Awareness
- Vulnerability mitigation
- Threat mitigation

Malware incident response:
- Preparation
- Detection
- Containment
- Eradication
- Recovery
- Lessons learned

Malware categories:
- Viruses: compiled viruses, interpreted viruses, virus obfuscation techniques
- Worms
- Trojan horses
- Malicious mobile code
- Blended attacks
- Tracking cookies
- Attacker tools: backdoors, keystroke loggers, rootkits, web browser plug-ins, e-mail generators, attacker toolkits
- Non-malware threats: phishing, virus hoaxes

Intrusion detection and prevention (SP 800-94)

Uses of IDPS technologies:
- Identifying possible incidents
- Identifying reconnaissance activity
- Identifying security policy problems
- Documenting the existing threat to an organization
- Deterring individuals from violating security policies

Key functions of IDPS technologies:
- Recording information related to observed events
- Notifying security administrators of important observed events
- Producing reports
- Response techniques (prevention): stop the attack itself, change the security environment, change the attack's content

Accuracy and tuning: false positives, false negatives, tuning, evasion

Common detection methodologies:
- Signature-based detection
- Anomaly-based detection
- Stateful protocol analysis

Types of IDPS technologies:
- Network-based
- Wireless
- Network behavior analysis (NBA)
- Host-based

Email security - spam (SP 800-45, SI-8):
- Ensure that spam cannot be sent from the mail servers the organization controls (no open relay)
- Implement spam filtering for inbound messages
- Block messages from known spam-sending servers (for example via DNS-based blocklists)

Operational Security Controls: Key Concepts and Vocabulary
- Awareness and Training
- Configuration Management
- Contingency Planning
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Personnel Security
- System and Information Integrity
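The IDPS section above names the two detection methodologies (signature-based and anomaly-based) and the failure modes that go with them (false positives, false negatives, tuning, evasion) without showing them operate. The following is an added worked example, not code from the slides or from SP 800-94: both detectors run over a constructed web-server access log containing ordinary browsing, a percent-encoded SQL injection probe, a directory-traversal probe and a scanner that issues many requests within one minute. The signatures and the per-minute threshold are constructed for the illustration. The request target is percent-decoded before signature matching, which is the minimum needed so that encoding alone does not evade the signatures; the threshold argument is the tuning knob, and the test shows that lowering it turns the ordinary client into a false positive.

```python
"""Signature-based and anomaly-based detection over a web access log.

Added example (not from the slides or SP 800-94). The log lines and the
signatures are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Event:
    src: str
    minute: str    # timestamp truncated to the minute
    path: str      # percent-decoded request target
    status: int


@dataclass(frozen=True)
class Alert:
    method: str    # "signature" or "anomaly"
    src: str
    detail: str


# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')


def _line(src: str, sec: int, path: str, status: int) -> str:
    """Build one constructed access-log line (all lines fall in the same minute)."""
    return f'{src} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 0'


# Constructed access log: a normal client, a percent-encoded SQL injection
# probe, a directory-traversal probe, and a scanner hammering one minute.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", 1, "/index.html", 200),
     _line("10.0.0.5", 2, "/about", 200),
     _line("10.0.0.5", 3, "/contact", 200),
     _line("203.0.113.9", 4, "/login.php?user=admin%27%20OR%20%271%27%3D%271", 200),
     _line("10.0.0.8", 5, "/cgi-bin/..%2F..%2Fetc/passwd", 403)]
    + [_line("198.51.100.7", 10 + i, f"/backup{i}.zip", 404) for i in range(8)]
)

# Constructed signatures; decoding happens first so encoding alone does not evade them.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("sql-injection", re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(^|/)\.\./")),
]


def parse_log(text: str) -> List[Event]:
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, stamp, path, status = m.groups()
        events.append(Event(src, stamp[:17], unquote(path), int(status)))
    return events


def signature_detect(events: List[Event]) -> List[Alert]:
    """Signature-based detection: known-bad patterns in the decoded request."""
    return [Alert("signature", ev.src, f"{name}: {ev.path}")
            for ev in events for name, rx in SIGNATURES if rx.search(ev.path)]


def anomaly_detect(events: List[Event], max_per_minute: int) -> List[Alert]:
    """Anomaly-based detection: a source exceeding the per-minute request profile.

    The threshold is the tuning knob: set it too low and ordinary browsing
    becomes a false positive; too high and a slow scanner is a false negative.
    """
    counts = Counter((ev.src, ev.minute) for ev in events)
    return [Alert("anomaly", src, f"{n} requests in {minute} (threshold {max_per_minute})")
            for (src, minute), n in sorted(counts.items()) if n > max_per_minute]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in signature_detect(evs) + anomaly_detect(evs, max_per_minute=5):
        print(alert.method, alert.src, alert.detail)
```

Neither detector is stateful protocol analysis, the third methodology the slide lists: that would require tracking the HTTP exchange itself rather than inspecting one logged request at a time. A scanner that spreads its requests across minutes also slips under the rate threshold here, which is the false-negative side of the same tuning trade-off.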