FAISSR MEETING September 24, 2003 - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

FAISSR MEETING September 24, 2003

Description:

Enrol: https://enrol.dss.mil/enrol/default.asp. Feedback Auto. Security Plan Template (FAST) ... INITIAL CLASSIFIED USE OF WORKSTATION. CONNECTING UNCLASSIFIED REMOTES ... – PowerPoint PPT presentation

Number of Views:45
Avg rating:3.0/5.0
Slides: 37
Provided by: johne187
Category:

less

Transcript and Presenter's Notes

Title: FAISSR MEETING September 24, 2003


1
FAISSR MEETINGSeptember 24, 2003
  • IS Security Issues
  • John Edmiston, CISSP

2
Briefing Highlights
  • - Overview ISOM Chapter 8 - Frequently
    Asked Questions
  • - New Technology

3
DSS Academy IS Training
  • NISPOM Chapter 8 Requirements
  • Location Double Tree Hotel, Cocoa Beach, FL
  • Date Jan 20-22, 2004
  • NISP Network Security Basics (Teletraining)
  • Place Linthicum, MD Date various
  • Enrol https//enrol.dss.mil/enrol/default.asp

4
Feedback Auto. Security Plan Template (FAST)
  • Tool developed through CIA to automate creation
    of SSP
  • Question answers format (similar to TurboTax)
  • Testing currently at selected contractors
  • Due out in Spring

5
Automated Tools for NISP Systems
  • Windows (NT, 2000, XP) and UNIX (Solaris 8,
    Linux 7.0, Irix 6.5) systems
  • PL1, PL2 and PL3
  • Tool verifies system configuration against NISPOM
    requirements
  • Results in report
  • Non compliance needs explanation prior to
    accreditation
  • Compliance with technical requirements

6
DSS Assessed Products List (APL)
  • DSS approved disk sanitization software
  • Previous accreditations grandfathered until
    next reaccreditation
  • Test and verify functionality
  • Accreditation of SSP
  • Other software for non-volatile memory
    sanitization still permitted

7
Timeframe for Accreditations
  • ISOM timeframe 60 days final accreditation
  • Request Interim Approval To Operate (IATO) if
    needed sooner

8
Special Note on Reaccreditations of SSPs
  • SSPs previously accredited to the May 2000 Ch 8
    requirements may lack procedures for
  • Trusted Download
  • Network Security Plan
  • Sanitization Software
  • Destruction of floppies

9
IS Accreditations
  • Lock Down your BIOS
  • Configuration
  • Time and date
  • Password protect it

Vulnerabilities - Rearrange jumper switch,
remove battery, manufactures backdoor password,
software attacks.
10
IS Accreditations
  • Enclosure 27 for SSP Review Form A No answer
    will prevent accreditation - should answer N/A
  • Automated Audit trails not required in 2 cases
  • Operating System not capable (e.g. Win 98, ME)
  • Single User Standalone
  • Manual log
  • Rule of thumb use automated audit trails if
    available

11
Virus Protection Software
  • ALL systems must use virus protection
    software if available (ISL 01-1 Q10)
  • Note latest ISOM exempts UNIX from virus
    detection software but still
  • must check for malicious
  • software as required by 8-305

12
Security Relevant Objects (SROs)
  • Defined as some system software, virus checking
    software, audit records, access controls,
    sanitization software

13
Wide Area Networks (WANS) Interconnected
  • No Self Certification of like WANS
  • Can self certify additional workstations on WAN
  • Separately accredited SSP for each node
  • Separately accredited Network Security Plan
  • Network Protection Level (PL) equals highest node
    on network
  • Nodes independently determine PL
  • Prime or designated sub is host

14
Wide Area Networks (WANS) Interconnected
Node Site
Potential Node Site
Host Site
15
Wide Area Networks (WANS) Interconnected
  • Network ISSO duties
  • Perform weekly reviews
  • Evaluate impact of security-relevant system
    network changes
  • Recommend to DSS to rescind MOU NSP, if
    necessary
  • Provide reaccredited NSPs to nodes

16
SIPRNET Items of Interest
  • SIPRNET Customer Connection Process Guide Contact
    Jim Nostrand DISA (703-735-3238)
  • No self certification
  • Replacement (not addition)
    of like equipment allowed

17
Who Can Self Certify?
  • DSS authorizes only ISSM
  • All self certifications are in writing NO VERBAL
    SELF CERTIFICATIONS
  • Self certification documentation is in place
    PRIOR to use of components
  • All additional hardware and security software
    baseline changes require self certification by
    ISSM

18
Self-Certification
  • Master SSP must include
  • Hardware and operating system
  • Provision for testing and ensuring features
    enabled
  • Requirement that DSS be notified (e.g. submit
    self certified profile)
  • Each additional self certification must have
    statement System(s) added implements the
    requirements in Master SSP
  • FAISSR Master SSP is Master and profile together
  • FAISSR SSP version 4.0

19
Technical Requirements Which Cant be Accomplished
  • If operating system can not meet technical
    requirements then document in SSP as
    vulnerability (8-610a(1)(c))
  • Example Operating System
  • only recognizes 6 character
  • passwords

20
Group Accounts
  • NISPOM Definition any account where more than
    one user (i.e. person) knows the password
  • Common Examples
  • Administrator
  • Root
  • Sysadmin
  • ISSMs, many times, will incorrectly define it as
    a collection of user accounts

21
Group Accounts (continued)
  • Group accounts, if used, must be listed in the
    SSP
  • Solution in Windows environment
  • Instead of 3 users all using Administrator, each
    user can be given Administrator privileges but
    each uses a unique account

22
Physical Security Seals
  • Is it possible to have a restricted area with no
    seals?

23
Periods Processing
  • Upgrade and downgrade between sessions
  • Clearance between sessions (ISL 01-1)
  • Can be used for different NTK, classification
    levels and Protection Levels
  • Procedure documented in SSP
  • Separate media for each period of processing
  • Record required

NISPOM 8-502, ISL 01-1, Q53
24
Closed Area Periods Processing
  • Situations that would cause an IS in a closed
    area to do Periods Processing
  • INITIAL CLASSIFIED USE OF WORKSTATION
  • CONNECTING UNCLASSIFIED REMOTES
  • MULTIPLE PROJECTS WITHOUT SAME NTK
  • UNCLEARED MAINTENANCE PERSON WITH DIAGNOSTICS

25
Degaussers
  • NSA Degausser Products List
  • Rating based on Orested value
  • Validated within 6 months of purchase then again
    after additional 6 months if marginal or annually
    if not marginal. Once every 2 years after that

26
Degaussers
  • 2500 Orested Tapes DVC Pro, DDS3, DDS4, DTF 2
  • Change of policy No degaussing barium ferrite
    disks or tapes

27
Frequently Asked Questions
  • Is a separate maintenance copy of the operating
    system required? Answer ONLY if maintenance
    personnel are not appropriately cleared
  • Accreditation by other DoD activity can DSS
    accept it? Yes with ISSM certification that SSP
    meets baseline NISPOM

28
Frequently Asked Questions
  • Can an IS be sent to another DSS region without a
    second accreditation? Yes
  • SSP accreditation letter
  • Certification by gaining ISSM
  • Connection to another IS may require
    accreditation

29
Frequently Asked Questions
  • How often is write protected media tested?
    Answer once per session
  • One time connection of contractor to GOV site
    Is an MOU DISN solution required? Answer Yes

30
Frequently Asked Questions
  • Zip drive not rigid media, no sanitization
    overwrite permitted can degauss
  • Jazz drive rigid media, can be sanitized by
    approved overwrite program can degauss can
    write protect

31
Frequently Asked Questions
  • Is reaccreditation required for IS that is moved?
    Answer Yes, if different physical security
    environment
  • What is an acceptable review of unclassified
    software developed by uncleared developer for use
    on an IS? Answer line by line review of source
    code

32
Frequently Asked Questions
  • Can an ISSM self certify remote or interconnected
    network connections? Answer No
  • Trusted download Is factory fresh media
    required? Answer Yes

33
New Technology
  • Sony AIT-3 tapes radio frequency transmitters
    OK
  • Wireless notebooks disconnect wireless
  • IBM Asset Identification embedded RF
    Transmitter disconnect
  • Models Intellistation 300PL GL, Thinkpad
    660E 770Z
  • USB Watches

34
Auditing Issue Aid
  • Possible solution for auditing unsuccessful
    access attempts to Security Relevant Objects
  • SNARE
  • www.intersectalliance.com/projects/Snare
  • LINUX, SOLARIS and Windows

35
When is Sanitization Required?
  • Sanitization is only accomplished under 2
    conditions
  • IS no longer required
  • Repair IS outside facility

36
Scenario
  • You have a requirement for a STU III connection
    to a Government site
  • Is an MOU required?
  • Do you need to list the remote sites?

37
Questions???
Write a Comment
User Comments (0)
About PowerShow.com