solutions@syngress.com With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features: ■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. ■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors. ■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. ■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening. www.syngress.com/solutions 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page i 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page ii Security Assessment Case Studies for Implementing the NSA IAM Russ Rogers Greg Miles Ed Fuller Ted Dykstra Matthew Hoagberg 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page iii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or produc- tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc.“Syngress:The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 FGH73IP1LM 002 59MVZC6H9Q 003 4XFQIP4MCX 004 GLEQ71P9NC 005 7JHJ8FWEX2 006 VBP9EFC6K9 007 TYN8MF3TYH 008 64YTFXSQ9P 009 H8K3BN4GTV 010 IYGTE37V6N PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Security Assessment: Case Studies for Implementing the NSA IAM Copyright © 2004 by Syngress Publishing, Inc.All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be repro- duced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-932266-96-8 Acquisitions Editor: Catherine B. Nolan Cover Designer: Michael Kavish Page Layout and Art: Patricia Lupien Copy Editor: Darlene Bordwell Indexer: Nara Wood Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada. 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page iv Acknowledgments v We would like to acknowledge the following people for their kindness and support in making this book possible. Syngress books are now distributed in the United States by O’Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market:Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop,Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen and to all the others who work with us, but whose names we do not know (yet)! The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope. David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Jackie Gross, Gayle Voycey,Alexia Penny,Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada. Lois Fraser, Connie McMenemy,Shannon Russell,and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada. David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands. Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines. A special thanks to all the folks at Malloy who have made things easy for us and espe- cially to Beth Drake and Joe Upton. 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page v 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page vi vii Contributors Greg Miles (CISSP, CISM, IAM) is a Co-Founder, President, and Principle Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Greg is a key contributor not only to Security Horizon’s manage- ment, but also in the assessment, information security policy, and incident response areas. Greg is a United States Air Force Veteran and has served in military and contract support for the National Security Agency, Defense Information Systems Agency,Air Force Space Command, and NASA supporting worldwide security efforts. Greg has been a featured speaker at the Black Hat Briefings series of security conferences and APCO conferences and is a frequent con- tributor to “The Security Journal.” Greg holds a bachelor’s degree in electrical engineering from the University of Cincinnati, a master’s degree in management from Central Michigan University in Management, and a Ph.D. in engineering management from Kennedy-Western University. Greg is a member of the Information System Security Association (ISSA) and the Information System Audit and Control Association (ISACA). Russ Rogers (CISSP, CISM, IAM) is a Co-Founder, Chief Executive Officer, Chief Technology Officer, and Principle Security Consultant for Security Horizon, Inc., a Colorado-based profes- sional security services and training provider. Russ is a key contrib- utor to Security Horizon’s technology efforts and leads the technical security practice and the services business development efforts. Russ is a United States Air Force Veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of “The Security Journal” and a staff member for the Black Hat Briefings series of security conferences. Russ holds a bachelor’s degree in computer science from the University of Maryland and a master’s degree in computer systems management also from the 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page vii viii University of Maryland. Russ is a member of the Information System Security Association (ISSA), the Information System Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners. Russ was recently awarded The National Republican Congressional Committee’s National Leadership Award for 2003. Ed Fuller (CISSP, GSEC, IAM) is Senior Vice President and Principle Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Ed is the lead for Security Training and Assessments for Security Horizon’s offerings. Ed is a retired United States Navy Veteran and was a key participant on the development of Systems Security Engineering Capability Maturity Model (SSE-CMM). Ed has also been involved in the development of the Information Assurance Capability Maturity Model (IA-CMM). Ed serves as a Lead Instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM) and has served in military and con- tract support for the National Security Agency and the Defense Information Systems Agency. Ed is a frequent contributor to “The Security Journal.” Ed holds a bachelor’s degree from the University of Maryland in information systems management and is a member of the Center for Information Security and the Information Systems Security Engineering Association. Matthew Paul Hoagberg is a Security Consultant for Security Horizon, Inc., a Colorado-based professional security services and training provider. Matt contributes to the security training, assess- ments, and evaluations that Security Horizon offers. Matt’s experi- ence includes personnel management, business development, analysis, recruiting, and corporate training. He has been responsible for implementing a pilot 3-factor authentication effort for Security 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page viii ix Horizon and managing the technical input for the project back to the vendor. Matt holds a bachelor’s degree in psychology from Northwestern College and is a member of the Information System Security Association (ISSA). Ted Dykstra (CISSP, CCNP, MCSE, IAM) is a Security Consultant for Security Horizon, Inc., a Colorado-based profes- sional security services and training provider.Ted is a key contrib- utor in the technical security efforts and service offerings for Security Horizon, and an instructor for the National Security Agency (NSA) Information Assurance Methodology (IAM).Ted’s background is in both commercial and government support efforts, focusing on secure architecture development and deployment, INFOSEC assessments and audits, as well as attack and penetration testing. His areas of specialty are Cisco networking products, Check Point and Symantec Enterprise Security Products, Sun Solaris, Microsoft, and Linux systems.Ted is a regular contributor to “The Security Journal,” as well as a member of the Information System Security Association (ISSA) and a leading supporter of the Colorado Springs, Colorado technical security group: dc719. 286_NSA_IAM_FM.qxd 12/16/03 2:21 PM Page ix [...]... Defining the Systems What Makes a System Critical? Breaking the Network into Systems What Makes Sense? Creating the System Criticality Matrix The Relationship Between OICM and SCM Refining Impact Definitions A Matrix for Each System Unexpected Changes Case Study: Creating the SCM for TOOT 99 99 10 0 10 0 10 0 10 3 10 4 10 5 10 7 10 8 10 9 11 0 11 0 11 1 11 3 11 5 11 6 11 9 12 0 12 1 12 3 12 6 12 8 12 8 12 8 13 0 13 2 13 3 13 4 13 4 13 5... Redundancy The BOR TAP Contact Information Mission Organization Information Criticality System Information Criticality Concerns and Constraints System Configuration The Interview List 17 4 17 9 17 9 18 1 18 3 18 4 18 4 18 7 18 7 18 8 19 0 19 1 19 2 19 3 19 4 19 5 19 6 19 7 19 8 200 200 2 01 2 01 202 202 202 203 204 206 208 209 209 210 286 _NSA_ IAM_ TOC.qxd 12 /16 /03 2 :12 PM Page xvii Contents Documentation Events Timeline Summary... Documents System Security Plan Documents User Documents Document-Tracking Templates Elements of the Technical Assessment Plan The Interview List The Assessment Timeline 4 01 402 404 408 408 409 409 410 411 412 413 414 Index 417 xxiii 286 _NSA_ IAM_ TOC.qxd 12 /16 /03 2 :12 PM Page xxiv 286 _NSA_ IAM_ Intro.qxd 12 /16 /03 2:49 PM Page xxv Introduction Welcome to the National Security Agency (NSA) Information Assurance... Determining the Audience for the Closeout Meeting Who Is Your Audience? Who Should Attend? Organizing the Closeout Meeting Determining Time and Location Time of Meeting Day of Week Meeting Room Determining Supply List for the Closeout Meeting 309 310 310 311 311 312 312 313 313 313 313 xix 286 _NSA_ IAM_ TOC.qxd xx 12 /16 /03 2 :12 PM Page xx Contents Other Concerns about the Meeting Understanding the Meeting... 13 4 13 4 13 5 13 6 13 7 13 8 14 0 286 _NSA_ IAM_ TOC.qxd 12 /16 /03 2 :12 PM Page xv Contents Locating System Boundaries Completing the System Criticality Matrix Summary Best Practices Checklist Frequently Asked Questions 14 0 14 1 14 5 14 7 14 9 Chapter 5 The System Security Environment 15 1 Introduction 15 2 Understanding the Cultural and Security Environment 15 4 The Importance of Organizational Culture 15 4 Adequately... You There in the First Place? 16 6 Specific Criteria to Assess 16 6 Handling the Documentation Identification and Collection 16 7 What Documentation Is Necessary? 16 9 Policy 16 9 Guidelines/Requirements 16 9 Plans 17 0 Standard Operating Procedures 17 0 User Documentation 17 0 Obtaining the Documentation 17 1 Use the Customer Team Member 17 1 Tracking the Documents 17 1 Determining Documentation Location 17 2...286 _NSA_ IAM_ FM.qxd 12 /16 /03 2: 21 PM Page x 286 _NSA_ IAM_ TOC.qxd 12 /16 /03 2 :12 PM Page xi Contents Introduction xxv Chapter 1 Laying the Foundation for Your Assessment Introduction Determining Contract Requirements What Does the Customer Expect? Customer Definition of an Assessment Sources for Assessment Work Contract Composition What Does the Work Call For? What Are the Timelines? Understand the Pricing... Knowledge Picking the Right People Adequately Understanding Customer Expectations The Power of Expectations What Does the Customer Expect for Delivery? Adjusting Customer Expectations 1 2 3 4 4 7 7 11 16 18 20 21 21 21 22 23 24 25 27 27 27 28 28 30 30 30 30 xi 286 _NSA_ IAM_ TOC.qxd xii 12 /16 /03 2 :12 PM Page xii Contents Educating the Customer Helping the Customer Understand the Level of Effort Explaining... Organization Security Defining Roles and Responsibilities Who Is the Decision Maker? 31 31 31 32 32 32 33 34 35 35 36 39 40 42 45 46 47 48 48 50 50 52 53 53 54 56 57 58 60 61 286 _NSA_ IAM_ TOC.qxd 12 /16 /03 2 :12 PM Page xiii Contents Who Is the Main Customer POC? Who Is the Assessment Team Leader? Suggestions for the Assessment Team Possible Members of the Customer Team Planning for the Assessment Activities... the Security Environment 15 6 Defining the Boundaries 15 9 Physical Boundaries 16 0 Logical Boundaries 16 1 Never the Twain Shall Meet—Or Should They? 16 2 Identifying the Customer Constraints and Concerns 16 2 Defining Customer Constraints 16 3 Types of Operational Constraints 16 3 Types of Resource Constraints 16 4 Environmental Constraints 16 4 Architectural Constraints 16 5 Determining Customer Concerns 16 6 . listening. www.syngress.com/solutions 286 _NSA_ IAM_ FM.qxd 12 /16 /03 2: 21 PM Page i 286 _NSA_ IAM_ FM.qxd 12 /16 /03 2: 21 PM Page ii Security Assessment Case Studies for Implementing the NSA IAM Russ Rogers Greg Miles Ed. responsible for implementing a pilot 3-factor authentication effort for Security 286 _NSA_ IAM_ FM.qxd 12 /16 /03 2: 21 PM Page viii ix Horizon and managing the technical input for the project back to the. the Matrix 11 1 Summary 11 3 Best Practices Checklist 11 5 Frequently Asked Questions 11 6 Chapter 4 System Information Criticality 11 9 Introduction 12 0 Stepping into System Criticality 12 1 Defining