|
Naval Surface Warfare Center AIS Security Domain E
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
NSWCDL AIS Security Domain Explanations
NOTE: This document is not designed to be read stand alone. It is a
supporting document, called by section from the various parts of
the domain security plan worksheets.
Security Domain ID
This is the unique identifier for the security domain. The first letter
is the letter of the department and organization code. Next is the
commonid of the security officer/DAA, followed by two digits, 01 -
99 the first to 99th domain this security.
CD2S-SNORTHC-01 ::= C Department, Stephen Northcutt, the
AIS Security Domain (01) is the only domain in CD2S.
Name (Security Domain Name)
The name that is normally used to describe the security domain.
Examples include NSWCNET, PEP, LINKS, Corporate Database.
Security Officer Reponsible
Name, email address and code of the security officer responsible
for all the AISs in the domain.
Line Manager Reponsible
Name, email address and code of the lowest level line manager
responsible for all the AISs in the domain.
Mission
What is the mission statement of this workgroup, security domain,
network, or group of computers? What does this system accomplish
for the Navy? If the space provided is not sufficient additional
documentation may be added to the package as an appendix.
List Computer Assets In This Domain
List accreditable computing assets, AISs with a CPU, memory, disk
store, and an operating system. Common special purpose devices
such as fax machines, printers, X Terminals which may have some
or all of the characteristics need no be listed. However a general
purpose computer used for a special purpose such as a PC used as a
fax machine must be listed. Computer Operating Systems that have
only minor differences (e.g. DOS 5, DOS 6 or Solaris 2.4, 2.5) may
be grouped together. Large complex domains that require more
room may add an additional sheet as an appendix.
Backups
Backups refer to the practice of creating a usable copy of all
software, data and configuration information for an AIS. Clearly
the lowest risk procedure is a complete daily backup for all
computers. This is also very difficult. The moderate risk approach
is to backup all servers daily and encourage all users to store their
data on the servers. This means that in the event of a failure, only
the user's operating system and configuration files would need to be
replaced. The high risk approach is a policy that backups are an
individual's responsibility. Backups can be a technical challenge
yet are also tedious (AIS Security recommends automating this
process). Backups performed on a greater than a weekly interval are
also high risk, if a lot of information is received or processed and
an incident occurs, the economic cost of recovery can be quite high.
Backup Media Storage
If your building suffered a major fire, or other catastrophe what
would happen to your backups? A lot of backup tapes are stored
right next to the computer ... this is fine for a disk crash, but
otherwise risky. If a computer contains sensitive information, but
the backup media is not stored in a locked container, there is a
potential risk. Offsite backup, literally off the base is a secured
facility is clearly the lowest risk approach, but is overkill except for
high criticality facilities. A perfectly reasonable alternative can be
as simple as arranging to store media in another building, for
instance two workgroups could agree to store each other's
information.
Alternate Processing Capability
In the event of serious destruction (fire, flooding ...) between 50
and 100% of all AISes assigned to a domain may become
inoperable. Undisrupted continuation of service is only possible if
plans were made and tested BEFORE the incident. A hot or cold
site is a facility that is already equipped to provide at least mission
critical services ... it is probably also the storage facility for backup
media and its capability is tested at least yearly, this is the lowest
risk approach and is recommended for very high criticality
facilities. The moderate risk approach is to have a plan and
agreement to use a facility that has similar systems (hardware and
software) to accomplish mission critical tasks. The highest risk
approach is wait till an event occurs, evaluate, beg/borrow/buy
computers and attempt to load from backups, if any backups
survive. This approach is only reasonable for security domains that
have minimal value to the organization.
Information Validation
What steps are taken to ensure the validity of data? If a file or
program was modified could/would it be detected? If there is no
way to detect modification how can a domain be protected against
threats such as: viruses, trojan horses, and data modification. The
lowest risk approach is to generate a cryptographic hash such as
MD5 for all data files and maintain a database of such signatures.
A moderate risk approach is to establish a Configuration
Management process that oversees input to and from the domain of
all critical program and datafiles. If your domain uses a different
process, please detail that process as an appendix to your submittal.
Hardware Investment
Over the preceding three years what is the total amount of money
that has been invested in the computers, routers, disk drives,
printers, network, monitors, plotters and so forth for this domain.
Software Investment
COTS stands for Commercial Off The Shelf, this refers to all
purchased packaged or shrink wrapped software for the last three
years. Extrapolation or estimation is generally sufficiently correct
for the purpose of worksheets. Security officers should be aware of
software that is high priced <$2k/yr per seat or dificult to procure
due to license, or other restrictions.
Local Software Investment
This refers to all custom software whether written by our own
employees, written by contractors on a per hour bais, or contracted
for on a fee basis. Generally the primary cost component of locally
written software is the time invested in its production, but software
that has to be tested in expensive facilities may have additional
costs. Locally written, or custom software tends to be fairly
expensive and is potentially dificult or impossible to replace, so
some care should be used in developing these figures.
Data Investment
This is generally the highest cost component of a domain. Modern
workers use computers to accomplish their tasks from work
processing, to presentations, analysis to programming. Basically,
the cost of data per employee per year is the amount of time they
were at a computer station and were doing anything other than
training or programming. For most non-programmer employees this
will be the cost to put them in an office per year.
Total Best Values
Take your best etimates for the categories above and add them up.
Round to nearest thousand. Place that number in the box.
Jeopardize lives
If an attack or failure of any sort were to happen concerning the
computers, programs, and data of this security domain, could lives
be placed in jeopardy?
Domain Effectiveness Impaired
If an attack, accident , or moderate failure were to happen to the
computers, programs, and data of this security domain, what is your
best estimate of the time that would elapse before returning to full
operational status. If domain relies on fault tolerant or mirrored
servers this cold be seconds or minutes. If you could load from
backups onto a spare system this could be hours.
Resume Critical Ops
If a major attack, natural disaster, or failure of any sort were to
happen to the computers, programs, and data of this security
domain, what is your best estimate of the time that would elapse
before mission critical functions could resume.
Impact to Navy
If this security domain were completely destroyed, right down to
the last backup tape would that negatively impact the Navy's
mission in any way? If the cases listed on the form do not apply to
this domain's situation, circle the best answer and make a note on
the form as to what the impact would (or would not) be.
NSWCDL Domains
Do users that are outside this domain have accounts, access to, or
privildeges on this domain's computing resources? Does this
domain either regularly receive data from, or provide data to,
another domain? These are examples of a domain that regularly
interconnects with another. In these examples the overall security
posture of either domain is affected by the security posture of the
other. For the purpose of this worksheet internal domains are any
domains that are under the direct authority of the Commanding
Officer NSWCDL, that is all employees in all departments.
External domains are everything else, contractors, other Navy
facilities, etc.
(External) Non-NSWCNET Connections
This is probably the most important segment of this worksheet.
Modems have the capability these days to "nail up" fully functional
network connections complete with routing. Internal modems that
came pre-installed in systems, but have not been cabled and are not
used need not be considered. The monthly bill for an ISDN
connection is high enough, that if you have them, someone will
know :) Dedicated leased lines are T1s, Frame Relay, dial on
demand, etc point to point circuits to another facility. If your
domain uses a leased circuit managed by another workgroup or
domain, just note that on the worksheet. The primary thing we are
looking for with "Other external connections" are connections from
your domain to an Internet Service Provder (ISP), but if you have
connections via packet radio, ELF, satellite uplink, etc this is
where to note them.
Sketch of the Domain
A picture is worth a thousand words and this is never so true as a
sketch of your security domain. This helps the Security Office
understand the extent of the domain that you are submitting a
security plan for, and how the connections into/out of that domain
are configured. It also helps you! We have learned that security
officers are not always quite certain of the configuration of the
domains they are responsible for. We recommend that you not
invest your time and energy into making the sketch pretty, the
information is what we are after, pencil and paper are just fine.
Let's consider an example The extent of the domain is three AISes,
two computers and a firewall. There is an internal LAN which
should show a name or address, but doesn't and a single connection
to an external lan (also lacking in information). Despite the
shortcomings of this sketch it does clearly show the extent of the
domain and its external connections.
How about one more example? This sketch shows a domain that is
located on multiple subnets. This sketch implies the domain is
located entirely in NSWCNET address space and has no external
connections of its own. This sketch would be a lot clearer if they
had labeled the office subnet as subnet 128.38.X.0, but it is a start.
One thing this sketch shows which is very helpful is the trust model
of the domain. Sometimes trust is not simply reflexive (everyone
trusts everyone else in the domain). In this example, since one of
the systems, the logger, sits outside the NSWCNET firewall, it is
very vulnerable to attack, consequently none of the other systems
trust it. One system and one system only accepts (only) formatted
data from the logger.
|
|
