
How to Conduct an Information Security (INFOSEC) Assessment






Presentation Transcript


  1. How to Conduct an Information Security (INFOSEC) Assessment The NSA INFOSEC Assessment Methodology (IAM) Stephen Mencik, CISSP ACS Defense, Inc.

  2. Agenda • What is an INFOSEC Assessment? • The need for a common Assessment Methodology • The NSA INFOSEC Assessment Methodology (IAM)

  3. What Is an INFOSEC Assessment? A review of the Information System Security (INFOSEC) posture of operational system(s) for the purpose of identifying potential vulnerabilities. Once identified, recommendations are provided for the elimination or mitigation of the vulnerability.

  4. INFOSEC Assurance Vulnerability Discovery Triad • Assessments (Level 1) • Evaluations (Level 2) • Red Team (Level 3)

  5. INFOSEC Assessment Characteristics • No hands-on testing • Management buy-in • Success depends on cooperation of people • Non-attribution

  6. What Is the Purpose of an INFOSEC Assessment? • An INFOSEC Assessment allows one to: • Determine which information is critical to the organization • Identify the systems that process, store, or transmit that critical information • Determine the proper INFOSEC posture for these systems • Identify potential vulnerabilities • Recommend solutions to mitigate or eliminate those vulnerabilities

  7. Why the Need for a Common Assessment Methodology? • Compare results over time • Compare assessments done by different teams

  8. The NSA INFOSEC Assessment Methodology • Developed by the National Security Agency (NSA) during the mid-late 1990’s • NSA had more assessment requests than they could handle • Needed a common methodology to be used by all contractors performing assessments on NSA’s behalf • Provided to the public sector as a community service

  9. IAM Phases • Phase 1: Pre-Assessment (On/Off-Site) • Phase 2: Assessment (On-Site) • Phase 3: Post-Assessment

  10. Pre-assessment Phase • Purpose • Gain an understanding of the criticality of the customer’s information • Identify system, including system boundaries • Coordinate logistics with the customer • Write an assessment plan

  11. On-site Activities • Purpose • To explore and confirm the information and conclusions made during the Pre-Assessment Phase • To perform data gathering and validation • Interviews • Documentation • System demonstrations • To provide initial analysis and feedback to the customer

  12. Post-assessment • Finalize analysis • Preparation and coordination of a final report

  13. On-site Details • Gather and validate system information • Interviews • System demonstrations • Documentation review • Analyze assessment information • Develop initial recommendations

  14. Interviews • Used to: • Gain information from a larger cross section of the organization • Learn how operations “really” occur

  15. System Demonstrations • Useful tool to supplement information gathering • Can be used to resolve conflicting information

  16. Additional Documentation Review • Supplements information gathered during interviews • Added assurance if it is documented • Lack of documentation is a finding

  17. Baseline Information Categories 1. INFOSEC Documentation 2. INFOSEC Roles and Responsibilities 3. Identification & Authentication 4. Account Management 5. Session Controls 6. External Connectivity 7. Telecommunications 8. Auditing 9. Virus Protection 10. Contingency Planning 11. Maintenance 12. Configuration Management 13. Back-ups 14. Labeling 15. Media Sanitization / Disposal 16. Physical Environment 17. Personnel Security 18. Training and Awareness

  18. 1. INFOSEC Documentation • Policy • Guidelines / requirements • System Security Plans (SSP) • Standard Operating Procedures (SOP) • User system security manuals

  19. 2. INFOSEC Roles and Responsibilities • Upper Level Management • Systems Operation • User Community

  20. 3. Identification & Authentication • Fundamental building block of INFOSEC • Three methods of implementation • “Something you know” • “Something you have” • “Something you are”

  21. 4. Account Management • Documented account management policy and procedures • Written formal account request • General and privileged user agreements • Supervisor and data owner approval for access • Minimal privilege access • Account initialization

  22. 4. Account Management (Cont.) • Account termination • Account maintenance • Special accounts

  23. 5. Session Controls • Protected, logged on workstation • Time-outs • Lock-screen capability with password • Warning banner

  24. 6. External Connectivity • Internet • Modems • Dedicated

  25. 7. Telecommunications • Documented requirements and procedures for transmitting sensitive information • Encryption issues • Purpose (confidentiality, integrity, non-repudiation) • Trust in communications medium • Strength of algorithm • Alternate routes for increased availability

  26. 8. Auditing • Policy requiring mandatory auditing • SOP defining what to audit • Audit analysis and reporting on a timely basis • SSA trained in audit analysis

  27. 9. Virus Protection • Written policy • Personal software allowed? • Scan incoming software • System scans • Update tools • Employee education/training

  28. 10. Contingency Planning • Documented plan • Identify mission or business critical functions • Uninterruptible Power Supply (UPS)

  29. 11. Maintenance • Policy and procedures • Personnel clearance level • Control of diagnostic software • Remote maintenance access

  30. 12. Configuration Management • Documented configuration control plan • Configuration Control Board (CCB) • Software loading issues for SSA approval

  31. 13. Back-ups • Documented in SSP and SOP • Schedule • Proper storage • Periodic testing of back-ups

  32. 14. Labeling • Policy/SOPs • Document what/why information is sensitive • Employees trained on proper marking procedures • Removable media • System components

  33. 15. Media Sanitization/Disposal • Documented policy and SOPs • Media sanitization methods • Establish responsibilities • User education/training • Contract concerns

  34. 16. Physical Environment • Physical environment can be used to offset lack of system security capabilities • Ramifications to INFOSEC posture

  35. 17. Personnel Security • Background checks • Security clearance • Signed user agreements • Employee awareness of social engineering techniques

  36. 18. Training and Awareness • Users are usually the weakest link in security • Documented responsibilities • Formal INFOSEC training program for users and SSA

  37. Baseline Information Categories Summary • All categories need to be addressed • Category details will be dependent on the specific system • Additional categories can be included

  38. Analysis of Vulnerabilities • Identify weaknesses or vulnerabilities in the system and operations that could potentially be exploited by an adversary

  39. Threat Aspects • Environmental • Human • External • Internal malicious • Internal inadvertent

  40. Develop Recommendations • The assessment team will develop a list of recommended technical and operational security countermeasures to the identified system vulnerabilities

  41. Post-assessment Activities Phase • Additional review of documentation • Additional expertise • Report Coordination

  42. Summary IAM Baseline Activities • Pre-Assessment • On-site customer coordination • Information criticality analysis with matrices • Customer's concerns • Documented INFOSEC assessment plan
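The information criticality analysis named on this slide, and the "identify the systems that process, store, or transmit critical information" step from slide 6, can be sketched as a small worked example. This code is added here and is not part of the presentation or of the IAM itself; the H/M/L scale per confidentiality, integrity and availability, the sample information types and systems, and the rule that a system inherits the highest rating of any information it handles are all assumptions.

```python
# Added illustration (not from the presentation): roll up information
# criticality to the systems that process, store, or transmit it.
# Assumptions: ratings are H/M/L for confidentiality, integrity and
# availability, and a system inherits the highest rating of any
# information type it handles.
from typing import Dict, List, Tuple

CIA = ("confidentiality", "integrity", "availability")
RANK = {"L": 1, "M": 2, "H": 3}            # ordering of the ratings
LABEL = {v: k for k, v in RANK.items()}

# Constructed sample: information criticality matrix for a hypothetical
# customer, one row per information type, columns are (C, I, A).
INFO_CRITICALITY: Dict[str, Tuple[str, str, str]] = {
    "payroll records":      ("H", "H", "M"),
    "public web content":   ("L", "H", "M"),
    "engineering drawings": ("H", "M", "L"),
}

# Constructed sample: which systems process, store, or transmit which
# information types (the system boundary identified in pre-assessment).
SYSTEM_INFO: Dict[str, List[str]] = {
    "HR server":   ["payroll records"],
    "web server":  ["public web content"],
    "file server": ["engineering drawings", "payroll records"],
}

def system_criticality(info, system_info):
    """Return {system: (C, I, A)}, each rating being the highest rating
    of any information type the system handles."""
    result = {}
    for system, info_types in system_info.items():
        if not info_types:
            # A system with no mapped information is a scoping gap, not "L".
            raise ValueError(f"{system} maps to no information; revisit scoping")
        best = [0, 0, 0]
        for name in info_types:
            for i, rating in enumerate(info[name]):
                best[i] = max(best[i], RANK[rating])
        result[system] = tuple(LABEL[b] for b in best)
    return result

def print_matrix(matrix):
    """Print a matrix as rows of C/I/A ratings."""
    width = max(len(k) for k in matrix)
    print(f"{'':{width}}  C  I  A")
    for name, ratings in matrix.items():
        print(f"{name:{width}}  " + "  ".join(ratings))

if __name__ == "__main__":
    print_matrix(INFO_CRITICALITY)
    print_matrix(system_criticality(INFO_CRITICALITY, SYSTEM_INFO))
```

The resulting system matrix is what the team then uses to decide the INFOSEC posture each system should meet (slide 6), and a system that inherits an H in any column is the first place to look for findings.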

  43. Summary IAM Baseline Activities • On-site Assessment • Information gathering • Interviews • Documentation review • System demonstrations • 18 baseline information categories

  44. Summary IAM Baseline Activities • Post-Assessment • Documented report

  45. Useful Links • http://www.iatrp.com/iam.cfm Official IAM site • http://www.iatrp.com/indivu2.cfm List of individuals certified to perform assessments using IAM • http://www.iatrp.com/certclass.cfm Information on 2-day IAM training leading to certification

  46. Contact Information Stephen Mencik Sr. INFOSEC Engineer ACS Defense, Inc. 9020 Mendenhall Ct., Suite J. Columbia, MD 21045 (410) 953-7313 stephen.mencik@acs-inc.com steve@mencik.com
