[ISN] ITL Bulletin for February 2003

From: InfoSec News (isnat_private)
Date: Thu Feb 27 2003 - 22:54:54 PST

  • Next message: InfoSec News: "[ISN] Is vigilante hacking legal?"

    ---------- Forwarded message ----------
    Date: Thu, 27 Feb 2003 10:28:56 -0500 (EST)
    From: Elizabeth Lennon <elizabeth.lennonat_private>
    To: Multiple recipients of list <itl-bulletinat_private>
    Subject: ITL Bulletin for February 2003
    
    SECURE INTERCONNECTIONS FOR INFORMATION TECHNOLOGY SYSTEMS
    Shirley Radack, Editor
    Computer Security Division
    Information Technology Laboratory
    National Institute of Standards and Technology
    
    Organizations may decide to interconnect their information technology
    (IT) systems so they can share their data and information resources
    with each other. Benefits that participating organizations may realize
    include reduced operating costs, greater functionality, improved
    efficiency, and centralized access to data. Organizations choose to
    interconnect their IT systems for a variety of reasons, depending on
    their organizational needs or the requirements of Congressional
    mandates or Executive department agreements.
    
    National Institute of Standards and Technology (NIST)  Special
    Publication (SP) 800-47, Security Guide for Interconnecting
    Information Technology Systems, provides guidance for planning,
    establishing, maintaining, and terminating secure yet cost-effective
    interconnections between IT systems that are owned and operated by
    different organizations. This ITL Bulletin summarizes the document,
    which also discusses the benefits of interconnecting IT systems, the
    basic components of an interconnection, the methods and levels of
    interconnectivity, and the potential security risks associated with
    interconnections. Written by Tim Grance, Joan Hash, Steven Peck,
    Jonathan Smith, and Karen Korow-Diks, NIST SP 800-47 is available at
    http://csrc.nist.gov/publications/nistpubs/index.html.
    
    The appendices contain sample documents to help organizations
    interconnect their IT systems, including an Interconnection Security
    Agreement (ISA), which specifies the technical and security
    requirements of the interconnection; a Memorandum of
    Understanding/Agreement (MOU/A), which defines the responsibilities of
    the participating organizations; and a System Interconnection
    Implementation Plan, which defines the process for establishing the
    interconnection. Also included are a glossary, references, and an
    index.
    
    Interconnection Issues
    
    Organizations deciding to interconnect their systems should determine
    the method of interconnection. IT systems can be interconnected by a
    dedicated line that either is owned by one of the organizations or is
    leased from a third party, such as an Integrated Services Digital
    Network (ISDN), a T1, or a T3 line. Dedicated physical lines provide a
    higher level of security for the interconnected systems, because they
    can be breached only through direct physical access to the line.
    However, dedicated lines can be expensive.
    
    A less expensive alternative to the dedicated line is interconnection
    over a public network, using a virtual private network (VPN). A VPN is
    a data network that enables two or more parties to communicate
    securely across a public network by creating a private connection, or
    "tunnel,"  between them. This alternative can be less secure than the
    dedicated line, however, because unauthorized parties could intercept
    unprotected data that is transmitted over the public network.
    
    Interconnected IT systems can expose the participating organizations
    to risks. In planning for interconnected systems, organizations should
    apply risk management procedures. Federal agencies are required to
    protect government information commensurate with the risk and
    magnitude of harm that could result from the loss, misuse,
    unauthorized access, or modification of such information.
    
    If the interconnection is not properly designed, security failures
    could compromise the connected systems and the data they store,
    process, or transmit. In addition, if one of the connected systems is
    compromised, the interconnection could be used to compromise the other
    system and its data. In most cases, the participating organizations
    have little or no control over the operation and management of the
    other party's system.
    
    Therefore, both parties should learn as much as possible about the
    risks associated with the planned or current interconnection and the
    security controls that they can implement to mitigate those risks. A
    written agreement is needed to establish and describe the management,
    operation, and use of the interconnection. The agreement should be
    reviewed and approved by appropriate senior staff from each
    organization.
    
    OMB Circular A-130, Appendix III, requires agencies to obtain written
    management authorization before connecting agency IT systems to other
    systems, based on an acceptable level of risk. The written
    authorization should define the rules of behavior and controls that
    must be maintained for the system interconnection, and it should be
    included in the agencies' system security plans.
    
    Four Phases of the System Interconnection Life Cycle
    
    The NIST SP 800-47 guide recommends a "life-cycle management" approach
    for interconnecting IT systems:
    
    ( planning for the interconnection;
    ( establishing the interconnection;
    ( maintaining the interconnection; and
    ( disconnecting an interconnection.
    
    Planning for the Interconnection.
    
    The planning phase is the first step in establishing an efficient and
    secure interconnection. The participating organizations should examine
    all relevant technical, security, and administrative issues; and form
    an agreement governing the management, operation, and use of the
    interconnection.
    
    A joint planning team should be established by the participating
    organizations, composed of management and technical staff, including
    program managers, security officers, system administrators, network
    administrators, and system architects. The joint planning team should
    coordinate the planning process with the support of senior managers
    and system and data owners. The team would be responsible for
    coordinating all aspects of the planning process and ensuring that it
    had clear direction and sufficient resources. After the initial
    planning phase, the team may remain active to discuss future issues
    involving the interconnection.
    
             The business case for the interconnection should be defined,
    including its purpose and expected benefits, costs for staff and
    equipment, and potential technical, legal, and financial risks.
    Privacy issues and access rules also should be discussed.
    
             Systems to be interconnected should be certified and
    accredited in accordance with federal certification and accreditation
    (C&A) guidelines. Certification involves testing and evaluating the
    technical and nontechnical security features of the system to
    determine the extent to which it meets a set of specified security
    requirements.  Accreditation is the official approval by a Designated
    Approving Authority (DAA) or other authorizing management official
    that the system may operate for a specific purpose using a defined set
    of safeguards at an acceptable level of risk.
    
             The planning team should consider the interconnection
    requirements, including all relevant technical, security,
    administrative, and personnel issues.  This information will be used
    to develop an Interconnection Security Agreement (ISA) and a
    Memorandum of Understanding or Agreement (MOU/A). Further, the
    collected information may be used to develop an implementation plan
    for establishing the interconnection. Issues that should be considered
    include the level and method of the interconnection, impact on
    existing operations, hardware and software requirements, data
    sensitivity, user community, security controls, and rules of behavior,
    among others.
    
             The joint planning team should document an agreement
    governing the interconnection and the terms under which the
    organizations will abide by the agreement, based on the team's review
    of all relevant technical, security, administrative, and personnel
    issues. An ISA should be developed to specify the technical and
    security requirements for establishing, operating, and maintaining the
    interconnection. The MOU/A documents the terms and conditions for
    sharing data and information resources in a secure manner.
    
             The ISA and MOU/A should be reviewed by management officials
    of participating organizations and approved or rejected. Approval of
    the ISA and MOU/A constitutes approval of the interconnection.
    Approval may also be granted on an interim basis. The ISA and MOU/A
    that are developed should be kept in a secure location to protect
    against theft, damage, or destruction. Copies stored electronically
    should be protected from unauthorized disclosure or modification.
    
    Establishing an Interconnection.
    
    The following steps are recommended for establishing a system
    interconnection after it has been planned and approved. The
    participating organizations develop and execute a plan for the
    interconnection, including security controls.
    
    The joint planning team should develop an implementation plan. The
    plan should document all aspects of the interconnection effort and
    clarify how technical requirements specified in the ISA will be
    implemented. The plan should include a description of the IT systems
    to be interconnected, the sensitivity of the data to be exchanged, the
    staff members who will be responsible for the interconnected systems,
    and the security controls, tests, and procedures that will be in
    place.
    
    The implementation plan should be reviewed and approved by the
    planning team. Once approved, the plan may be implemented. Recommended
    steps for establishing the interconnection are described below.
    
    Security controls should be implemented or configured.  These controls
    may include firewalls and intrusion detection systems. Audit logs
    should be installed to record the activities that take place across
    the interconnection and should be appropriately reviewed, protected,
    and maintained. Identification and authentication procedures should be
    established to prevent unauthorized access to the interconnected
    systems. Passwords, biometrics, and smart cards are additional
    measures that may be used.
    
    Logical access controls should be used to designate users who have
    access to system resources and the type of transactions and functions
    that they are permitted to perform. Data passing from one system to
    another should be scanned with antivirus software to detect and
    eliminate malicious code. Antivirus software should be installed on
    all servers and computer workstations linked to the interconnection.
    The software should be automatically updated and maintained with
    current virus definitions.
    
    Encryption can be used to protect the confidentiality and integrity of
    data during transmission and storage, to authenticate users to the
    interconnection and to shared applications, and to provide for
    nonrepudiation of data.
    
    Hardware and software supporting the interconnection should be located
    in a secure location that is protected from unauthorized access,
    interference, or damage.  Interconnections should be protected from
    hazards such as fire, water, and excessive heat and humidity. Computer
    workstations should be in secure areas to protect them from damage,
    loss, theft, or unauthorized physical access.
    
    Hardware and software to establish the interconnection should be
    installed or configured. The hardware and software should be installed
    with proper communications lines, VPN software, routers, and switches.
    Database, web, and application servers should support services
    provided across the interconnection, and needed hubs should be
    installed to join multiple computers into a single network segment.
    Computer workstations should be configured to provide authorized users
    with a link to the interconnection.
    
    Applications or protocols for services that are provided across the
    interconnection should be integrated. These includes word processing,
    database applications, e-mail, web browsers, application servers,
    authentication servers, domain servers, development tools, editing
    programs, and communications programs.
    
    Conduct operational and security testing to ensure equipment operates
    properly and to mitigate or counter the ways for unauthorized users to
    circumvent or defeat security controls. The interface between
    applications should be tested across the interconnection, and security
    controls should be tested under realistic conditions.  Testing should
    be done in an isolated, non-operational environment to avoid
    disturbing the systems. Weaknesses or problems should be corrected,
    and the interconnection retested. Operational and security testing may
    be performed as part of the recertification and reaccreditation
    processes.
    
    Conduct security training and awareness for all authorized personnel
    who will be involved in managing, using, and/or operating the
    interconnection. Ensure that staff members understand the rules and
    that they know how to report suspicious or prohibited activities.
    
    Both organizations should update their system security plans and
    related documents to reflect the changed security environment in which
    their respective systems operate. The MOU/A should address the details
    of conducting a mutual review of the interconnection.
    
    Perform recertification and reaccreditation if significant changes
    have been made to the connected systems.
    
    Activate the interconnection for use by both organizations.  One or
    both organizations should monitor the interconnection for at least
    three months to ensure that it operates properly and securely.
    
    Maintaining the Interconnection.
    
    After it is established, the interconnection must be actively
    maintained for secure operation. The maintenance steps are:
    
             Maintain clear lines of communication to ensure that the
    interconnection is properly maintained and that both sides are
    notified of changes or security incidents.  Communications should be
    conducted between designated personnel using approved procedures.
    
    Authorized personnel should maintain the equipment in accordance with
    the manufacturer's specifications.  Appropriate documentation and
    notification procedures should be used.
    
    User profiles should be managed to assure access to authorized users
    only.  Active management of user profiles helps to prevent intruders
    from using inactive accounts.
    
    Security reviews should be conducted to ensure security controls are
    working properly and providing appropriate levels of protection.
    
    Audit logs should be analyzed at predetermined intervals to detect and
    track unusual or suspicious activities across the interconnection that
    might indicate intrusions or internal misuse.
    
    Security incidents should be reported to participating organizations.
    Both organizations should respond to security incidents by isolating
    systems if necessary and by coordinating their incident response
    activities.
    
    Coordinate contingency planning, training, testing, and exercises to
    minimize the impact of disasters and other contingencies that could
    damage the connected systems or jeopardize the confidentiality and
    integrity of shared data.
    
    Perform change management procedures to ensure that the
    interconnection is properly maintained and secured. A change control
    board should review and approve planned changes for each organization.
    Changes should be based on the security requirements specified in the
    ISA and a determination that the change will not adversely affect the
    interconnection. A joint change control board should review and
    approve changes that affect the interconnection.
    
    Update system security plans and other relevant documentation at least
    annually or whenever there is a significant change to the IT systems
    or to the interconnection.
    
    Disconnecting an Interconnection.
    
    If an interconnection must be terminated, the process should be
    conducted in a methodical manner to avoid disrupting the IT system of
    either organization. The decision to terminate the interconnection
    should be made by the system owner with the advice of appropriate
    managerial and technical staff. Before terminating the
    interconnection, the initiating party should notify the other party in
    writing, and it should receive an acknowledgment in return.
    
    If an organization detects an attack, intrusion attempt, or other
    contingency that exploits or jeopardizes the connected systems or
    data, it may be necessary to abruptly terminate the interconnection
    without written notice to the other party. This is an extraordinary
    measure taken only in extreme circumstances and only after
    consultation with appropriate technical staff and senior management.
    
    Both organizations may choose to restore the system interconnection
    after it has been terminated. The decision to restore the
    interconnection should be based on the cause and duration of the
    disconnection. Both organizations should modify the ISA and MOU/A to
    address issues requiring attention. If the interconnection has been
    terminated for more than 90 days, each party should perform a risk
    assessment on its respective system and reexamine all relevant
    planning and implementation issues, including developing a new ISA and
    MOU/A.
    
    Summary
    
    Interconnecting IT systems can provide significant benefits to
    participating organizations, but can expose both to risks.
    Interconnections must be properly designed, and appropriate security
    controls must be in place to avoid compromise of systems and data.
    Both parties must understand the risks associated with the
    interconnection and the security controls they can implement to
    mitigate those risks. The organizations should establish a formal
    agreement concerning the management, operation, and use of the
    interconnection. The agreement should be reviewed and approved by
    appropriate senior staff from each organization.
    
    Reference List
    
    NIST's Information Technology Laboratory issues publications covering
    research, guidance, standards, and the results of collaborative
    outreach efforts with industry, government, and academic
    organizations. NIST publications dealing with information security
    topics, including archived copies of bulletins, are available in
    electronic format from the NIST Computer Security Resource Center at
    http://csrc.nist.gov/publications/ .
    
    The following NIST Special Publications provide guidance to help
    organizations plan, establish, maintain, and terminate secure IT
    system interconnections:
    
    NIST Special Publication 800-3, Establishing a Computer Security
    Incidence Response Capability (CSIRC), provides information on
    detecting and reporting security incidents.
    
    NIST Special Publication 800-12, An Introduction to Computer Security:
    The NIST Handbook, provides guidance on certification and
    accreditation (C&A), and other security procedures.
    
    NIST Special Publication 800-18, Guide for Developing Security Plans
    for Information Technology Systems, provides details on access control
    issues, and developing and updating security plans.
    
    NIST Special Publication 800-30, Risk Management Guide for Information
    Technology Systems, provides guidance on conducting risk assessments.
    
    NIST Special Publication 800-31, Intrusion Detection Systems (IDS),
    and NIST Special Publication 800-41, Guidelines on Firewalls and
    Firewall Policy, provide information on selection of security
    controls.
    
    NIST Special Publication 800-34, Contingency Planning Guide for
    Information Technology Systems, gives information on coordinating
    contingency planning activities.
    
    Guidance on physical security techniques is included in NIST Special
    Publications 800-12, An Introduction to Computer Security: The NIST
    Handbook; NIST Special Publication 800-27, Engineering Principles for
    Information Technology Security (A Baseline for Achieving Security);  
    and NIST Special Publication 800-30, Risk Management Guide for
    Information Technology Systems.
    
    Details on integrating applications and protocols can be found in NIST
    Special Publication 800-27, Engineering Principles for Information
    Technology Security (A Baseline for Achieving Security); NIST Special
    Publication 800-28, Guidelines on Active Content and Mobile Code; and
    NIST Special Publication 800-33, Underlying Technical Models for
    Information Technology Security.
    
    NIST Special Publication 800-42 (draft), Guidelines on Network
    Security Testing, includes a methodology for using network-based tools
    to test IT systems for vulnerabilities.
    
    Information about Federal Information Processing Standards
    (FIPS)-approved algorithms and cryptographic modules that must be used
    by federal agencies is available at
    http://csrc.nist.gov/publications/fips/index.html.
    
    Disclaimer
    
    Any mention of commercial products or reference to commercial
    organizations is for information only; it does not imply
    recommendation or endorsement by NIST nor does it imply that the
    products mentioned are necessarily the best available for the purpose.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Feb 28 2003 - 01:07:18 PST