solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/solutions

286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page i

Security Assessment: Case Studies for Implementing the NSA IAM

Russ Rogers
Greg Miles
Ed Fuller
Ted Dykstra
Matthew Hoagberg

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Security Assessment: Case Studies for Implementing the NSA IAM
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-932266-96-8

Acquisitions Editor: Catherine B. Nolan
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Darlene Bordwell
Indexer: Nara Wood

Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States by O’Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen and to all the others who work with us, but whose names we do not know (yet)!
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

A special thanks to all the folks at Malloy who have made things easy for us and especially to Beth Drake and Joe Upton.

Contributors

Greg Miles (CISSP, CISM, IAM) is a Co-Founder, President, and Principal Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Greg is a key contributor not only to Security Horizon’s management, but also in the assessment, information security policy, and incident response areas.
Greg is a United States Air Force Veteran and has served in military and contract support for the National Security Agency, Defense Information Systems Agency, Air Force Space Command, and NASA supporting worldwide security efforts. Greg has been a featured speaker at the Black Hat Briefings series of security conferences and APCO conferences and is a frequent contributor to “The Security Journal.” Greg holds a bachelor’s degree in electrical engineering from the University of Cincinnati, a master’s degree in management from Central Michigan University, and a Ph.D. in engineering management from Kennedy-Western University. Greg is a member of the Information System Security Association (ISSA) and the Information System Audit and Control Association (ISACA).

Russ Rogers (CISSP, CISM, IAM) is a Co-Founder, Chief Executive Officer, Chief Technology Officer, and Principal Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Russ is a key contributor to Security Horizon’s technology efforts and leads the technical security practice and the services business development efforts. Russ is a United States Air Force Veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of “The Security Journal” and a staff member for the Black Hat Briefings series of security conferences. Russ holds a bachelor’s degree in computer science from the University of Maryland and a master’s degree in computer systems management, also from the University of Maryland. Russ is a member of the Information System Security Association (ISSA), the Information System Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners. Russ was recently awarded The National Republican Congressional Committee’s National Leadership Award for 2003.
Ed Fuller (CISSP, GSEC, IAM) is Senior Vice President and Principal Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ed is the lead for Security Training and Assessments for Security Horizon’s offerings. Ed is a retired United States Navy Veteran and was a key participant in the development of the Systems Security Engineering Capability Maturity Model (SSE-CMM). Ed has also been involved in the development of the Information Assurance Capability Maturity Model (IA-CMM). Ed serves as a Lead Instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM) and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Ed is a frequent contributor to “The Security Journal.” Ed holds a bachelor’s degree from the University of Maryland in information systems management and is a member of the Center for Information Security and the Information Systems Security Engineering Association.

Matthew Paul Hoagberg is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Matt contributes to the security training, assessments, and evaluations that Security Horizon offers. Matt’s experience includes personnel management, business development, analysis, recruiting, and corporate training. He has been responsible for implementing a pilot 3-factor authentication effort for Security Horizon and managing the technical input for the project back to the vendor. Matt holds a bachelor’s degree in psychology from Northwestern College and is a member of the Information System Security Association (ISSA).
Ted Dykstra (CISSP, CCNP, MCSE, IAM) is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ted is a key contributor in the technical security efforts and service offerings for Security Horizon, and an instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM). Ted’s background is in both commercial and government support efforts, focusing on secure architecture development and deployment, INFOSEC assessments and audits, as well as attack and penetration testing. His areas of specialty are Cisco networking products, Check Point and Symantec Enterprise Security Products, Sun Solaris, Microsoft, and Linux systems. Ted is a regular contributor to “The Security Journal,” as well as a member of the Information System Security Association (ISSA) and a leading supporter of the Colorado Springs, Colorado technical security group: dc719.

[...]

Introduction

Welcome to the National Security Agency (NSA) Information Assurance Methodology (IAM). In 1998, the NSA IAM was developed to meet the demand for information security (INFOSEC) assessments—a demand that was increasing due to Presidential Decision Directive 63 (PDD-63) while at the same time NSA... within the INFOSEC community. The National Defense University (NDU) now teaches the IAM; it is required for the university’s chief information officer (CIO) certification program. The CISSP is coordinating with the IAM sponsors to incorporate the IAM into the CISSP. It has already been included in CISSP study guides. Doing a search over the Internet shows that the IAM has even gone international. The National...
is the test. Due to the purpose of the government IAM class, appropriated funds can be used to provide this training for free. As always, this raises the question, “Why can’t I go to the free class and, if I meet the INFOSEC prerequisites, take the test and be certified?” The answer has to do with ethics. It’s not fair for some individuals to be certified for free while others are charged a fee. The NSA IAM...

... during the testing and evaluation phase. The IAM provides the standard process and individual certification, but it is only half the IATRP. The other part of the IATRP is the rating program. The rating provides us with a list of appraised organizations that have been rated in their capabilities for supporting IAM assessments;... such a list was the original NSA goal. For this rating, the IATRP went to the Capability Maturity Model (CMM) community, in particular the System Security Engineering CMM (SSE-CMM). Basically, CMMs provide a means of rating a process area consistently. In other words, the system ascertains whether the process can be repeated with the same results. The higher the rating, the more institutionalized the process. Examples...

Contents

Introduction xxv

Chapter 1 Laying the Foundation for Your Assessment
Introduction
Determining Contract Requirements
What Does the Customer Expect?
Customer Definition of an Assessment
Sources for Assessment Work
Contract Composition
What Does the Work Call For?
What Are the Timelines?
Understand the Pricing...
classes are for the providers. Providers are people or vendors who are in the business of profiting from performing assessments. This creates a win-win partnership for the providers, NSA, and customers. The certification gives IAM providers something extra when they attempt to obtain new business. In turn, the government now has someone (the providers) championing the standard. In order to be certified, the student...

Pre-Assessment Visit
Introduction
Preparing for the Pre-Assessment Visit
Questions You Should Ask
Determining the Network Environment of the Assessment Site
Determining the Security Controls of the Assessment Site
Understanding Industry Concerns for the Assessment Site
Scheduling
Understanding Special Considerations
Managing Customer Expectations
Defining the Differences Between Assessment and Audit
Results, Solutions,...

... assessments the way NSA does. To recap, the IAM trains the individuals in the IAM standard, while the IA-CMM appraises the organization’s ability to support the IAM providers and provides a profile rating of those providers. Both pieces of information are freely provided to consumers and can be viewed at www.iatrp.com.

Filling a Need

You’ve gone to the IAM class—now what? Your company wants to see the value... protecting national security. Although this is true, the reasons for doing an assessment remain the same regardless of the industry or organization to which it is being applied. An INFOSEC assessment of any system can help the information’s owners answer key questions:

■ What is the critical information?
■ What controls are in place for the system?
■ What is the system’s current security posture?
■ Should...