
Independent Security Assessment — Phase II

Preparedness Guide

Version 2.4, dated 12/4/2017, Previous editions are obsolete

Pre-Assessment Materials Preparation

On-Site Configuration Requirements

Personnel Availability

Impact on Assessed Organization


Legal Notice and Disclaimer:

Please note that much of this publication is based on prior professional experience and anecdotal evidence. Although the author and organization have made every reasonable attempt to achieve complete accuracy of the content in this guide, they assume no responsibility for errors or omissions. Also, you should use this information in accordance with your existing internal security protocols and practices. Follow these instructions at your own risk. Your particular situation may not be exactly suited to the examples illustrated here as every entity’s network is unique. If you have questions on how to proceed, please contact the CND Engagement Manager for assistance at 916-369-5030.

Any trademarks, service marks, product names or named features are assumed to be the property of their respective owners and are used only for reference. There is no implied endorsement if we use one of these terms.


What is the Independent Security Assessment (ISA)?

The Independent Security Assessment (ISA) is required by California Government Code 11549.3 as amended on January 1, 2016. An ISA, sometimes referred to as an AB670 Assessment, is an assistance visit, not an audit. The assessment’s goal is to provide a third-party view of the entity’s current cybersecurity state and provide recommendations for improvement. The assessment analyzes a series of technical controls, as designated by the State Chief Information Security Office (CISO). These controls change with each iteration of the assessment. To ensure a smooth process with the least amount of impact to entity staff, a series of pre-assessment preparation steps is provided within this guide. Due to the constrained timeline for each ISA, the entity’s overall results can be impacted should the entity be ill prepared. This guide attempts to mentor entities to the best possible outcomes during the assessment process.

Entities Formally Selected for Assessment

Entities begin the assessment process when they are formally notified by the State Chief Information Officer (CIO). Once notified, the entity management team must accomplish one of the two following actions within 10 days of notification:

A) Open a Service Request with the California Department of Technology (CDT) to schedule an ISA (see Appendix B for instructions)

OR

B) Submit an Exemption Request to the Office of Information Security (OIS). Exemptions are used for two specific purposes:

1) An entity erroneously scheduled separately from its parent Agency for an ISA (see OIS criteria)

2) An entity approved for an assessment rendered by a commercial third party. For criteria and required documentation to accompany the request, please see Appendix B.


Guide Purpose

This guide is designed to help the assessed entity prepare for a successful engagement. It is critical that this document be disseminated to the responsible individuals within the entity who will be conducting the required pre-assessment, in-engagement, and post-assessment activities. The entity’s senior cybersecurity manager should be the person designated responsible for ensuring the organization is ready for its assessment prior to the start date. Delays, missing documentation, or absent staff prevent the assessment team from rendering a complete assessment in the time frame allotted and may result in ‘Non-compliance’ findings. Please help the CND help you achieve the most benefit possible by ensuring your readiness for assessment.

Guide Usage

This guide is divided into three sections based on generally accepted functional roles in a typical Information Technology organization. The sections are:

• Information Security Management Actions
• Network Administrator Actions
• System Administrator Actions

Can the Organization Be Pre-Assessed or Volunteer for an ISA this Year?

The goal of the assessment process is to help entities understand their current cyber risks. If an entity would like to perform a pre-assessment or preemptively perform any portion of the assessment separately, the CND can offer several service options to meet requirements. All pre-assessment options are provided outside of the ISA process directly to the entity. For more information, please contact the CND using the contact information in Appendix A. Entities, once assigned to the 3-Year Cybersecurity Oversight cycle, must submit any requests for changes to their officially designated cycle directly to OIS.

Preparing for Assessment

Every entity will receive a copy of the Phase II assessment criteria. Entities are encouraged to use the criteria to perform internal self-assessments to identify areas that would benefit from improvement. The criteria documentation provides the Task, Condition, and Standard used to determine success. For entities that have undergone an ISA in the past, the most significant change between the previous phase and this phase is the addition of a Penetration Test.

How will the ISA Impact the Organization and Staff?

The CND recognizes staff time is valuable and constrained. To lower the burden on entity staff, the CND has developed a streamlined order of execution that is designed to minimize time and impact. The CND team can conduct most ISAs with minimal staff interaction (typically within 1 to 4 weeks) depending on the entity’s size, complexity, and readiness. The specific time required to complete your assessment will be identified during the scheduling process.


Assessment / Penetration Testing Tasks Lists Breakout

Role | General Related Tasks | Page
Information Security Management | Pre-assessment actions; Assessment actions; Post-assessment actions | 6-8
Network Administrator | Pre-assessment actions; Assessment actions | 9
System Administrator | Pre-assessment actions; Assessment actions; Post-assessment actions | 10-11

Usage: A requirements breakdown by generally accepted roles is provided to assist the entity in its preparation for a successful Independent Security Assessment (ISA). This guide is specifically developed for entities undergoing the Independent Security Assessment conducted by the California Military Department.

Entities should distribute the task lists to their responsible parties for review and execution at the earliest possible date. It is recommended that the CIO/AIO or ISO understand all task lists as well. Some of the identified tasks require external coordination or incur additional time to complete.

Requirement: The entity CIO/AIO or ISO (as applicable) is the recommended primary Point of Contact (POC) for the assessment. Entities are discouraged from delegating this role below these levels of management. The designated individual is responsible for ensuring the successful coordination of their teams’ efforts throughout the process. The responsible individual should be prepared to discuss these timelines and any entity concerns during the In-brief. The entity must transmit all pre-assessment deliverables 72 hours prior to the pre-assessment In-brief.

The entity will need to assign an Assessment Liaison. The Assessment Liaison is the individual who will be working directly with the Assessment and Penetration Test Teams during the assessment period. This person must be technical and have change order oversight.


Information Security Management (CIO, AIO, ISO)

Provide a copy to designated responsible party

Pre-Assessment Actions (in order of execution)

• Initiate the ISA Service Request (see Appendix B) within 10 days of notification.
• Provide the CND Engagement Manager (see Appendix A) with the following deliverables:
  • The ISA Service Request Number received from CDT, via email.
  • The annotated Entity Asset Count Worksheet (Appendix C). (Not required for the ISA Service Request)
• Coordinate your assessment date with the CND Engagement Manager.
• Return the signed CND Cost Estimate/Work Order Authorization form (required prior to work, but no less than 30 days prior to commencement).
• Complete the In/Out-of-Scope Documentation (Appendix D/Phase II Data Call spreadsheet); submit it to the CND Engagement Manager no less than 7 days prior to the pre-assessment In-brief. Specific concerns should be addressed immediately to the CND!
• Complete all third party hosted / cloud provider PenTest requests and document approval (see Appendix E/Phase II Data Call spreadsheet)
• Distribute the role-based assessment checklists; the breakout pages are listed in the Tasks Lists Breakout (page 5)
• Review the assessment criteria with the entity’s internal team(s); develop any questions/concerns prior to the pre-assessment In-brief conference call
• Ensure all pre-assessment actions are completed prior to the pre-assessment In-brief conference call
• Schedule the entity’s pre-assessment In-brief conference call with the CND Engagement Manager no less than 3 weeks prior to the ISA engagement date
• Document the entity’s Points of Contact notification list (Appendix C or the POC tab of the Phase II Data Call spreadsheet)
• Ensure a work location for the assessment team has been coordinated. The location must be able to accommodate:
  • 6-8 personnel
  • 8 dedicated Cat5/6 network data jacks capable of at least 100Mbps each
    • 4 ports MUST be in a Management VLAN
    • 4 ports MUST be in your busiest User VLAN with normal user traffic
    To lower the burden on the entity, we recommend using a managed switch with ports assigned logically to those identified VLANs. For additional questions, contact the CND Engagement Manager.
  • Where possible, the space should afford privacy from common space (e.g. a Conference Room) and be able to be secured.
• Assign an Assessment Liaison for the duration of the ISA.


• Schedule a conference room for the initial CND team on-site In-brief. This may be the same location as the work space if it will support the number of attendees
• Schedule the assessment on-site In-brief with the appropriate entity staff members and management team(s) for 9 AM on the first day of assessment. Email the meeting request to the CND Engagement Manager for distribution to the CND Team
• Prepare the pre-assessment / PenTest documents listed in Appendix F to be delivered via DVD to the CND team during the on-site In-brief

Phishing Actions:

• There are two types of phishing events that will occur during the assessment window:
  • Phishing Susceptibility Test (Assessment)
  • Targeted Spear Phishing Campaign (Penetration Test)
• Instructions for the Phishing Susceptibility Test (see Appendix H for Whitelisting Procedures):
  • The entity must designate a minimum of 100 users or 100% of its user population, whichever is less. The group must include 3 executives, 3 IT administrators, and, for the remaining users, a mixture from all of the entity’s business units
  • Participants must be provided to the CND via the phishing tab of the Phase II Data Call worksheet, including the mandatory fields
  • Rules of Engagement Warning: The entity is prohibited from notifying the Phishing Susceptibility Test participants of the pending phishing exercise. Notifying users will result in a ‘Non-Compliance’ score for the associated event
• Instructions for the Targeted Spear Phishing Campaign:
  • Users for this portion are selected by the Penetration Testing Team Leader. These participants are identified during the open source data collection phase. As a result, these users may be a different set from those submitted for the Phishing Susceptibility Test
  • The Targeted Spear Phishing Campaign users may receive specially crafted emails with a custom payload designed to test the ability of the team to establish a backdoor into the internal entity network
  • The backdoors are designed to test security controls implementation and will be eliminated upon completion of the test
  • The entity may take defensive actions for any targeted spear phishing campaign once the Assessment Liaison has confirmed with the CND Team Leader or the CND Engagement Manager
  • DO NOT REPORT any ISA related phishing in Cal-CSIRS

Web Assessment Portion:

• Provide the entity’s public-facing website(s) via the Phase II Data Call spreadsheet
• If the site(s) require credentials for access to any public-facing portions, generate a standard user account in the system for testing, with a name starting with “CND_”, and provide it to the CND Engagement Manager

Reminder: Sites hosted external to the entity (e.g. Agency Data Center, CDT, Third Party Cloud Provider) must have the third party notification documentation attached


• Identify any areas of concern that, if detected, should result in an immediate notification (e.g. ability to extract user SSNs; ability to submit as a different user; etc.)
• Designation of an Assessment Liaison: Identify a single point of contact for coordination between the penetration testing team and the entity security team. Provide 24-hour contact info
  • This individual must be in the notification loop for all firewall, anti-virus, and incident response operations in the entity network
  • This individual will be the coordination point for all Penetration Testing coordination / information exchange actions

Assessment Actions

Coordinate with senior management to ensure all necessary entity personnel are scheduled to be in attendance for the entire assessment period. Absence of key personnel could adversely impact the entity’s overall score.

• Provide the team members access (badges, parking spaces, etc.)
• Act as the facilitator between the CND Team Leader and entity staff
• Facilitate the CND team and entity team introductions
• Ensure the Assessment Liaison immediately notifies the CND Team Leader of any detected anomalous events (system anomalies, rogue device detection, phishing detection). These measures are time sensitive for scoring purposes

Post-Assessment Actions

• Coordinate the entity’s preparation of the CDT Plan of Actions and Milestones (POA&M), SIMM 5305-C
  • Submit to the CDT within 15 days of receipt of the final report
  • Update the CDT until all findings on the POA&M have been mitigated; see SIMM 5305 for details
• Remediate findings.
• Securely retain copies of the assessment for audit and inspection purposes.

NOTE: In accordance with AB 670, a copy of your results will be provided to the State CISO and the Cal-CSIC.


Network Administrator (Net-Admin)

Provide a copy to designated responsible party

Pre-Assessment Actions

• 8 dedicated Cat5/6 network data jacks capable of at least 100Mbps each
  • 4 ports MUST be in a management VLAN and have full WAN/LAN/VLAN access to all entity IT assets (e.g. workstations, laptops, servers across all locations and subnets), with no blocking Access Control Lists (ACLs)
    • The assessment team requires unrestricted access to ports 22, 135, 137, 139, and 445 for all internal network segments.
    • Do not open these ports to untrusted network interfaces
  • 4 ports MUST be in your busiest User VLAN, with no port access controls applied
  • NOTE: If the entity has DHCP with leases greater than 7 days, static IPs are not necessary; otherwise, provide 10 static IP addresses in the appropriate VLAN segments listed above.
• Prepare the Network Interconnection diagram (see Appendix F)
• Prepare IP address listings as identified in the Phase II Data Call Spreadsheet
  • Identify at the Pre-Assessment Briefing whether the entity has any hosts that only use IPv6 for their addressing.
  • Entities that cannot identify host IPs in the /24 format will require intensive IP scanning. This will cause significant traffic on your network.

Assessment Actions

• Be available for the network portion of the assessment interview process
• Provide troubleshooting assistance for scan-related ACL issues (as needed)
• Provide the perimeter firewall configuration files. For specific instructions, please consult your Assessment Team Leader during the pre-assessment In-brief conference call


System Administrator (Windows/Linux)

Provide a copy to designated responsible party

Pre-Assessment Actions

Host Access:

• Disable any settings that could cause hosts to sleep or otherwise disconnect from the network, including Sleep settings during off hours, for the duration of the assessment period. There can be no exceptions to this requirement.
• Domain Systems: Prepare root/domain administrator level credentials for use by the Assessment team for all directory-joined servers, workstations, and laptops. The credentials provided must start with “CND_”. If more than one domain is present, prepare this for all domains. These may be existing credentials provided to the CND Team Leader or manually entered by the entity Systems Administrator
• Non-Domain Systems: Prepare root/administrator level credentials for use by the Assessment team for all non-directory-joined servers, workstations, laptops, and appliances. The credentials provided must start with “CND_”. These may be existing credentials provided to the CND Team Leader or manually entered by the entity Systems Administrator. The same username/password must work across all such systems
• Ensure the “Server” service is running on all Windows operating system hosts. Ensure the firewall accepts requests on ports 135, 137, 139, and 445
• Add exceptions (as required) to any host-based firewall, host-based intrusion prevention system, or anti-virus protections for these ports to/from the CND IP addresses, or whitelist the static IP address(es) assigned to these devices (as appropriate)
• Ensure all Linux / Unix / AIX / Macintosh operating system hosts accept port 22 requests; add exceptions to/from the CND IP addresses to any host-based firewall and host-based intrusion prevention protections for this port, or whitelist the static IP address(es) assigned to these devices (as appropriate)

Host Hardening:

• Identify 3 workstations and 3 laptops that will be made available for System Hardening scanning. These hosts must NOT:
  • Have users logged on during the hardening test period (typically 30 minutes); coordinate the time with the CND Team Leader
• Identify 1 domain controller and 3 application servers for the System Hardening scan. This scan will take approximately 30 minutes to complete and will add a minor workload to the host


Assessment Actions

• Troubleshoot network credential issues/port issues on hosts (as applicable)
• Provide access to the CND Team Leader to run various PowerShell scripts to validate controls (as required)
• Provide the CND Team Leader access to AD Users and Computers to perform random sampling selections and validations (as required)
• Be available for the systems portion of the assessment interview process

Post-Assessment Actions

• Coordinate with internal entity management for attendance at the assessment Out-brief
• Conduct a mandatory password reset for any users whose passwords were compromised as a result of the Phishing or Penetration Test events. The CND will formally notify the entity of these users via separate cover at the conclusion of the event
• Remove any whitelisting, IP reservations, or other measures required for the assessment
• Remove all accounts created for the CND.
• Return systems to normal configurations
• Disable or delete any accounts created for CND use
• Designate the primary and alternate recipients for the final report delivery
• Assist in the preparation of the entity’s Plan of Actions and Milestones (POA&M), SIMM 5305-C, to CDT within 15 days of receipt of the final report
• Update cybersecurity management staff on all related findings and status until all findings on the POA&M have been mitigated; see SIMM 5305 for details
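The Windows host-access preparation in the System Administrator Pre-Assessment Actions and the cleanup in the Post-Assessment Actions above, as an added PowerShell example that is not part of the CND guide: it opens ports 135/137/139/445 only to the assessment team’s addresses rather than to the whole network, keeps the Server service running and the host awake, verifies the scope, and reverses everything afterwards. The CND addresses, the rule names, and the choice to disable rather than delete CND_ accounts are this example’s assumptions.

```powershell
# Added example, not CND code. Run in an elevated session on the Windows host.
# Placeholder addresses (assumption): replace with the static IPs actually
# assigned to the CND assessment team for the engagement.
$CndAddresses = @('192.0.2.10', '192.0.2.11')
$IsaRuleName  = 'CND ISA - assessment team access'

function Enable-AssessmentAccess {
    param([string[]]$RemoteAddress = $CndAddresses)

    # The guide requires the "Server" (LanmanServer) service on every Windows host.
    Set-Service -Name LanmanServer -StartupType Automatic
    Start-Service -Name LanmanServer

    # No sleep or hibernate on AC power for the assessment window.
    powercfg.exe /change standby-timeout-ac 0
    powercfg.exe /change hibernate-timeout-ac 0

    # Inbound exception limited to the assessment addresses, never "Any".
    # 137 (NetBIOS name service) is UDP; 135, 139 and 445 are TCP.
    if (-not (Get-NetFirewallRule -DisplayName "$IsaRuleName*" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "$IsaRuleName (TCP)" -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 135, 139, 445 -RemoteAddress $RemoteAddress `
            -Profile Domain, Private | Out-Null
        New-NetFirewallRule -DisplayName "$IsaRuleName (UDP)" -Direction Inbound -Action Allow `
            -Protocol UDP -LocalPort 137 -RemoteAddress $RemoteAddress `
            -Profile Domain, Private | Out-Null
    }
}

function Test-AssessmentAccess {
    # Confirm the exception exists and is still limited to the CND addresses.
    $rules  = @(Get-NetFirewallRule -DisplayName "$IsaRuleName*" -ErrorAction SilentlyContinue)
    $remote = @($rules | Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress })
    [pscustomobject]@{
        ServerServiceRunning = (Get-Service -Name LanmanServer).Status -eq 'Running'
        RulesPresent         = $rules.Count -eq 2
        ScopedToCndOnly      = ($remote.Count -gt 0) -and -not ($remote -contains 'Any')
        RemoteAddresses      = ($remote | Sort-Object -Unique) -join ', '
    }
}

function Remove-AssessmentAccess {
    # Post-assessment: drop the exceptions and disable every CND_ account.
    Get-NetFirewallRule -DisplayName "$IsaRuleName*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    Get-LocalUser | Where-Object { $_.Name -like 'CND_*' } | ForEach-Object {
        Disable-LocalUser -Name $_.Name
        Write-Output "Disabled local account $($_.Name)"
    }
    # Domain accounts: only where the ActiveDirectory module is present (e.g. on a DC).
    if (Get-Command -Name Get-ADUser -ErrorAction SilentlyContinue) {
        Get-ADUser -Filter 'SamAccountName -like "CND_*"' | ForEach-Object {
            Disable-ADAccount -Identity $_
            Write-Output "Disabled domain account $($_.SamAccountName)"
        }
    }
}

# Before the assessment:  Enable-AssessmentAccess; Test-AssessmentAccess
# After the assessment:   Remove-AssessmentAccess
```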


Appendix A - Links and Resource Pointers

A. Online resources

# | Resource | Full Web Address | Shortened Link
1 | CDT Service Request System * | https://cdt.ca.gov/support/ | N/A
2 | ISA Portal ** | https://cacnd.sharepoint.com/sites/public/SitePages/Independent%20Security%20Assessment%20Program.aspx | https://goo.gl/UN52F1
3 | CDT Assessment Portal | https://cdt.ca.gov/security/oversight/#Assessment-Program | N/A

* Requires an account to be provisioned by CDT for system access. Please contact your Agency CDT account representative for assistance

** Requires the user to request access. Access requests are granted to individuals in the State of California Information Technology community. Please ensure you use your official State of California email address in your request

B. CND Point of Contact

For all Assessment related coordination and technical questions:

Name | Email | Phone
Alice Allersmeyer | [email protected] | (916) 369-5030

C. CDT Point of Contact

Name | Email | Phone
Helen Woodman | [email protected] | (916) 431-4698


Appendix B - Service Request Procedure

CDT Remedy Service Request:

• Open the Remedy Service Ticket Application (see Appendix A [1])
• Select the Applications Side Tab
• Click on the “Service Request Management” Tab


• Select “Professional Services”
• Select the “Independent Security Assessment (ISA)” option
• Complete the ISA information

Notes:

- The SR is required to be opened within 10 calendar days of ISA notification
- Once opened, submit a completed Category Worksheet to the CND Engagement Manager to receive a Cost Estimate
- Once the cost estimate is received, update the cost factors on your SR


Appendix C - Entity Asset Count Worksheet and Entity POC Worksheet - Phase II Data Call


Appendix D - Entity Penetration Testing In/Out-of-Scopes Documentation - Phase II Data Call

Example: Penetration Test Scoping Worksheet


Appendix E - Pre-Assessment / Penetration Test Documentation

** To be delivered to the CND Engagement Manager no less than 7 days prior to the pre-assessment In-brief **

Documentation | Required | Submitted | Approved
3rd Party Hosted Penetration Test Notification / Approval | | |
Cloud Hosted Penetration Test Request / Approval Form | | |
Data Center Service Request (Pentest / Scan notification) Form | | |
Entity / 3rd Party Hosted Point of Contact Listing | Yes | |
IP Range(s) {Vulnerability Assessment portion of the ISA} | Yes | |
Entity Nominated Phishing participants in Data Call | Yes | |
Entity Public-facing Primary Web Site Address | Yes | |
10 static assigned IP addresses for use during assessment (if DHCP leases are for less than 7 days) | Yes | |
Entity POC roster (Name, Daytime, Evening #) for CIO, AIO or ISO, Network Manager, Service Manager | Yes | |

Completed forms must be emailed to Alice Allersmeyer at [email protected] within 7 days of the scheduled Pre-Assessment In-brief conference call.

I certify I have reviewed the network architecture of this entity and all externally hosted assets and services (including those at data centers not directly under my control) have been notified and all required approvals completed.

Printed Name of Entity CIO: __________________________________________________________

Signature: _________________________________________________________ Date: ____________________


Appendix F - Assessment / Penetration Required Documentation

** To be delivered via DVD to the CND Team Leader during the on-site In-brief on Day 1 of the Assessment **

Documentation | Required | Submitted | Approved
Network Interconnection Diagram | Yes | |
Firewall Configuration (replace each password hash with 3 hash marks, ###) in accordance with the instructions provided by the CND Team Leader | Yes | |
2 Domain Administrator / Root level user accounts (Vulnerability Scanning only): user names and passwords (must start with “CND_”) | Yes | |
1 Standard User-level network account (for credential testing): user name and password (must start with “CND_”) | Yes | |
10 Static IPs assigned to the Assessment team (if DHCP leases are for less than 7 days) | Yes | |
Entity IP Address ranges for assessment scan | Yes | |

I certify I have reviewed the network architecture of this entity and all externally hosted assets and services (including those at data centers not directly under my control) have been notified and all required approvals completed.

Printed Name of Entity CIO: __________________________________________________________

Signature: _________________________________________________________ Date: ____________________
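Redacting the password hashes from a firewall configuration export before it goes on the Appendix F DVD, as an added PowerShell example that is not part of the CND guide. The sample configuration lines are constructed, and the keyword-then-hash layout follows Cisco-style syntax as an assumption; check the output against the instructions the CND Team Leader provides for your platform.

```powershell
# Added example, not CND code. Constructed sample of a Cisco-style export;
# the keyword/hash layout is an assumption about your platform's syntax.
$SampleConfig = @'
hostname edge-fw
enable secret 5 $1$abcd$NOTAREALHASH0000000000
username admin privilege 15 secret 5 $1$wxyz$NOTAREALHASH1111111111
snmp-server community NOTAREALCOMMUNITY RO
crypto isakmp key NOTAREALPSK address 198.51.100.7
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
'@

# A credential keyword, an optional encryption-type number (e.g. "secret 5"),
# then the token to redact. Everything before the token is kept so the
# configuration stays reviewable.
$CredentialPattern = '(?im)^(?<prefix>.*\b(?:password|secret|community|key)\b(?:\s+\d+)?\s+)(?<token>\S+)'

function Get-RedactedFirewallConfig {
    param([Parameter(Mandatory)][string]$ConfigText)
    # The guide asks for three hash marks in place of each hash.
    $ConfigText -replace $CredentialPattern, '${prefix}###'
}

function Test-RedactionComplete {
    param([Parameter(Mandatory)][string]$RedactedText)
    # True only when every credential token in the text has become "###".
    $leaks = [regex]::Matches($RedactedText, $CredentialPattern) |
        Where-Object { $_.Groups['token'].Value -ne '###' }
    @($leaks).Count -eq 0
}

# Against a real export:
#   $redacted = Get-RedactedFirewallConfig -ConfigText (Get-Content .\firewall.cfg -Raw)
#   if (Test-RedactionComplete -RedactedText $redacted) { Set-Content .\firewall-redacted.cfg $redacted }
$redacted = Get-RedactedFirewallConfig -ConfigText $SampleConfig
$redacted
"Redaction complete: $(Test-RedactionComplete -RedactedText $redacted)"
```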


Appendix G - Skype Pre/Post Assessment Briefing Instructions

To reduce the impact on supported entities, the CND delivers the pre-assessment briefing via teleconference and the post-assessment briefing over video/teleconference. This provides the assessed entity the maximum opportunity for participation by distributed team members. To reduce the complexity of this content delivery, the CND has standardized on Skype as the method for video conferencing with state entities. This model supports both the state-mandated migration to Office 365 and simplifies the installation of tools within supported entity environments. To facilitate your success, please see the provided information:

Preparing for Meetings (24 hours prior):

1) If you do not have the current Skype client installed on the conference room / desktop workstation on which you will be viewing the meeting, please install the client now
2) Test your ability to connect to Skype in advance of the scheduled meeting to ensure connectivity issues are not present (e.g. blocked in the entity firewall, etc.). For more information, please see: https://support.skype.com/en/faq/FA265/how-do-i-test-my-sound-is-working-in-skype-make-an-echo-test-call

Note: Viewing Skype from the browser instead of the native client automatically introduces a 30 second delay in video to the user. This will result in a poor experience for that user

Attending a Meeting:

1. The entity designated Point of Contact (POC), which is typically the AIO or ISO, will receive an email invitation to the briefing. The CND requests this POC coordinate the location for their internal team members’ attendance (e.g. conference room with computer projection resources) that will support as many co-located participants per connection as possible. If remote participants will be included, the CND requests the POC make distribution of the invitation to ensure only entity designated team members attend
2. Using the invitation, locate and click on the “Join Skype Meeting” link
3. If the Skype client is installed, it will spawn the meeting. If the client is not installed, it will open a web page asking the user to select the “Skype Meetings Apps plug-in” link; this client has a 30 second delay built in (see above)

Note: The CND recommends only using the desktop client for Skype

4. Once the install is completed, return to the Skype web page and select the green “Join Skype Meeting” button as listed in Step 2
5. When the Skype Meetings App opens, please type in your name and click the “Join” button

If you are having trouble connecting, please call the CND Engagement Manager at (916) 369-5030 to assist you in troubleshooting the issue.

Appendix H - Phishing Whitelisting Procedures

Office 365: Whitelist the phishing server IP for the assessment

1. Log into your mail server admin portal.

2. Click on Admin -> Exchange.

3. Click on Connection Filter (beneath the Protection heading).

4. Click the pencil icon to edit the default connection filter policy.


5. Under the IP Allow list, click the + sign to add an IP address.

6. On the "Add allowed IP address" screen, add the following IP address: 52.10.14.222


BYPASS CLUTTER AND SPAM FILTERING

7. Go to Admin -> Mail -> Mail flow and create a new rule.

a. Name the rule CND Phishing Bypass clutter & Spam Filtering by IP Address.

b. Click on More options.

c. Add the condition Apply this rule if…

d. Select The sender -> IP address is in any of these ranges or exactly matches.


8. a. Add the following sender IP addresses, then click OK.

b. Beneath Do the following, click Modify the message properties, then Set a Message Header.


9. Set the message header to: X-MS-Exchange-Organization-BypassClutter

10. Set the value to: true

NOTE: Both "X-MS-Exchange-Organization-BypassClutter" and "true" are case sensitive.


11. Add an additional action beneath Do the following to Modify the message properties. Here click on Set the spam confidence level (SCL) to… and select Bypass Spam Filtering.


12. Click Save. An example of the complete rule is below.
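The same Office 365 configuration as steps 1 through 12, expressed in Exchange Online PowerShell so it can be applied and verified without clicking through the portal. This is an added example, not part of the original guide. It assumes the ExchangeOnlineManagement module is installed and that the account used holds an Exchange administrator role; the IP address, header name and rule name are the ones given in the steps above. The verification and cleanup commands at the end are this example's addition for confirming the change and removing the entries once the campaign is over.

```powershell
# Added example: Exchange Online PowerShell equivalent of Appendix H steps 1-12.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds an Exchange administrator role (assumption, not stated in the guide).
Connect-ExchangeOnline

# Assessment sender IP from step 6 and the rule name from step 7a.
$PhishingSenderIp = '52.10.14.222'
$RuleName = 'CND Phishing Bypass clutter & Spam Filtering by IP Address'

# Steps 1-6: add the sender IP to the default connection filter policy's IP allow list.
# The @{Add=...} form appends to the list without disturbing existing entries.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $PhishingSenderIp}

# Steps 7-12: one mail flow (transport) rule that matches on the sender IP,
# stamps the case-sensitive BypassClutter header (steps 9-10) and sets
# SCL -1, which is the "Bypass spam filtering" option from step 11.
New-TransportRule -Name $RuleName `
    -SenderIpRanges $PhishingSenderIp `
    -SetHeaderName 'X-MS-Exchange-Organization-BypassClutter' `
    -SetHeaderValue 'true' `
    -SetSCL -1

# Verification (this example's addition): confirm the allow list holds the IP
# and the rule is enabled with the expected condition and actions.
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SenderIpRanges, SetHeaderName, SetHeaderValue, SetSCL

# Cleanup after the assessment (this example's addition): remove the rule and
# the allow-list entry so the bypass does not outlive the campaign.
# Remove-TransportRule -Identity $RuleName -Confirm:$false
# Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Remove = $PhishingSenderIp}

Disconnect-ExchangeOnline -Confirm:$false
```

The Format-List output should show State set to Enabled, SenderIpRanges containing 52.10.14.222, the header name and value exactly as entered (both are case sensitive, as step 10's note states), and SetSCL of -1; if any of those differ, the portal steps were not completed as described.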


Whitelist Phishing Server in URL filtering appliance

Please whitelist 12.183.171.35 in your URL filtering appliance. This is the IP address that the links in the phishing email will resolve to, so whitelisting it ensures that any links users click on reach the server that records the results.

References.

https://whois.arin.net/rest/net/NET-52-0-0-0-1/pft?s=52.10.14.222

https://whois.arin.net/rest/net/NET-12-183-171-32-1/pft?s=12.183.171.35

http://www.thelinuxfix.com/

Additional Information.

The two IP addresses identified in this document are used by the CND as part of its phishing campaign. 52.10.14.222 is an Amazon Web Services (AWS) IP address used by The Linux Fix, the hosting provider we use for hosted DNS/domain presence. 12.183.171.35 is an IP address assigned to us by AT&T for our internet connection. This IP is used to record the phishing email statistics and is housed on a server in