Independent Security Assessment — Phase II
Preparedness Guide
Version 2.4, dated 12/4/2017. Previous editions are obsolete.
Pre-Assessment Materials Preparation
On-Site Configuration Requirements
Personnel Availability
Impact on Assessed Organization
2
Legal Notice and Disclaimer:
Please note that much of this publication is based on prior professional experience and anecdotal evidence. Although the author and organization have made every reasonable attempt to achieve complete accuracy of the content in this guide, they assume no responsibility for errors or omissions. Also, you should use this information in accordance with your existing internal security protocols and practices. Follow these instructions at your own risk. Your particular situation may not be exactly suited to the examples illustrated here as every entity’s network is unique. If you have questions on how to proceed, please contact the CND Engagement Manager for assistance at 916-369-5030.
Any trademarks, service marks, product names or named features are assumed to be the property of their respective owners and are used only for reference. There is no implied endorsement if we use one of these terms.
3
What is the Independent Security Assessment (ISA)?
The Independent Security Assessment (ISA) is required by California Government Code 11549.3 as amended on January 1, 2016. An ISA, sometimes referred to as an AB670 Assessment, is an assistance visit, not an audit. The assessment’s goal is to provide a third-party view of the entity’s current cybersecurity state and to provide recommendations for improvement. The assessment analyzes a series of technical controls designated by the State Chief Information Security Office (CISO). These controls change with each iteration of the assessment. To ensure a smooth process with the least impact on entity staff, this guide provides a series of pre-assessment preparation steps. Due to the constrained timeline for each ISA, the entity’s overall results can suffer if the entity is ill-prepared. This guide aims to steer entities toward the best possible outcome during the assessment process.
Entities Formally Selected for Assessment
Entities begin the assessment process when they are formally notified by the State Chief
Information Officer (CIO). Once notified, the entity management team must accomplish one of the two
following actions within 10 days of notification:
A) Open a Service Request with California Department of Technology (CDT) to schedule an ISA
(See Appendix B for instructions)
OR
B) Submit an Exemption Request to the Office of Information Security (OIS). Exemptions are used
for two specific purposes:
1) An entity erroneously scheduled separately from their parent Agency for an ISA (see OIS
criteria)
2) An entity approved for an assessment rendered by a commercial third party. For criteria and
required documentation to accompany the request, please see Appendix B
4
Guide Purpose
This guide is designed to help the assessed entity prepare for a successful engagement. It is critical that this document be disseminated to the responsible individuals within the entity who will be conducting the required pre-assessment, in-engagement, and post-assessment activities. The entity’s senior cybersecurity manager should be the person designated as responsible for ensuring the organization is ready for its assessment prior to the start date. Delays, missing documentation, or absent staff prevent the assessment team from rendering a complete assessment in the time frame allotted and may result in ‘Non-compliance’ findings. Please help the CND help you achieve the most benefit possible by ensuring your readiness for assessment.
Guide Usage
This guide is divided into three sections based on generally accepted functional roles in a typical
Information Technology organization. The sections are:
• Information Security Management Actions
• Network Administrator Actions
• System Administrator Actions
Can the Organization Be Pre-Assessed or Volunteer for an ISA this Year?
The goal of the assessment process is to help entities understand their current cyber
risks. If an entity would like to perform a pre-assessment or preemptively perform
any portion of the assessment separately, the CND can offer several service options
to meet requirements. All pre-assessment options are provided outside of the ISA
process directly to the entity. For more information, please contact the CND using
the contact information in Appendix A. Entities, once assigned to the 3-Year Cybersecurity Oversight
cycle, must request any changes to their officially designated cycle directly to OIS.
Preparing for Assessment
Every entity will receive a copy of the Phase II assessment criteria. Entities are encouraged to use the
criteria to perform internal self-assessments to identify areas that would benefit from improvement.
The criteria documentation provides the Task, Condition, and Standard used to determine success. For entities that have undergone an ISA in the past, the most significant change between the previous phase and this phase is the addition of a Penetration Test.
How will the ISA Impact the Organization and Staff?
The CND recognizes staff time is valuable and constrained. To lower the burden on entity staff, the
CND has developed a streamlined order of execution that is designed to minimize time and impact.
The CND team can conduct most ISAs with minimal staff interaction (typically within 1 to 4 weeks)
depending on the entity’s size, complexity, and readiness. The specific time required to complete
your assessment will be identified during the scheduling process.
5
Assessment / Penetration Testing
Task Lists Breakout
Role                             General Related Tasks                                                Page
Information Security Management  Pre-assessment actions; Assessment actions; Post-assessment actions  6-8
Network Administrator            Pre-assessment actions; Assessment actions                           9
System Administrator             Pre-assessment actions; Assessment actions; Post-assessment actions  10-11
Usage: A requirements breakdown by generally accepted roles is provided to assist the entity in
their preparation for a successful Independent Security Assessment (ISA). This guide is specifically
developed for entities undergoing the Independent Security Assessment conducted by the
California Military Department.
Entities should distribute the task lists to their responsible parties for review and execution at the earliest possible date. It is recommended that the CIO/AIO or ISO understand all task lists as well. Some of the identified tasks require external coordination or incur additional time to complete.
Requirement: The entity CIO/AIO or ISO (as applicable) is the recommended primary Point of Contact (POC) for the assessment. Entities are discouraged from delegating this role below these levels of management. The designated individual is responsible for ensuring the successful coordination of their teams’ efforts throughout the process. The responsible individual should be prepared to discuss these timelines and any entity concerns during the In-brief. The entity must transmit all pre-assessment deliverables 72 hours prior to the pre-assessment In-brief.
The entity will need to assign an Assessment Liaison. The Assessment Liaison is the individual who will work directly with the Assessment and Penetration Test Teams during the assessment period. This person must be technical and have change order oversight.
6
Pre-Assessment Actions (in order of execution)
• Initiate the ISA Service Request (see Appendix B) within 10 days of notification.
• Provide the CND Engagement Manager (see Appendix A) with the following deliverables.
• Provide the ISA Service Request Number received from CDT via email.
• Submit the annotated Entity Asset Count Worksheet (Appendix C). (Not required for the ISA Service Request)
• Coordinate your assessment date with CND Engagement Manager.
• Return the signed CND Cost Estimate/Work Order Authorization form (required prior to work, and no less than 30 days prior to commencement).
• Complete the In/Out-of-Scope Documentation (Appendix D/Phase II Data Call
spreadsheet); submit to the CND Engagement Manager no less than 7 days prior to the
pre-assessment In-brief. Specific concerns should be addressed immediately to the
CND!
• Complete all third party hosted / cloud provider PenTest requests and document approval
(see Appendix E/Phase II Data Call spreadsheet)
• Distribute role-based assessment checklists; breakout pages are listed on page 5
• Review the assessment criteria with entity internal team(s); develop any questions/
concerns prior to the pre-assessment In-brief conference call
• Ensure all pre-assessment actions are completed prior to pre-assessment In-brief
conference call
• Schedule the entity’s pre-assessment In-brief conference call with the CND Engagement
Manager no less than 3 weeks prior to ISA engagement date
• Document the entity’s Points of Contact notification list (Appendix C or on the POC tab of
the Phase II Data Call spreadsheet);
• Ensure a work location for the assessment team has been coordinated. The location must be able to accommodate:
• 6-8 personnel
• 8 dedicated Cat5/6 network data jacks capable of at least 100Mbps each
• 4 ports MUST be in a Management VLAN
• 4 ports MUST be in your busiest User VLAN with normal user traffic
To lower the burden on the entity, we recommend using a managed switch with ports assigned logically to the identified VLANs. For additional questions, contact the CND Engagement Manager.
• Where possible, the space should afford privacy from common space (e.g. Conference Room) and be securable.
• Assign an Assessment Liaison for the duration of the ISA.
Information Security Management (CIO, AIO, ISO)
Provide a copy to designated responsible party
7
• Schedule a conference room for the initial CND team on-site In-brief. This may be the same location as the work space if it will support the number of attendees
• Schedule the assessment on-site In-brief with the appropriate entity staff members and
management team(s) for 9 AM on the first day of assessment. Email the meeting request
to the CND Engagement Manager for distribution to the CND Team
• Prepare the pre-assessment / PenTest documents listed in Appendix F to be delivered via DVD to the CND team during the on-site In-brief
Phishing Actions:
• There are two types of phishing events that will occur during the assessment window:
• Phishing Susceptibility Test (Assessment)
• Targeted Spear Phishing Campaign (Penetration Test)
• Instructions for Phishing Susceptibility Test: (See Appendix H for Whitelisting Procedures)
• Entity must designate a minimum of 100 users or 100% of the user population, whichever is less. The group must include 3 executives, 3 IT administrators, and the remaining users a mixture from all of the entity’s business units
• Participants must be provided to the CND via the phishing tab on the Phase II Data
Call worksheet that includes the mandatory fields
• Rules of Engagement Warning: The entity is prohibited from notifying the
Phishing Susceptibility Test participants of the pending phishing exercise.
Notifying users will result in a ‘Non-Compliance’ score for the associated event
• Instructions for the Targeted Spear Phishing Campaign:
• Users for this portion are selected by the Penetration Testing Team Leader. These
participants are identified during the open source data collection phase. As a result,
these users may be a different set from those submitted for the Phishing
Susceptibility Test
• The Targeted Spear Phishing Campaign users may receive specially crafted emails
with a custom payload designed to test the ability of the team to establish a backdoor
into the internal entity network
• The backdoors are designed to test security controls implementation and will be
eliminated upon completion of the test
• The entity may take defensive actions for any targeted spear phishing campaign once the Assessment Liaison has confirmed with the CND Team Leader or the CND Engagement Manager
• DO NOT REPORT any ISA related phishing in Cal-CSIRS
Web Assessment Portion:
• Provide the entity’s public-facing website(s) via the Phase II Data Call spreadsheet
• If the site(s) require credentials for access to any public-facing portions, generate a standard user account in the system for testing, with a name starting with “CND_”, and provide it to the CND Engagement Manager
Reminder: Sites hosted external to the entity (e.g. Agency Data Center, CDT, Third Party Cloud Provider) must have the third party notification documentation attached
8
• Identify any areas of concern that, if detected, should result in an immediate notification (e.g. ability to extract user SSNs; ability to submit as a different user; etc.)
• Designation of an Assessment Liaison: Identify a single point of contact for coordination between the penetration testing team and the entity security team. Provide 24-hour contact info
• This individual must be in the notification loop for all firewall, anti-virus, and incident
response operations in entity network
• This individual will be the coordination point for all Penetration Testing
coordination / information exchange actions
Assessment Actions
Coordinate with senior management to ensure all necessary entity personnel are scheduled to be in attendance for the entire assessment period. Absence of key personnel could adversely impact the entity’s overall score.
• Provide the team members access (badges, parking spaces, etc)
• Act as the facilitator between the CND Team Leader and entity staff
• Facilitate the CND team and entity team introductions
• Ensure the Assessment Liaison immediately notifies the CND Team Leader of any
detected anomalous events (System Anomalies, Rogue Device detection, Phishing
detection). These measures are time sensitive for scoring purposes
Post-Assessment Actions
• Coordinate the entity’s preparation of the CDT Plan of Actions and Milestones (POA&M),
SIMM 5305-C
• Submit to the CDT within 15 days of receipt of the final report
• Update the CDT until all findings on the POA&M have been mitigated; see SIMM
5305 for details
• Remediate Findings.
• Securely retain copies of assessment for audit and inspection purposes.
NOTE: In accordance with AB 670, a copy of your results will be provided to the State CISO and the Cal-CSIC.
Pre-Assessment Actions
• 8 dedicated Cat5/6 network data jacks capable of at least 100Mbps each
• 4 ports MUST be in a management VLAN and have full WAN/
LAN/VLAN access to all entity IT assets (e.g. workstations,
laptops, servers across all locations and subnets) and there
are no blocking Access Control Lists (ACLs)
• The assessment team requires unrestricted access to ports
22,135,137,139, and 445 for all internal network segments.
• Do not open these ports to untrusted network interfaces
• 4 ports MUST be in your busiest User VLAN, no port access controls applied
• NOTE: If the entity has DHCP with leases greater than 7 days, static IP are not
necessary; otherwise 10 static IP addresses in the appropriate VLAN segments
listed above.
• Prepare the Network Interconnection diagram (See Appendix F)
• Prepare IP address listings as identified in the Phase II Data
Call Spreadsheet
• Identify at the Pre-Assessment Briefing if the entity has any hosts that only use IPv6 for their addressing.
• Entities that cannot identify host IPs in the /24 format will require intensive IP scanning. This will cause significant traffic on your network.
Assessment Actions
• Be available for the network portion of the assessment interview process
• Provide troubleshooting assistance for scan related ACL issues (as needed)
• Provide the perimeter firewall configuration files. For specific instructions, please consult
your Assessment Team Leader during the pre-assessment In-brief conference call
Network Administrator (Net-Admin)
Provide a copy to designated responsible party
9
10
Pre-Assessment Actions
Host Access:
• Disable any settings that could cause hosts to sleep or otherwise disconnect from the network, including sleep settings during off hours, for the duration of the assessment period. There can be no exceptions to this requirement.
• Domain Systems: Prepare root/domain administrator level credentials for use by the Assessment team for all directory joined servers, workstations, and laptops. The credentials provided must start with “CND_”. If more than one domain is present, prepare this for all domains. These may be existing credentials provided to the CND Team Leader or manually entered by the entity Systems Administrator
• Non-Domain Systems: Prepare root/administrator level credentials for use by the
Assessment team for all non-directory joined servers, workstations, laptops, and
appliances. The credentials provided must start with “CND_”. These may be existing
credentials provided to the CND Team Leader or manually entered by the entity Systems
Administrator. The same username/password must work across all such systems
• Ensure the “Server” service is running on all Windows operating system hosts. Ensure the
firewall accepts ports 135,137,139, and 445 requests
• Add exceptions (as required) to any host-based firewall, host-based intrusion prevention
system, or anti-virus protections for these ports to/from the CND IP addresses or white list
the static IP address(es) assigned to these devices (as appropriate)
• Ensure all Linux / Unix / AIX / Macintosh operating systems hosts accept port 22 requests;
add exceptions to/from the CND IP addresses to any host-based firewall and host-based
intrusion prevention protections for this port or white list the static IP address(es) assigned
to these devices (as appropriate)
Host Hardening:
• Identify 3 workstations and 3 laptops that will be made
available for System Hardening scanning. These hosts
must NOT:
• Have users logged on during the hardening test
period (typically 30 minutes); coordinate time with CND Team Leader
• Identify 1 domain controller and 3 application servers for the System Hardening
scan. This scan will take approximately 30 minutes to complete and will add a minor
workload to the host
System Administrator (Windows/Linux)
Provide a copy to designated responsible party
11
Assessment Actions
• Troubleshoot network credential issues/port issues on hosts (as applicable)
• Provide access to the CND Team Leader to run various PowerShell scripts to
validate controls (as required)
• Provide the CND Team Leader access to AD Users and Computers to perform
random sampling selections and validations (as required)
• Be available for the systems portion of the assessment interview process
Post-Assessment Actions
• Coordinate with internal entity management for attendance to the assessment Out brief
• Conduct a mandatory password reset for any users whose passwords were compromised as a
result of the Phishing or Penetration Test events. The CND will formally notify the entity of these
users via separate cover at the conclusion of the event
• Remove any whitelisting, IP reservations, or other measures required for the assessment
• Remove all accounts created for the CND.
• Return systems to normal configurations
• Disable or delete any accounts created for CND use
• Designate the primary and alternate recipients for the final report delivery
• Assist in the preparation of the entity’s Plan of Actions and Milestones (POA&M), SIMM
5305-C, to CDT within 15 days of receipt of the final report
• Update cybersecurity management staff on all related findings and status until all findings on the POA&M have been mitigated; see SIMM 5305 for details
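The Host Access preparation for Windows hosts (Server service running, host firewall exceptions for ports 135, 137, 139 and 445 scoped to the CND addresses, no sleep during the window) and the post-assessment clean-up (remove whitelisting, disable CND_ accounts, return to normal configuration) as one PowerShell script. This is an added example written for this guide, not CND tooling or a script the guide supplies; the 192.0.2.x range, the $BaselineStandbyMinutes value and the function names are placeholders that the entity replaces with the static IPs from Appendix F and its own power policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not CND-provided): prepare a Windows host for the credentialed
# assessment scans and undo that preparation afterwards.
# Assumptions (placeholders, not values from the guide):
#   - $CndAddresses holds the static IPs assigned to the CND team (Appendix F);
#     192.0.2.10-192.0.2.19 is a documentation-range stand-in.
#   - $BaselineStandbyMinutes is the entity's normal sleep timeout, restored afterwards.

$RuleGroup = 'CND ISA Assessment'   # tag so every rule can be found and removed in one step

function Enable-CndAssessmentAccess {
    param([Parameter(Mandatory)] [string[]] $CndAddresses)

    # Host Access: the "Server" service (LanmanServer) must be running for the SMB/RPC checks.
    Set-Service -Name LanmanServer -StartupType Automatic
    Start-Service -Name LanmanServer

    # Host Access: accept 135/139/445 (TCP) and 137 (UDP) only from the CND addresses.
    # Scoping with -RemoteAddress is what keeps these ports closed to untrusted interfaces.
    New-NetFirewallRule -DisplayName "$RuleGroup - TCP 135,139,445" -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort 135,139,445 `
        -RemoteAddress $CndAddresses -Profile Any -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "$RuleGroup - UDP 137" -Group $RuleGroup `
        -Direction Inbound -Protocol UDP -LocalPort 137 `
        -RemoteAddress $CndAddresses -Profile Any -Action Allow | Out-Null

    # Host Access: the host must not sleep or drop off the network (AC and battery).
    powercfg /change standby-timeout-ac 0
    powercfg /change standby-timeout-dc 0
    powercfg /change hibernate-timeout-ac 0
    powercfg /change hibernate-timeout-dc 0
}

function Test-CndAssessmentAccess {
    # Readiness check: $true only when the service runs and both scoped rules exist.
    $svc   = (Get-Service -Name LanmanServer).Status -eq 'Running'
    $rules = @(Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue).Count -eq 2
    return ($svc -and $rules)
}

function Disable-CndAssessmentAccess {
    param([int] $BaselineStandbyMinutes = 20)   # assumed entity baseline; set to your policy

    # Post-Assessment: remove only the rules tagged with the group, nothing else.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Post-Assessment: return power settings to normal.
    powercfg /change standby-timeout-ac $BaselineStandbyMinutes
    powercfg /change standby-timeout-dc $BaselineStandbyMinutes
    powercfg /change hibernate-timeout-ac $BaselineStandbyMinutes
    powercfg /change hibernate-timeout-dc $BaselineStandbyMinutes

    # Post-Assessment: disable local CND_ accounts now; delete them after the out-brief.
    # Domain CND_ accounts are handled in AD (Disable-ADAccount), not here.
    Get-LocalUser | Where-Object { $_.Name -like 'CND_*' } | Disable-LocalUser
}

# Usage (placeholder range; replace with the Appendix F addresses):
# Enable-CndAssessmentAccess -CndAddresses '192.0.2.10-192.0.2.19'
# Test-CndAssessmentAccess
# Disable-CndAssessmentAccess
```

Run Enable-CndAssessmentAccess on each in-scope Windows host before the on-site In-brief and Disable-CndAssessmentAccess as part of the post-assessment actions; Linux/Unix/Mac hosts need the equivalent port 22 exception, limited to the same CND addresses, in their own host firewall.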
12
Appendix A - Links and Resource Pointers
A. Online resources
Resource                       Full Web Address                                                                                              Shortened Link
1 CDT Service Request System * https://cdt.ca.gov/support/                                                                                   N/A
2 ISA Portal **                https://cacnd.sharepoint.com/sites/public/SitePages/Independent%20Security%20Assessment%20Program.aspx       https://goo.gl/UN52F1
3 CDT Assessment Portal        https://cdt.ca.gov/security/oversight/#Assessment-Program                                                     N/A
* Requires an account to be provisioned by CDT for system access. Please contact your Agency CDT account representative for assistance
** Requires user to request access. Access requests are granted to individuals in the State of California Information Technology community. Please ensure you use your official State of California email address in your request
B. CND Point of Contact
For all Assessment related coordination and technical questions:
Name               Email              Phone
Alice Allersmeyer  [email protected]  (916) 369-5030
C. CDT Point of Contact
Name           Email              Phone
Helen Woodman  [email protected]  (916) 431-4698
13
Appendix B - Service Request Procedure
CDT Remedy Service Request:
• Open the Remedy Service Ticket Application (see Appendix A [1])
• Select the Applications Side Tab
• Click on the “Service Request Management” Tab
B-1
14
• Professional Services
• Select “Independent Security Assessment (ISA)” option
• Complete the ISA information
Notes:
- The SR is required to be opened within 10 calendar days of ISA notification
- Once opened, submit a completed Category Worksheet to the CND Engagement Manager to
receive a Cost Estimate
- Once the cost estimate is received, update the cost factors on your SR
B-2
15
16
Appendix C - Entity Asset Count Worksheet and Entity POC Worksheet - Phase II Data Call
17
Appendix D - Entity Penetration Testing In/Out-of-Scopes Documentation - Phase II Data Call
Example— Penetration Test Scoping Worksheet
D-1
18
D-2
Appendix D - Entity Penetration Testing In/Out-of-Scopes Documentation - Phase II Data Call
19
D-3
Appendix D - Entity Penetration Testing In/Out-of-Scopes Documentation
20
Appendix E - Pre-Assessment / Penetration Test Documentation
** To be delivered to CND Engagement Manager no less than 7 days prior to pre-assessment In-brief **
Documentation                                                                                         Required  Submitted  Approved
3rd Party Hosted Penetration Test Notification / Approval
Cloud Hosted Penetration Test Request / Approval Form
Data Center Service Request (Pentest / Scan notification) Form
Entity / 3rd Party Hosted Point of Contact Listing                                                    Yes
IP Range(s) {Vulnerability Assessment portion of the ISA}                                             Yes
Entity Nominated Phishing participants in Data Call                                                   Yes
Entity Public-facing Primary Web Site Address                                                         Yes
10 static assigned IP addresses for use during assessment (if DHCP leases are for less than 7 days)  Yes
Entity POC roster (Name, Daytime, Evening #) for CIO, AIO or ISO, Network Manager, Service Manager    Yes
Completed forms must be emailed to: Alice Allersmeyer at [email protected], within 7 days of the scheduled Pre-Assessment In-brief conference call.
I certify I have reviewed the network architecture of this entity and that all externally hosted assets and services (including those at data centers not directly under my control) have been notified and all required approvals completed.
Printed Name of Entity CIO:__________________________________________________________
Signature: _________________________________________________________ Date:____________________
21
Appendix F - Assessment / Penetration Required Documentation
** To be delivered via DVD to CND Team Leader during on-site In-brief on Day 1 of Assessment **
Documentation                                                                                                                  Required  Submitted  Approved
Network Interconnection Diagram                                                                                                Yes
Firewall Configuration (replace password hash with 3 hash marks ###) in accordance with the instructions provided by the CND Team Leader   Yes
2 Domain Administrator / Root level user accounts (Vulnerability Scanning only), user names and passwords (must start with “CND_”)          Yes
1 Standard User-level network account (for credential testing), user name and password (must start with “CND_”)                            Yes
10 static IPs assigned to the Assessment team (if DHCP leases are for less than 7 days)                                        Yes
Entity IP Address ranges for assessment scan                                                                                   Yes
I certify I have reviewed the network architecture of this entity and that all externally hosted assets and services (including those at data centers not directly under my control) have been notified and all required approvals completed.
Printed Name of Entity CIO:__________________________________________________________
Signature: _________________________________________________________ Date:____________________
22
Appendix G - Skype Pre/Post Assessment Briefing Instructions
To reduce the impact on supported entities, the CND delivers the pre-assessment briefing via teleconference and the post-assessment briefing over video/teleconference. This gives the assessed entity the maximum opportunity for participation by distributed team members. To reduce the complexity of this content delivery, the CND has standardized on Skype as the method for video conferencing with state entities. This model supports the state-mandated migration to Office 365 and simplifies the installation of tools within supported entity environments. To facilitate your success, please see the information provided below:
Preparing for Meetings (24 hours prior):
1) If you do not have the current Skype client installed on the conference room / desktop workstation from which you will be viewing the meeting, please install the client now
2) Test your ability to connect to Skype in advance of the scheduled meeting to ensure connectivity issues are not present (e.g. blocked in entity firewall, etc.). For more information, please see: https://support.skype.com/en/faq/FA265/how-do-i-test-my-sound-is-working-in-skype-make-an-echo-test-call
Note: Viewing Skype from the browser instead of the native client automatically introduces a 30 second delay in video to the user. This will result in a poor experience for that user
Attending a Meeting:
1. The entity designated Point of Contact (POC), which is typically the AIO or ISO, will receive an email invitation to the briefing. The CND requests this POC coordinate the location for their internal team members’ attendance (e.g. conference room with computer projection resources) that will support as many co-located participants per connection as possible. If remote participants will be included, the CND requests the POC distribute the invitation to ensure only entity designated team members attend
2. Using the invitation, locate and click on the “Join Skype Meeting” link
3. If the Skype client is installed, it will launch the meeting. If the client is not installed, it will open a web page asking the user to select the “Skype Meetings Apps plug-in” link; this client has a 30 second delay built-in (see above)
Note: CND recommends only using the desktop client for Skype
4. Once the install is completed, return to the Skype web page and select the green “Join Skype Meeting” button as listed in Step 2
5. When the Skype Meetings App opens, please type in your name and click the “Join” button
If you are having trouble connecting, please call the CND Engagement Manager at (916) 369-5030 to assist you in troubleshooting the issue.
23
Appendix H - Phishing Whitelisting Procedures
Office 365 Whitelist phishing server IP assessment
1. Log into your mail server admin portal and go into the Admin -> Exchange.
2. Click on Admin -> Exchange.
3. Click on the Connection Filter (beneath protection heading).
4. Click on Connection Filter, then the Pencil icon to edit the default connection filter policy.
5. Under the IP Allow list, click the + sign to add an IP address.
6. On the “Add allowed IP address” screen, add the following IP addresses: 52.10.14.222
BYPASS CLUTTER AND SPAM FILTERING
7. Go to Admin -> Mail -> Mail flow and create a new rule.
   a. Name the rule CND Phishing Bypass clutter & Spam Filtering by IP Address.
   b. Click on more options.
   c. Add the condition Apply this rule if…
   d. Select The sender -> IP address is in any of these ranges or exactly matches.
8. Add the following sender IP addresses, then click OK
   b. Beneath Do the following, click Modify the message properties then Set a Message Header.
9. Set the message header to: X-MS-Exchange-Organization-BypassClutter
10. Set the value to: true
NOTE: Both "X-MS-Exchange-Organization-BypassClutter" and "true" are case sensitive.
11. Add an additional action beneath Do the following to Modify the message properties. Here click on Set the spam confidence level (SCL) to… and select Bypass Spam Filtering.
12. Click Save. An example of the complete rule is below.
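The same Appendix H allow-listing performed with the Exchange Online PowerShell module instead of the admin center, together with the matching removal for the post-assessment clean-up. This is an added example, not a CND-supplied script; it assumes the ExchangeOnlineManagement module is installed, the operator holds the Exchange administrator role, and only the 52.10.14.222 address from step 6 is needed (any further sender IPs from step 8 are not reproduced in this copy of the guide and would be appended to $PhishingSenderIps).

```powershell
# Added example (not CND-provided): Appendix H steps 3-12 as Exchange Online
# PowerShell, plus the reversal. Assumes the ExchangeOnlineManagement module and an
# account with the Exchange administrator role.

$PhishingSenderIps = @('52.10.14.222')   # step 6; append any step 8 addresses here
$RuleName = 'CND Phishing Bypass clutter & Spam Filtering by IP Address'   # step 7a

function Enable-CndPhishingAllowList {
    Connect-ExchangeOnline -ShowBanner:$false

    # Steps 3-6: add the sender IP to the default connection filter's IP Allow list.
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $PhishingSenderIps}

    # Steps 7-12: mail flow rule keyed on sender IP that sets the bypass-clutter header
    # (name and value are case sensitive) and SCL -1, i.e. "Bypass spam filtering".
    New-TransportRule -Name $RuleName `
        -SenderIpRanges $PhishingSenderIps `
        -SetHeaderName 'X-MS-Exchange-Organization-BypassClutter' `
        -SetHeaderValue 'true' `
        -SetSCL -1 `
        -Comments 'Temporary: CND ISA phishing susceptibility test. Remove after the out-brief.' | Out-Null

    # Return the saved rule so the operator can confirm it matches step 12.
    $rule = Get-TransportRule -Identity $RuleName | Select-Object Name, State, SenderIpRanges, SetSCL
    Disconnect-ExchangeOnline -Confirm:$false
    return $rule
}

function Disable-CndPhishingAllowList {
    # Post-assessment: remove the rule and the allow-list entry, nothing else.
    Connect-ExchangeOnline -ShowBanner:$false
    Remove-TransportRule -Identity $RuleName -Confirm:$false
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Remove = $PhishingSenderIps}
    Disconnect-ExchangeOnline -Confirm:$false
}

# Usage:
# Enable-CndPhishingAllowList     # before the assessment window opens
# Disable-CndPhishingAllowList    # post-assessment action "Remove any whitelisting"
```

Keep the rule's Comments field populated: it is what a later reviewer of the tenant's mail flow rules will see, and it makes the post-assessment removal step obvious to whoever inherits the tenant.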
Whitelist Phishing Server in URL filtering appliance
Please whitelist 12.183.171.35 in your URL filtering appliance. This is the IP that the links in the phishing email will resolve to. This will ensure that any links users click on will get through to record the results.
References.
https://whois.arin.net/rest/net/NET-52-0-0-0-1/pft?s=52.10.14.222
https://whois.arin.net/rest/net/NET-12-183-171-32-1/pft?s=12.183.171.35
http://www.thelinuxfix.com/
Additional Information.
The two IP addresses identified in this document are used by the CND as part of its phishing campaign. 52.10.14.222 is an Amazon Web Services (AWS) IP that is used by The Linux Fix hosting provider that we use for hosted DNS/domain presence. 12.183.171.35 is an IP address assigned to us by AT&T for our internet connection. This IP is used to record the phishing email statistics and is housed on a server in