solutions@syngress.com
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Security Assessment: Case Studies for Implementing the NSA IAM
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-932266-96-8
Acquisitions Editor: Catherine B. Nolan
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Darlene Bordwell
Indexer: Nara Wood

Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.
we do not know (yet)!
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.
A special thanks to all the folks at Malloy who have made things easy for us and especially to Beth Drake and Joe Upton.
Russ Rogers (CISSP, CISM, IAM) is a Co-Founder, Chief Executive Officer, Chief Technology Officer, and Principal Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Russ is a key contributor to Security Horizon’s technology efforts and leads the technical security practice and the services business development efforts. Russ is a United States Air Force Veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of “The Security Journal” and a staff member for the Black Hat Briefings series of security conferences. Russ holds a bachelor’s degree in computer science from the University of Maryland and a master’s degree in computer systems management, also from the University of Maryland. Russ is a member of the Information System Security Association (ISSA), the Information System Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners. Russ was recently awarded The National Republican Congressional Committee’s National Leadership Award for 2003.
Ed Fuller (CISSP, GSEC, IAM) is Senior Vice President and Principal Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ed is the lead for Security Training and Assessments for Security Horizon’s offerings. Ed is a retired United States Navy Veteran and was a key participant in the development of the Systems Security Engineering Capability Maturity Model (SSE-CMM). Ed has also been involved in the development of the Information Assurance Capability Maturity Model (IA-CMM). Ed serves as a Lead Instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM) and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Ed is a frequent contributor to “The Security Journal.” Ed holds a bachelor’s degree from the University of Maryland in information systems management and is a member of the Center for Information Security and the Information Systems Security Engineering Association.
Matthew Paul Hoagberg is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Matt contributes to the security training, assessments, and evaluations that Security Horizon offers. Matt’s experience includes personnel management, business development, analysis, recruiting, and corporate training. He has been responsible for implementing a pilot 3-factor authentication effort for Security Horizon and managing the technical input for the project back to the vendor. Matt holds a bachelor’s degree in psychology from Northwestern College and is a member of the Information System Security Association (ISSA).
Ted Dykstra (CISSP, CCNP, MCSE, IAM) is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ted is a key contributor in the technical security efforts and service offerings for Security Horizon, and an instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM). Ted’s background is in both commercial and government support efforts, focusing on secure architecture development and deployment, INFOSEC assessments and audits, as well as attack and penetration testing. His areas of specialty are Cisco networking products, Check Point and Symantec Enterprise Security Products, Sun Solaris, Microsoft, and Linux systems. Ted is a regular contributor to “The Security Journal,” as well as a member of the Information System Security Association (ISSA) and a leading supporter of the Colorado Springs, Colorado technical security group: dc719.
Customer Definition of an Assessment 4
What Does the Work Call For? 11
Understand the Pricing Options 18
Networking and Operating Systems 27
Adequately Understanding Customer Expectations 30
What Does the Customer Expect for Delivery? 30
Adjusting Customer Expectations 30
Educating the Customer 31
Helping the Customer Understand the Level of Effort 31
Explaining Timeline Requirements 31
Understand the Commitment 32
Project Leadership 32
Constant Communication with the Customer 32
Constant Communication with Team Members 33
Timeliness of the Effort 34
Long Nights, Impossible Odds 35
Initial Resistance Fades to Cooperation 35
Case Study: Scoping Effort for the Organization for Optimal Power Supply 36
Summary 39
Best Practices Checklist 40
Frequently Asked Questions 42
Chapter 2 The Pre-Assessment Visit 45
Introduction 46
Preparing for the Pre-Assessment Visit 47
Questions You Should Ask 48
Determining the Network Environment of the Assessment Site 48
Determining the Security Controls of the Assessment Site 50
Understanding Industry Concerns for the Assessment Site 50
Scheduling 52
Understanding Special Considerations 53
Managing Customer Expectations 53
Defining the Differences Between Assessment and Audit 54
Results, Solutions, and Reporting 56
Interference on Ops 57
Impact on Organization Security 58
Defining Roles and Responsibilities 60
Who Is the Decision Maker? 61
Who Is the Main Customer POC? 61
Who Is the Assessment Team Leader? 62
Suggestions for the Assessment Team 63
Possible Members of the Customer Team 63
Planning for the Assessment Activities 65
Developing Mission Identification 66
Understanding Industry Differences 67
Relating the Mission to Pre-Assessment Site Visit Products 68
Defining Goals and Objectives 69
Understanding the Effort: Setting the Scope 69
Information Request 69
Coordinate 70
Establish Team Needs for Remaining Assessment 70
Industry and Technical Considerations 70
Case Study: The Bureau of Overt Redundancy 71
The Organization 71
Summary 75
Best Practices Checklist 76
Frequently Asked Questions 77
Chapter 3 Determining the Organization’s Information Criticality 81
Introduction 82
Identifying Critical Information Topics 86
Associating Information Types with the Mission 90
Common Issues in Defining Types 91
Common Mistakes in Defining Types 92
Identifying Impact Attributes 93
Common Impact Attributes 95
Confidentiality 96
Integrity 96
Availability 96
Additional Impact Attributes 97
Based on Regulatory or Legal Requirements 97
Personal Preference 98
Recommendation of a Colleague 99
Creating Impact Attribute Definitions 99
Understanding the Impact to the Organization 99
Can We Live Without This Information? 100
Example Impact Definitions 100
High, Medium, and Low 100
Numbered Scales 103
Creating the Organizational Information Criticality Matrix 104
Prioritizing Impact Based on Your Definitions 105
The Customer Perception of the Matrix 107
Case Study: Organizational Criticality at TOOT 108
TOOT Information Criticality Topics 109
Identifying Impact Attributes 110
Creating Impact Definitions 110
Creating the Matrix 111
Summary 113
Best Practices Checklist 115
Frequently Asked Questions 116
Chapter 4 System Information Criticality 119
Introduction 120
Stepping into System Criticality 121
Defining High-Level Security Goals 123
Locating Additional Sources of Requirements 126
Determining System Boundaries 128
Physical Boundaries 128
Logical Boundaries 128
Defining the Systems 130
What Makes a System Critical? 132
Breaking the Network into Systems 133
What Makes Sense? 134
Creating the System Criticality Matrix 134
The Relationship Between OICM and SCM 135
Refining Impact Definitions 136
A Matrix for Each System 137
Unexpected Changes 138
Case Study: Creating the SCM for TOOT 140
Locating System Boundaries 140
Completing the System Criticality Matrix 141
Summary 145
Best Practices Checklist 147
Frequently Asked Questions 149
Chapter 5 The System Security Environment 151
Introduction 152
Understanding the Cultural and Security Environment 154
The Importance of Organizational Culture 154
Adequately Identifying the Security Environment 156
Defining the Boundaries 159
Physical Boundaries 160
Logical Boundaries 161
Never the Twain Shall Meet—Or Should They? 162
Identifying the Customer Constraints and Concerns 162
Defining Customer Constraints 163
Types of Operational Constraints 163
Types of Resource Constraints 164
Environmental Constraints 164
Architectural Constraints 165
Determining Customer Concerns 166
Why Are You There in the First Place? 166
Specific Criteria to Assess 166
Handling the Documentation Identification and Collection 167
What Documentation Is Necessary? 169
Policy 169
Guidelines/Requirements 169
Plans 170
Standard Operating Procedures 170
User Documentation 170
Obtaining the Documentation 171
Use the Customer Team Member 171
Tracking the Documents 171
Determining Documentation Location 172
What If No Documentation Exists? 172
Ad Hoc Security 173
Case Study: Higher Education 174
Summary 179
Best Practices Checklist 179
Frequently Asked Questions 181
Chapter 6 Understanding the Technical
Introduction 184
Understanding the Purpose of the Technical Assessment Plan 184
The TAP: A Plan of Action 187
The TAP: A Controlled and Living Document 187
Linking the Plan to Contract Controls 188
Understanding the Format of the TAP 190
Point of Contact 191
Mission 192
Organizational Information Criticality 193
System Information Criticality 194
Customer Concerns and Constraints 195
System Configuration 196
Interviews 197
Documents 198
Timeline of Events 200
Customizing and Modifying the TAP to Suit the Job at Hand 200
Modifying the Nine NSA-Defined Areas 201
Level of Detail 201
Format 202
Case Study: The Bureau of Overt Redundancy 202
The BOR TAP 202
Contact Information 203
Mission 204
Organization Information Criticality 206
System Information Criticality 208
Concerns and Constraints 209
System Configuration 209
The Interview List 210