Friday, April 26, 2019

Vulnerability Analyzers

Vulnerability assessment products and services:
  • Assured Compliance Assessment Solution (ACAS).
  • Evident.io.
  • Nessus.
  • Qmulos.
  • Qualys. https://vimeo.com/162448482

Thursday, April 25, 2019

Cloud Migration Strategies

The migration process consists of choosing a strategy (one of the "6 R's" listed below) for each application and executing a five-phase plan. The five phases are: Opportunity Evaluation, Portfolio Discovery and Planning, Application Design, Migration and Validation, and Operate.

Phase 1:  Opportunity Evaluation. What is the business case or compelling event that will drive your migration to the cloud? Examples:  data center lease expiration, policy (e.g. FDCCI, DCOI, ADDCP), access to services or features, reduction of expense (trading up-front and recurring capital expense for operating expense that tracks actual use), developer productivity (e.g. reduced wait time for infrastructure provisioning and access to services that don't need to be built in-house), availability, content caching, backups, disaster recovery.

Phase 2:  Portfolio Discovery and Planning. What's in your environment, what are the interdependencies, what will you migrate first, and how will you migrate it? Inspect your configuration management database (CMDB), draw on institutional knowledge, and/or deploy discovery tools (e.g. AWS Application Discovery Service or RISC Networks). Understand licensing arrangements. For security and costing purposes, it's useful to know:

  • What information type(s) are going to be received, processed, stored, transmitted, and/or displayed in the cloud? Refer to NIST SP 800-60 Volume II for guidance on information types and provisional impact levels.
  • What is the footprint (compute, storage, network) of the applications that will be re-hosted or re-platformed? This information is used for cost estimation.
  • Are performance metrics available? This information is used to right-size the environment. Because the cloud has a pay-as-you-go model, there's no need to over-provision resources: the architecture can be designed to meet the minimum performance requirements and expanded as additional resources are needed.
  • Consider data gravity. What data belongs with which application? Where the data lives will drive where the application lives and/or how that application accesses the data. If a large data set is going to be used for sporadic analysis work in the cloud (by spinning up hundreds of instances), analyze whether it makes sense to store this data permanently in the cloud or to move it in and out over the wire or via Snowball. If you don't have the bandwidth and the volume is large, the copy-and-ship (Snowball) approach will be more efficient than a wire transfer.
  • What volume of data needs to be transferred into or out of the cloud? This information is needed to design data transfer solutions (e.g. over the wire or out-of-band using Snowball) and to estimate costs for data egress.

Phases 3 and 4:  Designing, Migrating, and Validating Applications. Each application is designed, migrated, and validated using one of the six migration strategies. Common infrastructure and security services should be designed once and shared, for example identity management (e.g. Active Directory), log collection, configuration management, and backups. Low-complexity, low-interdependency applications should migrate first. Have the application owner monitor the migration and validate the results while monitoring costs.

Phase 5:  Modern Operating Model. As applications are migrated, iterate on your process(es) and foundation, decommission old systems, and continue to look for opportunities to achieve efficiencies and/or improvements in cost, labor, and security.

This article has a nice graphic showing the six migration strategies (two of them, retire and retain, are dispositions rather than migrations):
  • Re-host (lift-and-shift)
  • Re-platform (lift-and-reshape)
  • Re-purchase (replace, drop-and-shop)
  • Re-architect (re-writing/decoupling applications)
  • Retire/decommission
  • Revisit/retain

Identity and Access Management (IdAM) (draft)

Identity and Access Management (IdAM or IAM) is the set of mechanisms used to authenticate an entity (a user, service, or device) and to authorize it to access resources.

Several well-known services exist for authentication, including Active Directory, Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial-In User Service (RADIUS), Internet Authentication Service (IAS) (Microsoft's implementation of RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+) (the Cisco-developed authentication, authorization, and accounting protocol for network devices), and Network Information Service (NIS). With the proliferation of cloud-based services, cloud service providers now offer identity and access services that are highly scalable, robust, and secure. Examples include Amazon Web Services (AWS) Identity and Access Management (IAM) and the AWS Directory Service options for Active Directory: AD Connector, Simple AD, and AWS Managed Microsoft AD. Rackspace has a good article which compares the different directory service offerings. Some things to consider in implementing authentication services:

  • Managing multiple authentication services is an administrative burden and not an efficient use of resources. Building one robust service (e.g. Active Directory) and configuring applications to use it is easier to manage than setting up separate authentication realms, and it is the foundation for single sign-on (SSO), in which one credential (and ideally one authenticated session) grants access to many services.
  • There are several methods to authenticate an entity, such as username/password, smartcard, challenge questions, one-time codes or tokens, and biometrics. Use of multifactor authentication (MFA) is highly recommended: it requires two or more of something the user knows (e.g. a password), something the user has (e.g. a smartcard or token), and something the user is (e.g. a fingerprint).
  • Implement an account lockout policy and a recovery mechanism for lost or forgotten passwords (e.g. SysOp Tools Password Reset Pro). For hosted services (e.g. Office 365), configure this through the service's administrative tools.
  • Implement a logging and audit policy and review authentication events: for example, use of privileged accounts, failed access attempts, and anomalies in access times or geographic location (e.g. a user logging in from the US and then 10 seconds later from the UK).
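As an added example (not from the original post), the following Python evaluates the two review cases above over constructed authentication events: a burst of failed logins that should trip the lockout policy, and the "US, then the UK 10 seconds later" impossible-travel case. The event fields, the five-failures-in-ten-minutes threshold, the 900 km/h travel limit, and the GeoIP coordinates are assumptions for illustration; in practice a SIEM supplies the events.

```python
"""Authentication-log review: failed-login bursts and impossible travel.

Added example, not from the original page. Event format, lockout threshold,
travel-speed limit and coordinates are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List


@dataclass(frozen=True)
class AuthEvent:
    time: datetime
    user: str
    success: bool
    country: str   # assumed GeoIP enrichment of the source address
    lat: float
    lon: float


# Constructed sample log: ISO time, user, result, country, latitude, longitude.
SAMPLE_LOG = [
    ("2019-04-25T08:00:00", "alice", "SUCCESS", "US", 38.90, -77.04),
    ("2019-04-25T08:00:10", "alice", "SUCCESS", "GB", 51.51, -0.13),   # impossible
    ("2019-04-25T08:00:00", "carol", "SUCCESS", "US", 38.90, -77.04),
    ("2019-04-25T09:00:00", "carol", "SUCCESS", "US", 40.71, -74.01),  # DC -> NYC, plausible
    ("2019-04-25T09:00:00", "bob", "FAILURE", "US", 38.90, -77.04),
    ("2019-04-25T09:00:30", "bob", "FAILURE", "US", 38.90, -77.04),
    ("2019-04-25T09:01:00", "bob", "FAILURE", "US", 38.90, -77.04),
    ("2019-04-25T09:01:30", "bob", "FAILURE", "US", 38.90, -77.04),
    ("2019-04-25T09:02:00", "bob", "FAILURE", "US", 38.90, -77.04),   # 5 in 2 minutes
    ("2019-04-25T07:00:00", "dave", "FAILURE", "US", 38.90, -77.04),
    ("2019-04-25T12:00:00", "dave", "FAILURE", "US", 38.90, -77.04),
    ("2019-04-25T18:00:00", "dave", "FAILURE", "US", 38.90, -77.04),  # spread out
]


def parse_log(rows) -> List[AuthEvent]:
    return [AuthEvent(datetime.fromisoformat(t), u, r == "SUCCESS", c, la, lo)
            for t, u, r, c, la, lo in rows]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(events: List[AuthEvent]) -> Dict[str, List[AuthEvent]]:
    groups: Dict[str, List[AuthEvent]] = {}
    for e in sorted(events, key=lambda e: e.time):
        groups.setdefault(e.user, []).append(e)
    return groups


def impossible_travel(events: List[AuthEvent], max_kmh: float = 900.0) -> List[dict]:
    """Flag consecutive successful logins by the same user whose implied travel
    speed exceeds max_kmh (roughly airliner speed, an assumed limit)."""
    findings = []
    for user, evs in _by_user(events).items():
        ok = [e for e in evs if e.success]
        for prev, cur in zip(ok, ok[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            secs = (cur.time - prev.time).total_seconds()
            # A non-zero distance in zero elapsed time is impossible as well.
            if km > 0 and (secs == 0 or km / (secs / 3600) > max_kmh):
                findings.append({"user": user, "from": prev.country, "to": cur.country,
                                 "km": round(km), "seconds": int(secs)})
    return findings


def failed_login_bursts(events: List[AuthEvent], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Users with at least `threshold` failures inside any sliding `window`
    (the condition a lockout policy should enforce)."""
    flagged = []
    for user, evs in _by_user(events).items():
        fails = [e.time for e in evs if not e.success]
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("impossible travel:", impossible_travel(evs))
    print("failed-login bursts:", failed_login_bursts(evs))
```

Run stand-alone it reports alice (about 5,900 km between Washington and London in 10 seconds) and bob (five failures in two minutes); carol's Washington-to-New York hop in an hour and dave's three failures spread over a day stay below the thresholds. The sliding window matters: counting failures per calendar hour would miss a burst that straddles the hour boundary.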

Access management concerns governing permissions and rights to resources once the identity of an entity has been verified by the authentication service described above. It is implemented through mechanisms such as file system permissions (ACLs), group membership, and role definitions and assignments (role-based access control).

Per Department of the Army Pamphlet (DA PAM) 25-2-7, Information Management: Army Cybersecurity, Army Information System Privileged Access, DA Form 7789 (Privileged Access Agreement and Acknowledgment of Responsibilities) is required after 4 May 2019. Individuals requiring elevated access to system control, monitoring, administration, criminal investigation, and/or compliance functions must complete and sign a Privileged Access Agreement (PAA). Categories and specialties within the cybersecurity workforce that require a PAA include:
  • those requiring modification access to the configuration control functions of the IS/network and administration (e.g. user account management),
  • those with access to change control parameters (e.g. routing tables, path priorities, addresses of routers, multiplexers, and other key IS/network equipment or software),
  • those with the ability and authority to control and change program files and other users' access to data,
  • those with direct access to operating-system-level functions that could permit system controls to be bypassed or changed, and
  • those with access and authority to install, configure, monitor, and/or troubleshoot the security monitoring functions of IS/networks, or who perform cyber/network defense operations.

PAM, Privileged Access Management (sometimes Privileged Account Management), refers to the oversight of privileged user access to critical data and systems. PAM solutions implement features such as:  an access manager (the point of entry where users request access and administrators grant and revoke it), a password manager (which protects, stores, and rotates privileged credentials so users never need direct knowledge of them), and a session manager (which records and monitors privileged activity, terminates suspicious sessions automatically or manually, and reports on them).

Authentication

  • Password policy
  • Multi-factor Authentication (MFA)
  • Single Sign On (SSO). Minimizes the number of credentials users need and the number of authentication realms to manage, and lets you audit authentication events diligently in one place. SSO can also add MFA in front of applications that don't support it natively.
Authorization

Authorization is the concept controlling what a user is allowed (or not allowed) to do once they are authenticated. In IAM terms, authentication + authorization = access.

Governance is the concept of periodically attesting to the appropriateness (or correctness) of user authorizations.

Identity analytics is an emerging discipline of IAM that evaluates the permissions, rights and entitlements of individuals and detects anomalies. It is an effective way to uncover errors in provisioning (over-provisioning) and to discover purposeful rights escalation, whether by an external actor using a compromised account or by an insider, before the excess access is used in an incident.
  • Provisioning. Defining roles and assigning the user to the correct role(s) that provide the rights they need to do their job.
  • Deprovisioning. Removing those rights when the user's role changes or they leave.
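The following Python, added here as an example and not from the original post, ties the authorization, governance, provisioning and identity-analytics points together on a constructed role model: effective permissions come from role membership plus direct grants, inactive accounts are denied regardless of their entitlements, direct grants outside the role baseline are reported as over-provisioning, and inactive accounts that still hold privileged entitlements are reported as deprovisioning gaps. Role names, permissions and users are assumptions.

```python
"""Role-based authorization with a simple identity-analytics review.

Added example (not from the page). Roles, permissions and users are constructed.
"""
from typing import Dict, FrozenSet, List, Set

# Role -> permissions: the provisioning baseline. Constructed.
ROLES: Dict[str, FrozenSet[str]] = {
    "helpdesk":  frozenset({"user:read", "user:reset_password"}),
    "developer": frozenset({"repo:read", "repo:write", "ci:run"}),
    "sysadmin":  frozenset({"user:read", "user:create", "user:delete", "server:admin"}),
}

# Entitlements that count as privileged for the deprovisioning check. Constructed.
PRIVILEGED = {"server:admin", "user:create", "user:delete"}

# Constructed identity store: user -> roles, direct (out-of-role) grants, active flag.
USERS: Dict[str, dict] = {
    "alice": {"roles": {"developer"}, "direct": set(), "active": True},
    "bob":   {"roles": {"helpdesk"}, "direct": {"server:admin"}, "active": True},   # over-provisioned
    "carol": {"roles": {"sysadmin"}, "direct": set(), "active": False},             # left, not deprovisioned
    "dave":  {"roles": {"developer", "helpdesk"}, "direct": set(), "active": True},
}


def role_baseline(roles: Set[str]) -> Set[str]:
    """Permissions a user should have purely by virtue of their roles."""
    return set().union(*(ROLES[r] for r in roles))


def effective_permissions(user: str) -> Set[str]:
    """Role baseline plus any direct grants."""
    rec = USERS[user]
    return role_baseline(rec["roles"]) | set(rec["direct"])


def is_authorized(user: str, permission: str) -> bool:
    """authentication + authorization = access: an unknown or inactive
    (deprovisioned) account is denied whatever entitlements remain on it."""
    rec = USERS.get(user)
    if rec is None or not rec["active"]:
        return False
    return permission in effective_permissions(user)


def over_provisioned() -> Dict[str, Set[str]]:
    """Identity-analytics check: direct grants outside the user's role baseline,
    i.e. provisioning errors or deliberate rights escalation."""
    findings = {}
    for user, rec in USERS.items():
        excess = set(rec["direct"]) - role_baseline(rec["roles"])
        if excess:
            findings[user] = excess
    return findings


def stale_privileged_accounts() -> List[str]:
    """Deprovisioning gaps: inactive accounts still holding privileged entitlements."""
    return sorted(u for u, rec in USERS.items()
                  if not rec["active"] and effective_permissions(u) & PRIVILEGED)


def attestation_report() -> Dict[str, dict]:
    """Per-user entitlement listing for the periodic owner attestation (governance)."""
    return {u: {"roles": sorted(rec["roles"]),
                "permissions": sorted(effective_permissions(u)),
                "active": rec["active"]}
            for u, rec in USERS.items()}


if __name__ == "__main__":
    print("bob may administer servers:", is_authorized("bob", "server:admin"))
    print("over-provisioned:", over_provisioned())
    print("stale privileged accounts:", stale_privileged_accounts())
    for user, row in attestation_report().items():
        print(user, row)
```

Note that `is_authorized("bob", "server:admin")` is true: the access decision honours the grant, which is exactly why the analytics pass has to exist. The grant shows up in `over_provisioned()`, and carol's dormant sysadmin role shows up in `stale_privileged_accounts()`, for the owner to revoke at attestation time.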

Identity Solution Providers.
  • Auth0. Role-based access control. "Organizations" - allows clients to manage roles. Developer friendly. Note Auth0 was acquired by Okta.
PAM:
  • CyberArk.
  • Thycotic.
  • BeyondTrust. Call 7/26/2021 with Nick Shaw, Anthony White (DoD and DHA), and Steven Schullo (Solutions Engineer). Endpoint Privilege Management: agent-based (Windows, Mac, Unix), licensed by asset (the number of users doesn't matter); allows access to privileged functions by elevating the process rather than the user. Policy modes: whitelist, blacklist, Assistance Required (needs a code from the Service Desk), and Credentials Required (user provides a credential as well as a reason). BeyondInsight (command and control/management, auditing); can also be controlled through ePO as well as GPO; can run on-premise or as SaaS in Azure, AWS, or GCP (working on a FedRAMP ATO; look for BeyondTrust in the CSP marketplace, where the customer is only responsible for compute cost). Password Safe. Cloud Privilege Broker (coming this summer).
  • Wallix
Identity Governance
Additional References:
  • NIST SP 800-53 AC (Access Control) control family

Monday, April 22, 2019

Information Assurance/Cyber Security Resources

DoD
Army
Navy
  • DIACAP Knowledge Service
Certification and Training

Wednesday, April 3, 2019

Preventive Maintenance Program for IT

Preventive maintenance is performed on IT systems in order to resolve issues before they become failures that impact operations. By identifying problems early and conducting periodic repairs and upgrades, savings in cost and labor are realized by avoiding corrective/reactive maintenance.

Preventive maintenance is performed regularly on a scheduled basis in order to minimize the chance that a piece of IT equipment will fail and cause unscheduled downtime. A bi-weekly after-hours maintenance window is established to perform compliance, corrective/repair, and preventive maintenance on IT equipment. Prior to entering the maintenance window, the Operations Lead prepares a list of activities to be performed during the window and obtains approval for execution from the Operations Manager. The plan for each maintenance window includes an estimate of the time required to perform the planned actions and is prioritized with emphasis on corrective/repair and compliance activities. If the time allocated for the maintenance window does not allow preventive maintenance activities to be performed, the Operations Lead coordinates with the Operations Manager to set aside a supplemental maintenance period, or the actions are planned so as not to disrupt ongoing operations (e.g. replacing a failed drive in a RAID set, which requires no downtime). We develop the planned list of preventive maintenance activities for a given maintenance window using:
- Lifecycle Management (LCM) reports are produced weekly. Equipment with an end of support (EOS) or end of life (EOL) date within six months of the current date are flagged for replacement and a determination is made to sustain or retire the equipment or capability. If the equipment is to be retired, we follow a decommissioning process. If the equipment or capability is to be sustained, our engineering team evaluates replacement solutions and prepares an acquisition request which includes budgetary pricing, justification, and implementation plan. 
- Network and system monitoring tools (e.g. SolarWinds) are used to query and log capacity utilization for server CPU, memory, disk, and network resources. For CPU and memory components, additional resources are provisioned if utilization exceeds 70% over a prolonged interval (e.g. not an abnormal spike due to a surge in use). For disk resources, capacity or quota is increased by 20% when a volume reaches 80%. For physical systems, an acquisition request is made for additional hardware required. For virtual systems, hypervisor capacity is analyzed to verify additional resources can be provisioned.
- For systems configured to retain local log files, utilization of local storage is inspected weekly. When utilization exceeds 90%, the oldest events are deleted after verification that logs are being successfully delivered to the security information and event management (SIEM) system.
- SAN and NAS health is analyzed weekly by examining the management interface, logs, and/or alerts. Any disks flagged as failed or failing by the SAN or NAS are replaced. An acquisition is initiated for additional storage when capacity reaches 80%, with the amount of capacity increase determined by analysis of the growth rate and any projections provided by information owners.
- Tier 3 System Administrators, Network Engineers, and Database Administrators monitor vendor web sites and/or newsfeeds to maintain awareness of updates and manufacturer recommendations for periodic maintenance of the systems they manage. Operating system, application, SAN or NAS, switch, router, firewall, and other IT system updates are applied when enhancements to features, stability, and/or performance can be achieved.
- Security Information and Event Management (SIEM) logs and alerts are reviewed to identify indications of potential failures. These could include:  network interface errors indicative of failing hardware, loose connections, or wiring damage, warnings for PKI certificate expiration, equipment temperature or power fluctuations which could indicate failing fans or power supplies. Testing (e.g. wiring) or replacement of components is performed during the scheduled maintenance window.
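As an added example (not part of the original program description), this Python turns constructed monitoring data into a prioritized work list for a maintenance window using the thresholds above: CPU and memory over 70% sustained across most samples rather than a single spike, disk volumes at 80% grown by 20%, local log stores over 90% pruned only when SIEM delivery is confirmed, EOS/EOL dates within six months flagged, and expiring certificates flagged. The 30-day certificate horizon, the 80%-of-samples rule for "sustained", and the priority numbers (1 corrective/compliance, 2 lifecycle and log handling, 3 preventive capacity) are assumptions.

```python
"""Build a prioritized maintenance-window work list from monitoring data.

Added example, not from the page. Sample inventory is constructed. Thresholds
follow the text; the certificate horizon, "sustained" rule and priorities are assumed.
"""
from datetime import date, timedelta
from typing import Dict, List

CPU_MEM_THRESHOLD = 70.0          # percent utilization, sustained
DISK_THRESHOLD = 80.0             # percent used triggers growth
DISK_GROWTH = 0.20                # grow by 20% of current size
LOG_STORE_THRESHOLD = 90.0        # local log volume percent used
EOS_HORIZON = timedelta(days=182) # "within six months"
CERT_HORIZON = timedelta(days=30) # assumed; the page gives no figure
SUSTAINED_FRACTION = 0.8          # assumed: 80% of samples over threshold = sustained

# Constructed inventory: per-host utilization samples, disks (size GB, % used),
# local log store and SIEM forwarding status, plus EOS and certificate dates.
SAMPLE_INVENTORY = {
    "hosts": {
        "web01": {"cpu": [72, 75, 81, 78, 74], "mem": [55, 58, 60, 57, 56],
                  "disks": {"/var": (200, 83)}, "log_store_pct": 92, "siem_delivery_ok": True},
        "db01":  {"cpu": [40, 95, 42, 38, 41], "mem": [65, 66, 64, 67, 65],   # one spike only
                  "disks": {"/data": (2000, 61)}, "log_store_pct": 95, "siem_delivery_ok": False},
    },
    "eos_dates": {"core-sw-01": date(2019, 8, 1), "fw-01": date(2021, 1, 15)},
    "cert_expiry": {"www.example.com": date(2019, 4, 20), "vpn.example.com": date(2020, 4, 1)},
}
TODAY = date(2019, 4, 3)


def sustained_over(samples: List[float], threshold: float,
                   min_fraction: float = SUSTAINED_FRACTION) -> bool:
    """True when at least min_fraction of samples exceed threshold, so a single
    surge (e.g. [40, 95, 42]) does not trigger a capacity increase."""
    if not samples:
        return False
    over = sum(1 for s in samples if s > threshold)
    return over / len(samples) >= min_fraction


def plan_maintenance(inv: Dict, today: date) -> List[Dict]:
    """Return work items sorted by (priority, host); priority 1 is most urgent."""
    items: List[Dict] = []
    for host, h in inv["hosts"].items():
        for res in ("cpu", "mem"):
            if sustained_over(h[res], CPU_MEM_THRESHOLD):
                items.append({"priority": 3, "host": host,
                              "action": f"provision additional {res}"})
        for vol, (size_gb, used_pct) in h["disks"].items():
            if used_pct >= DISK_THRESHOLD:
                items.append({"priority": 3, "host": host,
                              "action": f"grow {vol} by {round(size_gb * DISK_GROWTH)} GB"})
        if h.get("log_store_pct", 0) > LOG_STORE_THRESHOLD:
            # Never delete local logs until delivery to the SIEM is verified.
            if h["siem_delivery_ok"]:
                items.append({"priority": 2, "host": host, "action": "prune oldest local logs"})
            else:
                items.append({"priority": 1, "host": host,
                              "action": "FIX SIEM forwarding before pruning local logs"})
    for asset, eos in inv["eos_dates"].items():
        if eos - today <= EOS_HORIZON:
            items.append({"priority": 2, "host": asset,
                          "action": f"EOS {eos.isoformat()}: sustain/retire decision"})
    for cn, exp in inv["cert_expiry"].items():
        if exp - today <= CERT_HORIZON:
            items.append({"priority": 1, "host": cn,
                          "action": f"renew certificate (expires {exp.isoformat()})"})
    return sorted(items, key=lambda i: (i["priority"], i["host"]))


if __name__ == "__main__":
    for item in plan_maintenance(SAMPLE_INVENTORY, TODAY):
        print(item["priority"], item["host"], item["action"])
```

On the sample data db01's CPU spike to 95% is ignored while web01's steady 72 to 81% is not, and db01's full log volume becomes a priority-1 item to repair SIEM forwarding rather than a pruning task, since deleting logs that never reached the SIEM destroys evidence.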

During the maintenance window, the planned and approved preventive maintenance actions are performed. At the conclusion of the maintenance, the Operations Lead provides a report to the Operations Manager which indicates what activities were successful.

A computerized maintenance management system (CMMS) is recommended for tracking and scheduling the activities of this preventive maintenance program.

Monday, April 1, 2019

Testing Web Server PKI Certificates

Qualys SSL Labs (https://www.ssllabs.com) will check certificate validity, the cipher suites and hashing algorithms supported, the TLS protocol versions enabled, etc., and assign a grade to a TLS-enabled web server. On Windows, use Nartac Software's IIS Crypto to configure the server's SChannel protocol and cipher suite settings to get an "A"!
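An added example, not the page's or Qualys' code: a Python policy check that grades a server from scan results of the kind SSL Labs reports (protocols, cipher suites, certificate key size and signature algorithm, expiry, hostname match, chain trust). The scan results are constructed dicts for a weak server and a hardened one; in practice they would be populated from openssl s_client or sslscan output. The grading rules are an assumption modelled on what SSL Labs penalizes, not its actual algorithm.

```python
"""Grade a web server's TLS and certificate posture from scan results.

Added example, not the page's or Qualys' code. Scan results are constructed;
the policy and letter grades are assumptions modelled on SSL Labs' penalties.
"""
from datetime import date, timedelta
from typing import Dict, List

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5", "anon")
MIN_RSA_BITS = 2048
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
EXPIRY_WARNING = timedelta(days=30)

# Constructed scan results: the "before" (weak) and "after" (hardened) server.
WEAK_SERVER = {
    "hostname": "www.example.com",
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "cert": {"key_type": "RSA", "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption",
             "not_after": date(2019, 6, 1), "san": ["www.example.com"]},
    "chain_trusted": True,
}
HARDENED_SERVER = {
    "hostname": "www.example.com",
    "protocols": ["TLSv1.2"],
    "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
    "cert": {"key_type": "RSA", "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption",
             "not_after": date(2020, 4, 1), "san": ["*.example.com"]},
    "chain_trusted": True,
}
TODAY = date(2019, 4, 1)


def hostname_matches(hostname: str, names: List[str]) -> bool:
    """RFC 6125-style match against subjectAltName entries: exact match, or a
    wildcard covering exactly one left-most label (*.example.com matches
    www.example.com but not a.b.example.com or example.com)."""
    host = hostname.lower().rstrip(".")
    for n in names:
        n = n.lower()
        if n == host:
            return True
        if n.startswith("*.") and host.count(".") == n.count(".") and host.endswith(n[1:]):
            return True
    return False


def audit(scan: Dict, today: date) -> List[str]:
    """Return human-readable findings; an empty list means the policy is met."""
    findings: List[str] = []
    for p in scan["protocols"]:
        if p in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {p}")
    for c in scan["ciphers"]:
        if any(m in c for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite: {c}")
    cert = scan["cert"]
    if cert["key_type"] == "RSA" and cert["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key too small: {cert['key_bits']} bits")
    if cert["sig_alg"] in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm: {cert['sig_alg']}")
    if cert["not_after"] < today:
        findings.append("certificate expired")
    elif cert["not_after"] - today <= EXPIRY_WARNING:
        findings.append("certificate expires within 30 days")
    if not hostname_matches(scan["hostname"], cert["san"]):
        findings.append("hostname not in subjectAltName")
    if not scan.get("chain_trusted", False):
        findings.append("chain not trusted")
    return findings


def grade(findings: List[str]) -> str:
    """Assumed letter grade: trust/expiry/hostname problems fail outright (T),
    weak keys, signatures or SSL fail (F), legacy TLS or weak ciphers cap at B."""
    if any(f.startswith(("chain", "certificate expired", "hostname")) for f in findings):
        return "T"
    if any("SSLv" in f or "RSA key" in f or "signature" in f for f in findings):
        return "F"
    if any(f.startswith(("weak protocol", "weak cipher", "certificate expires")) for f in findings):
        return "B"
    return "A"


if __name__ == "__main__":
    for name, scan in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        found = audit(scan, TODAY)
        print(f"{name}: grade {grade(found)}")
        for f in found:
            print("  -", f)
```

The weak server collects six findings (two legacy protocols, RC4 and 3DES suites, a 1024-bit key and a SHA-1 signature) and fails; the hardened server, which is what IIS Crypto's recommended template produces on the protocol and cipher side, comes back clean. The hostname check is included because a perfect cipher configuration on a certificate that does not name the host is still a failed handshake for every browser.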
