Configuring Technical Safeguards

1.0 Identification Data
1.1 BSP Number
00003
1.2 BSP Title/Name
Reviewing the Configuration of Technical Safeguards at USAID Mission
1.3 Version Number
1.1
1.4 Adoption Date
January 23, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
In the Security Process Framework: Technical Security/Operate/Administer Technical Security Safeguards/Monitor Security Safeguards.

In the SSE CMM Framework: Monitor Security Posture/Monitor Security Safeguards.

1.9 Reserved
Not to be completed by the drafter
1.10 Points of Contact
Government BSP Owner:
  • James P. Craft, CISSP
    USAID Information Systems Security Officer
    1300 Pennsylvania Ave., Suite 2.12-032
    Washington, DC 20523-2120
    Telephone: 202-712-5460
    Fax: 202-216-3053
    E-mail: jcraft@usaid.gov

Vendor Partner:

2.0 What This BSP Does
2.1 BSP's Purpose
This BSP discusses how to review the technical configuration of the security mechanisms of selected operating systems, network operating systems, and firewalls, and, if the configuration is not secure, to reconfigure the mechanisms at USAID missions worldwide. The procedures efficiently blend remote monitoring with onsite validation.

UNIX

This section provides a checklist designed to assess the UNIX operational security posture of an organization. Individual line items in the UNIX checklist that are checked "No" should be documented in the Justifications section of the checklist.

Windows NT

This section provides a checklist for configuring the security of an NT 4.0 system.

The checklist contains items relative to physical security, user account security, auditing and supervisor account security. Security configuration compliance with the checklist is considered as a minimum requirement and is mandatory for host systems connected to the organization's backbone and/or to the Internet. The security configurations included herein will also be used for any initial and follow-on system accreditation, security plans, and similar activities. This checklist is subject to change if any new system anomalies or vulnerabilities are identified.

Individual line items in the Windows NT checklist that are checked "No" should be documented in the Justifications section of the checklist.

Banyan

This section provides a checklist for configuring the security of a BANYAN VINES-based system.

The checklist contains items relative to physical security, user account security, auditing and supervisor account security. Security configuration compliance with the checklist is considered as a minimum requirement and is mandatory for host systems connected to the organization's backbone and/or to the Internet. The security configurations included herein will also be used for any initial and follow-on system accreditation, security plans, and similar activities. This checklist is subject to change if any new system anomalies or vulnerabilities are identified. Personnel using this checklist are cautioned that, because there are several variants of the basic BANYAN VINES operating system, additional configuration requirements may be necessary.

Individual line items in the Banyan checklist that are checked "No" should be documented in the justifications section of the checklist.

Microsoft Proxy Server

This section provides a checklist to assess the Microsoft Proxy Server operational security posture of an organization. Individual line items in the Microsoft Proxy Server checklist that are checked "No" should be documented in the Justifications section of the checklist.

Network Review (General Security Checklist)

This section provides a checklist to assess the physical, operational, and administrative security posture of an organization. Individual line items that are checked "No" should be documented in the Comments section.

2.2 Requirements for this BSP
OMB A-130 Appendix III:
  • Section A.3.a.3 states: "Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system."
2.3 Success Stories
Below is correspondence from an organization expressing their appreciation for raising their security posture through the use of this Risk Assessment Process.

Subject: COMPUTER SECURITY TEAM VISIT

Source: David Bayer, USAID Peru Executive Office

If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his Risk Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.

And last but not least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.

Computer security is becoming an important issue for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission is very important.

3.0 What This BSP Is
3.1 Description of BSP
3.1.1 Inputs
  1. Scanning tools and results (see Section 4.4)
  2. Safeguards Configuration Checklists
  3. Safeguards Configuration Handbooks
3.1.2 Process

Step 1. Determine the operating system on each target system host(s).

Step 2. Determine the IP addresses associated with each operating system on the target system host(s).

Step 3. Run the tool appropriate for the system(s) being reviewed to determine where configuration problems exist (see Section 4.4, Tools).

Step 4. Document problems, evaluate and obtain patches/fixes.

Step 5. Conduct an on-site visit to the organization whose system(s) are being verified.

  • Use the appropriate Checklist to determine what configuration items should be verified.
  • Use the appropriate Handbook to determine how to verify the configuration items and how to correct those which may create a vulnerability.

Step 6. Complete the Checklist as each item is verified/corrected. Items not found on the checklist should be analyzed and appropriate action taken. Items implemented as a result of the analysis should be submitted for addition to the OS checklist.

Step 7. Coordinate and document all changes with Application owners as well as the system administrators.

Step 8. Run the tool appropriate for the system being reviewed to determine that the configuration problems have been resolved. Document any remaining vulnerability.

Step 9. Prepare the Final Report and forward to the organization's ISSO, the reviewed system's owner, and other appropriate parties.
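The reconciliation implied by Steps 3 through 9, as an added example that is not part of the original BSP or of any USAID tooling: it combines the onsite checklist with the Step 3 and Step 8 scan results to produce the items the Final Report must document. The record layout, item IDs, finding names, and addresses are constructed for illustration; the BSP does not define a data format.

```python
from dataclasses import dataclass

@dataclass
class ChecklistItem:
    item_id: str             # constructed ID, not taken from the BSP checklists
    host: str
    compliant: bool          # True = checked "Yes", False = checked "No"
    justification: str = ""  # entry in the checklist's Justifications section

def reconcile(checklist, pre_scan, post_scan):
    """Combine onsite checklist results with the Step 3 and Step 8 scans.

    Each scan maps (host, finding) -> checklist item ID, or None when the
    finding has no matching checklist item.
    """
    pre, post = set(pre_scan), set(post_scan)
    # (host, item ID) pairs the Step 8 re-scan still reports
    still_reported = {(h, item) for (h, _), item in post_scan.items() if item}
    return {
        "resolved": sorted(pre - post),      # fixed between Step 3 and Step 8
        "remaining": sorted(pre & post),     # Step 8: document what remains
        "introduced": sorted(post - pre),    # appeared after reconfiguration
        "unjustified_no": [c.item_id for c in checklist
                           if not c.compliant and not c.justification.strip()],
        # Onsite "Yes" that the remote re-scan disagrees with
        "contradicted_yes": [c.item_id for c in checklist
                             if c.compliant and (c.host, c.item_id) in still_reported],
        # Step 6: findings with no checklist item, to submit for addition
        "checklist_candidates": sorted(
            k for k, item in {**pre_scan, **post_scan}.items() if item is None),
    }

# Constructed sample data (RFC 5737 documentation addresses).
CHECKLIST = [
    ChecklistItem("NT-01", "192.0.2.5", True),
    ChecklistItem("NT-07", "192.0.2.5", False, "Legacy application needs it until migration"),
    ChecklistItem("UX-03", "192.0.2.9", False),
    ChecklistItem("UX-05", "192.0.2.9", True),
]
PRE_SCAN = {
    ("192.0.2.5", "audit-policy-disabled"): "NT-01",
    ("192.0.2.5", "guest-account-enabled"): "NT-07",
    ("192.0.2.9", "world-writable-system-file"): "UX-03",
    ("192.0.2.9", "password-aging-unset"): "UX-05",
    ("192.0.2.9", "unneeded-network-service"): None,
}
POST_SCAN = {k: PRE_SCAN[k] for k in list(PRE_SCAN)[1:4]}  # three findings persist

if __name__ == "__main__":
    for section, entries in reconcile(CHECKLIST, PRE_SCAN, POST_SCAN).items():
        print(f"{section}: {entries}")
```

An entry under `contradicted_yes` means the onsite validation and the remote re-scan disagree, so that item should be re-verified before the Final Report is issued.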

3.1.3 Outputs
The results of the Technical Safeguard Configuration review are contained in the overall final report of the mission's cyber-security assistance visit report. A template of that report's table of contents is attached.
3.2 Relationship to Other BSPs
This BSP comprises a sub-set of the total integrated process for conducting a cyber-security assistance visit at USAID missions worldwide.
4.0 How To Use This BSP
4.1 Implementation Guidance
Having the Administrator of the system being reviewed work closely with the individual conducting the review can enhance the efficiency of this process.
4.2 Implementation Resource Estimates
Personnel: Operating System Administrator or knowledge equivalent.

Time per System/Device:

  • Preparation Time up-front: 2 - 4 hours identifying the current condition of the configuration and downloading the appropriate patches in preparation for the on-site activities.
  • On-Site Time: 4 - 8 hours depending on the status of the device. Four hours to verify a previously configured device, and up to 8 hours to configure a newly installed device.
  • Final Report Preparation Time: 4 hours; this includes the documentation of activities by the reviewer and also the transfer of the documentation by the report writer into the final report.
4.3 Performance Goals and Indicators (Metrics)
General Goal: To eliminate those security vulnerabilities associated with the configuration of the subject systems.

Performance Goal: To identify existing vulnerabilities, define and implement countermeasures, and verify solution effectiveness.

Outcome Goal: Known vulnerabilities will be resolved. Unresolved vulnerabilities will be documented for further analysis and resolution development.

Output Goal: To achieve compliance with OMB A-130 guidelines.

General Objective: To protect automated information systems against potential threats.

Performance Indicator: The results obtained from each system scan/evaluation will provide metrics for determining requirements for repetition interval.

4.4 Tools
The tools used to perform the Technical Safeguards Configuration Review are the configuring mechanisms provided with the subject systems and selections from the available configuration scanning tools. The tools shown here are configuration scanners in general use that have been found effective in past network surveys. Because new vulnerabilities can be discovered at any time, other tools should be evaluated and may be used if they augment the functions included in this list. The latest versions of all tools should be used:
4.5 Training Materials
User guides and materials for the above listed tools
Appendices
A Executive Overview and Briefing
Appendix A
B Reference List
Not available
C Procurement Information
The United States Agency for International Development (USAID) has contracted for general IRM support with Computer Sciences Corporation (CSC) under the Agency's Principal Resource for Information Management Enterprisewide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C.
D Evaluation Information
Not yet evaluated.
E Recommended Changes
Version 1.0 of the BSP was reviewed after conducting cyber-assistance visits to Phnom Penh, Cambodia and Manila, Philippines during November and December, 2000. The review has determined the original BSP remains valid and has incorporated minor editorial revisions.
F Glossary
Not available.