Hosted by
How to Conduct an Information Security (INFOSEC) Assessment
The NSA INFOSEC Assessment Methodology (IAM)
Stephen Mencik, CISSP, ACS Defense, Inc.

Jan 16, 2016

Transcript
Page 1: Title

How to Conduct an Information Security (INFOSEC) Assessment
The NSA INFOSEC Assessment Methodology (IAM)
Stephen Mencik, CISSP
ACS Defense, Inc.

Page 2: Agenda

• What is an INFOSEC Assessment?
• The need for a common Assessment Methodology
• The NSA INFOSEC Assessment Methodology (IAM)

Page 3: What Is an INFOSEC Assessment?

A review of the Information System Security (INFOSEC) posture of operational system(s) for the purpose of identifying potential vulnerabilities. Once identified, recommendations are provided for the elimination or mitigation of the vulnerability.

Page 4: INFOSEC Assurance Vulnerability Discovery Triad

Assessments (Level 1)
• Cooperative high-level overview
• Information / mission criticality analysis
• Includes policy, procedure & information flow
• No hands-on testing

Evaluations (Level 2)
• Hands-on process
• Cooperative testing
• Specific technical expertise
• Penetration tools
• Diagnostic tools

Red Team (Level 3)
• Non-cooperative
• External penetration tests
• Simulation of appropriate adversary

Page 5: INFOSEC Assessment Characteristics

• No hands-on testing
• Management buy-in
• Success depends on cooperation of people
• Non-attribution

Page 6: What Is the Purpose of an INFOSEC Assessment?

An INFOSEC Assessment allows one to:

• Determine which information is critical to the organization
• Identify the systems that process, store, or transmit that critical information
• Determine the proper INFOSEC posture for these systems
• Identify potential vulnerabilities
• Recommend solutions to mitigate or eliminate those vulnerabilities

Page 7: Why the Need for a Common Assessment Methodology?

• Compare results over time
• Compare assessments done by different teams

Page 8: The NSA INFOSEC Assessment Methodology

• Developed by the National Security Agency (NSA) during the mid-late 1990's
  - NSA had more assessment requests than they could handle
  - Needed a common methodology to be used by all contractors performing assessments on NSA's behalf
• Provided to the public sector as a community service

Page 9: IAM Phases

Phase 1: Pre-Assessment
• Categorize & define information value
• Identify systems and boundaries
• Collect system & security documentation
• Generate assessment plan
• Team assignment & coordination

Phase 2: Assessment (On-Site)
• Analysis of INFOSEC posture (18 baseline categories)
• Level 1: document review, interviews, system demos
• Level 1+: non-intrusive scans
• Exit brief: strengths and weaknesses

Phase 3: Post-Assessment (On/Off-Site)
• Analysis & report generation
  - Completed 45 - 60 days after Phase 2
  - Proprietary to customer

Page 10: Pre-assessment Phase

Purpose
• Gain an understanding of the criticality of the customer's information
• Identify system, including system boundaries
• Coordinate logistics with the customer
• Write an assessment plan

Page 11: On-site Activities

Purpose
• To explore and confirm the information and conclusions made during the Pre-Assessment Phase
• To perform data gathering and validation
  - Interviews
  - Documentation
  - System demonstrations
• To provide initial analysis and feedback to the customer

Page 12: Post-assessment

• Finalize analysis
• Preparation and coordination of a final report

Page 13: On-site Details

• Gather and validate system information
  - Interviews
  - System demonstrations
  - Documentation review
• Analyze assessment information
• Develop initial recommendations

Page 14: Interviews

Used to:
• Gain information from a larger cross section of the organization
• Learn how operations "really" occur

Page 15: System Demonstrations

• Useful tool to supplement information gathering
• Can be used to resolve conflicting information

Page 16: Additional Documentation Review

• Supplements information gathered during interviews
• Added assurance if it is documented
• Lack of documentation is a finding

Page 17: Baseline Information Categories

1. INFOSEC documentation
2. INFOSEC Roles and Responsibilities
3. Identification & Authentication
4. Account Management
5. Session Controls
6. External Connectivity
7. Telecommunications
8. Auditing
9. Virus Protection
10. Contingency Planning
11. Maintenance
12. Configuration Management
13. Back-ups
14. Labeling
15. Media Sanitization / Disposal
16. Physical Environment
17. Personnel Security
18. Training and Awareness

Page 18: 1. INFOSEC Documentation

• Policy
• Guidelines / requirements
• System Security Plans (SSP)
• Standard Operating Procedures (SOP)
• User system security manuals

Page 19: 2. INFOSEC Roles and Responsibilities

• Upper Level Management
• Systems Operation
• User Community

Page 20: 3. Identification & Authentication

• Fundamental building block of INFOSEC
• Three methods of implementation
  - "Something you know"
  - "Something you have"
  - "Something you are"

Page 21: 4. Account Management

• Documented account management policy and procedures
• Written formal account request
  - General and privileged user agreements
  - Supervisor and data owner approval for access
  - Minimal privilege access
• Account initialization

Page 22: 4. Account Management (Cont.)

• Account termination
• Account maintenance
• Special accounts

Page 23: 5. Session Controls

• Protected, logged-on workstation
• Time-outs
• Lock-screen capability with password
• Warning banner

Page 24: 6. External Connectivity

• Internet
• Modems
• Dedicated

Page 25: 7. Telecommunications

• Documented requirements and procedures for transmitting sensitive information
• Encryption issues
  - Purpose (confidentiality, integrity, non-repudiation)
  - Trust in communications medium
  - Strength of algorithm
• Alternate routes for increased availability

Page 26: 8. Auditing

• Policy requiring mandatory auditing
• SOP defining what to audit
• Audit analysis and reporting on a timely basis
• SSA trained in audit analysis

Page 27: 9. Virus Protection

• Written policy
  - Personal software allowed?
• Scan incoming software
• System scans
• Update tools
• Employee education/training

Page 28: 10. Contingency Planning

• Documented plan
• Identify mission or business critical functions
• Uninterruptible Power Supply (UPS)

Page 29: 11. Maintenance

• Policy and procedures
• Personnel clearance level
• Control of diagnostic software
• Remote maintenance access

Page 30: 12. Configuration Management

• Documented configuration control plan
• Configuration Control Board (CCB)
• Software loading issues for SSA approval

Page 31: 13. Back-ups

• Documented in SSP and SOP
• Schedule
• Proper storage
• Periodic testing of back-ups

Page 32: 14. Labeling

• Policy/SOPs
• Document what/why information is sensitive
• Employees trained on proper marking procedures
• Removable media
• System components

Page 33: 15. Media Sanitization/Disposal

• Documented policy and SOPs
• Media sanitization methods
• Establish responsibilities
• User education/training
• Contract concerns

Page 34: 16. Physical Environment

• Physical environment can be used to offset lack of system security capabilities
• Ramifications to INFOSEC posture

Page 35: 17. Personnel Security

• Background checks
• Security clearance
• Signed user agreements
• Employee awareness of social engineering techniques

Page 36: 18. Training and Awareness

• Users are usually the weakest link in security
• Documented responsibilities
• Formal INFOSEC training program for users and SSA

Page 37: Baseline Information Categories Summary

• All categories need to be addressed
• Category details will be dependent on the specific system
• Additional categories can be included
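Three statements in the slides lend themselves to a mechanical cross-check of what the on-site team collected: every baseline category must be addressed (Page 37), a lack of documentation is itself a finding (Page 16), and a system demonstration is the tool for resolving conflicting information (Page 15). The Python below is an added example written for this page, not code from the presentation or from the NSA IAM. The evidence record layout, the sample evidence and the wording of the findings are this example's own constructions; the 18 category names are the ones listed on Page 17.

```python
"""Evidence cross-check over the 18 IAM baseline information categories.

Added example, not code from the presentation or from the NSA IAM. It
encodes three statements from the slides: all categories need to be
addressed, lack of documentation is a finding, and a system
demonstration is used to resolve conflicting information. The evidence
record layout, the sample evidence and the wording of the findings are
this example's own constructions.
"""

from collections import defaultdict
from dataclasses import dataclass

BASELINE_CATEGORIES = (
    "INFOSEC documentation", "INFOSEC roles and responsibilities",
    "Identification & authentication", "Account management", "Session controls",
    "External connectivity", "Telecommunications", "Auditing", "Virus protection",
    "Contingency planning", "Maintenance", "Configuration management", "Back-ups",
    "Labeling", "Media sanitization / disposal", "Physical environment",
    "Personnel security", "Training and awareness",
)
SOURCES = ("interview", "documentation", "demonstration")


@dataclass(frozen=True)
class Evidence:
    """One item gathered on site: which category, from which source, what it says."""
    category: str
    source: str
    claim: str


def check_category(category: str, records: list) -> list:
    """Findings for one category; an empty list means nothing to report."""
    if not records:
        return [f"{category}: not addressed; every baseline category must be covered"]
    claims = {s: {r.claim for r in records if r.source == s} for s in SOURCES}
    docs, said, seen = claims["documentation"], claims["interview"], claims["demonstration"]
    findings = []
    if not docs:
        findings.append(f"{category}: practice is not documented")
    # Interview statements the documentation does not back up are a conflict.
    # A demonstration shows how operations really occur and settles it; without
    # one the conflict stays open and a demonstration should be requested.
    conflict = said - docs if docs else set()
    if conflict and not seen:
        findings.append(f"{category}: interview and documentation disagree on "
                        f"{sorted(conflict)}; resolve with a system demonstration")
    elif conflict and (seen - docs):
        findings.append(f"{category}: documented practice not followed; observed "
                        f"{sorted(seen - docs)}")
    return findings


def assess(records: list) -> list:
    """Run the check over all 18 categories and return the combined findings."""
    grouped = defaultdict(list)
    for r in records:
        if r.category not in BASELINE_CATEGORIES:
            raise ValueError(f"{r.category!r} is not a baseline category")
        if r.source not in SOURCES:
            raise ValueError(f"{r.source!r} is not an evidence source")
        grouped[r.category].append(r)
    findings = []
    for category in BASELINE_CATEGORIES:
        findings.extend(check_category(category, grouped[category]))
    return findings


def unaddressed(records: list) -> list:
    """Categories for which no evidence of any kind was gathered."""
    covered = {r.category for r in records}
    return [c for c in BASELINE_CATEGORIES if c not in covered]


# Constructed sample evidence; the claims are illustrative, not from the slides.
SAMPLE_EVIDENCE = [
    Evidence("Back-ups", "documentation", "weekly full backup stored off site"),
    Evidence("Back-ups", "interview", "weekly full backup stored off site"),
    Evidence("Session controls", "documentation", "screen locks after 5 minutes"),
    Evidence("Session controls", "interview", "screen locks after 15 minutes"),
    Evidence("Auditing", "documentation", "audit logs reviewed daily"),
    Evidence("Auditing", "interview", "audit logs reviewed monthly"),
    Evidence("Auditing", "demonstration", "audit logs reviewed monthly"),
    Evidence("Virus protection", "interview", "signatures update automatically"),
]

if __name__ == "__main__":
    for line in assess(SAMPLE_EVIDENCE):
        print(line)
```

Run against the constructed sample, the check reports the fourteen categories no evidence was gathered for, flags virus protection as undocumented, leaves the session-control conflict open with a request for a demonstration, and turns the auditing conflict into a finding because the demonstration confirmed the interview rather than the documentation.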

Page 38: Analysis of Vulnerabilities

Identify weaknesses or vulnerabilities in the system and operations that could potentially be exploited by an adversary.

Page 39: Threat Aspects

• Environmental
• Human
  - External
  - Internal malicious
  - Internal inadvertent

Page 40: Develop Recommendations

The assessment team will develop a list of recommended technical and operational security countermeasures to the identified system vulnerabilities.

Page 41: Post-assessment Activities Phase

• Additional review of documentation
• Additional expertise
• Report coordination

Page 42: Summary IAM Baseline Activities: Pre-Assessment

• On-site customer coordination
  - Information criticality analysis with matrices
  - Customer's concerns
• Documented INFOSEC assessment plan
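The "information criticality analysis with matrices" listed above is the artifact behind the Phase 1 steps "Categorize & Define Information Value" and "Identify Systems and Boundaries" on Page 9. The Python below is an added example written for this page, not code from the presentation or from the NSA IAM. Rows are information types, columns are the impact attributes Confidentiality, Integrity and Availability, and cells hold an impact level; the information types, systems and levels are constructed, and the roll-up rule (a system takes the highest impact level of any information it handles, and the organization the highest of any system) is this example's assumption.

```python
"""Information criticality matrices for IAM pre-assessment scoping.

Added example, not code from the presentation or from the NSA IAM.
Rows are information types, columns are the impact attributes
Confidentiality / Integrity / Availability, cells are an impact level.
Assumed roll-up rule: a system's criticality for each attribute is the
highest level of any information type it handles, and the
organizational matrix is the highest level across all systems.
"""

from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")


@dataclass(frozen=True)
class InfoType:
    """One row of the information criticality matrix."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, attribute: str) -> str:
        return getattr(self, attribute.lower())

    def validate(self) -> None:
        # Every cell must carry a level the matrix understands; a misspelled
        # level would otherwise raise a KeyError deep inside the roll-up.
        for attribute in ATTRIBUTES:
            level = self.impact(attribute)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: {attribute} has unknown level {level!r}")


def highest(levels) -> str:
    """Return the highest impact level among the given level names."""
    return max(levels, key=LEVELS.__getitem__)


def system_criticality(info_types: list) -> dict:
    """Roll information-type impacts up to one row per system (assumed max rule)."""
    if not info_types:
        raise ValueError("a system with no information types cannot be rated")
    for info in info_types:
        info.validate()
    return {attr: highest(info.impact(attr) for info in info_types) for attr in ATTRIBUTES}


def organizational_matrix(systems: dict) -> dict:
    """Roll the per-system rows up to one organization-wide row."""
    per_system = {name: system_criticality(types) for name, types in systems.items()}
    return {attr: highest(row[attr] for row in per_system.values()) for attr in ATTRIBUTES}


def systems_in_scope(systems: dict, threshold: str = "Medium") -> list:
    """Systems whose criticality reaches the threshold on any attribute."""
    bar = LEVELS[threshold]
    return sorted(
        name for name, types in systems.items()
        if any(LEVELS[level] >= bar for level in system_criticality(types).values())
    )


def render(rows: dict) -> str:
    """Plain-text matrix: one row per system (or per information type)."""
    width = max(len(name) for name in rows)
    header = "System".ljust(width) + " | " + " | ".join(a[:5].ljust(6) for a in ATTRIBUTES)
    lines = [header, "-" * len(header)]
    for name, row in rows.items():
        lines.append(name.ljust(width) + " | " + " | ".join(row[a].ljust(6) for a in ATTRIBUTES))
    return "\n".join(lines)


# Constructed sample data for a fictional organization.
PAYROLL = InfoType("Payroll records", "High", "High", "Medium")
PUBLIC_WEB = InfoType("Public web content", "Low", "Medium", "Medium")
ORDERS = InfoType("Customer orders", "Medium", "High", "High")
CAFETERIA = InfoType("Cafeteria menu", "Low", "Low", "Low")

SAMPLE_SYSTEMS = {
    "HR system": [PAYROLL],
    "Web portal": [PUBLIC_WEB, ORDERS],
    "Intranet notice board": [CAFETERIA],
}

if __name__ == "__main__":
    rows = {name: system_criticality(types) for name, types in SAMPLE_SYSTEMS.items()}
    rows["Organization"] = organizational_matrix(SAMPLE_SYSTEMS)
    print(render(rows))
    print("In scope:", ", ".join(systems_in_scope(SAMPLE_SYSTEMS)))
```

The system rows are what the boundary discussion with the customer turns on: under the max rule the web portal inherits High integrity and availability from the order data even though its public content alone is Medium, while the notice board stays Low on every attribute and drops out of scope at the Medium threshold.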

Page 43: Summary IAM Baseline Activities: On-site Assessment

• Information gathering
  - Interviews
  - Documentation review
  - System demonstrations
• 18 baseline information categories

Page 44: Summary IAM Baseline Activities: Post-Assessment

• Documented report

Page 45: Useful Links

• http://www.iatrp.com/iam.cfm: Official IAM site
• http://www.iatrp.com/indivu2.cfm: List of individuals certified to perform assessments using IAM
• http://www.iatrp.com/certclass.cfm: Information on 2-day IAM training leading to certification

Page 46: Contact Information

Stephen Mencik
Sr. INFOSEC Engineer
ACS Defense, Inc.
9020 Mendenhall Ct., Suite J.
Columbia, MD 21045
(410) [email protected]@mencik.com