GAO's Technical Approach to Assessing Computer Security at Federal Agencies Naba Barkakati Lon Chin West Coile US GAO 4/24/09 | Session ID: GPG-401

RSA 2009 talk on GAO Technical Approach to Assessing Computer Security at Federal Agencies

GAO's Technical Approach to Assessing Computer Security at Federal Agencies

Naba Barkakati, Lon Chin, West Coile, US GAO, 4/24/09 | Session ID: GPG-401

Agenda

FISCAM Overview

Challenges of Computer Security Audits

Logical Access Control Assessment Approach

Sample Results, Summary Points, and Q&A

Challenges of Computer Security Audits

Computer Security Audit Challenges

[Figure: Lumeta Corporation's Internet Map. Patent(s) pending & Copyright (c) Lumeta Corporation 2009. All rights reserved.]

Compliance checklists

Limited scope reviews

Vulnerability scanning

Computer Security Audit Challenges

Networks are becoming more complex, diverse and interconnected

New computing environments limit the effectiveness of the more traditional types of IT audits

FISCAM Overview

Federal Information System Controls Audit Manual

Presents a methodology for conducting audits of information system controls

FISCAM

Originally issued January 1999; updated February 2009

http://www.gao.gov/new.items/d09232g.pdf

FISCAM – General Controls

Logical Access Controls Assessment Approach

Trust but verify

Methodology

Iterative and Holistic Assessment Approach

Network Control Points

Controlling and securing network traffic

[Figure: network control points at each layer, Segment, LAN, WAN, Internet, Host and Data, for both inbound and outbound traffic.]

Host Control Points

[Figure: host control points along the access path. Access paths lead through Applications (incl. middleware, 3rd party, utilities, etc.), the Database Management System and the Operating System to the Data of Interest.]

Logical Access: Control Areas

Consider Trust Relationships

Putting the Pieces Together

Vulnerabilities should be assessed in context to the network and the impact on the organization’s mission.

Sample Results

Sample Result 1: Rogue Internet Printer

Sample Result 2: Layered Insecurity

Ineffective IDS: IDS “blind” to encrypted network traffic

Sample Result 3: Mail Attack

Sample Result 4: Application Password Reset

Summary Points

Understand the controls environment

Select key control points (considering a holistic approach)

Conduct testing & validation

Analyze data

Identify trust relationships

Select additional devices for assessment

Analyze results in context to the network and impact on mission
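The summary points above, together with the earlier point that vulnerabilities should be assessed in context to the network and to mission impact, describe a procedure rather than a tool. The following script is an added illustration of the last two steps (identify trust relationships, analyze results in context); it is not GAO's code and not part of the talk. It assumes a constructed inventory: each host sits on a segment, may hold the "data of interest", and has trust relationships (allow rules, shared credentials, database links) that let it reach other hosts. Scanner findings carry a local severity; the contextual score adds weight when the host is reachable from the Internet through a chain of trust relationships and when an access path from that host leads to the data of interest. All host names, findings and the scoring weights are constructed for the example.

```python
"""Contextual prioritization of audit findings (constructed example, not GAO code)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    segment: str                      # e.g. "internet", "dmz", "lan"
    holds_data: bool = False          # True if this host stores the data of interest
    reaches: list = field(default_factory=list)  # hosts reachable via a trust relationship


@dataclass
class Finding:
    host: str
    title: str
    local_severity: int               # 1 (low) .. 5 (high), as a scanner would rate it


def reachable_from(hosts, start_segment):
    """Breadth-first walk over trust relationships starting at every host on
    `start_segment`; returns the set of host names an actor there can reach."""
    by_name = {h.name: h for h in hosts}
    queue = deque(h.name for h in hosts if h.segment == start_segment)
    seen = set(queue)
    while queue:
        cur = queue.popleft()
        for nxt in by_name[cur].reaches:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def path_to_data(hosts, start):
    """Shortest chain of trust relationships from `start` to a host holding the
    data of interest (the access path); None if no such chain exists."""
    by_name = {h.name: h for h in hosts}
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if by_name[cur].holds_data:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in by_name[cur].reaches:
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def prioritize(hosts, findings):
    """Re-rank findings by local severity plus network context.
    Weights (constructed): +3 if reachable from the Internet, +3 if the host
    itself holds the data, +2 if an access path from the host leads to it."""
    by_name = {h.name: h for h in hosts}
    exposed = reachable_from(hosts, "internet")
    ranked = []
    for f in findings:
        path = path_to_data(hosts, f.host)
        score = f.local_severity
        if f.host in exposed:
            score += 3
        if path is not None:
            score += 3 if by_name[f.host].holds_data else 2
        ranked.append({"host": f.host, "title": f.title, "local": f.local_severity,
                       "score": score, "exposed": f.host in exposed, "path": path})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed inventory: the "internet" pseudo-host models any external actor.
HOSTS = [
    Host("internet", "internet", reaches=["web-server", "net-printer"]),
    Host("web-server", "dmz", reaches=["app-server"]),
    Host("net-printer", "dmz", reaches=["print-server"]),   # printer exposed to the Internet
    Host("print-server", "lan"),
    Host("app-server", "lan", reaches=["db-server"]),
    Host("db-server", "lan", holds_data=True),
    Host("hr-workstation", "lan", reaches=["db-server"]),
]

# Constructed scanner output.
FINDINGS = [
    Finding("web-server", "Outdated TLS configuration", 3),
    Finding("hr-workstation", "Missing OS patches", 5),
    Finding("net-printer", "Default administrative credentials", 2),
    Finding("db-server", "Weak database account password", 4),
]

if __name__ == "__main__":
    for r in prioritize(HOSTS, FINDINGS):
        print(f"{r['score']:>2} (local {r['local']}) {r['host']:<15} {r['title']}"
              f"  exposed={r['exposed']} path={r['path']}")
```

By local severity alone the workstation's missing patches rank first; in context the database host is reachable from the Internet through the web and application tiers and holds the data, so it moves to the top, while the Internet-exposed printer's low local rating still gains weight from its exposure. The weights are deliberately simple; the point is that the ranking is driven by the trust chain and the access path, not by the scanner's number alone.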

Some Closing Thoughts …

It depends …

If then else … (don’t rely only on checklists)

Take a holistic view of the controls environment

Understand & recognize “trust relationships”

Vulnerability scanners are not a silver bullet

Context

Questions & Comments
