Security Control Families Technical Class
Dec 23, 2015
Security Control Families
Technical Class
ID   Class        Family                                     # of Controls
CA   Management   Security Assessment and Authorization      6
PL   Management   Planning                                   5
PM   Management   Program Management                         11
RA   Management   Risk Assessment                            4
SA   Management   System and Services Acquisition            14   (Management total: 40)
AT   Operational  Awareness and Training                     5
CM   Operational  Configuration Management                   9
CP   Operational  Contingency Planning                       10
IR   Operational  Incident Response                          8
MA   Operational  Maintenance                                6
MP   Operational  Media Protection                           6
PE   Operational  Physical and Environmental Protection      19
PS   Operational  Personnel Security                         8
SI   Operational  System and Information Integrity           13   (Operational total: 84)
AC   Technical    Access Control                             19
AU   Technical    Audit and Accountability                   14
IA   Technical    Identification and Authentication          8
SC   Technical    System and Communications Protection       34   (Technical total: 75)
Access Control
• AC-2 Account Management
• AC-3 Access Enforcement
• AC-4 Information Flow Enforcement
• AC-5 Separation of Duties
• AC-6 Least Privilege
• AC-7 Unsuccessful Login Attempts
• AC-8 System Use Notification
• AC-10 Concurrent Session Control
• AC-11 Session Lock
• AC-14 Permitted Actions without Identification or Authentication
• AC-17 Remote Access
• AC-18 Wireless Access
• AC-19 Access Control for Mobile Devices
• AC-20 Use of External Information Systems
• AC-22 Publicly Accessible Content
• SP 800-46 (Telework)
• SP 800-77 (IPsec)
• SP 800-113 (SSL)
• SP 800-114 (External Devices)
• SP 800-121 (Bluetooth)
• SP 800-48 (Legacy Wireless)
• SP 800-94 (IDPS)
• SP 800-97 (802.11i Wireless)
• SP 800-124 (Cell Phones/PDA)
• OMB M-06-16 (Remote Access)
IPsec VPNs (SP 800-77)
Network Layer Security
• The Need for Network Layer Security
• Virtual Private Networking (VPN)
  – Gateway-to-Gateway Architecture
  – Host-to-Gateway Architecture
  – Host-to-Host Architecture
IPsec Fundamentals
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• IP Payload Compression Protocol (IPComp)
• Putting It All Together
  – ESP in a Gateway-to-Gateway Architecture
  – ESP and IPComp in a Host-to-Gateway Architecture
  – ESP and AH in a Host-to-Host Architecture
Network Layer Security
Security services provided at the network layer:
• Confidentiality
• Integrity
• Peer Authentication
• Replay Protection
• Traffic Analysis (protection against)
• Access Control
IPsec VPNs
• Gateway-to-Gateway Architecture
• Host-to-Gateway Architecture
• Host-to-Host Architecture
Gateway-to-Gateway Architecture
Host-to-Gateway Architecture
Host-to-Host Architecture
Model Comparison
IPsec Protocols
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• IP Payload Compression Protocol (IPComp)
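Replay protection, one of the network-layer services listed earlier, is enforced by the receiver of each ESP or AH Security Association with a sliding window over the 32-bit sequence number. The following is an added example written for this page, not code from SP 800-77 or the course material: it implements the receiver check from RFC 4303 Appendix A. The class name, the 64-packet window and the sample arrival order are this example's own choices.

```python
"""Anti-replay sliding window for an inbound IPsec (ESP/AH) Security Association.

Added example modelled on RFC 4303 Appendix A; not from SP 800-77 or the slides.
Sequence numbers start at 1 on a fresh SA and must never wrap: when 2^32-1 is
reached the SA has to be rekeyed, so anything outside 1..2^32-1 is dropped here.
"""


class AntiReplayWindow:
    """Receiver-side replay check for one SA. Minimum window is 32, default 64."""

    def __init__(self, window_size: int = 64) -> None:
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.window_size = window_size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i is set when packet (last_seq - i) has been received

    def check(self, seq: int) -> bool:
        """Return True and record seq if the packet is fresh; False if it must be dropped.

        A real receiver runs this only after the ICV (integrity check value) has
        verified; recording the sequence number of an unauthenticated packet would
        let an attacker advance the window and starve legitimate traffic.
        """
        if not 1 <= seq <= 0xFFFFFFFF:
            return False
        if seq > self.last_seq:
            # Newer than anything seen: slide the window forward by the gap.
            shift = seq - self.last_seq
            if shift >= self.window_size:
                self.bitmap = 1  # every previously recorded packet falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.window_size:
            return False          # older than the window: cannot tell replay from late, drop
        if self.bitmap & (1 << offset):
            return False          # already received: replay
        self.bitmap |= 1 << offset
        return True               # late but fresh: accept


def run_scenario(arrivals):
    """Feed a constructed arrival order through one SA and return the accept/drop decisions."""
    window = AntiReplayWindow(64)
    return [window.check(seq) for seq in arrivals]


# Constructed arrival order: in-order delivery, one late-but-valid packet (4),
# a replayed packet (3), a large jump (100), a late packet inside the window (40),
# a packet exactly one past the window edge (36) and one on the edge (37).
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 3, 100, 40, 36, 37]

if __name__ == "__main__":
    for seq, accepted in zip(SAMPLE_ARRIVALS, run_scenario(SAMPLE_ARRIVALS)):
        print(f"seq={seq:<4} {'accept' if accepted else 'DROP'}")
```

Note that a packet older than the window (36 above) is dropped even though it was never seen: the receiver cannot distinguish it from a replay, which is why very large reordering on a path needs a larger window rather than a relaxed check.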
SSL VPNs (SP 800-113)
• Virtual Private Networking (VPN)
• SSL Portal VPNs
• SSL Tunnel VPNs
• Administering SSL VPNs
• SSL VPN Architecture
SSL VPNs
• SSL Portal VPNs
• SSL Tunnel VPNs
• Administering SSL VPNs
Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved, and therefore are not allowed for use in SSL VPNs that are to be used in applications that must conform to FIPS 140-2.
SSL VPN Architecture
SSL Protocol Basics
• Versions of SSL and TLS
• Cryptography Used in SSL Sessions
• Authentication Used for Identifying SSL Servers
Knowledge Check
Which protocol, used by IPsec, negotiates connection settings, authenticates the endpoints to each other, defines the security parameters of IPsec-protected connections, negotiates secret keys, and manages, updates and deletes IPsec-protected communication channels?
Because AH transport mode cannot alter the original IP header or create a new IP header, transport mode is generally used in which VPN architecture?
Which VPN technologies are approved for use by Federal agencies?
Private Wireless
Public Wireless
Wireless Protocols
Cell Phone Security
Bluetooth Security
Audit & Accountability
• AU-2 Auditable Events
• AU-3 Content of Audit Records
• AU-4 Audit Storage Capacity
• AU-5 Response to Audit Processing Failures
• AU-6 Audit Review, Analysis, and Reporting
• AU-7 Audit Reduction and Report Generation
• AU-8 Time Stamps
• AU-9 Protection of Audit Information
• AU-10 Non-repudiation
• AU-11 Audit Record Retention
• AU-12 Audit Generation
• SP 800-92 (Log Management)
• FIPS 180-3 (SHA)
• FIPS 186-3 (DSS)
• FIPS 198-1 (HMAC)
Log Management
• Log Sources
• Analyze Log Data
• Respond to Identified Events
• Manage Long-Term Log Data Storage
Log Sources
• Log Generation
• Log Storage and Disposal
• Log Security
Analyze Log Data
• Gaining an Understanding of Logs
• Prioritizing Log Entries
• Comparing System-Level and Infrastructure-Level Analysis
Respond to Identified Events
Manage Long-Term Log Data Storage
• Choose Log Format for Data to be Archived
• Archive the Log Data
• Verify Integrity of Transferred Logs
• Store Media Securely
Integrity Standards
• FIPS 186-3 Digital Signature Standard
• FIPS 180-3 Secure Hash Standard
• FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)
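The "Verify Integrity of Transferred Logs" step and the AU-9 requirement to protect audit information both come down to detecting any change to an archived record after the fact. The following is an added example, not code from SP 800-92 or the course: it seals a batch of log records with HMAC-SHA256 (FIPS 198-1 over a FIPS 180 hash), chaining each tag into the next so that modification, deletion, insertion, reordering or truncation is caught on verification. The record layout, the chaining construction and the sample log lines are constructed for this example.

```python
"""Chained HMAC-SHA256 sealing of archived audit logs.

Added example, not from SP 800-92 or the slides. Each stored line is
"<hex tag> <record>" where tag = HMAC(key, previous_tag || record); the final
tag is kept separately (e.g. with the chain-of-custody record for the media) so
that trimming records off the end of the archive is also detected.
"""
import hashlib
import hmac
import secrets

CHAIN_SEED = b"\x00" * 32   # previous-tag value for the very first record


def seal_log(records, key):
    """Return (sealed_lines, final_tag_hex) for a list of log records (str)."""
    prev = CHAIN_SEED
    sealed = []
    for rec in records:
        tag = hmac.new(key, prev + rec.encode("utf-8"), hashlib.sha256).digest()
        sealed.append(f"{tag.hex()} {rec}")
        prev = tag
    return sealed, prev.hex()


def verify_log(sealed_lines, key, expected_final_tag):
    """Return (True, None) if the archive is intact, else (False, index of first bad line).

    An index equal to len(sealed_lines) means every line verified but the archive
    is shorter than it was when sealed (records removed from the end).
    """
    prev = CHAIN_SEED
    for i, line in enumerate(sealed_lines):
        tag_hex, _, rec = line.partition(" ")
        expected = hmac.new(key, prev + rec.encode("utf-8"), hashlib.sha256).digest()
        # Constant-time comparison: the archive may be verified by a service that
        # an attacker can time.
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev = expected
    if not hmac.compare_digest(prev.hex(), expected_final_tag):
        return False, len(sealed_lines)
    return True, None


# Constructed sample records; the content is illustrative only.
SAMPLE_RECORDS = [
    "2015-12-23T10:01:02Z host=web01 user=alice action=login result=success",
    "2015-12-23T10:03:17Z host=web01 user=alice action=sudo cmd='cat /etc/shadow' result=denied",
    "2015-12-23T10:03:20Z host=web01 user=alice action=logout result=success",
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)           # kept outside the log store, e.g. in an HSM or KMS
    sealed, final_tag = seal_log(SAMPLE_RECORDS, key)
    print("intact archive:", verify_log(sealed, key, final_tag))

    tampered = list(sealed)
    tampered[1] = tampered[1].replace("result=denied", "result=success")
    print("edited record 1:", verify_log(tampered, key, final_tag))

    print("deleted record 1:", verify_log(sealed[:1] + sealed[2:], key, final_tag))
    print("truncated archive:", verify_log(sealed[:-1], key, final_tag))
```

The key must not live alongside the archive: whoever can read it can re-seal an altered log. Keeping the key and the final tag with the chain-of-custody record, and the sealed lines on the archive media, is what turns the HMAC into an AU-9 control rather than a checksum.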
Identification & Authentication
• IA-2 Identification and Authentication (Organizational Users)
• IA-3 Device Identification and Authentication
• IA-4 Identifier Management
• IA-5 Authenticator Management
• IA-6 Authenticator Feedback
• IA-7 Cryptographic Module Authentication
• IA-8 Identification and Authentication (Non-Organizational Users)
• SP 800-63 (E-authentication)
• SP 800-73
• SP 800-76
• SP 800-78
• FIPS 140-2
• FIPS 201
• HSPD-12
• OMB M-04-04 (E-authentication)
• OMB M-05-24 (HSPD-12)
Personal Identity Verification (PIV)
• Crypto
• Biometrics
• PIV Interfaces
IA Policy & Standard
• HSPD-12 (Policy)
• FIPS 201-1 (Implementation)
  – PIV-I: Security Requirements
  – PIV-II: Technical Interoperability Requirements (Smartcards)
E-Authentication Guidelines
• Level 1 – No Identity Proofing
• Level 2 – Single-factor Authentication, Identity Proofing Requirements
• Level 3 – Multi-factor Authentication
• Level 4 – Multi-factor Authentication using a Hard Token
OMB M-04-04, E-Authentication Guidance for Federal Agencies
System & Communications Protection
• SC-2 Application Partitioning
• SC-3 Security Function Isolation
• SC-4 Information in Shared Resources
• SC-5 Denial of Service Protection
• SC-7 Boundary Protection
• SC-8 Transmission Integrity
• SC-9 Transmission Confidentiality
• SC-10 Network Disconnect
• SC-12 Cryptographic Key Establishment and Management
• SC-13 Use of Cryptography
• SC-14 Public Access Protections
• SC-15 Collaborative Computing Devices
• SC-17 Public Key Infrastructure Certificates
• SC-18 Mobile Code
• SC-19 Voice Over Internet Protocol
• SC-20 Secure Name/Address Resolution Service (Authoritative Source)
• SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
• SC-22 Architecture and Provisioning for Name/Address Resolution Service
• SC-23 Session Authenticity
• SC-24 Fail in Known State
• SC-28 Protection of Information at Rest
• SC-32 Information System Partitioning
• SP 800-32 (PKI)
• SP 800-41 (Firewalls)
• SP 800-52 (TLS)
• SP 800-58 (VoIP)
• SP 800-63 (E-authentication)
• SP 800-77 (IPsec)
• SP 800-81 (DNSSEC)
• SP 800-95 (Secure Web Services)
• SP 800-113 (SSL VPNs)
• FIPS 140-2
• FIPS 197
• OMB M-05-24 (PIV)
• OMB M-08-23 (DNS)
Firewall Technologies
• Packet Filtering
• Stateful Inspection
• Application Firewalls
• Application-Proxy Gateways
• Dedicated Proxy Servers
• Virtual Private Networking
• Network Access Control
• Unified Threat Management (UTM)
• Web Application Firewalls
• Firewalls for Virtual Infrastructures
Knowledge Check
Name the AES-based encryption mechanism used in the 802.11i wireless specification.
In which security mode are Bluetooth devices considered “promiscuous”, and do not employ any mechanisms to prevent other Bluetooth-enabled devices from establishing connections?
Which security control requires the information system protect against an individual falsely denying having performed a particular action?
Which e-authentication level, described in the special publication 800-63, requires multifactor authentication, and the use of a hard token?
Cryptographic Services
• Data integrity
• Confidentiality
• Identification and authentication
• Non-repudiation
Cryptographic Security Mechanisms
Symmetric Key Encryption. Objective: Confidentiality via Bulk Encryption
The Problem with Symmetric Keys
Asymmetric Key Encryption. Objective: Symmetric Key Exchange / Authentication
Hash Functions. Objective: Data Integrity
Digital Signature. Objective: Non-Repudiation (Authentication + Integrity)
PKI (SP 800-32)
• Security Services
• Non-cryptographic Security Mechanisms
• Cryptographic Security Mechanisms
• PKI Components
• PKI Architectures
PKI Components
• Certification Authority (CA)
• Registration Authority (RA)
• Repository
• Archive
• Public Key Certificate
• Certificate Revocation Lists (CRLs)
• PKI Users
TLS (SP 800-52)
Mapping the Security Parts of TLS to Federal Standards

Function                               Algorithms in TLS cipher suites
Key Establishment                      RSA, DH (Diffie-Hellman), Fortezza-KEA
Confidentiality / Symmetric Key        IDEA, RC4, 3DES-EDE, AES
Signatures & Hashes                    RSA, DSA, MD5, SHA-1
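The mapping above, together with the earlier caveat that many SSL cipher suites use algorithms that are not FIPS-approved, is something a practitioner has to apply to a concrete suite list. The following is an added example, not code from SP 800-52 or the course: a screen over OpenSSL-style cipher suite names that accepts only suites whose bulk cipher is AES (FIPS 197) or 3DES and whose hash is from the SHA family, and rejects RC4, IDEA and MD5. Rejecting NULL-encryption, EXPORT and anonymous-DH suites is this example's own addition (they provide no confidentiality or no server authentication); the cipher string passed to `set_ciphers()` and the sample suite names are also this example's choices.

```python
"""Screen TLS cipher suites against the SP 800-52 algorithm mapping on the slide.

Added example; not from SP 800-52, OpenSSL or the course. Suite names follow the
OpenSSL spelling that Python's ssl module reports. The slide reflects the 2015
position: NIST has since deprecated 3DES and SHA-1 signatures (SP 800-131A), so a
current deployment would also drop the DES-CBC3 suites accepted here.
"""
import ssl

# Tokens whose presence disqualifies a suite outright: non-approved algorithms
# from the slide (RC4, IDEA, MD5) plus, as this example's assumption, suites
# with no encryption (NULL), export-weakened keys (EXP) or anonymous DH/ECDH.
DISALLOWED_TOKENS = ("RC4", "IDEA", "MD5", "NULL", "EXP", "ADH", "AECDH")


def is_fips_candidate(suite: str) -> bool:
    """True if every algorithm named in the suite maps to a federal standard on the slide."""
    if any(tok in suite for tok in DISALLOWED_TOKENS):
        return False
    bulk_ok = "AES" in suite or "DES-CBC3" in suite   # AES (FIPS 197) or 3DES-EDE
    hash_ok = "SHA" in suite                          # SHA family (FIPS 180 / HMAC, FIPS 198-1)
    return bulk_ok and hash_ok


def screen_suites(suites):
    """Partition suite names into (accepted, rejected), preserving input order."""
    accepted = [s for s in suites if is_fips_candidate(s)]
    rejected = [s for s in suites if not is_fips_candidate(s)]
    return accepted, rejected


def restricted_client_context() -> ssl.SSLContext:
    """Client context that only offers screened TLS 1.2 suites.

    OpenSSL configures TLS 1.3 suites through a separate list, so set_ciphers()
    does not touch them; get_ciphers() may still report TLS_CHACHA20_POLY1305_SHA256.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:AES:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


# Constructed suite names covering each row of the slide's mapping.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",   # ECDHE + RSA auth, AES, SHA-2
    "DHE-RSA-AES128-SHA",            # DH + RSA auth, AES, SHA-1
    "DES-CBC3-SHA",                  # RSA key transport, 3DES, SHA-1
    "RC4-SHA",                       # RC4 is not FIPS-approved
    "RC4-MD5",                       # neither RC4 nor MD5
    "IDEA-CBC-SHA",                  # IDEA is not FIPS-approved
    "NULL-SHA256",                   # no confidentiality at all
    "EXP-DES-CBC-SHA",               # 40-bit export key
    "ADH-AES128-SHA",                # anonymous DH: no server authentication
]

if __name__ == "__main__":
    accepted, rejected = screen_suites(SAMPLE_SUITES)
    print("accepted:", accepted)
    print("rejected:", rejected)
    offered = [c["name"] for c in restricted_client_context().get_ciphers()]
    print("TLS 1.2 suites offered by the restricted context that fail the screen:",
          [n for n in offered if not n.startswith("TLS_") and not is_fips_candidate(n)])
```

Name matching is a screen, not a proof of FIPS conformance: a suite can use approved algorithms and still be running in a module that has not been validated under FIPS 140-2, which is the condition the earlier caveat actually imposes.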
VoIP (SP 800-58)
• Overview of VoIP
• Privacy and Legal Issues with VoIP
• VoIP Security Issues
• Quality of Service Issues
• VoIP Architectures
• Solutions to the VoIPsec Issues
Overview of VoIP
Public Facing Web Server
DNS Transaction Threats & Security Objectives
Technical Security Controls Key Concepts & Vocabulary
• AC – Access Control
• AU – Audit & Accountability
• IA – Identification & Authentication
• SC – System & Communications Protection