Cybersecurity exchange briefing oct 2012 v2


Presentation by Greg Wilshusen and Naba Barkakati at the Oct 2, 2012 breakfast meeting of Meritalk Cybersecurity Exchange.


  1. GAO’s Information Security Audits
     Presented to: Cyber Security Exchange, October 2, 2012
  2. Cyber Security Exchange – Agenda
     • Source of Audits
     • Audit Methodology for IS Controls
     • Assessing Finding Significance
     • Communicating Audit Results
     • Recent GAO Reports
     • Q&A
  3. Source of Audits
     • Statutory mandates
     • Congressional requests
     • Comptroller General’s authority
     • Engagement acceptance meeting
  4. • FISMA: Mandate Report / Annual Analysis; Small, Micro, & Independent Agencies; Census, NTSB, NMB; FCC ESN; Cyber risk management; High impact systems
     • Emerging Issues: Cybersecurity Strategies; Oversight of Contractor Security; Implantable Medical Devices; Cyber Incident Handling & Response; Continuous Monitoring; FedRAMP
     • Privacy: Taxpayer Privacy Protections; Privacy of Location-Based Information; Data Breach Notification and Response; Computer Matching Agreements
     • Consolidated Financial Statements: IRS; TARP; BPD/Federal Reserve; FHFA; FDIC; SOSI; SEC; CFPB; OIGs
     • Critical IT Systems & Infrastructure: Smart Grid; Communications Networks Security; Security of Mobile Devices; Maritime Cyber Threats and Security; Federal Cyber Coordination w/ States & Locals
     • Training/Methodology & External Liaison: FISCAM; GAO Internal Controls; Internal/External Training; Technical Assistance to Hill; OMB/NIST/NASCIO
  5. Audit Methodology for IS Controls
     • Federal Information System Controls Audit Manual (GAO-09-232G)
     • Objective: to assess the effectiveness of an agency’s security controls in protecting the confidentiality, integrity, and availability of its information systems and information.
     • Scope: access controls; configuration management; segregation of duties; contingency planning; security management
  6. Audit Methodology for IS Controls (cont.) – Technical & Audit Guidance
     • Federal laws – FISMA
     • Office of Management and Budget (OMB)
     • National Institute of Standards & Technology (NIST)
     • Defense Information Systems Agency (DISA)
     • National Security Agency (NSA)
     • Vendor guidance and industry practices
     • Government Auditing Standards
  7. Audit Methodology for IS Controls (cont.) – Iterative and Holistic Assessment Approach
  8. Audit Methodology – Understanding the Environment
     • Identify the most important assets (information, databases, systems)
     • Approach: formal and informal discussions
     • Network diagrams and simple tools (telnet or nmap, for instance)
     • Confirm our understanding of the environment
  9. Audit Methodology – Logical Access Control Areas
     • Focus on the main controls that might stop an intruder, based on knowledge of the latest vulnerabilities, such as:
       – Browser: Java, ActiveX, Flash, PDF
       – “Spoofed” emails
  10. Audit Methodology – Controlling Access To and From Networks
     • If exploited, how does information go out? HTTP, HTTPS, DNS
     • Authentication of network routing protocols (EIGRP, BGP)
     • Cisco SAFE (Security Reference Architecture)
     • VPN – use of TLS vs. SSL
     • Firewall rules (Cisco ASA, Check Point, etc.)
     • Data loss prevention solutions
  11. Audit Methodology – Controlling Access To and From Host Devices
     • Ask agencies to run scripts to get key configuration settings (Windows, Linux/Unix, etc.)
     • Database scanner
     • Email server (sendmail, postfix) settings
     • Internet Explorer, MS Office settings
     • Conformance to vendor guidance (Microsoft, Apple)
     • Up-to-date patches
     • Virtualization – hypervisor security settings, Storage Area Network (SAN) configurations
  12. Audit Methodology – Consider Trust Relationships
     • Formal trust – Windows domains
     • Informal – any device connecting to the VPN
     • Check Windows Active Directory group policy
     • Weak links that may be exploited
  13. Assessing Finding Significance
     • Vulnerabilities should be assessed in the context of the network and the impact on the organization’s mission.
  14. Communicating Audit Results
     • Focus on the most important problems – the ones that will help the agency become more secure
     • Criteria – CIS, NIST, vendor guidance
     • Condition – describe the problem
     • Effect – explain what could happen if exploited
     • Cause – sometimes unclear, often related to an immature information security program
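One way to do the host-level "run a script to get key configuration settings" step from slide 11 and to present each gap in the Criteria / Condition / Effect form from slide 14, as an added example that is not GAO's own script: a POSIX shell script that reads a Linux sshd_config, compares a handful of settings with hardening values of the kind found in CIS benchmarks and vendor guidance, and reports each mismatch as a finding. The expected values, the sshd defaults used for unset keywords, the function names and the two sample configuration files are this example's own assumptions, not material from the briefing.

```shell
#!/bin/sh
# Added example, not GAO's script: compare a Linux host's sshd_config with a
# short list of hardening criteria (CIS/vendor style) and report each gap as
# Criteria / Condition / Effect. Assumes "Keyword value" lines separated by
# whitespace, which is the common form of the file.

# Print the effective value of KEY in FILE. sshd uses the first uncommented
# occurrence of a keyword, so the first match wins; prints nothing if unset.
setting_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ print $2 }'
}

# check_setting FILE KEY EXPECTED SSHD_DEFAULT EFFECT
# Returns 0 when the effective value matches EXPECTED (case-insensitive);
# otherwise prints one finding and returns 1. A keyword that is not set in
# the file falls back to the sshd default supplied by the caller.
check_setting() {
    actual=$(setting_value "$1" "$2")
    origin="set in file"
    if [ -z "$actual" ]; then
        actual=$4
        origin="sshd default, not set"
    fi
    lc_actual=$(printf '%s' "$actual" | tr '[:upper:]' '[:lower:]')
    lc_expected=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    if [ "$lc_actual" = "$lc_expected" ]; then
        return 0
    fi
    printf 'FINDING\n  Criteria:  %s %s\n  Condition: %s is %s (%s)\n  Effect:    %s\n' \
        "$2" "$3" "$2" "$actual" "$origin" "$5"
    return 1
}

# audit_sshd_config FILE: run every criterion, print a summary line, and
# return the number of findings as the exit status (0 means the file passed).
audit_sshd_config() {
    findings=0
    # One criterion per line: KEY|EXPECTED|SSHD_DEFAULT|EFFECT (assumed values)
    while IFS='|' read -r key expected default effect; do
        check_setting "$1" "$key" "$expected" "$default" "$effect" || findings=$((findings + 1))
    done <<'EOF'
PermitRootLogin|no|prohibit-password|root activity cannot be attributed to an individual
PasswordAuthentication|no|yes|password guessing against any reachable account
PermitEmptyPasswords|no|no|accounts with blank passwords are usable remotely
X11Forwarding|no|no|larger attack surface through forwarded X11 sessions
MaxAuthTries|4|6|more guesses per connection before the server disconnects
EOF
    printf '%s: %d finding(s)\n' "$1" "$findings"
    return "$findings"
}

# Constructed sample files, not captured from any real host: a weak
# configuration beside a hardened one.
weak=$(mktemp) && hardened=$(mktemp)
printf '%s\n' '# weak: root login on, password auth left at its default' \
    'PermitRootLogin yes' '#PasswordAuthentication no' 'X11Forwarding no' > "$weak"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'MaxAuthTries 4' > "$hardened"
audit_sshd_config "$weak" || true      # 3 findings
audit_sshd_config "$hardened" || true  # 0 findings
rm -f "$weak" "$hardened"
```

The exit status of audit_sshd_config carries the finding count so the same function can be dropped into a larger collection script that runs on many hosts and tallies results; the criteria table is deliberately a plain text block so an auditor can swap in the values from whichever benchmark is the agreed criteria for the engagement.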
  15. Communicating Audit Results (cont.)
     • Reports: publicly available; limited distribution
     • Testimony statements
     • Congressional briefings
     • Media interviews
  16. Recent GAO Reports
     • GAO-12-757, Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged (Sept. 2012)
     • GAO-12-961T, Privacy: Federal Law Should Be Updated to Address Changing Technology Landscape (July 2012)
     • GAO-12-926T, Cybersecurity: Challenges in Securing the Electricity Grid (July 2012)
     • GAO-12-696, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses (July 2012)
     • GAO-12-876T, Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage (June 2012)
  17. Recent GAO Reports (cont.)
     • GAO-12-666T, Cybersecurity: Threats Impacting the Nation (April 2012)
     • GAO-12-424R, Management Report: Improvements Needed in SEC’s Internal Control and Accounting Procedure (April 2012)
     • GAO-12-393, Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data (March 2012)
     • GAO-12-361, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks (March 2012)
     • GAO-12-507T, Cybersecurity: Challenges in Securing the Modernized Electricity Grid (February 2012)
  18. Recent GAO Reports (cont.)
     • GAO-12-92, Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use (December 2011)
     • GAO-12-8, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination (November 2011)
     • GAO-12-130T, Information Security: Additional Guidance Needed to Address Cloud Computing Concerns (October 2011)
     • GAO-12-137, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements (October 2011)
  19. Recent GAO Reports (cont.)
     • GAO-11-751, Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards (September 2011)
     • GAO-11-708, Information Security: FDIC Has Made Progress, but Further Actions Are Needed to Protect Financial Data (August 2011)
     • GAO-11-695R, Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates (July 2011)
     • GAO-11-865T, Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure (July 2011)
  20. Recent GAO Reports (cont.)
     • GAO-11-149, Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain (July 2011)
     • GAO-11-75, Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities (July 2011)
     • GAO-11-605, Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate (June 2011)
     • GAO-11-463T, Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure and Federal Information Systems (March 2011)
     • GAO-11-308, Information Security: IRS Needs to Enhance Internal Control Over Financial Reporting and Taxpayer Data (March 2011)
  21. Contact Information
     • Greg Wilshusen, Director, Information Security Issues, 202.512.6244
     • Naba Barkakati, Ph.D., Director, Center for Science, Technology & Engineering; Chief Technologist, 202.512.4499