Tuesday, September 22, 2009

Recommended Security Controls for Federal Information Systems and Organizations
This chapter of NIST SP 800-53 discusses the fundamental concepts of security control selection and specification: security control organization and structure, security control baselines, common controls, security controls in external environments, security control assurance, and revisions and extensions of controls. Below is a table outlining the security control organization and structure.
Table 1.1

The table below describes the process of selecting and specifying security controls for an information system. The process covers risk management, information system categorization, security control selection, and security control monitoring. The figure below shows the specific steps of the Risk Management Framework.
                                                                           Table 2.1
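As an added illustration of the categorize-then-select steps in the framework (example code written for this post, not from SP 800-53 or NIST), the script below derives a system's impact level from its FIPS 199 categorization using the FIPS 200 high-water-mark rule, parses SP 800-53 control identifiers into family, number and enhancement, and picks the controls belonging to the matching baseline. The catalog entries in SAMPLE_CATALOG are a constructed sample of the identifier and baseline structure, not the real Appendix D allocations, and the function names are this example's own.

```python
"""Added example: FIPS 199 categorization -> SP 800-53 baseline selection.

Not NIST's code. The SAMPLE_CATALOG allocations are a constructed
illustration of the identifier and baseline structure, not the real
SP 800-53 Rev 3 Appendix D tables.
"""
import re

# Ordered impact levels; baselines are cumulative (HIGH contains MODERATE and LOW).
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}

# Constructed sample: identifier -> lowest baseline in which it is selected.
SAMPLE_CATALOG = {
    "AC-1": "LOW",
    "AC-2": "LOW",
    "AC-2(1)": "MODERATE",
    "AC-2(4)": "MODERATE",
    "AC-6": "MODERATE",
    "AU-10": "HIGH",
}

# Family (two letters), control number, optional enhancement in parentheses.
ID_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


def parse_control_id(cid):
    """Split 'AC-2(1)' into ('AC', 2, 1); a base control has enhancement None."""
    m = ID_RE.match(cid)
    if m is None:
        raise ValueError(f"not an SP 800-53 identifier: {cid!r}")
    family, number, enhancement = m.groups()
    return family, int(number), (int(enhancement) if enhancement else None)


def sort_key(cid):
    """Order controls by family, then number, then enhancement (base first)."""
    family, number, enhancement = parse_control_id(cid)
    return family, number, enhancement or 0


def system_impact_level(confidentiality, integrity, availability):
    """FIPS 200 high-water mark: the system level is the highest of C, I and A."""
    ratings = (confidentiality, integrity, availability)
    for r in ratings:
        if r not in LEVELS:
            raise ValueError(f"impact level must be one of {list(LEVELS)}: {r!r}")
    return max(ratings, key=LEVELS.__getitem__)


def select_baseline(catalog, impact_level):
    """Controls allocated to the baseline for impact_level, sorted by identifier."""
    ceiling = LEVELS[impact_level]
    chosen = [cid for cid, lowest in catalog.items() if LEVELS[lowest] <= ceiling]
    return sorted(chosen, key=sort_key)


def missing_base_controls(selected):
    """Structural check: every enhancement needs its base control in the set too."""
    have = set(selected)
    missing = set()
    for cid in selected:
        family, number, enhancement = parse_control_id(cid)
        base = f"{family}-{number}"
        if enhancement is not None and base not in have:
            missing.add(base)
    return sorted(missing, key=sort_key)


if __name__ == "__main__":
    level = system_impact_level("LOW", "MODERATE", "LOW")
    baseline = select_baseline(SAMPLE_CATALOG, level)
    print(level, baseline, missing_base_controls(baseline))
```

The high-water mark is what makes one MODERATE rating on integrity pull the whole system, and therefore every control in the baseline, up to MODERATE; the last function is the kind of consistency check worth running on a tailored baseline, since an enhancement such as AC-2(1) is meaningless without AC-2 itself.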




References:

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final-errata.pdf


Generally Accepted Security Principles
The main purpose of the security principles and practices developed by the National Institute of Standards and Technology (NIST) is to help the federal government apply them in the design, use, and protection of government information systems, particularly front-line systems that deliver services electronically to citizens. The OECD provides a setting in which governments compare policy experiences, seek answers to common problems, identify good practice, and coordinate domestic and international policies; NIST's generally accepted security principles are based on the OECD guidelines. The document is organized as eight principles and fourteen practices. Each principle applies to each practice, but the nature of the relationship varies: in some cases a practice is derived from one or more principles, in other cases a practice is constrained by the principles.


Generally Accepted System Security Principles
1. Computer Security Supports the Mission of the Organization
2. Computer Security is an Integral Element of Sound Management
3. Computer Security Should Be Cost‐Effective
4. Systems Owners Have Security Responsibilities Outside Their Own Organization
5. Computer Security Responsibilities and Accountability Should Be Made Explicit
6. Computer Security Requires a Comprehensive and Integrated Approach
7. Computer Security Should Be Periodically Reassessed
8. Computer Security is Constrained by Societal Factors


Common IT Security Practices
1. Policy
2. Program Management
3. Risk Management
4. Life Cycle Planning
5. Personnel/User Issues
6. Preparing for Contingencies and Disasters
7. Computer Security Incident Handling
8. Awareness and Training
9. Security Considerations in Computer Support and Operations
10. Physical and Environmental Security
11. Identification and Authentication
12. Logical Access Control
13. Audit Trails
14. Cryptography

Here is a link to an article in which NIST's generally accepted principles and practices were applied in order to reduce the fraud taking place in the seafood industry. The forum report explains how the fraud happens and how NIST and other agencies became involved in setting standards to eradicate it.

http://ts.nist.gov/WeightsAndMeasures/upload/Seafood-Forum-Final.pdf


Reference:
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
DoS Attacks

When fighting any method of attack, it is imperative for information security professionals to first understand the attack at hand. If you don't know how it works, you can't stop it, fight it, or, most importantly, prevent it.
The "Network Timeout" error message shown in the screenshot is what users received when they requested a Twitter page. The article is about the DoS attacks that hit Twitter and Facebook. These attacks are not new, and sites do recover from them, but there has to be some way to keep the sites available while one is under way.
The sole purpose of a DoS/DDoS attack is to saturate the target servers or machines with so many requests (pings, connection attempts, HTTP requests) sent so quickly that the target runs out of some resource: bandwidth, connection-table entries, memory, or CPU. Its intended processes and services then cannot complete, and clients usually see their requests time out. A distributed attack (DDoS) spreads the sending across many compromised hosts, so no single source has to generate much traffic and blocking one address achieves little. There are many types of DoS/DDoS attack (ICMP flooding, SYN flooding, peer-to-peer attacks, teardrop attacks, nukes, and so on), but the underlying idea and process are the same.
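As an added example, not from the article or from Twitter, the script below shows the simplest application-layer detection for the flood described above: it parses web-server access-log lines in Common Log Format, keeps a trailing window of request timestamps per source, and reports any source whose request count inside the window exceeds a threshold. The log lines are constructed by build_sample_log() for this example (one bursting source and one normal client) and are assumed to arrive in time order; the names and thresholds are this example's own.

```python
"""Added example: flag request floods in web-server logs with a sliding window.

Not from the article. The log lines are constructed for this example,
in Common Log Format, and are assumed to be in time order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample: 10.0.0.5 sends 150 requests in five seconds while
    192.0.2.10 sends 20 requests spread over a minute."""
    base = datetime(2009, 8, 6, 10, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=i // 30), "10.0.0.5") for i in range(150)]
    events += [(base + timedelta(seconds=3 * i), "192.0.2.10") for i in range(20)]
    events.sort()
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'
        for ts, ip in events
    ]


def parse_line(line):
    """Return (source_ip, timestamp) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, _request, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT)


def find_flooders(lines, window_seconds=10, threshold=100):
    """Per source, count requests inside a trailing window of window_seconds and
    return {ip: peak count} for sources whose peak exceeded threshold.

    Memory is bounded per source by the window, so this can run over a live
    tail of the log rather than a complete file."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest count seen in any window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that have aged out
            q.popleft()
        if len(q) > peak[ip]:
            peak[ip] = len(q)
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    print(find_flooders(build_sample_log()))
```

Two caveats a practitioner would add. A per-source threshold catches the bursting client but not a distributed attack in which thousands of hosts each stay under the limit, so the same window should also be kept for the aggregate request rate. And a purely volumetric flood can fill the uplink before the web server logs anything at all, so log-based detection complements network-level monitoring rather than replacing it.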


Tuesday, September 15, 2009

Malware Attacks Apple Computer’s Mac OS X

Malware is one of the biggest threats to computer users, alongside viruses. It hijacks the browser, redirects search attempts, serves up nasty pop-up ads, and tracks which websites we visit. It consumes processor time and memory, which slows the processes the user actually wants and reduces the responsiveness of the operating system. Many malware programs reinstall themselves after you think you have removed them, or hide themselves deep within Windows, making them very difficult to clean.
My article is about a piece of malware called Leap-A. I chose this article because it enlightened me. I always thought Mac OS was one of the most robust and secure operating systems, but here is a malicious program that could be the first Trojan in the wild to target Apple Computer's Mac OS X operating system. The program is not a virus; rather it is software that spreads through iChat as a compressed file and has to be downloaded and executed by the user. Even though the threat from this malware is minimal, it is a wake-up call, as it is the first OS X malicious content in the wild that had been noted at that point.
But the majority of malware programs must be installed by the user; otherwise they can't enter your system. Unfortunately, getting infected with malware is usually much easier than getting rid of it, and once malware is on your computer it tends to multiply.
The link to the article is posted below.


References:
http://www.zdnetasia.com/news/security/0,39044215,39311184,00.htm
http://www.macworld.com/article/49459/2006/02/leapafaq.html
NIST 800‐30

1. What is the purpose of NIST Special Publication 800‐30?
The purpose of NIST SP 800-30 is to provide a foundation for the development of an effective risk management program. It contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems, with the ultimate goal of helping organizations better manage IT-related mission risks.
2. What is the principal goal of an organization’s risk management process?
The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.
3. According to NIST, what three processes compose risk management?
•Risk Assessment
•Risk Mitigation
•Evaluation and Assessment
4. How does risk management relate to the System Development Life Cycle (SDLC)?
Risk management is an integral part of the SDLC. The SDLC has five phases, and risk identification and mitigation take place in all of them: initiation, development or acquisition, implementation, operation or maintenance, and disposal.
5. NIST 800‐30 defines seven Information Assurance “key roles”. Name and briefly describe each of them?
•Senior Management - Ensures that the necessary resources are effectively applied so that the organization's mission is accomplished.
•Chief Information Officer - Responsible for IT planning, budgeting, and performance, including the IT security components.
•System and Information Owners - Responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of the IT systems and data they own.
•Business and Functional Managers - Responsible for business operations and the IT procurement process; they must take an active role in the risk management process.
•ISSO - Information system security officers and IT security program managers are responsible for their organizations' security programs, including risk management.
•IT security practitioners - Responsible for the proper implementation of security requirements in their IT systems.
•Security Awareness Trainers - Must understand the risk management process in order to develop training material and build risk awareness into the training given to users.
6. How does NIST 800‐30 define risk?
A function of the likelihood of a given threat‐source’s exercising a particular potential vulnerability, and the resulting impact of the adverse event on the organization.
7. How does NIST 800‐30 define a threat?
NIST defines a threat as the potential for a particular threat-source to successfully exercise a particular vulnerability.
8. How is a threat source defined? Name three common threat sources.
A threat-source is defined as any circumstance or event with the potential to cause harm to an IT system. The common threat-sources are natural, human, and environmental.
9. How does NIST 800‐30 define vulnerability?
A vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited, resulting in a security breach or a violation of the system's security policy.
10. According to NIST, whose responsibility is IT Security, (technical or management)
IT security is the responsibility of both technical and management personnel. Management sets the vision, assigns responsibilities, and ensures that the staff has proper technical training; the technical personnel test, implement, and maintain the security controls.
11. What is a security control?
Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.
12. Define: technical controls, management controls, and operational controls.
•Technical controls - safeguards that are incorporated into computer hardware, software, or firmware.
•Management controls - focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization's goals and mission.
•Operational controls - used to correct operational deficiencies that could be exercised by potential threat-sources; they are carried out by people and procedures rather than being built into the technology itself.
13. How should the adverse impact of a security event be described?
The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability and confidentiality.
14. Describe the difference between quantitative and qualitative assessment?
Qualitative impact analysis prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities, but it does not provide specific quantifiable measurements of the magnitude of the impacts, which makes a cost-benefit analysis of any recommended controls difficult.
Quantitative impact analysis provides a measurement of the impacts' magnitude, which can be used in the cost-benefit analysis of recommended controls. Its drawback is that, depending on the numerical ranges used to express the measurement, the meaning of the result may be unclear and has to be interpreted qualitatively; intangible impacts such as loss of public confidence or loss of credibility also resist being expressed as a number.
15. Name and describe six risk mitigation options.
•Risk Assumption - To accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level.
•Risk Avoidance ‐ To avoid the risk by eliminating the risk cause and/or consequence.
•Risk Limitation - To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability.
•Risk Planning ‐ To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
•Research and Acknowledgment ‐To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
•Risk Transference ‐To transfer the risk by using other options to compensate for the loss, such as purchasing insurance
16. What is residual risk?
Residual risk is the risk remaining after the implementation of new or enhanced controls. Practically no IT system is risk free, and not every implemented control eliminates the risk it is intended to address or reduces the risk level to zero.
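To show how the definition of risk in question 6, the quantitative/qualitative trade-off in question 14, and residual risk fit together, here is an added example (written for this post, not NIST's code) that implements the risk-level matrix from SP 800-30 section 3.7.1: likelihood ratings weighted 1.0/0.5/0.1 and impact ratings weighted 100/50/10 multiply to a score that falls into the High (>50 to 100), Medium (>10 to 50) or Low (1 to 10) band, and the same calculation is repeated with post-control ratings to get residual risk. The risk register and the effects of its controls are constructed for the example, as are the function names.

```python
"""Added example: the SP 800-30 risk-level matrix and residual risk.

Not NIST's code. Likelihood weights, impact weights and the three risk
bands are those of SP 800-30 section 3.7.1; the register entries and the
control effects below are a constructed illustration.
"""
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood, impact):
    """Risk = likelihood that a threat-source exercises a vulnerability x impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Map the score onto the three bands: High >50-100, Medium >10-50, Low 1-10."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix():
    """The full 3x3 likelihood/impact matrix as {(likelihood, impact): level}."""
    return {(l, i): risk_level(risk_score(l, i)) for l in LIKELIHOOD for i in IMPACT}


def residual_risk(likelihood, impact, control):
    """Re-rate after a control. control maps 'likelihood' and/or 'impact' to the
    post-control rating; residual risk is whatever the control leaves behind."""
    new_likelihood = control.get("likelihood", likelihood)
    new_impact = control.get("impact", impact)
    return risk_level(risk_score(new_likelihood, new_impact))


def assess(register):
    """register: list of dicts with threat, likelihood, impact and optional control.
    Returns one row per entry with the inherent and residual risk levels."""
    rows = []
    for entry in register:
        inherent = risk_level(risk_score(entry["likelihood"], entry["impact"]))
        residual = residual_risk(entry["likelihood"], entry["impact"],
                                 entry.get("control", {}))
        rows.append({"threat": entry["threat"], "inherent": inherent,
                     "residual": residual})
    return rows


# Constructed register for the example; the control effects are assumptions.
SAMPLE_REGISTER = [
    {"threat": "unpatched web server exploited from the Internet",
     "likelihood": "High", "impact": "High",
     "control": {"likelihood": "Low"}},   # patching lowers the likelihood
    {"threat": "laptop holding customer data is lost",
     "likelihood": "Medium", "impact": "High",
     "control": {"impact": "Low"}},       # disk encryption lowers the impact
    {"threat": "flood damages the data center",
     "likelihood": "Low", "impact": "High"},   # risk assumed, no control
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['threat']}: inherent {row['inherent']}, residual {row['residual']}")
```

The numbers are deliberately coarse: multiplying two ordinal ratings gives a score that looks quantitative but only makes sense through the bands, which is exactly the limitation question 14 describes. The third register entry also shows that "risk assumption" leaves residual risk equal to inherent risk, and that a Low likelihood of a High impact event still lands in the Low band under this matrix, something worth sanity-checking before accepting it.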


References:
NIST SP 800-30, Risk Management Guide for Information Technology Systems, by Gary Stoneburner, Alice Goguen, and Alexis Feringa.
Information Assurance Model
The National Security Telecommunications and Information Systems Security Committee (NSTISSC) has defined IA as:
“Information operations (IO) that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities”.
Information Assurance not only expands the coverage, responsibilities, and accountability of security professionals but also provides a view of information protection as a subset of Information Operations that includes not only IA defensive measures but also proactive offensive activities. Viewed from this perspective, the axiom “your offense is only as good as your defense” brings a completely new perspective to IA, to include such measures as “Active Network Defense”.

According to the author, Information Assurance is now viewed as both multidisciplinary and multidimensional; the strength of this model lies not in redefining the field of IA but in the multidimensional view it gives for implementing robust IA programs. The model has four dimensions, which together describe the measures that protect a system and the information resident in it.

The four dimensions of this model are:
• Information States
• Security Services
• Security Countermeasures
• Time
Information States:
Information exists in three states: stored, processed, and transmitted. Information can be in any of these states and can even be in two of them at the same time.
Security Services:
Security services are an integral part of the Information Assurance model. The model lists five:
• Availability,
• Integrity
• Authentication
• Confidentiality
• Non-Repudiation.
Security Countermeasures:
Security countermeasures are the protective activities, drawn from technology, operations, and people, that are required to prevent espionage, sabotage, theft, or unauthorized use of classified or controlled information, systems, or material. Without them the system is vulnerable to attack.
Time:
Time is the fourth dimension of the integrated model; it is not a causal agent of change but a confounding one. For example, the introduction of new technology requires, over time, modifications to the other dimensions of the model in order to restore the system to a secure state of operation. The human side of the time line is career progression: individuals involved in IA become better trained and educated, and these learning activities, over time, enhance the system's security state.
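One practical use of the three static dimensions is a gap analysis: every (information state, security service, countermeasure) cell of the cube either has a control in it or does not. The following is an added example written for this post, not code from the cited paper; the control list is constructed, each control being tagged with the countermeasure dimension it belongs to and the states and services it protects, and the function names are this example's own.

```python
"""Added example: using the four-dimension IA model for a gap analysis.

Not from the cited paper. The control list is constructed; each control is
tagged with the countermeasure dimension it belongs to and the information
states and security services it protects.
"""
STATES = ("stored", "processed", "transmitted")
SERVICES = ("availability", "integrity", "authentication",
            "confidentiality", "non-repudiation")
COUNTERMEASURES = ("technology", "operations", "people")

# Constructed control inventory for the example.
SAMPLE_CONTROLS = [
    {"name": "TLS on every network link", "countermeasure": "technology",
     "states": ["transmitted"],
     "services": ["confidentiality", "integrity", "authentication"]},
    {"name": "full-disk encryption on laptops", "countermeasure": "technology",
     "states": ["stored"], "services": ["confidentiality"]},
    {"name": "nightly off-site backups", "countermeasure": "operations",
     "states": ["stored"], "services": ["availability"]},
    {"name": "signed, append-only audit log", "countermeasure": "technology",
     "states": ["stored"], "services": ["integrity", "non-repudiation"]},
    {"name": "annual awareness training", "countermeasure": "people",
     "states": list(STATES), "services": ["confidentiality"]},
]


def validate(control):
    """Reject a control tagged with a value outside the model's dimensions."""
    if control["countermeasure"] not in COUNTERMEASURES:
        raise ValueError(f"{control['name']}: unknown countermeasure "
                         f"{control['countermeasure']!r}")
    for state in control["states"]:
        if state not in STATES:
            raise ValueError(f"{control['name']}: unknown state {state!r}")
    for service in control["services"]:
        if service not in SERVICES:
            raise ValueError(f"{control['name']}: unknown service {service!r}")


def coverage(controls):
    """Set of (state, service, countermeasure) cells that at least one control covers."""
    cells = set()
    for control in controls:
        validate(control)
        for state in control["states"]:
            for service in control["services"]:
                cells.add((state, service, control["countermeasure"]))
    return cells


def gaps(controls):
    """Cells of the model that no control covers, sorted for reporting."""
    all_cells = {(st, sv, cm) for st in STATES for sv in SERVICES
                 for cm in COUNTERMEASURES}
    return sorted(all_cells - coverage(controls))


def unprotected_services(controls, state):
    """Services with no control of any kind for information in the given state."""
    covered = {sv for st, sv, _cm in coverage(controls) if st == state}
    return [sv for sv in SERVICES if sv not in covered]


if __name__ == "__main__":
    for state in STATES:
        print(state, "unprotected:", unprotected_services(SAMPLE_CONTROLS, state))
    print(len(gaps(SAMPLE_CONTROLS)), "of", len(STATES) * len(SERVICES) *
          len(COUNTERMEASURES), "cells have no control")
```

Run over the constructed inventory, the report shows what the model is for: information being processed has only a people-side control for confidentiality and nothing for the other four services, and data in transit has no availability or non-repudiation measure at all. Re-running the analysis after the inventory changes is the time dimension in practice.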
Conclusion:
The IA model provides a framework that can be understood by a teacher, a student, and a working analyst alike. It engages students of all backgrounds in individual and group activities that explore areas of information assurance with investigative skills appropriate to their level, and it lets them arrive at solutions largely on their own, with limited reliance on the teacher. The author explains that he can classify a component by where it falls on the countermeasures dimension, understand it by determining whether and how it protects information in its various states, and use the model to think of IA as dynamic rather than static.

References:
[1] http://grothoff.org/christian/teaching/2007/3704/w2c3.pdf
[2] https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2007-92.pdf
[3] http://en.wikipedia.org/wiki/Information_assurance








Identity Theft

Identity theft is one of the fastest growing crimes in America and has been a problem for many years. A dishonest person who has someone's Social Security number can use it to obtain other personal information, such as bank details. Identity thieves can use the number and the victim's good credit rating to apply for more credit, then run up the credit cards and never pay the bills. Victims may not find out that someone is using their number until they are turned down for credit or receive calls from unknown creditors demanding payment for items they never bought.
Criminals have found many ways to obtain an ordinary person's information and misuse it. Hacking is one of the high-tech methods of identity theft.
Here is one such article, in which a group of hackers stole millions of credit card numbers: “Federal authorities said Tuesday that they had cracked the largest case of identity theft in U.S. history, charging 11 people in the theft of more than 40 million credit and debit card account numbers from computer systems at such major retailers as TJ Maxx and Barnes & Noble. The three-year investigation by federal agencies and overseas allies brought home the global nature of the Internet's underground economy as agents tracked leads from China to Ukraine and picked up suspects in Turkey and Germany as well as the U.S.
The full scope of the damage may never be learned, but the Justice Department said the fraud reached at least into the tens of millions of dollars. Many potential victims have yet to be contacted.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," U.S. Atty. Gen. Michael B. Mukasey said at a news conference in Boston, where he announced indictments handed up by grand juries there and in San Diego. Mukasey also thanked other countries for cooperating and helping to coordinate arrests.
To the chagrin of the U.S. Secret Service, which handles many electronic fraud investigations, the trail led back to one of its own informants, Albert Gonzalez. Justice Department officials said Gonzalez served as the ringleader and double-crossed the agency by tipping off his cohorts. Prosecutors said Gonzalez could face a life term in prison”.
Please see the link below for the complete article….


Reference:


LiveCD

What is LiveCD?

A live CD is a CD-ROM or DVD-ROM carrying an operating system that boots and runs directly from the optical drive, without being installed on a hard drive. When the computer is rebooted without the live CD it returns to its previously installed operating system.

Its Uniqueness:

Files that would typically be installed on the hard drive are loaded into RAM, so simply rebooting the computer returns it to its previous state. This makes a live CD a good choice for anyone who has to use a public computer terminal. Booting from the CD lets the user take advantage of the computer's resources, including network access and the disk drives, without loading the OS or any applications installed on the computer's hard drive. Note that the live system can still read and write the host's disks; for recovery or forensic work, mount them read-only so that nothing on the original drive is modified. A live CD also gives no protection against a compromised BIOS or a hardware keylogger attached to the terminal, since those sit underneath whatever operating system is booted.

Security Perspective:

From a security perspective a live CD is useful for removing viruses from a system whose installed OS can no longer be trusted, for taking drive images, and for recovering a dying system when the OS on the hard disk is at stake. It is also very handy for test-driving a new OS.

Drawback:

It reduces the RAM available to other applications, and the operating system runs more slowly because it is executed from the optical disc rather than from the hard disk drive. These are the drawbacks of a live CD.

Different Types of Live CD’s:

Knoppix

Knoppix was one of the first Linux live CDs available. It is a Debian-based distribution packed with open-source software. One of its most popular uses is recovering files from damaged drives: it contains open-source applications for testing disk integrity, recovering files, reading corrupted drives, and more. About 2,000 programs are packed onto the disc, covering everything from disk recovery to media playback.

Ultimate Boot CD 4 Windows

Ultimate Boot CD 4 Windows uses your Windows installation disc (only Windows XP and Windows Server 2003 are officially supported) to build a bootable version of Windows on a disc. The custom disc includes many quality Windows-based tools covering everything from backing up and cloning your disks to running diagnostics, partitioning, and recovering data, among them CCleaner, UltraVNC, and Recuva. It is the best choice for people who use Windows.

Puppy Linux

Puppy Linux belongs to the family of ultra-small Linux distributions. The operating system is less than 100 MB and can be loaded onto anything from a CD to a USB drive. The user interface is friendly even for non-Linux users, and the basic tools needed for partitioning and file recovery are readily available, although it is just as good for web browsing and basic computing. Puppy Linux also has a handy feature: if you burn it to a rewritable CD, it can save your user settings for the next session.

BackTrack

BackTrack is a live CD designed for penetration testing of computers and networks. It leaves no corner of computer and network security unpoked, unscanned, unprodded, or unanalyzed: it is packed with some 300 tools covering everything from packet sniffing to wireless hotspot probing to brute-force password attacks. It is best suited to network professionals.

Ubuntu

Ubuntu's enormous popularity as the mainstream Linux distribution certainly bolsters its rank among live CDs. Many a new Ubuntu user has tried out the operating system from the live CD before using that very same CD to install it. Even if you don't intend to do a full install, just as with Puppy Linux you can do all manner of computing tasks without leaving a trace on the computer you are using. The Ubuntu live CD comes with OpenOffice, Firefox, Pidgin, the BitTorrent client Transmission, and the open-source image editor GIMP: a decent set of tools for using Ubuntu as a portable computing platform.

References: