Xem mẫu
- solutions@syngress.com
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and
Cisco study guides in print, we continue to look for ways we can better
serve the information needs of our readers. One way we do that is by
listening.
Readers like yourself have been telling us they want an Internet-based
service that would extend and enhance the value of our books. Based
on reader feedback and our own strategic plan, we have created a
Web site that we hope will exceed your expectations.
Solutions@syngress.com is an interactive treasure trove of useful
information focusing on our book topics and related technologies.
The site offers the following features:
I One-year warranty against content obsolescence due to vendor
product upgrades. You can access online updates for any
affected chapters.
I “Ask the Author” customer query forms that enable you to post
questions to our authors and editors.
I Exclusive monthly mailings in which our experts provide answers
to reader queries and clear explanations of complex material.
I Regularly updated links to sites specially selected by our editors
for readers desiring additional reliable information on key
topics.
Best of all, the book you’re now holding is your key to this amazing
site. Just go to www.syngress.com/solutions, and keep this book
handy when you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be
sure to let us know if there’s anything else we can do to help you get
the maximum value from your investment. We’re listening.
www.syngress.com/solutions
- Security
Assessment
Case Studies for
Implementing
the NSA IAM
Russ Rogers
Greg Miles
Ed Fuller
Ted Dykstra
Matthew Hoagberg
- Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or produc-
tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be
obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is
sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to
state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress:The
Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is
to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned
in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 FGH73IP1LM
002 59MVZC6H9Q
003 4XFQIP4MCX
004 GLEQ71P9NC
005 7JHJ8FWEX2
006 VBP9EFC6K9
007 TYN8MF3TYH
008 64YTFXSQ9P
009 H8K3BN4GTV
010 IYGTE37V6N
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Security Assessment: Case Studies for Implementing the NSA IAM
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be repro-
duced or distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher, with the exception that the program listings may be entered,
stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-932266-96-8
Acquisitions Editor: Catherine B. Nolan Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien Copy Editor: Darlene Bordwell
Indexer: Nara Wood
Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.
- Acknowledgments
We would like to acknowledge the following people for their kindness and support in
making this book possible.
Syngress books are now distributed in the United States by O’Reilly & Associates, Inc.
The enthusiasm and work ethic at ORA is incredible and we would like to thank
everyone there for their time and efforts to bring Syngress books to market:Tim
O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie
Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve
Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop,Tim Hinton, Kyle
Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina
Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier,
Sue Willing, Mark Jacobsen and to all the others who work with us, but whose names
we do not know (yet)!
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell,
AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert
Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our
vision remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim,
Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which
they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene
Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for
all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar
Book Group for their help with distribution of Syngress books in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis,
Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout
Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook
Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress
books in the Philippines.
A special thanks to all the folks at Malloy who have made things easy for us and espe-
cially to Beth Drake and Joe Upton.
v
- Contributors
Greg Miles (CISSP, CISM, IAM) is a Co-Founder, President, and
Principle Security Consultant for Security Horizon, Inc., a
Colorado-based professional security services and training provider.
Greg is a key contributor not only to Security Horizon’s manage-
ment, but also in the assessment, information security policy, and
incident response areas. Greg is a United States Air Force Veteran
and has served in military and contract support for the National
Security Agency, Defense Information Systems Agency, Air Force
Space Command, and NASA supporting worldwide security efforts.
Greg has been a featured speaker at the Black Hat Briefings series of
security conferences and APCO conferences and is a frequent con-
tributor to “The Security Journal.” Greg holds a bachelor’s degree in
electrical engineering from the University of Cincinnati, a master’s
degree in management from Central Michigan University in
Management, and a Ph.D. in engineering management from
Kennedy-Western University. Greg is a member of the Information
System Security Association (ISSA) and the Information System
Audit and Control Association (ISACA).
Russ Rogers (CISSP, CISM, IAM) is a Co-Founder, Chief
Executive Officer, Chief Technology Officer, and Principle Security
Consultant for Security Horizon, Inc., a Colorado-based profes-
sional security services and training provider. Russ is a key contrib-
utor to Security Horizon’s technology efforts and leads the technical
security practice and the services business development efforts. Russ
is a United States Air Force Veteran and has served in military and
contract support for the National Security Agency and the Defense
Information Systems Agency. Russ is also the editor-in-chief of
“The Security Journal” and a staff member for the Black Hat
Briefings series of security conferences. Russ holds a bachelor’s
degree in computer science from the University of Maryland and a
master’s degree in computer systems management also from the
vii
- University of Maryland. Russ is a member of the Information
System Security Association (ISSA), the Information System Audit
and Control Association (ISACA), and the Association of Certified
Fraud Examiners. Russ was recently awarded The National
Republican Congressional Committee’s National Leadership Award
for 2003.
Ed Fuller (CISSP, GSEC, IAM) is Senior Vice President and
Principle Security Consultant for Security Horizon, Inc., a
Colorado-based professional security services and training provider.
Ed is the lead for Security Training and Assessments for Security
Horizon’s offerings. Ed is a retired United States Navy Veteran and
was a key participant on the development of Systems Security
Engineering Capability Maturity Model (SSE-CMM). Ed has also
been involved in the development of the Information Assurance
Capability Maturity Model (IA-CMM). Ed serves as a Lead
Instructor for the National Security Agency (NSA) Information
Assurance Methodology (IAM) and has served in military and con-
tract support for the National Security Agency and the Defense
Information Systems Agency. Ed is a frequent contributor to “The
Security Journal.” Ed holds a bachelor’s degree from the University
of Maryland in information systems management and is a member
of the Center for Information Security and the Information Systems
Security Engineering Association.
Matthew Paul Hoagberg is a Security Consultant for Security
Horizon, Inc., a Colorado-based professional security services and
training provider. Matt contributes to the security training, assess-
ments, and evaluations that Security Horizon offers. Matt’s experi-
ence includes personnel management, business development,
analysis, recruiting, and corporate training. He has been responsible
for implementing a pilot 3-factor authentication effort for Security
viii
- Horizon and managing the technical input for the project back to
the vendor. Matt holds a bachelor’s degree in psychology from
Northwestern College and is a member of the Information System
Security Association (ISSA).
Ted Dykstra (CISSP, CCNP, MCSE, IAM) is a Security
Consultant for Security Horizon, Inc., a Colorado-based profes-
sional security services and training provider.Ted is a key contrib-
utor in the technical security efforts and service offerings for
Security Horizon, and an instructor for the National Security
Agency (NSA) Information Assurance Methodology (IAM).Ted’s
background is in both commercial and government support efforts,
focusing on secure architecture development and deployment,
INFOSEC assessments and audits, as well as attack and penetration
testing. His areas of specialty are Cisco networking products, Check
Point and Symantec Enterprise Security Products, Sun Solaris,
Microsoft, and Linux systems.Ted is a regular contributor to “The
Security Journal,” as well as a member of the Information System
Security Association (ISSA) and a leading supporter of the Colorado
Springs, Colorado technical security group: dc719.
ix
- Contents
Introduction xxv
Chapter 1 Laying the Foundation for Your Assessment 1
Introduction 2
Determining Contract Requirements 3
What Does the Customer Expect? 4
Customer Definition of an Assessment 4
Sources for Assessment Work 7
Contract Composition 7
What Does the Work Call For? 11
What Are the Timelines? 16
Understand the Pricing Options 18
Understanding Scoping Pitfalls 20
Common Areas of Concern 21
Customer Concerns 21
Customer Constraints 21
“Scope Creep” and Timelines 22
Uneducated Salespeople 23
Bad Assumptions 24
Poorly Written Contracts 25
Staffing Your Project 27
Job Requirements 27
Networking and Operating Systems 27
Hardware Knowledge 28
Picking the Right People 28
Adequately Understanding Customer Expectations 30
The Power of Expectations 30
What Does the Customer Expect for Delivery? 30
Adjusting Customer Expectations 30
xi
- xii Contents
Educating the Customer 31
Helping the Customer Understand the Level
of Effort 31
Explaining Timeline Requirements 31
Understand the Commitment 32
Project Leadership 32
Constant Communication with the Customer 32
Constant Communication with Team Members 33
Timeliness of the Effort 34
Long Nights, Impossible Odds 35
Initial Resistance Fades to Cooperation 35
Case Study: Scoping Effort for the Organization
for Optimal Power Supply 36
Summary 39
Best Practices Checklist 40
Frequently Asked Questions 42
Chapter 2 The Pre-Assessment Visit 45
Introduction 46
Preparing for the Pre-Assessment Visit 47
Questions You Should Ask 48
Determining the Network Environment of the
Assessment Site 48
Determining the Security Controls of the
Assessment Site 50
Understanding Industry Concerns for the
Assessment Site 50
Scheduling 52
Understanding Special Considerations 53
Managing Customer Expectations 53
Defining the Differences Between Assessment
and Audit 54
Results, Solutions, and Reporting 56
Interference on Ops 57
Impact on Organization Security 58
Defining Roles and Responsibilities 60
Who Is the Decision Maker? 61
- Contents xiii
Who Is the Main Customer POC? 61
Who Is the Assessment Team Leader? 62
Suggestions for the Assessment Team 63
Possible Members of the Customer Team 63
Planning for the Assessment Activities 65
Developing Mission Identification 66
Understanding Industry Differences 67
Relating the Mission to Pre-Assessment Site
Visit Products 68
Defining Goals and Objectives 69
Understanding the Effort: Setting the Scope 69
Information Request 69
Coordinate 70
Establish Team Needs for Remaining Assessment 70
Industry and Technical Considerations 70
Case Study:The Bureau of Overt Redundancy 71
The Organization 71
Summary 75
Best Practices Checklist 76
Frequently Asked Questions 77
Chapter 3 Determining the Organization’s
Information Criticality 81
Introduction 82
Identifying Critical Information Topics 86
Associating Information Types with the Mission 90
Common Issues in Defining Types 91
Common Mistakes in Defining Types 92
Identifying Impact Attributes 93
Common Impact Attributes 95
Confidentiality 96
Integrity 96
Availability 96
Additional Impact Attributes 97
Based on Regulatory or Legal Requirements 97
Personal Preference 98
Recommendation of a Colleague 99
- xiv Contents
Creating Impact Attribute Definitions 99
Understanding the Impact to the Organization 99
Can We Live Without This Information? 100
Example Impact Definitions 100
High, Medium, and Low 100
Numbered Scales 103
Creating the Organizational Information
Criticality Matrix 104
Prioritizing Impact Based on Your Definitions 105
The Customer Perception of the Matrix 107
Case Study: Organizational Criticality at TOOT 108
TOOT Information Criticality Topics 109
Identifying Impact Attributes 110
Creating Impact Definitions 110
Creating the Matrix 111
Summary 113
Best Practices Checklist 115
Frequently Asked Questions 116
Chapter 4 System Information Criticality 119
Introduction 120
Stepping into System Criticality 121
Defining High-Level Security Goals 123
Locating Additional Sources of Requirements 126
Determining System Boundaries 128
Physical Boundaries 128
Logical Boundaries 128
Defining the Systems 130
What Makes a System Critical? 132
Breaking the Network into Systems 133
What Makes Sense? 134
Creating the System Criticality Matrix 134
The Relationship Between OICM and SCM 135
Refining Impact Definitions 136
A Matrix for Each System 137
Unexpected Changes 138
Case Study: Creating the SCM for TOOT 140
- Contents xv
Locating System Boundaries 140
Completing the System Criticality Matrix 141
Summary 145
Best Practices Checklist 147
Frequently Asked Questions 149
Chapter 5 The System Security Environment 151
Introduction 152
Understanding the Cultural and Security Environment 154
The Importance of Organizational Culture 154
Adequately Identifying the Security Environment 156
Defining the Boundaries 159
Physical Boundaries 160
Logical Boundaries 161
Never the Twain Shall Meet—Or Should They? 162
Identifying the Customer Constraints and Concerns 162
Defining Customer Constraints 163
Types of Operational Constraints 163
Types of Resource Constraints 164
Environmental Constraints 164
Architectural Constraints 165
Determining Customer Concerns 166
Why Are You There in the First Place? 166
Specific Criteria to Assess 166
Handling the Documentation Identification and Collection 167
What Documentation Is Necessary? 169
Policy 169
Guidelines/Requirements 169
Plans 170
Standard Operating Procedures 170
User Documentation 170
Obtaining the Documentation 171
Use the Customer Team Member 171
Tracking the Documents 171
Determining Documentation Location 172
What If No Documentation Exists? 172
Ad Hoc Security 173
- xvi Contents
Case Study: Higher Education 174
Summary 179
Best Practices Checklist 179
Frequently Asked Questions 181
Chapter 6 Understanding the Technical
Assessment Plan 183
Introduction 184
Understanding the Purpose of the Technical
Assessment Plan 184
The TAP: A Plan of Action 187
The TAP: A Controlled and Living Document 187
Linking the Plan to Contract Controls 188
Understanding the Format of the TAP 190
Point of Contact 191
Mission 192
Organizational Information Criticality 193
System Information Criticality 194
Customer Concerns and Constraints 195
System Configuration 196
Interviews 197
Documents 198
Timeline of Events 200
Customizing and Modifying the TAP to Suit the
Job at Hand 200
Modifying the Nine NSA-Defined Areas 201
Level of Detail 201
Format 202
Case Study:The Bureau of Overt Redundancy 202
The BOR TAP 202
Contact Information 203
Mission 204
Organization Information Criticality 206
System Information Criticality 208
Concerns and Constraints 209
System Configuration 209
The Interview List 210
- Contents xvii
Documentation 211
Events Timeline 213
Summary 215
Best Practices Checklist 216
Frequently Asked Questions 217
Chapter 7 Customer Activities 219
Introduction 220
Preparing for the Onsite Phase 220
Assessment Team Preparation 221
Administrative Planning 222
Technical Planning 223
Customer Preparation 224
Scheduling 225
Communication 225
Setting the Onsite Tone 226
Understanding the Opening Meeting (The Inbriefing) 227
Conducting the Opening Meeting 228
Meeting Format 228
Information to Take Away 228
Establishing and Maintaining the Onsite Expectations 229
Understanding the Process 229
Understanding the Results 230
Keeping the Customer Involved 230
Continued Customer Education 230
Information Exchange 231
NSA IAM Baseline INFOSEC Classes and Categories 232
Management Aspects 233
INFOSEC Documentation 234
INFOSEC Roles and Responsibilities 234
Contingency Planning 235
Configuration Management 236
Technical Aspects 236
Identification and Authentication 237
Account Management 238
Session Controls 239
Auditing 240
- xviii Contents
Malicious Code Protection 240
Maintenance 241
System Assurance 241
Networking/Connectivity 242
Communications Security 243
Operational Aspects 243
Media Controls 243
Labeling 244
Physical Environment 244
Personnel Security 245
Education Training and Awareness 245
The Fine Art of the Interview 246
Interview Characteristics 246
Whom Do I Interview? 247
Interview Scheduling 248
Interview Environment 248
Attributes of a Successful Interviewer 249
Breaking the Barriers 249
Gaining Needed Information 252
Case Study: Interviews With University Staff 254
The Management Interview 258
The Technical Interview 260
Group Interview with Computer Science
Systems Administrators 260
Individual Interview with Marcia 262
Summary 264
Best Practices Checklist 265
Frequently Asked Questions 266
Chapter 8 Managing the Findings 269
Introduction 270
Demonstration Versus Evaluation 271
What Are System Demonstrations? 271
The Good and the Bad 272
What Are System Evaluations? 273
Manual Checks 274
Tailored Scripts 274
- Contents xix
Tools 274
Findings and Dependencies 276
When Is a Finding Considered Dependent? 277
Is It Good or Bad? Does It Matter? 278
Mapping Findings to Requirements and Constraints 278
Justification 279
Mapping Requirements 280
Creating Recommendation Road Maps 281
Cost Effectiveness 281
Applicability 281
Importance 282
Users 282
Options for Increasing the Security Posture 282
The Yugo Implementation 283
The Ford Solution 284
The Cadillac Solution 284
Case Study: Medical Management 284
System Description 286
Information Criticality 286
Summary of Findings 287
Excerpt of Findings 288
Recommendation Road Map 298
Summary 305
Best Practices Checklist 305
Frequently Asked Questions 307
Chapter 9 Leaving No Surprises 309
Introduction 310
Determining the Audience for the Closeout Meeting 310
Who Is Your Audience? 311
Who Should Attend? 311
Organizing the Closeout Meeting 312
Determining Time and Location 312
Time of Meeting 313
Day of Week 313
Meeting Room 313
Determining Supply List for the Closeout Meeting 313
nguon tai.lieu . vn
