FAISSR MEETING September 24, 2003

1
FAISSR MEETINGSeptember 24, 2003

• IS Security Issues
• John Edmiston, CISSP

2
Briefing Highlights

• - Overview ISOM Chapter 8 - Frequently
  Asked Questions
• - New Technology

3
DSS Academy IS Training

• NISPOM Chapter 8 Requirements
• Location Double Tree Hotel, Cocoa Beach, FL
• Date Jan 20-22, 2004
• NISP Network Security Basics (Teletraining)
• Place Linthicum, MD Date various
• Enrol https//enrol.dss.mil/enrol/default.asp

4
Feedback Auto. Security Plan Template (FAST)

• Tool developed through CIA to automate creation
  of SSP
• Question answers format (similar to TurboTax)
• Testing currently at selected contractors
• Due out in Spring

5
Automated Tools for NISP Systems

• Windows (NT, 2000, XP) and UNIX (Solaris 8,
  Linux 7.0, Irix 6.5) systems
• PL1, PL2 and PL3
• Tool verifies system configuration against NISPOM
  requirements
• Results in report
• Non compliance needs explanation prior to
  accreditation
• Compliance with technical requirements

6
DSS Assessed Products List (APL)

• DSS approved disk sanitization software
• Previous accreditations grandfathered until
  next reaccreditation
• Test and verify functionality
• Accreditation of SSP
• Other software for non-volatile memory
  sanitization still permitted

7
Timeframe for Accreditations

• ISOM timeframe 60 days final accreditation
• Request Interim Approval To Operate (IATO) if
  needed sooner

8
Special Note on Reaccreditations of SSPs

• SSPs previously accredited to the May 2000 Ch 8
  requirements may lack procedures for
• Trusted Download
• Network Security Plan
• Sanitization Software
• Destruction of floppies

9
IS Accreditations

• Lock Down your BIOS
• Configuration
• Time and date
• Password protect it

Vulnerabilities - Rearrange jumper switch,
remove battery, manufactures backdoor password,
software attacks.
10
IS Accreditations

• Enclosure 27 for SSP Review Form A No answer
  will prevent accreditation - should answer N/A
• Automated Audit trails not required in 2 cases
• Operating System not capable (e.g. Win 98, ME)
• Single User Standalone
• Manual log
• Rule of thumb use automated audit trails if
  available

11
Virus Protection Software

• ALL systems must use virus protection
  software if available (ISL 01-1 Q10)
• Note latest ISOM exempts UNIX from virus
  detection software but still
• must check for malicious
• software as required by 8-305

12
Security Relevant Objects (SROs)

• Defined as some system software, virus checking
  software, audit records, access controls,
  sanitization software

13
Wide Area Networks (WANS) Interconnected

• No Self Certification of like WANS
• Can self certify additional workstations on WAN
• Separately accredited SSP for each node
• Separately accredited Network Security Plan
• Network Protection Level (PL) equals highest node
  on network
• Nodes independently determine PL
• Prime or designated sub is host

14
Wide Area Networks (WANS) Interconnected
Node Site
Potential Node Site
Host Site
15
Wide Area Networks (WANS) Interconnected

• Network ISSO duties
• Perform weekly reviews
• Evaluate impact of security-relevant system
  network changes
• Recommend to DSS to rescind MOU NSP, if
  necessary
• Provide reaccredited NSPs to nodes

16
SIPRNET Items of Interest

• SIPRNET Customer Connection Process Guide Contact
  Jim Nostrand DISA (703-735-3238)
• No self certification
• Replacement (not addition)
  of like equipment allowed

17
Who Can Self Certify?

• DSS authorizes only ISSM
• All self certifications are in writing NO VERBAL
  SELF CERTIFICATIONS
• Self certification documentation is in place
  PRIOR to use of components
• All additional hardware and security software
  baseline changes require self certification by
  ISSM

18
Self-Certification

• Master SSP must include
• Hardware and operating system
• Provision for testing and ensuring features
  enabled
• Requirement that DSS be notified (e.g. submit
  self certified profile)
• Each additional self certification must have
  statement System(s) added implements the
  requirements in Master SSP
• FAISSR Master SSP is Master and profile together
• FAISSR SSP version 4.0

19
Technical Requirements Which Cant be Accomplished

• If operating system can not meet technical
  requirements then document in SSP as
  vulnerability (8-610a(1)(c))
• Example Operating System
• only recognizes 6 character
• passwords

20
Group Accounts

• NISPOM Definition any account where more than
  one user (i.e. person) knows the password
• Common Examples
• Administrator
• Root
• Sysadmin
• ISSMs, many times, will incorrectly define it as
  a collection of user accounts

21
Group Accounts (continued)

• Group accounts, if used, must be listed in the
  SSP
• Solution in Windows environment
• Instead of 3 users all using Administrator, each
  user can be given Administrator privileges but
  each uses a unique account

22
Physical Security Seals

• Is it possible to have a restricted area with no
  seals?

23
Periods Processing

• Upgrade and downgrade between sessions
• Clearance between sessions (ISL 01-1)
• Can be used for different NTK, classification
  levels and Protection Levels
• Procedure documented in SSP
• Separate media for each period of processing
• Record required

NISPOM 8-502, ISL 01-1, Q53
24
Closed Area Periods Processing

• Situations that would cause an IS in a closed
  area to do Periods Processing
• INITIAL CLASSIFIED USE OF WORKSTATION
• CONNECTING UNCLASSIFIED REMOTES
• MULTIPLE PROJECTS WITHOUT SAME NTK
• UNCLEARED MAINTENANCE PERSON WITH DIAGNOSTICS

25
Degaussers

• NSA Degausser Products List
• Rating based on Orested value
• Validated within 6 months of purchase then again
  after additional 6 months if marginal or annually
  if not marginal. Once every 2 years after that

26
Degaussers

• 2500 Orested Tapes DVC Pro, DDS3, DDS4, DTF 2
• Change of policy No degaussing barium ferrite
  disks or tapes

27
Frequently Asked Questions

• Is a separate maintenance copy of the operating
  system required? Answer ONLY if maintenance
  personnel are not appropriately cleared
• Accreditation by other DoD activity can DSS
  accept it? Yes with ISSM certification that SSP
  meets baseline NISPOM

28
Frequently Asked Questions

• Can an IS be sent to another DSS region without a
  second accreditation? Yes
• SSP accreditation letter
• Certification by gaining ISSM
• Connection to another IS may require
  accreditation

29
Frequently Asked Questions

• How often is write protected media tested?
  Answer once per session
• One time connection of contractor to GOV site
  Is an MOU DISN solution required? Answer Yes

30
Frequently Asked Questions

• Zip drive not rigid media, no sanitization
  overwrite permitted can degauss
• Jazz drive rigid media, can be sanitized by
  approved overwrite program can degauss can
  write protect

31
Frequently Asked Questions

• Is reaccreditation required for IS that is moved?
  Answer Yes, if different physical security
  environment
• What is an acceptable review of unclassified
  software developed by uncleared developer for use
  on an IS? Answer line by line review of source
  code

32
Frequently Asked Questions

• Can an ISSM self certify remote or interconnected
  network connections? Answer No
• Trusted download Is factory fresh media
  required? Answer Yes

33
New Technology

• Sony AIT-3 tapes radio frequency transmitters
  OK
• Wireless notebooks disconnect wireless
• IBM Asset Identification embedded RF
  Transmitter disconnect
• Models Intellistation 300PL GL, Thinkpad
  660E 770Z
• USB Watches

34
Auditing Issue Aid

• Possible solution for auditing unsuccessful
  access attempts to Security Relevant Objects
• SNARE
• www.intersectalliance.com/projects/Snare
• LINUX, SOLARIS and Windows

35
When is Sanitization Required?

• Sanitization is only accomplished under 2
  conditions
• IS no longer required
• Repair IS outside facility

36
Scenario

• You have a requirement for a STU III connection
  to a Government site
• Is an MOU required?
• Do you need to list the remote sites?

37
Questions???