Security Awareness Training: Network Security and IR
Team Blue: Michael Haney, Xinchi He, Jeyasingam Nivethan
Amazing Company Background
• Cloud Service Provider
• Destined to be the best in the business
• Current Employees: 15
• Future Growth Plans: 150,000 employees
• Current Customers: 0
• Future Growth Plans: 1 customer
What is a Cloud Service?
• Delivered via the Internet from a cloud computing provider's servers.
• Provides easy, scalable access to applications, resources and services.
• Fully managed by the cloud services provider.
• Dynamically scales to meet the needs of users.
• Examples: online data storage, backup solutions, web-based email services, etc.
• Clients therefore depend on the provider for network security.
FedRAMP Regulations
What we need to know to be compliant
FedRAMP Background
• Federal Risk and Authorization Management Program
• Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• Uses a "do once, use many times" framework
• Controls are sourced from NIST SP 800-53 Revision 3 for low- and moderate-impact systems
Control Families
• Access Control (AC)
• Audit and Accountability (AU)
• Assessment and Authorization (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
Control Families (Cont'd)
• Media Protection (MP)
• Physical and Environmental Protection (PE)
• Planning (PL)
• Personnel Security (PS)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
What is the JAB?
• Joint Authorization Board
• Primary governance and decision-making body for the FedRAMP program.
• Reviews and provides joint provisional security authorizations of cloud solutions using a standardized baseline approach.
Sample of Controls
Highlights of the FedRAMP controls that we will focus on today.
PE-3 Physical Access Control
Control: The organization:
• a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
  • 1. Verifying individual access authorizations before granting access to the facility; and
  • 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
• b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
• c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
• d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
• e. Secures keys, combinations, and other physical access devices;
• f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
• g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
MA-6 Timely Maintenance
Control: The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
Control Enhancements:
• (1) TIMELY MAINTENANCE | PREVENTIVE MAINTENANCE: The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
• (2) TIMELY MAINTENANCE | PREDICTIVE MAINTENANCE: The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
• (3) TIMELY MAINTENANCE | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE: The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.
CM-2 Baseline Configuration
Control: The organization develops, documents, and maintains under configuration control a current baseline configuration of the information system.
Control Enhancements:
• (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES
• (2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
• (3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS
• (4) BASELINE CONFIGURATION | UNAUTHORIZED SOFTWARE [Withdrawn: Incorporated into CM-7]
• (5) BASELINE CONFIGURATION | AUTHORIZED SOFTWARE [Withdrawn: Incorporated into CM-7]
• (6) BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
• (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS
CP-7 Alternate Processing Site
Control: The organization:
• Establishes an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period];
• Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site, or that contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
• Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.
IR-8 Incident Response Plan
Control: The organization:
• Develops an incident response plan;
• Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
• Reviews the incident response plan [Assignment: organization-defined frequency];
• Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
• Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
• Protects the incident response plan from unauthorized disclosure and modification.
AU-8 Time Stamps
Control: The information system:
• Uses internal system clocks to generate time stamps for audit records; and
• Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meet [Assignment: organization-defined granularity of time measurement].
SC-7 Boundary Protection
Control: The information system:
• a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
• b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
• c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SC-8 & SC-9 Transmission Integrity & Transmission Confidentiality
Control: The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Control Enhancements:
• (1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
• (2) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | PRE / POST TRANSMISSION HANDLING
• (3) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS
• (4) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CONCEAL / RANDOMIZE COMMUNICATIONS
SC-30 Virtualization Techniques
Control: The organization employs virtualization techniques to present information system components as other types of components, or as components with differing configurations.
Control Enhancements:
• The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
• The organization employs randomness in the implementation of the virtualization techniques.
SC-32 Information System Partitioning
Control: The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].
Amazing Network Security
7 Best Practices to Help Meet Compliance
Best Practice 1: Inventory
• The inventory of networked devices must be kept up to date.
• Change control procedures must be followed to keep the inventory synchronized with what is actually installed and deployed on our network.
• Scanning for rogue devices and network services will take place periodically to validate the inventory.
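The periodic validation scan described above has to be reconciled against the inventory to be useful. This added example (not part of the original training deck) parses constructed scan results in nmap's greppable line style and reports rogue hosts, services the inventory does not approve, and inventoried hosts the scan did not see; the inventory, addresses and host names are all made up for illustration.

```python
import re

# Constructed inventory: IP -> (hostname, set of approved open TCP ports).
INVENTORY = {
    "10.0.1.10": ("web01", {22, 443}),
    "10.0.1.11": ("db01", {22, 5432}),
    "10.0.1.20": ("jump01", {22}),
}

# Constructed scan results in nmap "greppable" style, one host per line.
SCAN_OUTPUT = """\
Host: 10.0.1.10 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.1.11 ()  Ports: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 23/open/tcp//telnet///
Host: 10.0.1.77 ()  Ports: 80/open/tcp//http///
"""

HOST_RE = re.compile(r"^Host: (\S+) .*Ports: (.*)$")


def parse_scan(text):
    """Return {ip: set of open TCP ports} from greppable-style scan lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports_field = m.groups()
        ports = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/.../service/...
            if len(fields) > 2 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
        hosts[ip] = ports
    return hosts


def reconcile(inventory, scanned):
    """Compare scan to inventory: rogue hosts, unapproved services, missing hosts."""
    findings = {"rogue_hosts": [], "unexpected_services": [], "missing_hosts": []}
    for ip, ports in scanned.items():
        if ip not in inventory:
            findings["rogue_hosts"].append(ip)  # seen on the wire, not in inventory
            continue
        for port in sorted(ports - inventory[ip][1]):
            findings["unexpected_services"].append((ip, port))
    for ip in inventory:
        if ip not in scanned:
            findings["missing_hosts"].append(ip)  # inventoried but not seen by the scan
    return findings
```

Each finding maps to a change-control action: a rogue host is either added through change control or removed, an unexpected service (here telnet on db01) is disabled or documented, and a missing host is checked for decommissioning that never reached the inventory.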
Best Practice 2: Firewalls
• Firewalls must be installed and maintained at multiple locations on our network.
• Ingress filtering will limit the network traffic coming into our network.
• Egress filtering will limit the data that is allowed to leave our network.
• Internal firewalls will be used for network segmentation, zoning, and client isolation.
• Proxies for web browsing and file transfer will be used to monitor and limit dangerous network activity (e.g. malware downloads or inappropriate activity).
Best Practice 3: IDS
• Intrusion Detection Systems (IDS) will be used to monitor the network.
• IDS must be installed and configured as securely as possible, since they are high-value, high-risk targets for attackers.
• Signatures for IDS detection must be kept up to date.
• IDS alerts must be monitored, and follow-up will include incident response practices.
• Full packet capture will be used, as storage limits and costs permit, to support investigations.
• Network flow/session monitoring data will be stored for the longer term to support operations as well as incident investigation.
Best Practice 4: Encryption
• Network encryption will be managed appropriately.
• SSH and scp are required in place of telnet and ftp everywhere.
• SSL for web-based connections and applications is strongly encouraged.
• SSL certificate management for our systems and websites will be handled through the CISO.
Best Practice 5: Network Protocols
The following network protocols will be restricted or managed by the security group:
• telnet / rsh / rlogin
• ftp / anonymous ftp / tftp
• IRC and other instant messaging protocols
• SMTP
• Peer-to-peer networking or file sharing
• Tor browsing and Tor peer routing
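A restriction list like the one above is only enforceable if the flow/session records from Best Practice 3 are actually checked against it. This added example (not from the original deck) walks constructed flow records and flags connections to the restricted protocols, allowing SMTP only from an assumed managed mail relay; the port-to-protocol mapping, addresses and log lines are constructed for illustration.

```python
# Restricted (proto, destination port) pairs for the protocols listed in
# Best Practice 5; the port mapping is constructed for this example.
RESTRICTED = {
    ("tcp", 23): "telnet", ("tcp", 513): "rlogin", ("tcp", 514): "rsh",
    ("tcp", 21): "ftp", ("udp", 69): "tftp",
    ("tcp", 6667): "irc", ("tcp", 25): "smtp",
    ("tcp", 6881): "bittorrent", ("tcp", 9001): "tor-or",
}
# Assumed address of the managed mail relay that may speak SMTP outbound.
SMTP_ALLOWED_SOURCES = {"10.0.1.25"}

# Constructed flow records: "timestamp src dst proto dst_port bytes".
FLOW_LOG = """\
2024-03-01T10:00:01Z 10.0.1.10 10.0.1.11 tcp 5432 8192
2024-03-01T10:00:05Z 10.0.1.44 10.0.1.11 tcp 23 310
2024-03-01T10:00:09Z 10.0.1.25 203.0.113.9 tcp 25 4210
2024-03-01T10:00:12Z 10.0.1.44 203.0.113.9 tcp 25 900
2024-03-01T10:00:40Z 10.0.1.44 10.0.1.30 udp 69 512
2024-03-01T10:01:00Z 10.0.1.51 198.51.100.7 tcp 9001 51200
"""


def parse_flows(text):
    """Parse one flow per line into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_violations(flows):
    """Return (ts, src, dst, name) for flows to restricted ports, minus relay SMTP."""
    hits = []
    for f in flows:
        name = RESTRICTED.get((f["proto"], f["dport"]))
        if name is None:
            continue
        if name == "smtp" and f["src"] in SMTP_ALLOWED_SOURCES:
            continue  # the managed relay is the one approved SMTP sender
        hits.append((f["ts"], f["src"], f["dst"], name))
    return hits


def per_source_counts(hits):
    # Violations per source host, so the security group can prioritise follow-up.
    counts = {}
    for _, src, _, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts
```

Port-based matching is a first pass only; protocols running on non-standard ports need the IDS signatures from Best Practice 3 or application-aware proxies from Best Practice 2 to be caught.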
Best Practice 6: Wireless Security
• Only company wireless may be used.
• Only WPA2 encryption may be used.
• Only approved devices will be permitted to connect wirelessly.
• No rogue wireless connections or BYOD are allowed at Amazing.
• Periodic spectrum scans for wireless devices will be conducted by the security group.
• The use of Bluetooth must be managed.
Best Practice 7: VPN
Virtual Private Network usage:
• Remote access connections must be approved and secured.
• Extranet / business partner connections must be approved and secured, periodically reviewed, and have a designated point of contact.
Questions?
Don't forget to review the Online Manual:
• Best Practices
• Network Security Policy Guidelines
• Incident Response Policy
And take the QUIZ!
Group Activity
• Pair up
• Brainstorm
• Place ideas into the hat
• Draw from the hat
• Prepare your response
• Present your response
• Vote for your favorite!