Abstract
This article presents a summary of ten leading sources of security practice definition and implementation guidance. It uses ISO 27002 as a foundation (given its international standard status and broad, installed base) and builds on and augments it with additional source material. A summary of publicly available CERT course materials is presented to aid in practice implementation. The content in this article can be used independently or in concert with the approaches described in the other articles in this content area.
Introduction
Purpose
The intent of this article is to provide a navigational aid through the leading sources of security standards, frameworks, and guidelines, at a more detailed level than the other articles in this content area. We'll look at various standards as well as CERT courseware that can help you better understand how to implement these standards.
You need not read this content from A to Z; instead, you can focus first on those practices or standards that you wish to implement immediately and then later delve into those you might not have considered before. We recommend using this article as a reference and a guide.
Contents
This article
- describes the benefit of using a defense-in-depth or layered defense approach to deploying and operating security practices
- presents a summary of the leading sources of security practice definition and implementation guidance
- uses ISO 27002 [ISO 05A] as a foundation and builds on and augments it with additional source material
- summarizes publicly available CERT courseware that provides detailed, how-to implementation guidance, including online lectures and labs
Many publicly available and useful frameworks, guidelines, and sets of practices describe actions organizations should take to deploy and operate secure systems and deliver secure services to their customers. These include
- the Payment Card Industry Security Standard
- publications provided by the U.S. National Institute of Standards and Technology (NIST) for U.S. federal agencies
- community-based frameworks such as
- ITIL for the IT service management industry
- COBIT for the IT governance and IT audit communities [ITGI 07a], [Campbell 05]
- publications developed by BITS and the Federal Financial Institutions Examination Council (FFIEC) [FFIEC 06] for the U.S. financial services sector
- the American Chemistry Council’s Responsible Care® Program for the chemical industry [ACC 02], [ACC 06]
- member-organization-based frameworks such as the Information Security Forum’s Standard of Good Practice for Information Security [ISF 07]
- user/vendor consensus frameworks such as the Center for Internet Security’s consensus configuration benchmarks for specific operating systems and other technologies
- international standards, most notably ISO/IEC 27002 [ISO 05a], ISO/IEC 27001 [ISO 05b], ISO/IEC 27005 [ISO 08], ISO/IEC 20000 [ISO 05c], and ISO 21827 [ISO 04]
Adoption of any of these, in concert with a commitment to continuous improvement, appears, at least anecdotally,1 to achieve and sustain an improved level of operational security.
Defense in Depth
Such a wealth of security practices can be overwhelming to review, understand, and use as a basis for determining what to do. One effective means for navigating the security practices landscape is to implement a layered defense or defense-in-depth strategy (refer to the BSI Defense in Depth principle description).2
NIST Special Publication 800-27
NIST Special Publication 800-27, Engineering Principles for Information Technology Security [Stoneburner 04] states that
Securing information systems against the full spectrum of threats requires the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems. This is due to the highly interactive nature of the various systems and networks and the fact that any single system cannot be adequately secured unless all interconnecting systems are also secured.
By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach will not leave the system unprotected. Through user training and awareness, well-crafted policies and procedures, and redundancy of protection mechanisms, layered protections enable effective protection of information technology for the purpose of achieving mission objectives.
As part of Principle 8: Implement tailored system security measures to meet organizational security goals, NIST 800-27 states:
Recognizing the uniqueness of each system allows a layered security strategy to be used – implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.
As part of Principle 16: Implement layered security (ensure no single point of vulnerability), NIST 800-27 goes on to state
For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system.
The need for layered protection is especially important when commercial off-the-shelf (COTS) products are used.
Redundancy and Diversity
Two of the key architectural approaches to consider as part of a layered defense are redundancy3 and diversity. “Redundancy says you have more than one of everything, diversity says you have more than one of everything but they're different. If you can do some redundancy and some diversity where, for example, you distribute your infrastructure in multiple physical locations, then the motivated attacker has to think harder about what part of your organization they're going to target” [Lindner 06].
Another example is to operate both Linux and Windows operating systems on critical servers such that if one is attacked, the other is not affected. Clearly there are risks, tradeoffs, and costs to consider in implementing such a strategy. Redundancy and diversity solutions are typically more expensive and require additional staff skill and competence. These costs need to be weighed against the benefit of fewer or less disruptive security breaches and the ease of restoring a system to its production state after it has been compromised.
Plan, Do, Check, Act, Risk-Centered Practices, and Integrating Security and IT provide additional guidance on how to select practices that can aid in implementing a defense-in-depth approach.
Security Practice Categorization
This section presents categories of security practices to consider during deployment and operations. Its intent is to serve as a navigational aid through the leading sources of security practices and frameworks, at a more detailed level than the other articles in this content area.
Given widespread, international use, ISO 27002 Code of practice for information security management [ISO 05a] and ISO 27001 Annex A Information security management systems [ISO 05b] were used to build the initial master list of practices categories. Categories were then expanded and updated based on the additional sources described below.
Some of the practice categories (such as managing human resources and managing the physical environment for security) are well beyond the scope of deployment and operations. They are included here for completeness; several (such as acquire and develop secure systems) are addressed in much greater detail in other BSI content areas.
The practice categories are as follows. Table 1 (available at the end of this article) identifies subpractices within these categories and sources that provide further details, including guidance for practice implementation in support of secure deployment and operations.
- Assess, manage, and mitigate security risk.
- Develop, review, and maintain a useful security policy.
- Develop, review, and maintain a useful security plan.
- Manage the organization to operate securely, including both internal operations and relationships with external parties.
- Adequately protect organizational assets that have security requirements and affect the security of the enterprise.
- Manage human resources for security prior to employment, during employment, and following changes in assignment or termination.
- Manage the physical environment to meet security requirements and mitigate risk.
- Ensure the correct and secure operation of systems and software. This includes a wide range of practices such as change management, configuration management, third party service delivery, system planning, dealing with malicious code, backup, network security, and all forms of monitoring and security assessment.
- Control access to all classes of assets in support of business requirements.
- Acquire, develop, and maintain secure systems. For the purposes of deployment and operations, this includes vulnerability management and change management.
- Report and manage security incidents.
- Ensure business continuity.
- Comply with legal requirements and other sources of security requirements.
Sources Used to Identify Practice Categories
The following sources were used in constructing the security practice categories described above and expanded in Table 1. They contain security practice definitions and system- and software-neutral implementation guidance:
- ISO/IEC 27002
- ISO/IEC 27001
- COBIT
- Corporate Information Security Working Group
- Information Security Forum
- ITIL
- NIST Special Publication 800-27
- NIST Special Publication 800-53
- NIST Special Publication 800-64
- Enhancing the Development Life Cycle to Produce Secure Software
- VISA U.S.A. Payment Application Best Practices
- CERT Courseware
ISO/IEC 27002
Code of practice for information security management [ISO 05a] describes 11 security domains and addresses compliance with these domains at managerial, organization, legal, operational, and technical levels. The eleven domains include
- security policy
- organization of information security
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development, and maintenance
- information security incident management
- business continuity management
- compliance
ISO/IEC 27001
Information security management systems [ISO 05b] describes a model for developing and managing an effective Information Security Management System (ISMS). This model is based on the Plan-Do-Check-Act (PDCA) approach commonly used in other quality models. This standard defines the certification requirements for demonstrating compliance with ISO 27002 and comprises both documentation and implementation audits. More information on this standard is available in Plan, Do, Check, Act.
COBIT®
Control Objectives for Information and related Technologies [ITGI 07a]4 describes a framework for IT governance. It is intended to ensure the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information and the systems used to process information. COBIT is organized into
- four domains (planning and organization; acquisition and implementation; delivery and support; and monitoring)
- 34 high-level control objectives
- 318 detailed control objectives
Refer to Integrating Security and IT for more details on COBIT.
Corporate Information Security Working Group
The Corporate Information Security Working Group (CISWG) was convened by Representative Adam Putnam (R-FL) and met from November 2003 through November 2004. The CISWG Phase II Best Practices and Metrics Team had as its goal to “develop a resource that would help Board members, managers, and technical staff establish their own comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security” [CISWG 04].
Information Security Program Elements
This team’s Phase II report gives detailed descriptions of Information Security Program Elements (ISPE) for governance, management, and technical operations. While these elements define security metrics, each metric relies on the presence of one or more security practices against which measures are collected, analyzed, and reported. The report defines 99 metrics. Appendices describe a baseline set of 65 that organizations can use to get started and a smaller subset of 40 for small and medium enterprises.
Governance ISPEs are discussed in the BSI Governance & Management content area. Management and Technical ISPEs are relevant to deployment and operations and are listed in Table 2. Refer to the report for a detailed description of each of these elements.
Table 2. CISWG Information Security Program Elements
Management |
|
Technical |
|
Information Security Forum
The Information Security Forum is an international association of over 280 organizations (including 50 per cent of Fortune 100 companies) that fund and cooperate in conducting practical research in information security.
The ISF’s Standard of Good Practice for Information Security [ISF 07] provides “a set of high-level principles and objectives for information security together with associated statements of good practice.” This guideline is organized into six aspects, each of which covers a particular type of operational environment. These include
- security management
- critical business applications
- computer installations
- networks
- systems development
- end user environment
“Computer installations and networks provide the underlying infrastructure on which the critical business applications run. The end user environment covers the arrangements associated with protecting corporate and desktop applications, which are used by individuals to process information, and support business processes. Systems development deals with how new applications are created and security management addresses high-level direction and control” [ISF 07].
Each aspect comprises multiple areas (36 in all) as shown in Table 3. Each area comprises multiple sections (166 in all). Each section is described by a principle, an objective, and multiple practices.
Table 3. ISF aspects and areas
SM Security Management | SM1 high level direction SM2 security organization SM3 security requirements SM4 secure environment SM5 malicious attack SM6 special topics SM7 management review |
CB Critical Business Applications | CB1 business requirements for security CB2 application management CB3 user environment CB4 system management CB5 local security management CB6 special topics |
CI Computer Installations | CI1 installation management CI2 live environment CI3 system operation CI4 access control CI5 local security management CI6 service continuity |
NW Networks | NW1 network management NW2 traffic management NW3 network operations NW4 local security management NW5 voice networks |
SD Systems Development | SD1 development management SD2 local security management SD3 business requirements SD4 design and build SD5 testing SD6 implementation |
UE End User Environment | UE1 local security management UE2 corporate business applications UE3 desktop applications UE4 computing devices UE5 electronic communications UE6 environment management |
The Topics Matrix of this Standard provides a list of topics that cut across and map to the aspects, areas, and sections. Ten pages of topics are listed in alphabetical order, including acquisition, application controls, change management, development methodologies and environment, malware protection, patch management, resilience, security architecture, security audit/review, specification of requirements, and system design and build.
ITIL
The current version of ITIL (version 3) consists of a set of five core publications, each defined as a set of processes and functions that include high-level overviews as well as detailed definitions of the steps in each process. These are as follows [itSMF 07]:
- Service Strategy Processes: strategy generation, financial management, service portfolio management, demand management
- Service Design Processes: service catalogue management, service level management, capacity management, availability management, IT service continuity management, information security management, supplier management
- Service Transition Processes: change management, service asset and configuration management, knowledge management, transition planning and support, release and deployment management, service validation and testing, evaluation
- Service Operation
- Processes: event management, incident management, request fulfillment, access management, problem management
- Functions: service desk, technical management, application management, IT operations management
- Continual Service Improvement Processes: define what you should measure, define what you can measure, gather the data, process the data, analyze the data, present and use the information, implement corrective action; service measurement, service reporting
ITIL process definitions describe the service management process as defined in ISO/IEC 20000 Information technology – Service management [ISO 05c] and as depicted in Integrating Security and IT.
NIST Special Publication 800-27
Engineering Principles for Information Technology Security [Stoneburner 04] identifies 33 “system-level security principles to be considered in the design, development, and operation of an information system. These principles are also helpful in affirming and confirming the security posture of an already deployed information system.” Nineteen of these are essential to achieving and sustaining the desired security posture during deployment and operations. The 800-27 principle numbers are retained here for ease of traceability:
- Principle 2: Treat security as an integral part of the overall system design.
- Principle 5: Reduce risk to an acceptable level. (See Risk-Centered Practices.)
- Principle 6: Assume that external systems are insecure.
- Principle 7: Identify potential tradeoffs between reducing risk, increased costs, and decreased operational effectiveness (reworded to be more clear).
- Principle 8: Implement tailored system security measures to meet organizational security goals.
- Principle 9: Protect information while being processed, in transit, and in storage.
- Principle 13: Use common language in developing security requirements. (This principle is necessary for evaluating and comparing security products, features, and their performance.) (See BSI Requirements Engineering content area.)
- Principle 14: Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process.
- Principle 15: Strive for operational ease of use.
- Principle 16: Implement layered security (ensure no single point of vulnerability).
- Principle 17: Design and operate an IT system to limit damage and to be resilient in response.
- Principle 18: Provide assurance that the system is, and continues to be, resilient in the face of expected threats.
- Principle 21: Use boundary mechanisms to separate computing systems and network infrastructures.
- Principle 23: Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
- Principle 24: Strive for simplicity.
- Principle 25: Minimize the system elements to be trusted.
- Principle 26: Implement least privilege.
- Principle 32: Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
- Principle 33: Use unique identities to ensure accountability.
NIST Special Publication 800-53
Recommended Security Controls for Federal Information Systems [Ross 07b] “provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. It applies to all components of an information system that process, store, or transmit federal information.”
Categories of Security Controls
This guideline identifies management, operational, and technical classes of controls in the following categories. The numbers in parentheses are the number of specific controls in each category.
- AC access control (20)
- AT awareness and training (5)
- AU audit and accountability (11)
- CA certification, accreditation, and security assessments (7)
- CM configuration management (8)
- CP contingency planning (10)
- IA identification and authentication (7)
- IR incident response (7)
- MA maintenance (6)
- MP media protection (6)
- PE physical and environmental protection (19)
- PL planning (6)
- PS personnel security (8)
- RA risk assessment (5)
- SA system and services acquisition (11)
- SC system and communications protection (23)
- SI system and information integrity (12)
Mappings to Other Standards
Appendix G Security Control Mappings provides a detailed mapping of 800-53 controls to ISO 17799 (27002) paragraphs.
Appendix H Standards and Guidance Mappings provides a detailed mapping of 800-53 controls to all other relevant NIST Special and FIPS publications.
NIST 800-53 “associates recommended minimum security controls with FIPS 199 [NIST 04] low-impact, moderate-impact, and high-impact security categories” [Ross 07b]. Annex 1 of this publication describes a baseline set of minimum security controls for low-impact information systems, Annex 2 for moderate, and Annex 3 for high.
NIST Special Publication 800-64
The intent of Security Considerations in the Information System Development Life Cycle [Kissel 08] is to assist organizations “in integrating essential information technology (IT) security steps into their established IT system development life cycle.” While this publication covers all life cycle phases, the practices relevant to operations and maintenance include
- Review operational readiness: When a system goes into production, unplanned modifications to software applications can occur. Selected security controls, such as configurations, may need to be retested.
- Manage security control configuration due to system changes: Changes to system hardware, software, and firmware can have a significant security impact. Assessing the impact of all changes on the system security state is essential.
- Monitor security controls continuously: Continuous monitoring is required to ensure that security controls continue to be effective and perform as expected in light of changes to the system and its operational environment. Monitoring practices include security reviews, self assessments, vulnerability scans, patch management, and other forms of security testing.
- Conduct re-authorization: For systems that require certification and accreditation to operate, re- authorization is an opportunity to conduct a full and comprehensive review based on significant changes or the passage of a specific time period. Re-authorization may also be triggered by a monitoring event.
Enhancing the Development Life Cycle to Produce Secure Software
Enhancing the Development Life Cycle to Produce Secure Software [Goertzel 08] ”arms developers, integrators, and testers with the information they need to incorporate security considerations and principles into the practices and processes they use to produce software, and thereby increase the likelihood that the resulting software will be secure.” With respect to deployment and operations, this report recommends the following practices, using the names Secure Distribution, Deployment, and Sustainment for these life cycle phases:
- Prepare for secure distribution
- Distribute all software in a default configuration that is as secure and restrictive as possible
- Deliver all default passwords in encrypted form separate from the software delivery
- Provide an automated installation tool that sets OS directory privileges as restrictively as possible
- Review and sanitize all user-viewable source code including sensitive comments, pathname references, debug information, hard-coded credentials, and data-collecting trapdoors
- Secure distribution
- For online software distribution, implement trusted distribution techniques (such as code signatures or authentication of download links) to prevent or make evident tampering with distributed code.
- For offline distribution, use a storage medium that is non-rewritable and apply a digital code signature
- Secure installation and configuration: Provide instructions for
- Configuring restrictive file system access controls for initialization files and target directories
- Validating install-time security assumptions such as expected access controls for all source code and library routines, and that the software is being installed on the anticipated execution environment
- Removing all unused and unreferenced files
- Changing passwords and account names on default accounts
- Deleting unused default accounts
- Other necessary lockdown procedures such as disabling all non-essential services and any non-secure protocols
- Secure sustainment
- Perform impact assessments and address unacceptable impacts for all patches, updates, and maintenance changes before distribution. Update appropriate system and software documentation.
- Review findings of regularly scheduled security audits, vulnerability scans, and penetration tests. Upon review and approval, take action on findings that affect the systems’ secure posture.
- Study the results of forensic analysis of security incidents to use as one basis for identifying new security requirements for future software releases.
- Use software rejuvenation and reconfiguration techniques to prevent vulnerabilities that emerge due to software aging.
Visa U.S.A. Payment Application Best Practices
In addition to the Payment Card Industry Data Security Standard [PCI 08] discussed in Plan, Do, Check, Act, Visa has developed a set of payment application best practices [Visa 07]. The purpose of these practices is to assist software vendors of payment applications to develop and deploy products that are more secure and are compliant with the PCI standard.
The following practices are relevant to deploying and operating secure software. Each practice description includes detailed subpractices and testing procedures for verifying that the practice is in place.
- Practice 3: Provide secure password features.
- Practice 4: Log application activity.
- Practice 5: Develop secure applications.
- Practice 6: Protect wireless transmissions.
- Practice 7: Test applications to address vulnerabilities.
- Practice 8: Facilitate secure network implementation.
- Practice 10: Facilitate secure remote software updates.
- Practice 11: Facilitate secure remote access to applications.
- Practice 12: Encrypt sensitive traffic over public networks.
- Practice 13: Encrypt all non-console administrative access.
CERT Courseware
Author: Stephanie Losi
This section describes three CERT courses that focus on information assurance:
- Information Assurance Defense-in-Depth: Foundations for Secure and Resilient IT Enterprises
- Survivability and Information Assurance Curriculum
- Virtual Training Environment
Defense-in-Depth: Foundations for Secure and Resilient IT Enterprises
The Defense-in-Depth Foundational Curriculum [May 06] can bring a big-picture perspective to the often detail-focused world of computer and network security, while reinforcing concepts with some implementation details.
Target Audience
The curriculum is designed for students, ranging from system administrators to CIOs, who have some technical understanding of security and want to better understand how security issues affect their entire organization. It can be useful for system administrators and IT security personnel who would like to step up to the management level. It also can provide a refresher for IT managers and executives who want to stay up-to-date on the latest technological threats facing their enterprise.
Instructors should be familiar with both the technical and managerial aspects of security and should have significant real-world experience so they can relate anecdotes as well as present curriculum material. Students should be familiar with basic computer networking and should have an interest not only in learning technological details but also in placing those details within a larger business context.
Curriculum Content
The curriculum consists of eight modules plus an introduction called “Foundations of Information Assurance.” This introduction focuses on how addressing the overarching concepts of confidentiality, integrity, and availability can lead to a comprehensive security strategy.
The eight modules in the curriculum are
- Compliance Management
- Risk Management
- Identity Management
- Authorization Management
- Accountability Management
- Availability Management
- Configuration Management
- Incident Management
The Compliance Management and Risk Management modules are presented at a fairly conceptual level; the remaining modules are presented at a more detailed level, while still preserving the big picture.
Module Descriptions
Each module is divided into several subsections.
Compliance Management is presented as “the lynchpin of security.” This section discusses U.S. laws, the need for executive-level support for security efforts, best practices for writing policies, and methods for increasing awareness of security policies throughout the organization. The Sample Policies section provides a pointer to examples and discusses techniques for creating effective policies.
Risk Management defines the concept of an asset and discusses how organizations can identify, categorize, and protect their assets using a defined process. Risks to assets must be identified and then ranked so that mitigation strategies can be put in place in a way that makes sense and supports the business mission.
Identity Management begins by defining various methods of user and computer identification as well as methods of authentication. It then moves on to discuss methods for protecting identity and privacy.
Authorization Management discusses the pros, cons, and best practices of file-system access control and network-traffic access controls. It also covers application-layer access controls, such as TCP wrappers and proxy servers.
Accountability Management defines accountability as a goal that is achieved through logging and auditing, network monitoring, and intrusion detection. Some of the subtopics discussed include automated availability checking, traffic monitoring and sniffing, antivirus, and integrity monitoring.
Availability Management presents the concepts of reliability, redundancy, failover, and fault tolerance, and then discusses various levels of availability that may be considered acceptable by organizations. Single points of failure are discussed, along with ways to mitigate them and ensure availability and business continuity.
Configuration Management details four methods of managing IT configurations: software update process, inventory control, configuration change management, and internal system assessments (such as penetration testing). Pros and cons and best practices are discussed.
Incident Management takes a process-based approach and covers planning and practice exercises, disaster and recovery preparation, and security incident handling and response.
Survivability and Information Assurance Curriculum
The SIA Curriculum [CERT 05] is useful if your organization approaches IT issues in a technology-centered way but would like to take a more process-centered approach. It helps organize system administration activities, going from a tactical, fire-fighting approach to a long-term, strategic approach.
The material contained in the SIA curriculum can be applied to sharpen system administrators’ enterprise-level perspective and help system administrators and managers speak each other’s language. As such, the SIA curriculum can be a useful tool for bridging the gap that often exists between technology-centered and process-centered approaches to IT.
Target Audience
Students are expected to have at least one to two years of experience in a system administration or closely related role. Instructors are intended to be experienced system administrators or managers of system administrators so that they can refer to real-world anecdotes as well as provided course materials.
Curriculum Description
The key foundations of the SIA curriculum are
- Use the 10 Principles of Survivability and Information Assurance (listed below).
- Understand that the network supports the core business mission—it is not technology for technology’s sake.
- Consider implementing Survivable Functional Units (explained below) to reduce network complexity and increase modularity.
- Learn to build on existing enterprise networks.
- Challenge assumptions.
Three courses form the curriculum.
- The first course focuses on the 10 Principles of Survivability and Information Assurance and is designed so that system administrators and their immediate managers can attend together.
- The second course, “Information Assurance Networking Fundamentals,” applies the 10 principles from Course 1 to the inner workings of the TCP/IP suite. It is geared toward experienced system administrators.
- The third and last course is titled “Sustaining, Improving, and Building Survivable Functional Units (SFUs).” It is designed to integrate all of the information learned in the previous two courses.
Course 1: 10 Principles of Survivability and Information Assurance
This course is taught at a relatively high level but requires some competence with system administration tasks on any operating system. The course itself uses Red Hat Linux 9. There are discussions and a lab. The 10 Principles [Rogers 04] covered in the class are
- Survivability is an enterprise-wide concern.
- Everything is data.
- Not all data is of equal value to an enterprise; risk must be managed.
- Information assurance policy governs actions.
- Identification of users, computer systems, and network infrastructure components is critical.
- Survivable Functional Units (SFUs) are a helpful way to think about an enterprise’s networks.
- Security Knowledge in Practice (SKiP) provides a structured approach.
- The road map guides implementation choices (all technology is not equal).
- Challenge assumptions to understand risk.
- Communication skill is critical to reach all constituencies.
The goal of the course is to apply these 10 principles to understand and solve system administration problems.
Course 2: Information Assurance Networking Fundamentals
Students review TCP/IP networking fundamentals outside of class using the book TCP/IP Illustrated, Volume 1 – The Protocols [Stevens 93]. In class, students
- take quizzes on the readings,
- participate in a lab exercise, and
- discuss the TCP/IP suite, taking a view that challenges assumptions about networking features and attempts to identify the real-world limitations of the protocols.
The goal is to teach students to think like hackers but not act like them.
Course 3: Sustaining, Improving, and Building Survivable Functional Units (SFUs)
The premise is that students
- individually analyze artifacts on an existing network to determine its components
- work in teams to reengineer an existing functional unit of that network, based on the lessons learned in the first two courses
- give a class presentation to explain how they made the functional unit more survivable
Lastly, in an optional third section of the course, teams of students design, build, and graft a new SFU onto an existing enterprise network in a lab environment. This is a situation that many system and network administrators will encounter in their working lives.
The lab for this portion of the curriculum is currently theoretical, but organizations that think this course could serve their needs are encouraged to use the detailed design document provided along with the faculty course materials to build a lab environment.
Course Materials
Course materials, including 2800+ pages of student workbook content, can be downloaded from the curriculum web site.
Virtual Training Environment
CERT’s Virtual Training Environment (VTE), as presented to the public, is a broad collection of more than 1800 modules. Modules may be documents, demonstrations with voiceovers, lecture videos with accompanying slides and notes, or labs.
Many topics are covered within VTE, and content is updated quarterly, so the best approach is to browse the site for the most current offerings. VTE is self-guided, so students who find the content to be of use can continue to explore various areas to gain additional knowledge.
Key goals of the VTE environment are to
- improve information security awareness worldwide
- provide a globally available training platform that improves the efficacy of online training efforts in information, computer, network, and system security
Target Audience
The VTE target audience is information security professionals who are seeking a reference library to acquire new knowledge, refresh on past knowledge, and prepare for certification examinations. They have technical backgrounds but likely possess varying degrees of security knowledge in topics such as forensics, incident handling, TCP/IP, and firewalls.
Instructors looking for material to supplement the courses they teach also may find VTE of value.
Regardless of their job role, students should have some knowledge of computer and networking technologies on Windows and/or Linux, a healthy curiosity about how security technologies work, and a willingness to use the VTE material as a jumping-off point for further study. Simply pointing and clicking through the labs may be instructive, but the best results will be obtained by in-depth, authorized practice of the skills taught.
VTE Modules
This is a sampling of VTE content modules:
- Basics of Router Administration
- SSL and TLS
- Introduction to Log File Analysis Using SWATCH
- Steganography
- Compliance Management
Lab modules require a VTE subscription, but all other content is available to the public at no cost. To view audiovisual content, students will need the Adobe Flash plug-in.
CERT Course Material Available Via VTE
Some of the modules within the main VTE list are part of larger courses and are prefaced by various tags. These are the larger courses, along with a sampling of their associated modules:
- ISFTS - Information Security for Technical Staff
- Policy Formulation and Implementation
- Securing Network Infrastructure
- TCP/IP Security
- Asset and Risk Management
- AISFTS - Advanced Information Security for Technical Staff
- Synchronization and Remote Logging
- Host System Hardening
- Intrusion Detection
- Firewalls and Access Controls
- FRGCF - First Responder's Guide to Computer Forensics
- Cyber Law
- File Systems/First Responder’s Toolkit
- Collecting Volatile Data
- Collecting Persistent Data
- ADVFOR - Advanced Forensics
- Capturing a Running Process
- Configuration and Setup of Online DFS
- Logfile Analysis Using Microsoft Log Parser
- Bookmarking with EnCase
Lastly, with a training subscription, organizations are able to combine material from the VTE platform with material from their own repositories to generate customized training courses.
Conclusion
The intent of this article has been to serve as a navigational aid through the wide range of available security standards, guidelines, and frameworks. We presented categories of security practices to consider during deployment and operations, drawing from leading sources. The content in this article can be used independently or in concert with the approaches described in the other articles in this content area.
Table 1: Security Practice Categories
Given their widespread, international use, ISO 27002 Code of practice for information security management [ISO 05a] and ISO 27001 Annex A Information security management systems [ISO 05b], described above, were used to build the initial master list of practices categories in Table 1. Table entries were then expanded and updated based on additional sources, which are also described in more detail above.
Table 1. Security practice categories
Practice Category | Subpractice | Source |
---|---|---|
Assess, manage, and mitigate security risk. | Assess, manage |
|
Mitigate |
| |
Develop, review, and maintain a useful security policy. |
| |
Develop, review, and maintain a useful security plan. |
| |
Manage the organization to operate securely. | Management commitment to security |
|
Internal organization |
| |
External parties |
| |
Adequately protect organizational assets. | Assign responsibility and ownership |
|
Classify assets |
| |
Manage human resources for security. | Prior to employment |
|
During employment |
| |
Termination or change |
| |
Manage the physical environment to meet security requirements and mitigate risk. | Secure areas |
|
Equipment |
| |
Ensure the correct and secure operation of systems and software. | Operational procedures (change management; segregation of duties, facilities) |
|
Third party service delivery |
| |
System planning (capacity management, system acceptance) |
| |
Malicious and mobile code (such as automated tools) |
| |
Back-up |
| |
Network security, including wireless |
| |
Media handling |
| |
Exchange of information (includes instant messaging) |
| |
Electronic commerce |
| |
Monitoring, reporting |
| |
Control access to all classes of assets in support of business requirements. |
| |
Business requirements |
| |
User access |
| |
User responsibilities |
| |
Network access, including remote, wireless access |
| |
Operating system access |
| |
Application, information access |
| |
Mobile computing |
| |
Acquire, develop, and maintain secure systems. (This topic is treated more comprehensively in other BSI content areas.) |
| |
Security requirements |
| |
Correct processing in applications |
| |
Cryptographic controls |
| |
Security of system files |
| |
Security in development, support processes |
| |
Vulnerability management |
| |
Application is able to operate in a secure environment |
| |
Report and manage security incidents. | Report |
|
Manage |
| |
Forensic investigations |
| |
Ensure business continuity. |
| |
Comply with security requirements. | With legal requirements |
|
With security policies, standards |
| |
Audit |
|
Terms of Use
Responsible Care® Program is registered in the U.S. Patent and Trademark office by the American Chemistry Council.
CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
COBIT® is registered in the U.S. Patent and Trademark office by the Information Systems Audit and Control Association and by the IT Governance Institute.
The IT Infrastructure Library® and ITIL® are registered trademarks of the British Office of Government Commerce (OGC). ITIL was developed in conjunction with the British Standards Institute and is overseen by The IT Service Management Forum (itSMF).
OCTAVE® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
Operationally Critical Threat, Asset, and Vulnerability EvaluationSM is a service mark of Carnegie Mellon University.
SKiPSM is a service mark of Carnegie Mellon University.
- 1. Refer to the websites noted above. For a description of additional security-related standards, visit the "Other Security Standards" page on the IsecT Ltd. website [IsecT 06].
- 2. See also [NSA] and [Hazlewood 06].
- 3. “Defense-in-depth may mean an engineering solution which emphasizes redundancy—a system that keeps working even when a single component fails—over attempts to design components that will not fail in the first place” [Lindner 06]. For more information, see the Defense-in-depth wikipedia entry [DiD 08].
- 4. See also the COBIT entry in Wikipedia [COBIT 2008].
Copyright © Carnegie Mellon University 2005-2012.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.
NO WARRANTY
THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.