Security Assessment: Case Studies for Implementing the NSA IAM, part 5

Understanding the Cultural and Security Environment

Understanding the cultural and security environment involves more than understanding the location of the room that contains the components that process, store, or transmit an organization's critical information. As the INFOSEC assessor, you need to understand the operational culture and security environment that houses the critical information.

TERMINOLOGY ALERT
The cultural environment is made up of the people who work in that environment and their perceptions of how things are done or should be done.

The culture of the organization can, and does, vary with the people in the environment. It includes customer perceptions of their requirements and how those requirements apply to the organization. This information leads to identification of the security environment.

TERMINOLOGY ALERT
The security environment is made up of the documented requirements for operations. The requirements can be in the form of legal requirements and official and unofficial policy.

Defining the customer's perceived environment depends on the applicable laws, regulations, and architecture. Few laws or regulations apply to all organizations. You as the assessor must understand the appropriate regulations to facilitate the definition of the security environment.

The Importance of Organizational Culture

The organization's culture is important. Recommendations that you make should fit the organization's operational requirements. We are all aware that security is usually seen as a hindrance to work. Many people distrust any implementation that is security related. Many aspects of the organization's environment define the culture and need to be identified. The organization's culture depends on many factors, including employees' personal backgrounds (education, experience) and unofficial or unwritten goals and objectives.
Some organizations do not want to share any information that is not required; others want to show that they are sharing everything possible. The cultural environment of a higher education institution is usually one that promotes (and even advertises) its openness. To the users, this means that there should be no restrictions on access to any information located within or outside the institution. This is not the case in federal government agencies. They tend to feel that any access should be controlled and limited to people who have a need. Understanding these views is important; otherwise, the team could possibly make recommendations that the customer is not likely to implement. What would be the value of that? Recommendations should fit the organization and provide a road map to improving its security posture.

From the Trenches… Users Hate Change

The recommendations that are made must fit the organization. If you are dealing with an organization that has relied on a command-line interface (CLI) for years, suddenly forcing employees to use a graphical user interface (GUI) can cause serious contention. There was a time when the security recommendation for a customer that was using Tandem mainframes was to migrate all the users from the native Guardian software interface, which was command line, to BOSS software, which is GUI based. The users hated the idea. In this environment the users tended to have long tenures within the organization. The idea that they couldn't have their CLI was unacceptable to them. Due to the requirements for the security environment, the users lost the argument and had to migrate. The users tended to try to break the application in order to show that they should have stayed with their favorite. This situation became a headache for the implementers and managers.
A good lesson learned from this situation was that there should be an intermediate step in the migration process to allow the users to adjust to the change without a radical cross-over.

Adequately Identifying the Security Environment

The assessment team must gain an understanding of the operational environment and mode of operation of each system that processes, stores, or transmits the organization's critical information. This information can be drawn from system architecture and configuration documents, functional and security concept of operations (CONOP), and diagrams and schematics. These documents provide the written facts detailing how the organization should be operating. But don't forget the senior management interviews that you have already completed. They are very useful in identifying the environment. There are some unofficial ways to assist in determining the environment, such as observation. During interviews and system demonstrations you will find that users are doing things for which they can cite no reason. All they really understand is that these "things" are a requirement.

To understand how the system works, the assessment team needs to review available information, including customer-supplied documents such as architectural documents, available functional and security concept of operations (CONOPS, SECONOPS), and literature available through open sources such as the Internet. CONOPS or SECONOPS are documents that are readily found in the federal government but that rarely exist in the commercial world. They are supposed to document how and why security controls are used. From experience we have found that usually the CONOPS are quite a bit more extensive than just the "how and why." CONOPS tend to be expanded to become procedure guidelines and even SOPs.

Draw information about the system from accurate system diagrams. Without diagrams, boundaries will never be defined.
Without boundaries, the assessment will be very susceptible to scope creep.

TERMINOLOGY ALERT
Scope creep is the addition of work beyond what the assessment team was originally prepared to do. Scope creep results when the customer adds requirements or includes new components when the assessment team does not have well-defined boundaries.

If diagrams don't exist, you have two options. You can have the customer create them or you can provide assistance to get it done. Keep in mind that there are two types of system diagrams that you need:

■ Logical diagrams: From the owner's and user's perspectives, depict the system(s) of information utilization and data flow.
■ Physical diagrams: Depict the system(s) from the physical component perspective of connectivity and interfaces.

The logical diagrams are useful in dealing with upper management. In our experience, using a physical diagram with upper management is a waste of time while these people examine the diagram to determine where they are on it. Logical diagrams are the better way to go with upper management. Managers tend to understand the logical information flow displayed and can quickly determine functional relationships. Physical diagrams are much more detailed and show all the components that make up the physical plant.

From the Trenches… Network in Flux

Network diagrams allow you to map and scope the assessment to the actual components within the organization. If you are dealing with a high-tech startup company, the proposed network might be incomplete. For one such company for which we completed an assessment, the entire network was a work in progress. The company had been in operation for about a year, and when we asked to see the network diagram we were shown the frosted glass windows of a conference room.
All the windows had been used to draw the proposed final network. When we asked if this was the actual network, we were told no. At that point the customer pointed to a spot on the glass and said, "We are about here." The result is that the customer really didn't know what their actual network consisted of. We chose the route of assisting them. Our network engineer transcribed the drawings to paper and worked with the customer to validate the network configuration. Without the network diagram, no boundaries could be defined.

If the organization is a federal classified system, you will also need to determine mode of operation (for example, system high, multilevel, dedicated, or the like). Mode of operation is well defined in DoD 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria. The most common mode that assessors will see is system high. System high is simply explained as a system in which all the personnel who have access to the system for any reason must have a security clearance equal to the highest level of classification of any information that is processed, stored, or transmitted by that system. This requirement applies to anybody, even if they do not have specific access to that classified information. There are various other levels of mode of operation; if you are not sure what the system definition means, read DoD 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria (www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html).

Determine system operations and functions, note external and internal connectivity to other systems, and generally describe the system configuration in writing. This is important for your assessment team. This information will be used later in the pre-assessment plan and in the final report. Often it is also very useful for all the players to agree on a description to augment the network diagrams.
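The system-high rule described above (everyone with any access to the system must be cleared to the highest classification it handles, whether or not they ever touch that information) can be sanity-checked mechanically against an account list gathered during interviews and demonstrations. The following is an added example, not code from the book or from the IAM; the four-level clearance ordering and the sample accounts are constructed for illustration.

```python
"""Check the 'system high' mode-of-operation condition for a classified system.

Added example; the clearance scale and sample data below are constructed
for illustration and are not taken from DoD 5200.28-STD or the book.
"""

# Ordered lowest to highest. Constructed linear scale for the example.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def highest_classification(data_labels):
    """Return the highest classification among the information the system
    processes, stores, or transmits."""
    if not data_labels:
        raise ValueError("system must handle at least one labelled data set")
    for lbl in data_labels:
        if lbl not in RANK:
            raise ValueError(f"unknown classification label: {lbl!r}")
    return max(data_labels, key=lambda lbl: RANK[lbl])


def system_high_violations(data_labels, accounts):
    """Return the users whose clearance is below the system's highest
    classification.

    Under system high every person with access for any reason must be
    cleared to that level, so an account's actual data access is
    deliberately not consulted: a help-desk or backup account that never
    opens a SECRET file still needs a SECRET clearance on a SECRET-high box.

    accounts: iterable of (user, clearance) tuples.
    """
    required = highest_classification(data_labels)
    violations = []
    for user, clearance in accounts:
        if clearance not in RANK:
            raise ValueError(f"unknown clearance for {user}: {clearance!r}")
        if RANK[clearance] < RANK[required]:
            violations.append(user)
    return violations


# Constructed sample: labels found on the system and the accounts that can
# log in to it, as a demo or interview might surface them.
SAMPLE_DATA = ["UNCLASSIFIED", "SECRET", "CONFIDENTIAL"]
SAMPLE_ACCOUNTS = [
    ("alice", "SECRET"),
    ("bob", "CONFIDENTIAL"),   # backup operator, never reads SECRET data
    ("carol", "TOP SECRET"),
    ("dave", "UNCLASSIFIED"),  # help-desk account used for password resets
]

if __name__ == "__main__":
    level = highest_classification(SAMPLE_DATA)
    bad = system_high_violations(SAMPLE_DATA, SAMPLE_ACCOUNTS)
    print(f"system high level: {level}")
    print("accounts below that level:", ", ".join(bad) or "none")
```

Any name the check returns is a point to list for investigation during the onsite phase rather than a finding to raise during the pre-assessment.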
Identify the key components and primary operating systems. It is usually a good idea to write one or two short paragraphs to describe the configuration in narrative form. The IAM is not an analysis of physical security; however, physical security will affect vulnerability analysis and recommendations.

WARNING
Be careful to keep your poker face in place. Identifying an issue that could occur is a pre-judgment of findings and vulnerabilities. Trying to deal with perceived vulnerabilities before they are proven will cause the customer to distrust you. All identified issues should be listed and investigated during the onsite phase, not during the pre-assessment. Remember, your team doesn't necessarily have all the information yet and shouldn't pre-judge.

Defining the Boundaries

Defining the boundaries is paramount to defining the assessment's scope and controlling scope creep. Problems can occur and will occur when this step is not adequately completed. Boundaries ensure that everybody knows where the assessment team stops. As the pre-assessment continues, the customer will become better educated on the process, and it is not unusual for the customer to begin to add things to the assessment. Keep in mind that if you don't have a good boundary, the boundary can be shifted. These boundary shifts may each be minor, but they will add up. As they add up, they will begin to stretch the resources of your assessment team. You must keep in mind that doing the pre-assessment in and of itself is a service to the customer. You are removing the proverbial horse blinders from senior management. Often, as an organization becomes set in its ways, management tends to become more fixated on business accomplishment than the big picture. Little things begin to get lost in the weeds of day-to-day operations.
From the Trenches… The Never-Ending Assessment

Without well-defined boundaries, the customer will easily add components and other activities to the assessment. This is not to say the team won't do the work, but they may not have the resources to adequately do the job if it expands much beyond the original plan. Take the example of an ISP assessment we did. The boundaries were set to assess the organization. There was no physical network diagram. The organization was verbally defined as consisting of three floors, all located in one building. When the assessment team arrived on site, they discovered that the network extended out of the building. The customer expected that the assessment would include their perimeter devices located across town. The assessment team had no problem with including the devices. Then the customer wanted the interlinking devices to be included. The assessment team was forced to spend two extra days to generate and gain customer approval of what the network consisted of. The result was that the added components included a development network and network operations center that were located in various other buildings. With the contract already signed, this extension of the boundaries resulted in exceptionally long days for the assessment team. The assessment was completed, but it took extra effort on the part of the assessment team to define the new boundaries and wasted valuable resources during the onsite phase.

Now that you have reawakened the awareness of what everybody is doing, why they are doing it, and what the interdependencies are, you will hear thought-provoking discussions between management. When the team returns for the onsite or even right after the project has been scoped and bounded, most customers usually want to add to the assessment. This isn't a bad thing; it shows that the pre-assessment was highly successful in increasing the security awareness and security concerns of senior management. Unfortunately, though, this can lead to the team being unprepared to handle the extras that are requested. This is normally the time you'll need to do a contract modification. One way to handle this issue before it becomes a problem is to adequately define the boundaries, both physical and logical. Hopefully you will make the two meet to allow everybody to understand the limits of the system(s) under assessment.

Physical Boundaries

Although we already discussed the physical boundaries in Chapter 4, "System Information Criticality," we review the concept here to see the effect of the boundaries on the scope of the assessment. The physical boundaries are fairly easy for middle managers and managers below them to recognize and understand. These are the points that they are used to dealing with. They can be identified as simple things such as a wall jack, router, and/or perimeter device. You already identified most of these items when you defined the System Information Criticality Matrix (SICM) covered in the last chapter. It is considered a good practice to tie the physical boundary to a specific component and a specific address on the component. This will mean that you need to consider at what part of the component to stop. This is setting the physical boundary for the assessment. For example, if you are assessing a system that is connected to a shared router, are you going to define the assessment boundary as the system input to the router or the entire router? Again, this decision should have been made when you defined the SICM. This leads us to the logical part of the boundary.
TERMINOLOGY ALERT
Physical boundaries are defined by the locations (for instance a room, a building, or a complex) of the system equipment and local procedures regarding the handling and processing of particular types of information.

Logical Boundaries

Logical boundaries are something that is not so easy for upper management and most middle management to understand and recognize. As discussed in Chapter 4, this is the point at which the customer has no physical control over the information. Usually management does not realize that this is an issue. They want to get that warm and fuzzy feeling that their information is being protected as they feel it should be. The problem is that senior management often does not understand that they really don't have any control over those components. This is where you as the assessor must educate them. The customer must understand how the logical boundary will affect the scoping of the assessment. Consider the issues of having the logical boundary set at the perimeter router. Who owns the router? In many organizations, the ISP or a parent organization owns the perimeter router. If the ISP is one of the major providers such as Sprint, MCI, or AT&T, they might not agree to allow any review of the router. The service-level agreement (SLA) may even forbid review of the rule sets used.

TERMINOLOGY ALERT
Logical boundaries are defined by where responsibility for or authority over information changes hands.

Never the Twain Shall Meet—Or Should They?

One of the key issues to boundaries is ensuring that everybody involved understands and agrees to them. As we have discussed, you can see that it would not be unusual for the customer to define two different boundaries. This will make your assessment difficult. The issue is whether or not you do the customer any service in including components that they have no control over.
Consider the case in which the system for which you are doing the assessment has a physical boundary of a firewall. The firewall is across the street and under the physical and logical control of another organization. The other organization can be of equal status to the organization that hired you, or it could be a parent organization. Does it really matter? The other organization did not request the assessment, has no buy-in to do the assessment, and may have other operational commitments. Also consider the cabling that connects the two organizations. Is it controlled by another separate entity? You might want to ask if your customer has ready access to the cabling and firewall, or do they need to ask for access? In this situation the customer has a physical boundary of the firewall and a logical boundary of the router within their own organization.

The simplest method in approaching this situation is to merge the two boundaries. This way there are no conflicts or issues with external organizations. But merging can be an issue in and of itself. Political motivations are usually involved when the customer wants to include components that they have no control over. Being a good listener and asking open-ended questions will usually help you reveal why the customer wants to include the external organizations. We don't recommend that you become involved in the organization's internal politics. We do recommend that you try to convince the customer of the value of merging the two boundaries. This will ease the resource requirements on their side, since they would be responsible for coordinating and providing access to the external organizations and components. The customer must clearly understand that lack of this access will affect the results of the assessment.
Identifying the Customer Constraints and Concerns

Without a doubt you can be assured that senior management will always agree that security is important. Typically, this agreement tends to mean that security is important until it becomes an inconvenience. We are aware that security affects production. Many technical security implementations cause network performance degradation. Any component that is inserted into a network will slow it down, even if only by nanoseconds. This is why it's important for you to determine the customer's pain threshold. The pain threshold equates to the limitations the customer is under. If the customer is already running above 85 percent network capacity, they might not be able to implement any component implementations that will further reduce available network bandwidth. Legacy applications may have adverse reactions to some solutions. It makes no sense to recommend solutions to mitigate findings if the customer is unable or unwilling to implement the solutions. You need to work with the customer to determine the constraints and concerns that have to be addressed.

Defining Customer Constraints

Why do you need to know the constraints? You need to know the constraints to provide useful recommendations that fit the customer and their unique situations. Knowledge of constraints is helpful when you're offering alternative recommendations. As we all know, security almost always affects performance. Using the IAM process allows you as the assessor to identify both the benefits and drawbacks of security.
Knowing the positive and negative impacts is essential to being able to speak to the customer about which countermeasures are most appropriate for their organization. You need to be aware that operational constraints, resource constraints, environmental constraints, or even architectural constraints may be imposed on recommended countermeasures.

Types of Operational Constraints

Operational constraints come from the users or the type of work being done. This is something that can be drawn from the determination of the operational environment. This means that you need to understand the normal work operations. If the operational environment requires batch processing, there are windows of time in which the assessment could potentially interfere with operations. This type of operational constraint is normally called peak processing periods. Normal work hours are something to consider. Many organizations do not operate 24 hours a day, 365 days a year. Time constraints affect the availability of personnel for interviews and demonstrations. This is another operational constraint normally called normal work hours.

[...] you have defined the boundaries of the assessment and understand all the concerns and constraints, it's time to get the documentation. Some people would start asking for the documentation as soon as they arrive for the pre-assessment visit or even request that the documentation be gathered prior to their arrival. We don't recommend that. Requesting the documentation prior to arrival for the pre-assessment...

...about security and get firsthand knowledge of the security posture of the institute. We then discussed getting the documentation in softcopy, except for the online Help menu. The assistant said that there would be no problem and he should have all the documents in softcopy by the end of the day. With this chore out of the way, it is time to move on to putting together the assessment plan and getting the...

...tie together all aspects of an IAM between the customer and the assessment team. It is the first line of agreement in maintaining customer expectations, which can be so crucial to security assessments. The TAP is meant to be the outline that the upcoming assessment process follows and the tool...

...the minimum activities are accomplished? The SOP is the guide that allows a competent individual to fill in and accomplish the job.

User Documentation

User documentation provides users with the security information they need to do their jobs. It should include information for awareness and training of the system and information security aspects of each job. There should be guidance and procedures for the...

...What is the official reason for the assessment? What is the unofficial reason for the assessment? Are there any specific areas of interest to the customer?

Handling the Documentation Identification and Collection

Does policy documentation exist? Does guidelines/requirements documentation exist? Does...

Introduction

This chapter focuses on one of the key management tools of the IAM, the technical assessment plan (TAP). In the previous chapters we went into great detail about what makes up the TAP, since it can be considered the core outcome of the pre-assessment site visit. The TAP is the primary deliverable created during the pre-assessment phase. The TAP combines all the information that has been created or...

...boundaries. For ITS, an up-to-date physical and logical diagram had been prepared just for this assessment. The technical lead for the assessment went with the ITS senior network engineer to validate the diagram while I worked with the ITS director and his assistant to define the logical boundaries. The first cut by the ITS director was to include the entire Class B network. Looking at the logical diagram for the...

...action. It should cover all the pieces that go into an IAM-derived assessment from the work completed during the pre-assessment site visit all the way to the expectations for final report delivery. The TAP should be used to help document the overall assessment and organize activities for the remaining phases. The plan is really a map that has been approved by both sides of the assessment as to actions that...

...using the entire Class B would encompass all the organizations outside ITS. When we asked if there would be any problem with getting the medical center or colleges to participate, it was identified that they would not. We discussed the fact that if the external organizations did not participate, the assessment...

...we then worked with the ITS director and the ITS senior network engineer to define what the ITS division actually had physical control of. Based on the logical diagram, we defined three routers. Router 1 provided the connectivity for the T1 from the Internet. Router 2 provided the connectivity for the medical center and colleges. Router 3 provided the connectivity for the dorm network. Translating that information...

Posted: 13/08/2014, 15:21
