1 / 12

Defense Security Service Top 10 Vulnerabilities

Defense Security Service Top 10 Vulnerabilities. Corrie Velez Jeff Vaccariello. July 10, 2013. Number 10. Not auditing and reviewing audit results for classified systems Ensure Information System Security Officer (ISSO) understands DSS auditing requirements

talor
Download Presentation

Defense Security Service Top 10 Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Defense Security Service Top 10 Vulnerabilities Corrie Velez Jeff Vaccariello July 10, 2013

  2. Number 10 • Not auditing and reviewing audit results for classified systems • Ensure Information System Security Officer (ISSO) understands DSS auditing requirements • Recognizes event codes and symbols • Was I suppose to come in from my vacation

  3. Number 9 • Processing on an unaccredited system • Must have an Authority to Operate (ATO), Interim Authority to Operate (IATO), or Self Certification Authority • We don’t have time for security; we have a milestone to reach

  4. Number 8 • Lack of process to detect and deter viruses / malicious code • Anti Virus requirements should be documented in your Master System Security Plan (MSSP) or System Security Plan (SSP) • What's anti-virus

  5. Number 7 • Not reporting classified compromises • Compromise must be reported within 24 hours of confirmation • A final report is due within 15 days • Check your Contract Security Classification Specification (DD254) for additional reporting requirements • I swear I spun the lock

  6. Number 6 • Classified IS configuration and connectivity management • Provide detailed description of hardware, software, and any other items listed in your SSP. Include make, model, serial numbers, memory, etc. • I needed to use it on my other program

  7. Number 5 • Persons without proper eligibility accessing classified • Continuously check JPAS for accuracy and change in records • Ensure visitors are checked for proper eligibility prior to granting access • They are the customer, it’s their data

  8. Number 4 • Unreported FCL change conditions (foreign buyout, etc) • Check with your legal department and company officers • What's eFCL

  9. Number 3 • Uncleared Key Management Personnel • How is your company structured? • Is there a Board of Directors? If so, do they have authority to make decisions on classified issues • Check all the company officers • They don’t work on anything classified, why do they need to be cleared

  10. Number 2 • Personnel clearance re-investigations out-of-scope • Check JPAS records continuously • Make sure that employees submit all the necessary information • What's the charge number, this packet is too long

  11. Number 1 • Poor safe combination security • Meet with employees to inspect their safe • He doesn't have a badge, he can’t even get on site

More Related