Hosted by
How to Conduct an Information Security (INFOSEC) Assessment
The NSA INFOSEC Assessment Methodology (IAM)
Stephen Mencik, CISSP
ACS Defense, Inc.
Agenda
What is an INFOSEC Assessment?
The need for a common Assessment Methodology
The NSA INFOSEC Assessment Methodology (IAM)
What Is an INFOSEC Assessment?
A review of the Information System Security (INFOSEC) posture of operational system(s) for the purpose of identifying potential vulnerabilities.
Once identified, recommendations are provided for the elimination or mitigation of the vulnerability.
INFOSEC Assurance Vulnerability Discovery Triad
Assessments (Level 1)
• Cooperative high-level overview
• Information / mission criticality analysis
• Includes policy, procedure & information flow
• No hands-on testing
Evaluations (Level 2)
• Hands-on process
• Cooperative testing
• Specific technical expertise
• Penetration tools
• Diagnostic tools
Red Team (Level 3)
• Non-cooperative
• External penetration tests
• Simulation of appropriate adversary
INFOSEC Assessment Characteristics
No hands-on testing
Management buy-in
Success depends on cooperation of people
Non-attribution
What Is the Purpose of an INFOSEC Assessment?
An INFOSEC Assessment allows one to:
• Determine which information is critical to the organization
• Identify the systems that process, store, or transmit that critical information
• Determine the proper INFOSEC posture for these systems
• Identify potential vulnerabilities
• Recommend solutions to mitigate or eliminate those vulnerabilities
Why the Need for a Common Assessment Methodology?
Compare results over time
Compare assessments done by different teams
The NSA INFOSEC Assessment Methodology
Developed by the National Security Agency (NSA) during the mid-to-late 1990s
• NSA had more assessment requests than they could handle
• Needed a common methodology to be used by all contractors performing assessments on NSA’s behalf
Provided to the public sector as a community service
IAM Phases
Phase 1: Pre-Assessment
• Categorize & define information value
• Identify systems and boundaries
• Collect system & security documentation
• Generate assessment plan
• Team assignment & coordination
Phase 2: Assessment (On-Site)
• Analysis of INFOSEC posture (18 baseline categories)
• Level 1: document review, interviews, system demos
• Level 1+: non-intrusive scans
• Exit brief: strengths and weaknesses
Phase 3: Post-Assessment (On/Off-Site)
• Analysis & report generation
• Completed 45 – 60 days after Phase 2
• Proprietary to customer
Pre-assessment Phase
Purpose
• Gain an understanding of the criticality of the customer’s information
• Identify system, including system boundaries
• Coordinate logistics with the customer
• Write an assessment plan
On-site Activities
Purpose
• To explore and confirm the information and conclusions made during the Pre-Assessment Phase
• To perform data gathering and validation: interviews, documentation, system demonstrations
• To provide initial analysis and feedback to the customer
Post-assessment
Finalize analysis
Preparation and coordination of a final report
On-site Details
Gather and validate system information
• Interviews
• System demonstrations
• Documentation review
Analyze assessment information
Develop initial recommendations
Interviews
Used to:
• Gain information from a larger cross section of the organization
• Learn how operations “really” occur
System Demonstrations
Useful tool to supplement information gathering
Can be used to resolve conflicting information
Additional Documentation Review
Supplements information gathered during interviews
Added assurance if it is documented
Lack of documentation is a finding
Baseline Information Categories
1. INFOSEC Documentation
2. INFOSEC Roles and Responsibilities
3. Identification & Authentication
4. Account Management
5. Session Controls
6. External Connectivity
7. Telecommunications
8. Auditing
9. Virus Protection
10. Contingency Planning
11. Maintenance
12. Configuration Management
13. Back-ups
14. Labeling
15. Media Sanitization / Disposal
16. Physical Environment
17. Personnel Security
18. Training and Awareness
1. INFOSEC Documentation
Policy
Guidelines / requirements
System Security Plans (SSP)
Standard Operating Procedures (SOP)
User system security manuals
2. INFOSEC Roles and Responsibilities
Upper Level Management
Systems Operation
User Community
3. Identification & Authentication
Fundamental building block of INFOSEC
Three methods of implementation
• “Something you know”
• “Something you have”
• “Something you are”
4. Account Management
Documented account management policy and procedures
Written formal account request
• General and privileged user agreements
• Supervisor and data owner approval for access
• Minimal privilege access
Account initialization
4. Account Management (Cont.)
Account termination
Account maintenance
Special accounts
5. Session Controls
Protected, logged on workstation
Time-outs
Lock-screen capability with password
Warning banner
6. External Connectivity
Internet
Modems
Dedicated
7. Telecommunications
Documented requirements and procedures for transmitting sensitive information
Encryption issues
• Purpose (confidentiality, integrity, non-repudiation)
• Trust in communications medium
• Strength of algorithm
Alternate routes for increased availability
8. Auditing
Policy requiring mandatory auditing
SOP defining what to audit
Audit analysis and reporting on a timely basis
SSA trained in audit analysis
9. Virus Protection
Written policy
• Personal software allowed?
Scan incoming software
System scans
Update tools
Employee education/training
10. Contingency Planning
Documented plan
Identify mission or business critical functions
Uninterruptible Power Supply (UPS)
11. Maintenance
Policy and procedures
Personnel clearance level
Control of diagnostic software
Remote maintenance access
12. Configuration Management
Documented configuration control plan
Configuration Control Board (CCB)
Software loading issues for SSA approval
13. Back-ups
Documented in SSP and SOP
Schedule
Proper storage
Periodic testing of back-ups
14. Labeling
Policy/SOPs
Document what/why information is sensitive
Employees trained on proper marking procedures
Removable media
System components
15. Media Sanitization/Disposal
Documented policy and SOPs
Media sanitization methods
Establish responsibilities
User education/training
Contract concerns
16. Physical Environment
Physical environment can be used to offset lack of system security capabilities
Ramifications to INFOSEC posture
17. Personnel Security
Background checks
Security clearance
Signed user agreements
Employee awareness of social engineering techniques
18. Training and Awareness
Users are usually the weakest link in security
Documented responsibilities
Formal INFOSEC training program for users and SSA
Baseline Information Categories Summary
All categories need to be addressed
Category details will be dependent on the specific system
Additional categories can be included
Analysis of Vulnerabilities
Identify weaknesses or vulnerabilities in the system and operations that could potentially be exploited by an adversary
Threat Aspects
Environmental
Human
• External
• Internal malicious
• Internal inadvertent
Develop Recommendations
The assessment team will develop a list of recommended technical and operational security countermeasures to the identified system vulnerabilities
Post-assessment Activities Phase
Additional review of documentation
Additional expertise
Report Coordination
Summary IAM Baseline Activities
Pre-Assessment
• On-site customer coordination
• Information criticality analysis with matrices
• Customer’s concerns
• Documented INFOSEC assessment plan
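The information criticality analysis above is worked through here as an added example; it is not code from the presentation or from the IAM itself. It assumes the IAM's two matrices as commonly taught: an Organizational Information Criticality Matrix rating the impact of losing each information type's confidentiality, integrity and availability as High, Medium or Low, and a System Criticality Matrix that rolls those ratings up to the systems that process, store or transmit each type. The information types and systems are constructed sample data.

```python
from enum import IntEnum

class Impact(IntEnum):
    """Impact of a loss, as rated in the criticality matrices."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

SECURITY_GOALS = ("confidentiality", "integrity", "availability")

def build_oicm(info_types):
    """Organizational Information Criticality Matrix: one row per information
    type with an Impact per security goal; an unrated goal is an error."""
    oicm = {}
    for name, ratings in info_types.items():
        missing = [g for g in SECURITY_GOALS if g not in ratings]
        if missing:
            raise ValueError(f"{name}: no rating for {missing}")
        oicm[name] = {g: Impact[ratings[g].upper()] for g in SECURITY_GOALS}
    return oicm

def system_criticality(oicm, systems):
    """System Criticality Matrix: per goal, a system inherits the highest
    impact of any information type it processes, stores or transmits."""
    scm = {}
    for system, handled in systems.items():
        unknown = [t for t in handled if t not in oicm]
        if unknown:
            raise ValueError(f"{system}: not in OICM: {unknown}")
        scm[system] = {g: max((oicm[t][g] for t in handled), default=Impact.LOW)
                       for g in SECURITY_GOALS}
    return scm

def prioritize(scm):
    """Systems ordered by highest single-goal impact; ties keep input order."""
    return sorted(scm, key=lambda s: max(scm[s].values()), reverse=True)

# Constructed sample input for a fictional organization (not from the deck).
INFO_TYPES = {
    "payroll records": {"confidentiality": "high", "integrity": "high", "availability": "medium"},
    "public web content": {"confidentiality": "low", "integrity": "medium", "availability": "medium"},
    "incident tickets": {"confidentiality": "medium", "integrity": "high", "availability": "high"},
}
SYSTEMS = {
    "web server": ["public web content"],
    "file server": ["payroll records", "public web content"],
    "ticketing system": ["incident tickets"],
}
```

Calling `prioritize(system_criticality(build_oicm(INFO_TYPES), SYSTEMS))` yields the systems in the order the assessment should examine them; a system that handles both payroll records and public web content inherits the payroll ratings for confidentiality and integrity.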
Summary IAM Baseline Activities
On-site Assessment
• Information gathering: interviews, documentation review, system demonstrations
• 18 baseline information categories
Summary IAM Baseline Activities
Post-Assessment
• Documented report
Useful Links
Official IAM site: http://www.iatrp.com/iam.cfm
List of individuals certified to perform assessments using IAM: http://www.iatrp.com/indivu2.cfm
Information on 2-day IAM training leading to certification: http://www.iatrp.com/certclass.cfm
Contact Information
Stephen Mencik
Sr. INFOSEC Engineer
ACS Defense, Inc.
9020 Mendenhall Ct., Suite J.
Columbia, MD 21045
(410) [email protected]@mencik.com