Friday, September 19, 2008

NIST 800-14


The network of computers around the world is growing rapidly, and the need for security grows in proportion to it. As the need for security grows, so does the need for standards and practices. NIST 800-14 is a document that lays out general security principles and practices to be implemented.

The National Performance Review (NPR) recommended as part of the National Information Infrastructure (NII) that the National Institute of Standards and Technology (NIST) develop generally accepted system security principles and practices for the federal government. These security principles and practices are to be applied in the use, protection, and design of government information and data systems, particularly front-line systems for delivering services electronically to citizens. The need for rules, standards, conventions and procedures that define accepted security practices was outlined in the 1991 National Research Council document Computers At Risk. Their recommendation called for the development of a comprehensive set of generally accepted system security principles (GSSP) which would clearly articulate essential security features, assurances, and practices. Work began on implementing the Computers At Risk recommendation in 1992 by several national and international organizations with an interest in computer security.

The Organization for Economic Co-operation and Development's (OECD) Guidelines for the Security of Information Systems were developed in 1992 by a group of international experts to provide a foundation from which governments and the private sector, acting singly and in concert, could construct a framework for securing IT systems. The OECD Guidelines are the current international guidelines which have been endorsed by the United States.

The principles address computer security from a very high-level viewpoint. The principles are to be used when developing computer security programs and policy and when creating new systems, practices or policies. Principles are expressed at a high level, encompassing broad areas, e.g., accountability, cost effectiveness, and integration.

The practices guide organizations on the types of controls, objectives and procedures that comprise an effective IT security program. The practices show what should be done to enhance or measure an existing computer security program or to aid in the development of a new program. The practices provide a common ground for determining the security of an organization and build confidence when conducting multi-organizational business. The document provides the practices in a checklist format to assist organizations in reviewing their current policies and procedures against the common practices.

The document describes eight principles and fourteen practices. Each of the principles applies to each of the practices. The nature of the relationship between the principles and the practices varies. In some cases, practices are derived from one or more principles; in other cases practices are constrained by principles. For example, the Risk Management Practice is directly derived from the Cost-Effectiveness Principle. However, the Comprehensive and Reassessment Principles place constraints on the Risk Management Practice.

Principles

1. Computer Security Supports the Mission of the Organization

2. Computer Security is an Integral Element of Sound Management

3. Computer Security Should Be Cost-Effective

4. Systems Owners Have Security Responsibilities Outside Their Own Organizations

5. Computer Security Responsibilities and Accountability Should Be Made Explicit

6. Computer Security Requires a Comprehensive and Integrated Approach

7. Computer Security Should Be Periodically Reassessed

8. Computer Security is Constrained by Societal Factors

Practices

1. Policy (Program Policy, Issue-Specific Policy, System-Specific Policy)

2. Program Management (Central Security Program, System-Level Program)

3. Risk Management (Risk Assessment, Risk Mitigation, Uncertainty Analysis)

4. Life Cycle Planning (Initiation Phase, Development/Acquisition Phase, Implementation Phase, Operation/Maintenance Phase, Disposal Phase)

5. Personnel/User Issues (Staffing, User Administration)

6. Preparing for Contingencies and Disasters (Identify Resources, Develop Scenarios, Develop Strategies, Test and Revise Plan)

7. Computer Security Incident Handling

8. Awareness and Training

9. Security Considerations in Computer Support and Operations

10. Physical and Environmental Security

11. Identification and Authentication

12. Logical Access Control (Access Criteria, Access Control Mechanisms)

13. Audit Trails (Audit Trail Records, Audit Trail Security, Audit Trail Reviews, Keystroke Monitoring)

14. Cryptography

The principles and practices listed above are the eight principles and fourteen practices described in the document. It is therefore recommended that every individual and every organization follow NIST 800-14 as the set of general principles and practices for securing their workplaces and technology.

References

[1] http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

[2] http://unokitty.freehostia.com/

Blog page: sunil86s.blogspot.com

Thursday, September 11, 2008

NIST 800-30


1. What is the National Institute of Standards and Technology (NIST)?

NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.

2. What role does NIST play in information assurance?

The NIST Information Assurance Framework consists of the standards and guidelines for federal information systems that are not designated as national security systems. The guidelines are not mandatory, binding standards.

3. What is the purpose of NIST Special Publication 800-30?

The purpose is to provide a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.

4. What is the principal goal of an organization’s risk management process?

The principal goals of an organization’s risk management process are:

(1) Securing the IT systems that store, process, or transmit organizational information

(2) Enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget

(3) Assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

5. According to NIST, what three processes compose risk management?

Risk management encompasses three processes:

(1) Risk Assessment,

(2) Risk Mitigation,

(3) Evaluation and Assessment.

6. How does risk management relate to the System Development Life Cycle (SDLC)?

SDLC phases, their characteristics, and the support provided by risk management activities:

Phase 1—Initiation

Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.

Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).

Phase 2—Development or Acquisition

Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.

Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.

Phase 3—Implementation

Phase characteristics: The system security features should be configured, enabled, tested, and verified.

Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.

Phase 4—Operation or Maintenance

Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.

Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).

Phase 5—Disposal

Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.

Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.

7. NIST 800-30 defines seven IA “key roles”. Name and briefly describe them.

Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management program.

System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.

Business and Functional Managers. The managers responsible for business operations and IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.

ISSO. IT security program managers and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.

IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

8. How does NIST 800-30 define a risk?

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

9. How does NIST 800-30 define a threat?

Threat is defined as the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

10. How is a threat source defined? In your answer, name three common threat sources.

Threat source is defined as either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

The three common threat sources are:

- Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

- Human Threats—Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).

- Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.

11. How does NIST 800-30 define vulnerability?

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

12. According to NIST, whose responsibility is IT security (technical or management)?

IT security is the responsibility of management, since management decides who is assigned what and is accountable for how secure the organization is.

13. Used appropriately, what does a security control accomplish?

Security controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information. Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s mission.

14. Define, compare, and contrast technical controls, management controls, and operational controls.

Technical Security Controls

Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions. Technical controls can be grouped into the following major categories, according to primary purpose:

Support: Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.

Prevent: Preventive controls focus on preventing security breaches from occurring in the first place.

Detect and Recover: These controls focus on detecting and recovering from a security breach.

Management Security Controls

Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions.

Management security controls are grouped as preventive, detection, and recovery controls, all of which are implemented to reduce risk.

Operational Security Controls

An organization’s security standards should establish a set of controls and guidelines to ensure that security procedures governing the use of the organization’s IT assets and resources are properly enforced and implemented in accordance with the organization’s goals and mission. Management plays a vital role in overseeing policy implementation and in ensuring the establishment of appropriate operational controls. Operational controls, implemented in accordance with a base set of requirements (e.g., technical controls) and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat-sources. To ensure consistency and uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained.

15. How can the adverse impact of a security event be described?

The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability, and confidentiality.

16. Describe the difference between quantitative and qualitative assessment.

The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. The disadvantage of the qualitative analysis is that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner.

17. Name and describe six risk mitigation options.

Risk mitigation is a systematic methodology used by senior management to reduce mission risk.

Risk mitigation can be achieved through any of the following risk mitigation options:

Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level

Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)

Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)

Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls

Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability

Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

18. Name and describe the three control categories.

Technical Security Controls

Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions.

Management Security Controls

Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions.

Operational Security Controls

An organization’s security standards should establish a set of controls and guidelines to ensure that security procedures governing the use of the organization’s IT assets and resources are properly enforced and implemented in accordance with the organization’s goals and mission. Management plays a vital role in overseeing policy implementation and in ensuring the establishment of appropriate operational controls.

19. Define residual risk.

Implementation of new or enhanced controls can mitigate risk by:

(1) Eliminating some of the system’s vulnerabilities (flaws and weaknesses), thereby reducing the number of possible threat-source/vulnerability pairs

(2) Adding a targeted control to reduce the capacity and motivation of a threat-source

(3) Reducing the magnitude of the adverse impact

The risk remaining after the implementation of new or enhanced controls is the residual risk.
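A worked example of the risk definition given earlier (risk as a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact) and of the residual risk that remains after the three kinds of control listed above. This is added example code, not code from the blog post or from NIST. The numeric likelihood and impact scales and the risk-level thresholds are those of the SP 800-30 risk-level matrix (likelihood High 1.0, Medium 0.5, Low 0.1; impact High 100, Medium 50, Low 10; a product above 50 is High, above 10 Medium, otherwise Low); the threat-source/vulnerability pairs and the controls applied to them are constructed sample data.

```python
from dataclasses import dataclass, replace

# Scales from the SP 800-30 (2002) risk-level matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class Pair:
    """One threat-source/vulnerability pair with its rated likelihood and impact."""
    threat_source: str
    vulnerability: str
    likelihood: str  # "High", "Medium" or "Low"
    impact: str      # "High", "Medium" or "Low"


def risk_score(pair):
    """Risk as a function of likelihood and impact: the matrix product.
    Rounded so that 0.1 * 100 compares cleanly against the thresholds."""
    return round(LIKELIHOOD[pair.likelihood] * IMPACT[pair.impact], 6)


def risk_level(score):
    """Interpret the numeric product qualitatively (the quantitative
    result still has to be read back on the High/Medium/Low scale)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairs):
    """Risk assessment: rate every pair and return {pair: (score, level)}."""
    result = {}
    for p in pairs:
        score = risk_score(p)
        result[p] = (score, risk_level(score))
    return result


# --- The three mitigation effects named in the residual-risk answer --------

def eliminate_vulnerability(vulnerability):
    """(1) Removing a vulnerability removes every pair that depends on it."""
    def control(pairs):
        return [p for p in pairs if p.vulnerability != vulnerability]
    return control


def reduce_likelihood(threat_source, new_likelihood):
    """(2) A targeted control lowers a threat-source's capacity/motivation."""
    def control(pairs):
        return [replace(p, likelihood=new_likelihood)
                if p.threat_source == threat_source else p for p in pairs]
    return control


def reduce_impact(vulnerability, new_impact):
    """(3) A control that limits the magnitude of the adverse impact."""
    def control(pairs):
        return [replace(p, impact=new_impact)
                if p.vulnerability == vulnerability else p for p in pairs]
    return control


def residual_risk(pairs, controls):
    """Apply the planned controls in order and assess what remains."""
    for control in controls:
        pairs = control(pairs)
    return assess(pairs)


def highest_level(assessment):
    """The worst risk level present, i.e. what senior management accepts."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    levels = [level for _, level in assessment.values()]
    return max(levels, key=order.__getitem__) if levels else "Low"


# Constructed sample data: threat-source/vulnerability pairs for a small system.
SAMPLE_PAIRS = [
    Pair("External attacker", "Unpatched web server", "High", "High"),
    Pair("Terminated employee", "Stale user accounts", "Medium", "High"),
    Pair("Flood", "Server room at grade level", "Low", "High"),
    Pair("Data-entry clerk", "No input validation on order form", "Medium", "Medium"),
]

# Constructed mitigation plan, one control of each kind.
SAMPLE_CONTROLS = [
    eliminate_vulnerability("Stale user accounts"),         # account-termination procedure
    reduce_likelihood("External attacker", "Low"),          # patch management and filtering
    reduce_impact("Server room at grade level", "Medium"),  # off-site backups
]

if __name__ == "__main__":
    for label, assessment in (("Before controls", assess(SAMPLE_PAIRS)),
                              ("Residual risk", residual_risk(SAMPLE_PAIRS, SAMPLE_CONTROLS))):
        print(f"{label} (overall {highest_level(assessment)}):")
        for p, (score, level) in assessment.items():
            print(f"  {p.threat_source} / {p.vulnerability}: {score} -> {level}")
```

With the sample data the initial assessment is High (the unpatched web server scores 100); after the three controls the stale-account pair is gone, the web-server pair drops to 10 (Low), the flood pair to 5 (Low), and the unmitigated input-validation pair stays at 25, so the residual risk the organization is accepting is Medium.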

ID theft

Rapper DMX Charged With Medical Identity Theft

The headline above is from the link http://www.bloggernews.net/116836.

I selected this article to show that ID theft is not only related to the financial field but also to the medical field, where a person could steal another’s identity to get a diagnosis or insurance for a medical reason.

This news article is also important for the fact that ID theft affects people not only in financial matters but also health-wise: a person could get the wrong treatment for his disease if his ID was stolen by someone else who reports a different ailment. Some people may also fail a medical test for employment.

Wednesday, September 10, 2008

Live CD


A Live CD is one that contains an operating system that is run upon boot. The operating system is not installed to the hard disk, but rather runs from the CD. A Live CD does not change the operating system already installed on the hard disk or any of the data on it. It only changes the data on the hard disk if it is asked to.

When Windows was the common Operating System and Linux had to be installed on the computer, the disk had to be partitioned for the Linux Operating System. This became a tedious process and even though the Linux Operating System was an Open-Source one, nobody used it just because of the complexity of partitioning their hard disks. The first Linux-based live CD was Yggdrasil Linux (went out of production in 1995), though in practice it did not function well due to the low throughput of then-current CD-ROM drives. The Debian-derived Linux distribution Knoppix was released in 2003, and found popularity as both a rescue disk system and as a primary distribution in its own right. Since 2003, the popularity of live CDs has increased substantially, partly due to Linux Live scripts and remastersys which made it very easy to build customized live systems[1]. KNOPPIX is a bootable CD or DVD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals[2]. Knoppix was the first major Linux live CD that was produced with security interests in mind, although it has been used for many other purposes. Many of the tools regarding Live CD were based on Knoppix to some degree.

A Live CD is more secure than an ordinary operating system installed on a desktop or laptop: because the OS runs separately from the CD, the vulnerabilities and threats involved are fewer than for a normal desktop or laptop installation, and the risk is lower because it is harder to reach the information stored on the hard drive. Live CDs are also unique in that a computer running one does not need a high-capacity hard disk drive.

Hence a Live CD contains an operating system that can be booted directly from the CD, which involves much less risk and is more secure than a desktop installation. A Live CD also does not need to be installed onto a computer in order to work on it, which makes it easier to work with.

References

[1] http://en.wikipedia.org/wiki/Live_CD

[2] http://www.knopper.net/knoppix-info/index-en.html

[3] http://unokitty.freehostia.com