RSA 2009 talk on GAO Technical Approach to Assessing Computer Security at Federal Agencies
Slides for RSA 2009 talk on GAO's Technical Approach to Assessing Computer Security at Federal Agencies by Naba Barkakati, Lon Chin, and West Coile

1. GAO's Technical Approach to Assessing Computer Security at Federal Agencies. Naba Barkakati, Lon Chin, West Coile, US GAO. 4/24/09 | Session ID: GPG-401
2. Agenda
   • FISCAM Overview
   • Challenges of Computer Security Audits
   • Logical Access Control Assessment Approach
   • Sample Results, Summary Points, and Q&A
3. Challenges of Computer Security Audits
4. Computer Security Audit Challenges (image: Lumeta Corporation's Internet Map. Patent(s) Pending & Copyright (c) Lumeta Corporation 2009. All Rights Reserved)
5. Computer Security Audit Challenges
   • Networks are becoming more complex, diverse and interconnected
   • New computing environments limit the effectiveness of the more traditional types of IT audits:
     • Compliance checklists
     • Limited scope reviews
     • Vulnerability scanning
6. FISCAM Overview: Federal Information System Controls Audit Manual
7. FISCAM
   • Presents a methodology for conducting audits of information system controls
   • Originally issued January 1999
   • Updated February 2009
   • http://www.gao.gov/new.items/d09232g.pdf
8. FISCAM – General Controls
9. Logical Access Controls Assessment Approach
10. Trust but verify
11. Methodology: Iterative and Holistic Assessment Approach
12. Network Control Points
   • Controlling and securing network traffic: inbound and outbound
13. Host Control Points (diagram: access paths to hosts)
14. Logical Access: Control Areas
15. Consider Trust Relationships
16. Putting the Pieces Together
   • Vulnerabilities should be assessed in the context of the network and the impact on the organization's mission.
17. Sample Results
18. Sample Result 1: Rogue Internet Printer
19. Sample Result 2: Layered Insecurity
20. Sample Result 3: Mail Attack
21. Sample Result 4: Application Password Reset
22. Summary Points
   • Understand the controls environment
   • Select key control points (considering a holistic approach)
   • Conduct testing & validation
   • Analyze data
   • Identify trust relationships
   • Select additional devices for assessment
   • Analyze results in the context of the network and impact on mission
23. Some Closing Thoughts …
   • It depends …
   • If then else … (don't rely only on checklists)
   • Take a holistic view of the controls environment
   • Understand & recognize "trust relationships"
   • Vulnerability scanners are not a silver bullet
   • Context
24. Questions & Comments
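The deck's central point (slides 16, 22 and 23) is that a scanner finding means little until it is placed against the network control points, the host access paths and the trust relationships around it, and that the hosts a trust relationship leads to are the ones to pull into the next assessment round. The following is an added worked example that is not code from the GAO slides or from FISCAM; it models those three ingredients as a small graph and rates each finding by the access path it opens rather than by scanner severity alone. Every host, permitted flow, trust relationship and finding in it is constructed, and the assumption that a trust hop carries its own network connectivity is the example's, not the deck's.

```python
# Added example (not from the GAO slides or FISCAM): rate scanner findings by the
# access path they open, combining network control points (permitted zone-to-zone
# flows), host access paths (exploitable services) and trust relationships.
# Every host, flow, trust and finding below is constructed for illustration.
from collections import deque, namedtuple

Host = namedtuple("Host", "name zone services mission_critical", defaults=[False])
Finding = namedtuple("Finding", "host port severity")  # scanner output, out of context

class Network:
    def __init__(self, hosts, flows, trusts):
        self.hosts = {h.name: h for h in hosts}
        self.flows = frozenset(flows)  # (src_zone, dst_zone, port) permitted by a control point
        # trusts are (trusting, trusted) pairs: owning `trusted` yields `trusting`.
        # Assumption: a trust hop carries its own connectivity, so flows are not rechecked.
        self.trusted_by = {}
        for trusting, trusted in trusts:
            self.trusted_by.setdefault(trusted, set()).add(trusting)

    def reach(self, start, findings):
        """BFS from `start`; returns host -> (previous host, how it was reached)."""
        vuln = {}
        for f in findings:
            vuln.setdefault(f.host, set()).add(f.port)
        parents = {start: (None, "start")}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            zone = self.hosts[cur].zone
            steps = [(t, "trust relationship") for t in self.trusted_by.get(cur, ())]
            for name, h in self.hosts.items():
                # a network hop needs a permitted flow AND an exploitable service
                for port in vuln.get(name, set()) & h.services:
                    if (zone, h.zone, port) in self.flows:
                        steps.append((name, f"permitted flow to tcp/{port}"))
            for nxt, how in steps:
                if nxt not in parents:
                    parents[nxt] = (cur, how)
                    queue.append(nxt)
        return parents

    def path(self, parents, target):
        """Render an access path from reach() as 'a -> b [how] -> c [how]'."""
        hops, node = [], target
        while node is not None:
            prev, how = parents[node]
            hops.append((node, how))
            node = prev
        hops.reverse()
        return hops[0][0] + "".join(f" -> {n} [{how}]" for n, how in hops[1:])

def assess(net, findings, entry="internet"):
    """Rate each finding by what it uniquely opens from `entry` (reachability
    with the finding minus reachability without it)."""
    with_all = set(net.reach(entry, findings))
    results = []
    for f in findings:
        without = set(net.reach(entry, [g for g in findings if g != f]))
        opened = sorted(with_all - without)
        mission = [h for h in opened if net.hosts[h].mission_critical]
        if mission:
            context = "high: opens an access path to mission system(s) " + ", ".join(mission)
        elif opened:
            context = "medium: extends the access path to " + ", ".join(opened)
        else:
            context = f"low: no access path from {entry} runs through this finding"
        results.append((f, opened, context))
    return results

def next_devices(net, findings, entry="internet"):
    """Hosts reached only through trust: never flagged by the scanner, so the
    iterative approach pulls them into the next round of testing."""
    parents = net.reach(entry, findings)
    return sorted(h for h, (_, how) in parents.items() if how == "trust relationship")

def build_example():
    """Constructed environment: DMZ web server, internal app tier trusted by the
    mission database, and an HR host with no inbound flow from outside its zone."""
    hosts = [Host("internet", "internet", frozenset()),
             Host("web01", "dmz", frozenset({80, 443})),
             Host("app01", "internal", frozenset({8080})),
             Host("db01", "internal", frozenset({1433}), mission_critical=True),
             Host("hr01", "hr", frozenset({445}))]
    flows = [("internet", "dmz", 80), ("internet", "dmz", 443), ("dmz", "internal", 8080)]
    trusts = [("db01", "app01")]                    # db01 accepts app01's service account
    findings = [Finding("web01", 443, "medium"),    # e.g. outdated TLS library
                Finding("app01", 8080, "critical"), # e.g. RCE in the app server
                Finding("hr01", 445, "critical")]   # e.g. unpatched SMB service
    return Network(hosts, flows, trusts), findings

if __name__ == "__main__":
    net, findings = build_example()
    for f, opened, context in assess(net, findings):
        print(f"{f.host}:{f.port} scanner={f.severity:<8} {context}")
    print("path:", net.path(net.reach("internet", findings), "db01"))
    print("next devices to assess:", next_devices(net, findings))
```

Run as-is, the "medium" finding on the DMZ web server is the one that opens the whole path to the mission database (through the app tier's permitted flow and then the database's trust in the app service account), while the "critical" SMB finding on the HR host opens nothing from the Internet because no control point permits a flow into its zone. That inversion of the scanner's own ranking is the deck's "context" point, and `next_devices` returns the database host, reached only via trust, as the device to select for the next assessment iteration.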