FloridaA&MUniversity

ExcellencewithCaring CIS4360 IntroductiontoComputerSecurity FinalGroupDeliverable

PreparedBy BrandyMurrey KevanKnight RodneyWilson

PreparedFor Ms.ChristyChatmon November29th,2012

Pg.1

TableofContents TitlePagePg.1 TableofContents Groupcontract DoDspecificpolicies,standards,andcontrolsinthefollowingdomains: (1)Servers Pg.5 Pg.2 Pg.45

Policies1.1.1.1.3. Standards1.2.1. Controls1.3.1.

(2)User Pg.56

Policies2.12.1.4. AUP2.22.2.2. Standards2.3.2.3.1.

(3)Workstation Pg.67

Policies3.13.1.5. Standards3.2.3.2.1. Controls3.33.3.1.

(4)LAN Pg.7

Policies4.1.4.1.3. Standards4.2.4.2.1. Controls4.3.4.3.1.

(5)LANtoWAN Pg.8

Policies5.1.5.1.3. Pg.2

Standards5.2.5.2.1. Controls5.3.5.3.1.
(6)WAN Pg.810

Policies6.1.6.1.1. Procedures6.2.6.2.2. Standards6.3.6.3.2. Controls6.4.6.4.5.

(7)RemoteAccessPg.11

Policies7.1.7.1.1 Standards7.2.7.2.2. Controls7.3.7.3.2.

(8)System/Application Pg.1011

Policies8.1.8.1.4. Standards8.2.8.2.1 Controls8.3.8.3.1.

Resources Pg.1213

GroupContract

Thiscontractisalegalandbindingdocumentthatgovernsthisgroupuntiltheassignmentdeadline.
Members

Pg.3

BrandyMurrey KevanKnight RodneyWilson

I.Absences Ifbyanychanceagroupmemberisgoingtobeinabsenceofagroupmeeting,presentation,orduringthe duedateofanassignment,allmembersofthegroupwillbenotifiedandprovidedworkneededtobe submittedinsufficienttime.Theminutesforameetingcanbeprovidedforanymemberthatcouldnotmake itsothathe/sheisstillawareofanyprogressthatwasmade. II.WorkEthic Theeffortof100%isneededfromeverygroupmembernomattertheroleorsituation.Thesamegoesfor beingpunctualandcooperative.Anymemberofthegroupthatisunabletocompleteanyassignedtask mustshowinitiativebyaskingforassistance. III.Roles Atthebeginningofeachprojecttherolesleader,recorder,andskeptic/questionerwillbeassignedand rotated.Thefollowingaretheresponsibilitiesattachedtoeachrole. Leader 1. Organizesgroupmeetings. 2. Createanagendafortheproject. 3. Reinforcescommunicationthroughoutthegroup. Recorder 1. Writesdowntheminutesforeachmeeting. 2. Postsminutesinadesignatedplaceforallmembertoread. Skeptic/Questioner 1. Keepsthegroupontrackwithagenda. 2. Collectsquestionsthegrouphasaboutassignmentsandcontactstheinstructor. 3. PlaysDevilsAdvocateforthegroup. IV.Communication Communicationisanimportantpartofourgroup.Ifbyanychanceahiccupoccurswithanyofthemembers theremainderofthegroupwillbenotifiedandwewillplanaccordingly. V.Assignments Allassignmentswillbesplitamongallofthemembersandweareallresponsibleforourportions.Any memberthatisnotaccountablefortheirpartwithoutinformingothermembersinadvancewillbepenalized. VI.Memberdismissal Amemberofthegroupcanandwillbefiredfromtheirpositionand/orthegroupifthefollowingoccurs: 1. Turnsinincompleteormissinggroupwork. 2. Commitsanyformofcheatingincludingplagiarism. 3. Ifamemberisrudeoruncooperativewiththerestofthegroup.

Bysigningthiscontracteachgroupmemberstatesthattheywillactinaccordancewiththecontract.Ifany memberfailstofollowthecontracttheymaybesubjecttobeingfiredfromtheirpositionorthegroup. Pg.4

DoDspecificpolicies,standards,andcontrolsintheUser,Workstation,LAN,andLANto_WAN, RemoteAccess,System/Applicationdomains

1. 1.1. 1.1.1.

Servers

Policies Theintentofthispolicyistoensurethatallserversaremaintainedregularlyatanappropriatelevel ofsecurityandareconstantlybeingmonitoredforunusualactivity. Allserverscontaininganythingsensitivewillhavemethodsinstalledandenabledtoprotectdata. Datathatisstoredonanyportionoftheserversmustbekeptuptodateandbackeduponadaily basis. Standards ServermaintenanceismanagedbytheITworkerswhoareassignedtoservers.Itisimportantto maintainconfidentiality,integrity,andavailabilityoftheprotectedinformation.Credentialstrengthis usedtopreventforgeryandfraudulentuse.Incorporationofadditionalauthenticationfactorsis necessaryfortheconfidentialityandintegrityofinformationassurance. Controls IT(s)(InformationTechstaffthatareassignedtoservermaintenance)followsourBackupRecovery Plan(BRP)tokeeptheavailabilityofdata.TomaintainInformationassurancedatawillbeseparated intodifferentclassificationlevelsdependingonthesensitivityofthedata(TopSecret,Secret, Confidential,SensitivebutUnclassified,andUnclassified).Informationsystemswithadministrative rolesornotthathandleclassifieddataarerequiredtouseaminimumofCredentialStrengthHto mitigateknownorunanticipatedvulnerabilities.
Users

1.1.2. 1.1.3.

1.2.1.

1.3.1.

2. 2.1. 2.1.1.

Policies Thispolicystatesthatitismandatoryforallstaffthathasaccesstoourorganizationssystemsto keeptheinformationconfidential.Confidentialityistheassurancethatthedataisnotdisclosedto unauthorizedindividuals,processesordevices.Failuretodosowillresultinterminationfromour organizationandpossiblyfines. Employeesmustcompleteourorganizationscomputerawarenesstrainingprogramandagreeto upholdtheacceptableusepolicies(AUP). Allemployeesthatwillbeusersofthesystemissubjecttobackgroundinvestigationsatanytime duringemployment. UsersmustbeincompliancewithDepartmentofDefenseInstruction8500.2,subjectInformation AssuranceImplementation. Pg.5

2.1.2.

2.1.3.

2.1.4.

2.2. 2.2.1. 2.2.2.

AcceptableUsePolicy

Email Limitations a. Useofsystemsthatcouldbeexpectedtocausedirectlyorindirectlycongestion,delay,or disruptionofservicestoanycomputingfacilitiesorcauseinterferencewithothersuseof communications. b. Unauthorizedusesinclude i. Distributingcopyrightedmaterialsbyelectronicmessagingwithoutconsentfromthe owner ii. Sendingorreceivingelectronicmessagesforcommercialorpersonalfinancialgain iii. Intentionallyorunlawfullymisrepresentingyouridentityoraffiliation iv. Sendingharassing,intimidating,abusive,oroffensivematerialto,oraboutothers v. Causingcongestiononthenetworkbysuchthingsaschainletters,junkEmails,and broadcastinginappropriatemessagestogroupsandindividuals Standards Itismandatorythatconfidentialityagreementsbesignedandsecuredfromusersaccessingdata whichneedstobeprotectedfromunauthorizedaccess.Credentialstrengthisusedtoprevent forgeryandfraudulentuse.Incorporationofadditionalauthenticationfactorsisnecessaryforthe confidentialityandintegrityofinformationassurance. Controls Sensitivityofdatawithinthefirmmakespasswordstrengthsimportant.Informationsystemswith administrativerolesornotthathandleclassifieddataarerequiredtouseaminimumofCredential StrengthHtomitigateknownorunanticipatedvulnerabilities.
Workstations

2.3. 2.3.1.

2.4.1.

3. 3.1. 3.1.2.

Policies Theintentofthisdocumentistodescribethepolicyunderwhichonlyauthorizedenduserscan havepermissiontousetheorganizationsworkstations Appropriatemeasuresmustbetakenwhenusingworkstationstoensuretheconfidentiality, integrityandavailabilityofsensitiveinformation. Alldesktopsandcompanylaptopscontainingsensitiveorconfidentialdatamustbepassword protectedandhavebuiltinsecuritytoprotectdata. Ifanemployeelosesordamagesaworkstation,he/sheshouldnotifytheirmanager(s),sothatit canbereportedtolawenforcementorbedismantled.Thisisdonesotheorganization'sprivate informationisnotleftvulnerabletoothers. Standards Pg.6

3.1.3.

3.1.4.

3.1.5.

3.2.

3.2.1.UsersmustfollowtheCodeProtectionstandardbyscanninganythingthatisexternalofthe workstationbeforeaddingittothesystemtokeepoursystemsclean.ApprovedsoftwarebyITstaff canbeused.Systemlogswillbeusedtomonitoranysuspiciousandirregularsystemactivity. Passwordauditsmustbeperformedonaperiodicbasistoassurethattheusersoccupyingthe workstationsareprotected. 3.3. Controls

3.3.1Sensitivityofdatawithinthefirmmakespasswordstrengthsimportant.Informationsystemswith administrativerolesornotthathandleclassifieddataarerequiredtouseaminimumofCredential StrengthHtomitigateknownorunanticipatedvulnerabilities. 4. 4.1. 4.1.1. 4.1.2.

LAN

Policies ThispolicyensuresthatallresourcestravelingoveraLANaretobeencrypted LANconnectionsarenottobetamperedwithandaresolelyusedforbusinesspurposeswithinthe organization CompanymustbeincompliancewithDoDInformationAssuranceCertificationandAccreditation Standards WhentheLANisbeingimplemented,encryptionmeasuresmustbeestablishedtosecurethedata inthenetwork.ThingslikefirewallswillbeusedtofilterWeb,email,andTelnettraffic. Controls Firewallswillblockinboundtrafficthatreekssuspiciousactivitythatarecomingfromunknown sources,orfromthesamesourceasthedestination.RouterSecuritycontrolswillbeinplacefora formofsecurityforroutersandswitches.WifiSecuritywilldefinetheuseofwifionthefirms network.Securityassessmentswillbedoneevery90daystodetermineifsecuritycontrolsare workingasconfigured.AuditEventswilldescribeimportanteventsthatmustbeauditedand reported.
LANtoWAN

4.1.3. 4.2. 4.2.1.

4.3. 4.3.1.

5. 5.1. 5.1.2.

Policies ThispolicyensuresthatallresourcestravelingfromaLANtoWANaretobeencryptedtoprotect thedatathatisbeingtransferred. LANtoWANneedsextraprotectionwhenconnectedtotheInternet,sotheorganization's informationisnotleftvulnerable.TheITssecuritysectorisprimarilyresponsibleforfindingwaysto keepournetworksecure. Pg.7

5.1.3.

5.2. 5.2.1.

Standards ThefirmsLANtoWANinfrastructurewillneedtobenotonlyencrypted,butmonitoredduetothe transactions. Controls WhentransmittingfromaLANtoaWANthroughtheInternet,thenetworkisaprimetargetfor hackers.Measureswillbeputinplacetominimizesuchrisks.DMZcontrolwillcontrolpublicly accessibledevices.Contentfilteringwillbeineffecttocontrolthefirmsdevicestoappropriate contentonontheweb.

WAN

5.3. 5.3.1.

6. 6.1.

Policies

6.1.1.Thispolicyistoensurethatdatatravelingoverawideareanetworkisprotectedatalltimes. 6.2. 6.2.1. Procedures UnclassifiedDoDinformationthathasnotbeenclearedforpublicreleasemaybedisseminatedby thecontractor,grantee,orawardeetotheextentrequiredtofurtherthecontractprovidedthatthe informationisdisseminatedwithinthescopeofassigneddutiesandwithclearexpectationthat confidentialitywillbepreserved.Examplesare:Nonpublicinformationprovidedtocontractor, informationdevelopedduringthecourseofacontract,andprivilegedinformationcontainedin transactions. Adequatesecuritywillvarydependingonthenatureandsensitivityoftheinformationonanygiven nonDoDinformationsystem.However,allunclassifiedDoDinformationinthepossession,or controlofnonDoDentitiesonnonDoDinformationsystemsshallminimallybesafeguardedas follows: a. DonotprocessunclassifiedDoDinformationonpubliclyavailablecomputers(e.g.,those availableforusebythegeneralpublicinkiosksorhotelbusinesscenters). b. ProtectunclassifiedDoDinformationbyatleastonephysicalorelectronicbarrier(e.g., lockedcontainerorroom,logicalauthenticationorlogonprocedure)whennotunderdirect individualcontrolofanauthorizeduser c. Ataminimum,overwritemediathathavebeenusedtoprocessunclassifiedDoD informationbeforeexternalreleaseordisposal. d. Encryptallinformationthathasbeenidentifiedascontrolledunclassifiedinformation(CUI) whenitisstoredonmobilecomputingdevicessuchaslaptopsandpersonaldigital assistants,compactdisks,orauthorizedremovablestoragemediasuchasthumbdrives andcompactdisks,usingthebestencryptiontechnologyavailabletothecontractoror teamingpartner. e. LimittransferofunclassifiedDoDinformationtosubcontractorsorteamingpartnerswitha needtoknow,andobtainacommitmentfromthemtoprotecttheinformationtheyreceive toatleastthesamelevelofprotectionasthatspecifiedinthecontractorotherwritten agreement. Pg.8

6.2.2.

f.

Transmitemail,textmessages,andsimilarcommunicationscontainingunclassifiedDoD informationusingtechnologyandprocessesthatprovidethebestlevelofprivacyavailable, givenfacilities,conditions,andenvironment.Examplesofrecommendedtechnologiesor processesincludeclosednetworks,virtualprivatenetworks,publickeyenabledencryption, andtransportlayersecurity(TLS). g. Encryptorganizationalwirelessconnectionsanduseencryptedwirelessconnectionswhere availablewhentraveling.Ifencryptedwirelessisnotavailable,encryptdocumentfiles(e.g., spreadsheetandwordprocessingfiles)usingatleastapplicationprovidedpassword protectedlevelencryption. h. Transmitvoiceandfaxtransmissionsonlywhenthereisareasonableassurancethat accessislimitedtoauthorizedrecipients. i. DonotpostunclassifiedDoDinformationtowebpagesthatarepubliclyavailableorhave accesslimitedonlybydomainorInternetprotocolrestriction.Suchinformationmaybe postedtowebsitepagesthatcontrolaccessbyuseridentificationandpassword,user certificates,orothertechnicalmeansandprovideprotectionviauseofTLSorother equivalenttechnologiesduringtransmission.Accesscontrolmaybeprovidedbythe intranet(vicethewebsiteitselfortheapplicationithosts) j. Provideprotectionagainstcomputernetworkintrusionsanddataexfiltration,minimally including: i. Currentandregularlyupdatedmalwareprotectionservices,e.g.,antivirus,anti spyware. ii. Monitoringandcontrolofbothinboundandoutboundnetworktraffic(e.g.,atthe externalboundary,subnetworks,individualhosts),includingblockingunauthorized ingress,egress,andexfiltrationthroughtechnologiessuchasfirewallsandrouter policies,intrusionpreventionordetectionservices,andhostbasedsecurity services iii. Promptapplicationofsecurityrelevantsoftwarepatches,servicepacks,and hotfixes. k. ComplywithothercurrentFederalandDoDinformationprotectionandreporting requirementsforspecifiedcategoriesofinformation(e.g.,medical,proprietary,critical programinformation(CPI),personallyidentifiableinformation). l. ReportlossorunauthorizeddisclosureofunclassifiedDoDinformationinaccordancewith contract,grant,orotherlegalagreementrequirementsandmechanisms. m. DonotuseexternalITservices(e.g.,email,contenthosting,database,document processing)unlesstheyprovideatleastthesamelevelofprotectionasthatspecifiedinthe contract,orotherwrittenagreement. 6.3. 6.3.1. Standards Incomingandoutgoingnetworktrafficaremonitoredandfilteredtolimittoonlycompanyrelated business. Securitytunnelswillbesetupinallofficelocations Controls Firewallsconfiguredtofiltereverythingthatisoutsideofthebusinessnetwork. Pg.9

6.3.2. 6.4. 6.4.1.

6.4.2. 6.4.3.

VPNstosecureeachnetworklocationtopreventeavesdropping. AntiVirusprotectionwillbeenabledandregularlyupdatedtohelpmaintainacleanandsecure environment. AntiSpywareprotectionwillbeenabledandregularlyupdatedtohelpmaintainacleanandsecure environment. AntiMalwareprotectionwillbeenabledandregularlyupdatedtohelpmaintainacleanandsecure environment.

RemoteAccess:

6.4.4.

6.4.5

7. 7.1 7.1.1.

Policies Theintentofthispolicyistoensurethatonlyauthorizedusersareaccessingthecompanysserver remotely.Allremoteaccessactivityissubjecttomonitoringtoensurethatonlycompanyrelated businessistakingplacethroughanauthorizedemployeeaccount.Itismandatorythattheremote accessaddressistobekeptconfidentialbyemployees Standards Monitoringwillbemandatoryeverytimeauseraccessesthesystemremotely ApplyAUPpoliciesforremoteaccess. Controls Monitoringsoftwareisputinplacetopreventhumanmistakes.Thisisforreinforcementandfor extraprotectionjustincasethesecuritydepartmentmissesanintrusion. VPNtunnelswillbeinitiatedforallremoteaccessandrequireadditionalcredentialsforaccessof officeresources.Employeeswillbeissuedapinviacompanyemailandcompanyphonetobe certainoftheemployeeaccessingthenetworkthroughthetunnel.
System/Applications

7.2. 7.2.1. 7.2.2. 7.3 7.3.1.

7.3.2.

8. 8.1. 8.1.1.

Policies AllDoDinformationsystemswillmaintainanappropriatelevelofconfidentiality,integrity, authentication,nonrepudiation,andavailabilitythatbalancestheimportanceandsensitivityofthe informationandassets.Allthreatsandvulnerabilitiesmustbedocumented. InformationassurancemustbeavisibleelementofallDoDownedorcontrolledinformation systems,whichincludesoutsourcedITbasedprocessesandplatformITinterconnections. Informationshallbeclassifiedonlywhennecessaryintheinterestofnationalsecurityand declassifiedassoonasitisrequired. Pg.10

8.1.2.

8.1.3.

8.1.4. 8.2. 8.2.1.

Nosharingofusercredentials Standards Passwordsshouldbegeneratedwithletters,numbers,andsymbols. Shouldbemorethan6characterslong. Controls MultiEncryptionforextraprotectionofdataanduserspasswords.

8.3. 8.3.1.

Pg.11

Sources Bookresources: CompTIASecurity+ EssentialsofInformationSecurity(Security+) Webresources: DodSecurityNeedsandCOTSBasedSystems http://www.sei.cmu.edu/library/assets/dodsecurityneeds.pdf(accessedOctober16th,2012) DoDManual www.dtic.mil/whs/directives/corres/pdf/520001_vol1.pdf(accessedOctober16th,2012) DoD8570RequirementsandTraining https://www.isinc.com/2008/08/05/newdod8570requirements/(accessedOctober16th,2012) GuidanceforapplyingtheDoDtrustedcomputersystemevaluationcriteriainspecific environmentshttp://www.windowsecurity.com/uplarticle/12/std003.txt(accessedOctober16th,2012) EnsuringCompliancewithDoDWirelessPolicies http://wirelessnetworksasia.motorola.com/products/images/air_defense/downloads/White_Paper/Ensuring_ Compliance_with_DoD_Wireless_Policies.pdf(accessedOctober16th,2012) DoDPublications http://www.dtic.mil/whs/directives/corres/pub1.html(accessedOctober16th,2012) U.SGovernmentandITSecurityLaws AguidetoITSecurityLegislationandContractorResponsibilities GIACSecurityEssentialsCertification http://www.cs.jhu.edu/~rubin/courses/sp06/Reading/governmentRules.pdf(accessedOctober16th,2012) UnderstandingtheDepartmentofDefenseNetworkModel http://www.techfaq.com/understandingthedepartmentofdefensenetworkmodel.html(accessed October16th,2012)

Thenetworkmodelwhichwascreatedtoenableuserstoexchangedatabetweencomputersystemsover wideareanetwork(WAN) ThenetworkInterfaceLayer(layerone) TheInternet/Internetworkinglayer(layertwo) TheHosttoHost/TransportLayer(layerthree) TheApplicationLayer(layerfour)

DOD8570RequirementsandTraining TheDepartmentofDefensehasputtogetherrequirementslistforanyonewhoworksinInformation

Pg.12

Architecture(IA).Youhavetoobtainatleastoneoftheapprovedcertificationstomeettheminimum requirementsforeachcategory. http://www.defense.gov/webmasters/(accessedOctober16th,2012) www.dod.mil/dodgc/.../10ecc_use_of_government_resources.pdf http://www.dtic.mil/whs/directives/corres/pdf/858201p.pdf http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf http://www.niapccevs.org/pp/draft_pps/archived/remote_accessHA.pdf http://www.dtic.mil/whs/directives/corres/pdf/850001p.pdf

Pg.13