Cyber Security Advisory Council

1

• Cyber Security Advisory Council

Information Technology Division February 4, 2004
2
Agenda

• Working Group Results
• Wireless
• Computer Access
• Configuration Management

3
Wireless Working Group Recommendations

• All access points registered with CSMIS per
  Wireless Policy
• Access Points will reside on a network external
  to the Campus Zone
• Access points residing on the internal network
  due to operational need handled on a case-by-case
  basis through CSMIS review by Cyber Security
• Must define criteria
• Access points on internal network must have
  encryption enabled
• Highest available rather than mandate 64 bit, 128
  bit
• NAT disabled direct knowledge of devices on the
  networks
• Move wireless access points residing on the
  internal network to wireless zone
• Except those that received a waiver
• Security review of each access point (Legacy and
  new)
• Rogue access points when detected will be
  disconnected from the network per policy
• Notify users of new policy
• Monday Morning Memo
• BNL Broadcast
• Cyber Security Training
• Wireless Policy on ITD website
• Update SBMS

4
Corrective Action Plan for September 2003 Audit
Wireless Working Group

• Rewrite policy to address accepted
  recommendations (2/04)
• All access points registered with CSMIS per
  Wireless Policy (5/04)
• Access Points will reside on external network
• Access points residing on the internal network
  due to operational need handled on a case-by-case
  basis through CSMIS review by Cyber Security
• Access points on internal network must have
  encryption enabled
• Highest available rather than mandate 64 bit, 128
  bit and NAT disabled
• Security review of each access point (Legacy and
  new) on internal network (7/04)
• Move wireless access points residing on the
  internal network to extranet (7/04)
• Except those that received a waiver
• Rogue access points when detected will be
  disconnected from internal network per policy
• Deploy AirDefense pilot program to detect rogue
  access points (4/04)
• Fully deploy AirDefense (contingent upon funding)
• End war driving

5
Computer Access Working Group Recommendations

• Onsite Access
• Non-sensitive systems
• Active employees, users/contractors granted
  access to systems at time of appointment
• System administrators (SA) delegated authority by
  department/division manager to create accounts on
  the systems that they administer
• SAs will verify users status via LDAP before
  creating account, records must be kept
• Web forms, scripts, databases for SAs to verify
  users status is in LDAP record account creation
• Use of account system recommended, not mandatory
• SAs who choose to keep their own records are
  subject to audit by Cyber Security
• Sensitive Systems
• Export Controlled Information
• US Citizens need approval by Principal
  Investigator
• Foreign nationals need approval by BNL
  Counterintelligence, Export Control Officers,
  Technology Transfer, and Local Approval Authority
• CRADA/Proprietary Research Agreement Information
• Approval by Principal Investigator.
• Web form will be created to route account
  requests for approval and to record approvals in
  a database

6
Computer Access Working Group Recommendations

• Remote-only Access
• Develop application form for FNs requesting
  remote access
• Designated officials to examine the application
• For justification
• Specified period of time
• All users, remote and local, must have life or
  guest numbers to get accounts
• PeopleSoft forms will be created to apply for an
  appointment as a remote user
• Applications will be reviewed following the same
  procedures that are now used for on-site access
• IA-473 for foreign nationals (irrelevant fields
  such as passport and visa information not
  required)
• Create temporary accounts while IA-473 approval
  pending? The committee could not decide.
• Account Auditing
• Fraction of systems will by audited annually by
  cyber security to ensure all of the accounts on
  the system are assigned to valid users
• Automated audit procedures
• Available for Windows and UNIX
• Already used on 90 of critical and sensitive
  systems
• Will be used on other major systems
• SAs can also keep their own records but they must
  be available for inspection

7
Configuration Management Recommendations

• Utilize features of RHEN for Linux CFG MGT
• System state and installed package reporting
• Standard builds - BNL child channels for security
  packages
• Use RH Satellite server to assist other
  distributions if possible
• Integrate Satellite server db info with
  registration data for reporting
• Utilize SMS for Windows CFG MGT
• Asset management tool made for the windows
  platform
• Complete Hardware/software inventory
• Security/patch analysis and deployment
• Extend functionality of SUS
• Implement methods to get direct knowledge of
  Other Unix systems
• Non-privileged account via ssh from single system
  most plausible
• Manual data entry/upload option with auditing for
  compliance
• Provide better vulnerability reports to
  admins/owners/management
• Report card to management to show progress of
  closing vulnerabilities
• Use Windows accounts from single source (Active
  Directory)
• Better tracking of who is using what account
• Windows systems to be members of domain
• Leverages automated tools for remediation and
  support

8
CFG MGT Recommendations (cont.)

• Revisit issue of building new machines with
  preconfigured images prior to delivery to desktop
  was suggested in DOE CH 2003 audit
• Password Cracking
• Automate collection of password files (https
  upload or ssh)
• Link BNL Windows domain accounts with life number
  in Active Directory for more accurate
  email/deptcode information
• Screen Savers
• Require password protected screen savers
  document in PUA
• System Registration
• Unregistered machines - Either enforce the CSPP
  policy as written or update the policy
  Documentation should match what is being done
• Clean up registration data update from other
  sources
• Banners
• Routinely scan for missing banners on services
  (ex FTP)
• Develop method to check motd on Unix systems (via
  direct knowledge item above)
• Automate scan for banner registry entry on
  Windows systems
• Central Logging
• Require for Systems with conduits, Servers,
  Critical/Sensitive systems

9
CFG MGT Recommendations (cont.)

• Modem Registration
• Implement routine war dialing process (quarterly
  perhaps) instead of one time effort in prep for
  an audit
• Personal Firewalls
• Recommend a product and provide configuration
  information on its use
• DOE may purchase Black Ice
• Clock Servers
• Provide better docs on configuring servers to use
  local clock servers
• Important for Cyber to correlate events across
  multiple machines
• Continue to improve integration of data from CFG
  MGT sources to provide better quality information
  to owners, admins, and management