Page 1: Cybersecurity exchange briefing oct 2012 v2

GAO's Information Security Audits

Presented to: Cyber Security Exchange

October 2, 2012

Page 2: Cybersecurity exchange briefing oct 2012 v2

Agenda (Cyber Security Exchange)

• Source of Audits
• Audit Methodology for IS Controls
• Assessing Finding Significance
• Communicating Audit Results
• Recent GAO Reports
• Q & A

Page 3: Cybersecurity exchange briefing oct 2012 v2

Source of Audits

• Statutory mandates
• Congressional requests
• Comptroller General's authority
• Engagement acceptance meeting

Page 4: Cybersecurity exchange briefing oct 2012 v2

FISMA
- Mandate Report / Annual Analysis
- Small, Micro, & Independent Agencies
- Census, NTSB, NMB
- FCC ESN
- Cyber risk management
- High impact systems

Privacy
- Taxpayer Privacy Protections
- Privacy of Location-Based Information
- Data Breach Notification and Response
- Computer Matching Agreements

Critical IT Systems & Infrastructure
- Smart Grid
- Communications Networks Security
- Security of Mobile Devices
- Maritime Cyber Threats and Security
- Federal Cyber Coordination w/ States & Locals

Emerging Issues
- Cybersecurity Strategies
- Oversight of Contractor Security
- Implantable Medical Devices
- Cyber Incident Handling & Response
- Continuous Monitoring
- FedRAMP

Training/Methodology & External Liaison
- FISCAM
- GAO Internal Controls
- Internal/External Training
- Technical Assistance to Hill
- OMB/NIST/NASCIO

Consolidated Financial Statements
- IRS
- BPD/Federal Reserve
- FDIC
- SEC
- OIGs
- TARP
- FHFA
- SOSI
- CFPB

Page 5: Cybersecurity exchange briefing oct 2012 v2

Audit Methodology for IS Controls

• Federal Information System Controls Audit Manual (GAO-09-232G)
• Objective: to assess the effectiveness of an agency's security controls in protecting the confidentiality, integrity, and availability of its information systems and information.
• Scope:
  • Access controls
  • Configuration management
  • Segregation of duties
  • Contingency planning
  • Security management

Page 6: Cybersecurity exchange briefing oct 2012 v2

Audit Methodology for IS Controls (cont.)

Technical & Audit Guidance:
• Federal Laws – FISMA
• Office of Management and Budget (OMB)
• National Institute of Standards & Technology (NIST)
• Defense Information Systems Agency (DISA)
• National Security Agency (NSA)
• Vendor Guidance and Industry Practices
• Government Auditing Standards

Page 7: Cybersecurity exchange briefing oct 2012 v2

Audit Methodology for IS Controls (cont.)

Iterative and Holistic Assessment Approach

Page 8: Cybersecurity exchange briefing oct 2012 v2

Audit Methodology – Understanding the Environment

• Identify the most important assets (information, databases, systems)
• Approach: formal and informal discussions
• Network diagrams and simple tools (for instance telnet or nmap)
• Confirm our understanding of the environment

Page 9: Cybersecurity exchange briefing oct 2012 v2

Audit Methodology – Logical Access Control Areas

Focus on the main controls that might stop an intruder, based on knowledge of the latest vulnerabilities such as:
• browser – Java, ActiveX, Flash, PDF
• "spoofed" emails

Page 10: Cybersecurity exchange briefing oct 2012 v2

Audit Methodology – Controlling Access To and From Networks

• If exploited, how does information go out? HTTP, HTTPS, DNS
• Authentication of network routing protocols (EIGRP, BGP)
• Cisco SAFE (Security Reference Architecture)
• VPN – use of TLS v SSL
• Firewall rules (Cisco ASA, Checkpoint, etc.)
• Data loss prevention solutions

Page 11: Cybersecurity exchange briefing oct 2012 v2

Audit Methodology – Controlling Access To and From Host Devices

• Ask agencies to run scripts to get key configuration settings (Windows, Linux/Unix, etc.)
• Database scanner
• Email server (sendmail, postfix) settings
• Internet Explorer, MS Office settings
• Conformance to vendor guidance (Microsoft, Apple)
• Up-to-date patches
• Virtualization – hypervisor security settings, Storage Area Network (SAN) configurations
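An added example (not part of the GAO briefing) of the kind of collection script the slide above refers to: a POSIX sh routine that reads the effective value of selected settings from a host configuration file and compares them with an auditor-supplied baseline, printing each deviation as a condition-versus-criteria line. The sshd_config fragment and the baseline values are constructed for illustration and stand in for whatever vendor or CIS guidance the audit actually uses.

```shell
#!/bin/sh
# Added example, not GAO code: collect key config settings from a host file and
# compare them to a baseline of expected values (sample data constructed below).

# get_setting FILE KEY: print the effective value of KEY (first non-comment match,
# case-insensitive, as sshd resolves it); prints nothing when KEY is unset.
get_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print val }' "$1"
}

# check_setting FILE KEY EXPECTED: print one result line; exit 0 on match, 1 otherwise.
check_setting() {
    actual=$(get_setting "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'OK       %s = %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FINDING  %s: condition "%s", criteria "%s"\n' "$2" "${actual:-<unset>}" "$3"
    return 1
}

# audit_file FILE BASELINE: check each "KEY EXPECTED" line of BASELINE against FILE
# and finish the report with DEVIATIONS=<count>.
audit_file() {
    deviations=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        check_setting "$1" "$key" "$expected" || deviations=$((deviations + 1))
    done < "$2"
    printf 'DEVIATIONS=%s\n' "$deviations"
}

# Constructed sample input: an sshd_config fragment as an agency might return it,
# and a baseline of assumed hardening values (not a real agency's configuration).
TMP=$(mktemp -d)
cat > "$TMP/sshd_config" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
#PermitEmptyPasswords no
EOF
cat > "$TMP/baseline" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
PermitEmptyPasswords no
EOF
audit_file "$TMP/sshd_config" "$TMP/baseline"
```

The commented-out PermitEmptyPasswords line is reported as unset rather than as "no", which is the behaviour an auditor wants: only the value the daemon would actually apply counts as the condition.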

Page 12: Cybersecurity exchange briefing oct 2012 v2

Audit Methodology – Consider Trust Relationships

• Formal trust – Windows domains
• Informal – any device connecting to VPN
• Check Windows Active Directory group policy
• Weak links that may be exploited

Page 13: Cybersecurity exchange briefing oct 2012 v2

Assessing Finding Significance

Vulnerabilities should be assessed in the context of the network and the impact on the organization's mission.

Page 14: Cybersecurity exchange briefing oct 2012 v2

Communicating Audit Results

• Focus on the most important problems – the ones that will help the agency become more secure
• Criteria – CIS, NIST, vendor guidance
• Condition – describe the problem
• Effect – explain what could happen if exploited
• Cause – sometimes unclear, often related to an immature information security program

Page 15: Cybersecurity exchange briefing oct 2012 v2

Communicating Audit Results (cont.)

• Reports:
  • Publicly available
  • Limited distribution
• Testimony statements
• Congressional briefings
• Media Interviews

Page 16: Cybersecurity exchange briefing oct 2012 v2

Recent GAO Reports

• GAO-12-757, Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged (Sept. 2012)
• GAO-12-961T, Privacy: Federal Law Should Be Updated to Address Changing Technology Landscape (July 2012)
• GAO-12-926T, Cybersecurity: Challenges in Securing the Electricity Grid (July 2012)
• GAO-12-696, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses (July 2012)
• GAO-12-876T, Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage (June 2012)

Page 17: Cybersecurity exchange briefing oct 2012 v2

Recent GAO Reports (cont.)

• GAO-12-666T, Cybersecurity: Threats Impacting the Nation (April 2012)
• GAO-12-424R, Management Report: Improvements Needed in SEC's Internal Control and Accounting Procedure (April 2012)
• GAO-12-393, Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data (March 2012)
• GAO-12-361, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks (March 2012)
• GAO-12-507T, Cybersecurity: Challenges in Securing the Modernized Electricity Grid (February 2012)

Page 18: Cybersecurity exchange briefing oct 2012 v2

Recent GAO Reports (cont.)

• GAO-12-92, Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use (December 2011)
• GAO-12-8, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination (November 2011)
• GAO-12-130T, Information Security: Additional Guidance Needed to Address Cloud Computing Concerns (October 2011)
• GAO-12-137, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements (October 2011)

Page 19: Cybersecurity exchange briefing oct 2012 v2

Recent GAO Reports (cont.)

• GAO-11-751, Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards (September 2011)
• GAO-11-708, Information Security: FDIC Has Made Progress, but Further Actions Are Needed to Protect Financial Data (August 2011)
• GAO-11-695R, Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates (July 2011)
• GAO-11-865T, Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure (July 2011)

Page 20: Cybersecurity exchange briefing oct 2012 v2

Recent GAO Reports (cont.)

• GAO-11-149, Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain (July 2011)
• GAO-11-75, Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities (July 2011)
• GAO-11-605, Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate (June 2011)
• GAO-11-463T, Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems (March 2011)
• GAO-11-308, Information Security: IRS Needs to Enhance Internal Control Over Financial Reporting and Taxpayer Data (March 2011)

Page 21: Cybersecurity exchange briefing oct 2012 v2

Contact Information

Greg Wilshusen
Director, Information Security Issues
202.512.6244 – [email protected]

Naba Barkakati, Ph.D.
Director, Center for Science, Technology & Engineering
Chief Technologist
202.512.4499 – [email protected]