solutions@syngress.com With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features: ■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. ■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors. ■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. ■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening. www.syngress.com/solutions 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page i 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page ii Security Assessment Case Studies for Implementing the NSA IAM Russ Rogers Greg Miles Ed Fuller Ted Dykstra Matthew Hoagberg 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page iii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or produc- tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress:The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 FGH73IP1LM 002 59MVZC6H9Q 003 4XFQIP4MCX 004 GLEQ71P9NC 005 7JHJ8FWEX2 006 VBP9EFC6K9 007 TYN8MF3TYH 008 64YTFXSQ9P 009 H8K3BN4GTV 010 IYGTE37V6N PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Security Assessment: Case Studies for Implementing the NSA IAM Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be repro- duced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-932266-96-8 Acquisitions Editor: Catherine B. Nolan Cover Designer: Michael Kavish Page Layout and Art: Patricia Lupien Copy Editor: Darlene Bordwell Indexer: Nara Wood Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada. 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page iv Acknowledgments v We would like to acknowledge the following people for their kindness and support in making this book possible. Syngress books are now distributed in the United States by O’Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market:Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop,Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen and to all the others who work with us, but whose names we do not know (yet)! The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope. David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada. Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada. David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands. Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines. A special thanks to all the folks at Malloy who have made things easy for us and espe- cially to Beth Drake and Joe Upton. 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page v 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page vi vii Contributors Greg Miles (CISSP, CISM, IAM) is a Co-Founder, President, and Principle Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Greg is a key contributor not only to Security Horizon’s manage- ment, but also in the assessment, information security policy, and incident response areas. Greg is a United States Air Force Veteran and has served in military and contract support for the National Security Agency, Defense Information Systems Agency, Air Force Space Command, and NASA supporting worldwide security efforts. Greg has been a featured speaker at the Black Hat Briefings series of security conferences and APCO conferences and is a frequent con- tributor to “The Security Journal.” Greg holds a bachelor’s degree in electrical engineering from the University of Cincinnati, a master’s degree in management from Central Michigan University in Management, and a Ph.D. in engineering management from Kennedy-Western University. Greg is a member of the Information System Security Association (ISSA) and the Information System Audit and Control Association (ISACA). Russ Rogers (CISSP, CISM, IAM) is a Co-Founder, Chief Executive Officer, Chief Technology Officer, and Principle Security Consultant for Security Horizon, Inc., a Colorado-based profes- sional security services and training provider. Russ is a key contrib- utor to Security Horizon’s technology efforts and leads the technical security practice and the services business development efforts. Russ is a United States Air Force Veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of “The Security Journal” and a staff member for the Black Hat Briefings series of security conferences. Russ holds a bachelor’s degree in computer science from the University of Maryland and a master’s degree in computer systems management also from the 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page vii viii University of Maryland. Russ is a member of the Information System Security Association (ISSA), the Information System Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners. Russ was recently awarded The National Republican Congressional Committee’s National Leadership Award for 2003. Ed Fuller (CISSP, GSEC, IAM) is Senior Vice President and Principle Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ed is the lead for Security Training and Assessments for Security Horizon’s offerings. Ed is a retired United States Navy Veteran and was a key participant on the development of Systems Security Engineering Capability Maturity Model (SSE-CMM). Ed has also been involved in the development of the Information Assurance Capability Maturity Model (IA-CMM). Ed serves as a Lead Instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM) and has served in military and con- tract support for the National Security Agency and the Defense Information Systems Agency. Ed is a frequent contributor to “The Security Journal.” Ed holds a bachelor’s degree from the University of Maryland in information systems management and is a member of the Center for Information Security and the Information Systems Security Engineering Association. Matthew Paul Hoagberg is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Matt contributes to the security training, assess- ments, and evaluations that Security Horizon offers. Matt’s experi- ence includes personnel management, business development, analysis, recruiting, and corporate training. He has been responsible for implementing a pilot 3-factor authentication effort for Security 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page viii ix Horizon and managing the technical input for the project back to the vendor. Matt holds a bachelor’s degree in psychology from Northwestern College and is a member of the Information System Security Association (ISSA). Ted Dykstra (CISSP, CCNP, MCSE, IAM) is a Security Consultant for Security Horizon, Inc., a Colorado-based profes- sional security services and training provider.Ted is a key contrib- utor in the technical security efforts and service offerings for Security Horizon, and an instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM).Ted’s background is in both commercial and government support efforts, focusing on secure architecture development and deployment, INFOSEC assessments and audits, as well as attack and penetration testing. His areas of specialty are Cisco networking products, Check Point and Symantec Enterprise Security Products, Sun Solaris, Microsoft, and Linux systems.Ted is a regular contributor to “The Security Journal,” as well as a member of the Information System Security Association (ISSA) and a leading supporter of the Colorado Springs, Colorado technical security group: dc719. 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page ix [...]... Chapter 2 The Pre -Assessment Visit Introduction Preparing for the Pre -Assessment Visit Questions You Should Ask Determining the Network Environment of the Assessment Site Determining the Security Controls of the Assessment Site Understanding Industry Concerns for the Assessment Site Scheduling Understanding Special Considerations Managing Customer Expectations Defining the Differences Between Assessment and... Organization Security Defining Roles and Responsibilities Who Is the Decision Maker? 31 31 31 32 32 32 33 34 35 35 36 39 40 42 45 46 47 48 48 50 50 52 53 53 54 56 57 58 60 61 286_NSA_IAM_TOC.qxd 12/16/03 2:12 PM Page xiii Contents Who Is the Main Customer POC? Who Is the Assessment Team Leader? Suggestions for the Assessment Team Possible Members of the Customer Team Planning for the Assessment Activities... 322 322 322 323 323 323 323 324 329 329 331 Chapter 10 Final Reporting 333 Introduction 334 Preparing for Analysis 334 Consolidating and Correlating Assessment Information 334 Assessment Team Meetings 335 Assessment Team Writing Assignments 335 Review of Assessment Information 336 Understanding Findings (Doing the Analysis) 336 286_NSA_IAM_TOC.qxd 12/16/03 2:12 PM Page xxi Contents What Is Risk? Analysis... Customer Determine the Customer’s Security Posture Environmental Threats Human Threats Vulnerability Classification Positive Findings Negative Findings Multiple Recommendations for Each Finding Creating and Formatting the Final Report Executive Summary Executive Summary Content Introduction Customer and Assessment Company Information Assessment Process Description Purpose of the Assessment System Description... 397 398 Appendix A Forms, Worksheets, and Templates IAM Pre -Assessment Site Visit Checklist IAM Planning Survey Types of Documents That Require Tracking Policy Documents Guideline/Requirements Documents System Security Plan Documents User Documents Document-Tracking Templates Elements of the Technical Assessment Plan The Interview List The Assessment Timeline 401 402 404 408 408 409 409 410 411 412... 12/16/03 2:21 PM Page x 286_NSA_IAM_TOC.qxd 12/16/03 2:12 PM Page xi Contents Introduction xxv Chapter 1 Laying the Foundation for Your Assessment Introduction Determining Contract Requirements What Does the Customer Expect? Customer Definition of an Assessment Sources for Assessment Work Contract Composition What Does the Work Call For? What Are the Timelines? Understand the Pricing Options Understanding... Criticality Matrix Summary Best Practices Checklist Frequently Asked Questions 140 141 145 147 149 Chapter 5 The System Security Environment 151 Introduction 152 Understanding the Cultural and Security Environment 154 The Importance of Organizational Culture 154 Adequately Identifying the Security Environment 156 Defining the Boundaries 159 Physical Boundaries 160 Logical Boundaries 161 Never the Twain... Summary Organizational Assessment Findings Summary INFOSEC Analysis Organizational Assessment Findings High-Severity Findings Medium-Severity Findings Conclusion Results Summary Best Practices Checklist Frequently Asked Questions 355 Chapter 11 Tying Up Loose Ends Introduction Examining Document Retention Public Domain Documentation Customer Documentation Documentation Generated by the Assessment Team Controlling... Documentation Location 172 What If No Documentation Exists? 172 Ad Hoc Security 173 xv 286_NSA_IAM_TOC.qxd xvi 12/16/03 2:12 PM Page xvi Contents Case Study: Higher Education Summary Best Practices Checklist Frequently Asked Questions Chapter 6 Understanding the Technical Assessment Plan Introduction Understanding the Purpose of the Technical Assessment Plan The TAP: A Plan of Action The TAP: A Controlled... 286_NSA_IAM_TOC.qxd 12/16/03 2:12 PM Page xxiv 286_NSA_IAM_Intro.qxd 12/16/03 2:49 PM Page xxv Introduction Welcome to the National Security Agency (NSA) Information Assurance Methodology (IAM) In 1998, the NSA IAM was developed to meet the demand for information security (INFOSEC) assessments—a demand that was increasing due to Presidential Decision Directive 63 (PDD-63) while at the same time NSA was downsizing . Principle Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ed is the lead for Security. for Information Security and the Information Systems Security Engineering Association. Matthew Paul Hoagberg is a Security Consultant for Security Horizon,