US Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. Build Security In. Setting a higher standard for software assurance.

Navigating the Security Practice Landscape

Published: October 30, 2006 | Last revised: July 02, 2013

Author(s): Julia H. Allen Maturity Levels and Audience Indicators: L4 / L, M SDLC Life Cycles: Deployment Copyright: Copyright © Carnegie Mellon University 2005-2012.

Abstract

This article presents a summary of ten leading sources of security practice definition and implementation guidance. It uses ISO 27002 as a foundation (given its international standard status and broad, installed base) and builds on and augments it with additional source material. A summary of publicly available CERT course materials is presented to aid in practice implementation. The content in this article can be used independently or in concert with the approaches described in the other articles in this content area.

Introduction

Purpose

The intent of this article is to provide a navigational aid through the leading sources of security standards, frameworks, and guidelines, at a more detailed level than the other articles in this content area. We'll look at various standards as well as CERT courseware that can help you better understand how to implement these standards.

You need not read this content from A to Z; instead, you can focus first on those practices or standards that you wish to implement immediately and then later delve into those you might not have considered before. We recommend using this article as a reference and a guide.

Contents

This article

  • describes the benefit of using a defense-in-depth or layered defense approach to deploying and operating security practices
  • presents a summary of the leading sources of security practice definition and implementation guidance
  • uses ISO 27002 [ISO 05A] as a foundation and builds on and augments it with additional source material
  • summarizes publicly available CERT courseware that provides detailed, how-to implementation guidance, including online lectures and labs

Many publicly available and useful frameworks, guidelines, and sets of practices describe actions organizations should take to deploy and operate secure systems and deliver secure services to their customers. These include

Adoption of any of these, in concert with a commitment to continuous improvement, appears, at least anecdotally,1 to achieve and sustain an improved level of operational security.

Defense in Depth

Such a wealth of security practices can be overwhelming to review, understand, and use as a basis for determining what to do. One effective means for navigating the security practices landscape is to implement a layered defense or defense-in-depth strategy (refer to the BSI Defense in Depth principle description).2

NIST Special Publication 800-27

NIST Special Publication 800-27, Engineering Principles for Information Technology Security [Stoneburner 04] states that

Securing information systems against the full spectrum of threats requires the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems. This is due to the highly interactive nature of the various systems and networks and the fact that any single system cannot be adequately secured unless all interconnecting systems are also secured.

By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach will not leave the system unprotected. Through user training and awareness, well-crafted policies and procedures, and redundancy of protection mechanisms, layered protections enable effective protection of information technology for the purpose of achieving mission objectives.

As part of Principle 8: Implement tailored system security measures to meet organizational security goals, NIST 800-27 states:

Recognizing the uniqueness of each system allows a layered security strategy to be used – implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.

As part of Principle 16: Implement layered security (ensure no single point of vulnerability), NIST 800-27 goes on to state

For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system.

The need for layered protection is especially important when commercial off-the-shelf (COTS) products are used.

Redundancy and Diversity

Two of the key architectural approaches to consider as part of a layered defense are redundancy3 and diversity. “Redundancy says you have more than one of everything, diversity says you have more than one of everything but they're different. If you can do some redundancy and some diversity where, for example, you distribute your infrastructure in multiple physical locations, then the motivated attacker has to think harder about what part of your organization they're going to target” [Lindner 06].

Another example is to operate both Linux and Windows operating systems on critical servers such that if one is attacked, the other is not affected. Clearly there are risks, tradeoffs, and costs to consider in implementing such a strategy. Redundancy and diversity solutions are typically more expensive and require additional staff skill and competence. These costs need to be weighed against the benefit of fewer or less disruptive security breaches and the ease of restoring a system to its production state after it has been compromised.

Plan, Do, Check, Act, Risk-Centered Practices, and Integrating Security and IT provide additional guidance on how to select practices that can aid in implementing a defense-in-depth approach.

Security Practice Categorization

This section presents categories of security practices to consider during deployment and operations. Its intent is to serve as a navigational aid through the leading sources of security practices and frameworks, at a more detailed level than the other articles in this content area.

Given widespread, international use, ISO 27002 Code of practice for information security management [ISO 05a] and ISO 27001 Annex A Information security management systems [ISO 05b] were used to build the initial master list of practices categories. Categories were then expanded and updated based on the additional sources described below.

Some of the practice categories (such as managing human resources and managing the physical environment for security) are well beyond the scope of deployment and operations. They are included here for completeness; several (such as acquire and develop secure systems) are addressed in much greater detail in other BSI content areas.

The practice categories are as follows. Table 1 (available at the end of this article) identifies subpractices within these categories and sources that provide further details, including guidance for practice implementation in support of secure deployment and operations.

  • Assess, manage, and mitigate security risk.
  • Develop, review, and maintain a useful security policy.
  • Develop, review, and maintain a useful security plan.
  • Manage the organization to operate securely, including both internal operations and relationships with external parties.
  • Adequately protect organizational assets that have security requirements and affect the security of the enterprise.
  • Manage human resources for security prior to employment, during employment, and following changes in assignment or termination.
  • Manage the physical environment to meet security requirements and mitigate risk.
  • Ensure the correct and secure operation of systems and software. This includes a wide range of practices such as change management, configuration management, third party service delivery, system planning, dealing with malicious code, backup, network security, and all forms of monitoring and security assessment.
  • Control access to all classes of assets in support of business requirements.
  • Acquire, develop, and maintain secure systems. For the purposes of deployment and operations, this includes vulnerability management and change management.
  • Report and manage security incidents.
  • Ensure business continuity.
  • Comply with legal requirements and other sources of security requirements.

Sources Used to Identify Practice Categories

The following sources were used in constructing the security practice categories described above and expanded in Table 1. They contain security practice definitions and system- and software-neutral implementation guidance:

ISO/IEC 27002

Code of practice for information security management [ISO 05a] describes 11 security domains and addresses compliance with these domains at managerial, organization, legal, operational, and technical levels. The eleven domains include

  • security policy
  • organization of information security
  • asset management
  • human resources security
  • physical and environmental security
  • communications and operations management
  • access control
  • information systems acquisition, development, and maintenance
  • information security incident management
  • business continuity management
  • compliance

ISO/IEC 27001

Information security management systems [ISO 05b] describes a model for developing and managing an effective Information Security Management System (ISMS). This model is based on the Plan-Do-Check-Act (PDCA) approach commonly used in other quality models. This standard defines the certification requirements for demonstrating compliance with ISO 27002 and comprises both documentation and implementation audits. More information on this standard is available in Plan, Do, Check, Act.

COBIT®

Control Objectives for Information and related Technologies [ITGI 07a]4 describes a framework for IT governance. It is intended to ensure the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information and the systems used to process information. COBIT is organized into

  • four domains (planning and organization; acquisition and implementation; delivery and support; and monitoring)
  • 34 high-level control objectives
  • 318 detailed control objectives

Refer to Integrating Security and IT for more details on COBIT.

Corporate Information Security Working Group

The Corporate Information Security Working Group (CISWG) was convened by Representative Adam Putnam (R-FL) and met from November 2003 through November 2004. The CISWG Phase II Best Practices and Metrics Team had as its goal to “develop a resource that would help Board members, managers, and technical staff establish their own comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security” [CISWG 04].

Information Security Program Elements

This team’s Phase II report gives detailed descriptions of Information Security Program Elements (ISPE) for governance, management, and technical operations. While these elements define security metrics, each metric relies on the presence of one or more security practices against which measures are collected, analyzed, and reported. The report defines 99 metrics. Appendices describe a baseline set of 65 that organizations can use to get started and a smaller subset of 40 for small and medium enterprises.

Governance ISPEs are discussed in the BSI Governance & Management content area. Management and Technical ISPEs are relevant to deployment and operations and are listed in Table 2. Refer to the report for a detailed description of each of these elements.

Table 2. CISWG Information Security Program Elements

Management

  • ISPE8 Establish Information Security Management Policies and Controls and Monitor Compliance
  • ISPE9 Assign Information Security Roles, Responsibilities, and Required Skills, and Enforce Role-based Information Access Privileges
  • ISPE10 Assess Information Risks, Establish Risk Thresholds, and Actively Manage Risk Mitigation
  • ISPE11 Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third Parties
  • ISPE12 Identify and Classify Information Assets
  • ISPE13 Implement and Test Business Continuity Plans
  • ISPE14 Approve Information Systems Architecture During Acquisition, Development, Operations, and Maintenance
  • ISPE15 Protect the Physical Environment
  • ISPE16 Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
  • ISPE17 Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management

Technical

  • ISPE18 User Identification and Authentication
  • ISPE19 User Account Management
  • ISPE20 User Privileges
  • ISPE21 Configuration Management
  • ISPE22 Event and Activity Logging and Monitoring
  • ISPE23 Communications, Email, and Remote Access Security
  • ISPE24 Malicious Code Protection, Including Viruses, Worms, and Trojans
  • ISPE25 Software Change Management, including Patches
  • ISPE26 Firewalls
  • ISPE27 Data Encryption
  • ISPE28 Backup and Recovery
  • ISPE29 Incident and Vulnerability Detection and Response
  • ISPE30 Collaborate with Management to Specify the Technical Metrics to be Reported to Management

Information Security Forum

The Information Security Forum is an international association of over 280 organizations (including 50 per cent of Fortune 100 companies) that fund and cooperate in conducting practical research in information security.

The ISF’s Standard of Good Practice for Information Security [ISF 07] provides “a set of high-level principles and objectives for information security together with associated statements of good practice.” This guideline is organized into six aspects, each of which covers a particular type of operational environment. These include

  • security management
  • critical business applications
  • computer installations
  • networks
  • systems development
  • end user environment

Computer installations and networks provide the underlying infrastructure on which the critical business applications run. The end user environment covers the arrangements associated with protecting corporate and desktop applications, which are used by individuals to process information, and support business processes. Systems development deals with how new applications are created and security management addresses high-level direction and control” [ISF 07].

Each aspect comprises multiple areas (36 in all) as shown in Table 3. Each area comprises multiple sections (166 in all). Each section is described by a principle, an objective, and multiple practices.

Table 3. ISF aspects and areas

SM Security Management

SM1 high level direction

SM2 security organization

SM3 security requirements

SM4 secure environment

SM5 malicious attack

SM6 special topics

SM7 management review

CB Critical Business Applications

CB1 business requirements for security

CB2 application management

CB3 user environment

CB4 system management

CB5 local security management

CB6 special topics

CI Computer Installations

CI1 installation management

CI2 live environment

CI3 system operation

CI4 access control

CI5 local security management

CI6 service continuity

NW Networks

NW1 network management

NW2 traffic management

NW3 network operations

NW4 local security management

NW5 voice networks

SD Systems Development

SD1 development management

SD2 local security management

SD3 business requirements

SD4 design and build

SD5 testing

SD6 implementation

UE End User Environment

UE1 local security management

UE2 corporate business applications

UE3 desktop applications

UE4 computing devices

UE5 electronic communications

UE6 environment management

The Topics Matrix of this Standard provides a list of topics that cut across and map to the aspects, areas, and sections. Ten pages of topics are listed in alphabetical order, including acquisition, application controls, change management, development methodologies and environment, malware protection, patch management, resilience, security architecture, security audit/review, specification of requirements, and system design and build.

ITIL

The current version of ITIL (version 3) consists of a set of five core publications, each defined as a set of processes and functions that include high-level overviews as well as detailed definitions of the steps in each process. These are as follows [itSMF 07]:

  • Service Strategy Processes: strategy generation, financial management, service portfolio management, demand management
  • Service Design Processes: service catalogue management, service level management, capacity management, availability management, IT service continuity management, information security management, supplier management
  • Service Transition Processes: change management, service asset and configuration management, knowledge management, transition planning and support, release and deployment management, service validation and testing, evaluation
  • Service Operation
    • Processes: event management, incident management, request fulfillment, access management, problem management
    • Functions: service desk, technical management, application management, IT operations management
  • Continual Service Improvement Processes: define what you should measure, define what you can measure, gather the data, process the data, analyze the data, present and use the information, implement corrective action; service measurement, service reporting

ITIL process definitions describe the service management process as defined in ISO/IEC 20000 Information technology – Service management [ISO 05c] and as depicted in Integrating Security and IT.

NIST Special Publication 800-27

Engineering Principles for Information Technology Security [Stoneburner 04] identifies 33 “system-level security principles to be considered in the design, development, and operation of an information system. These principles are also helpful in affirming and confirming the security posture of an already deployed information system.” Nineteen of these are essential to achieving and sustaining the desired security posture during deployment and operations. The 800-27 principle numbers are retained here for ease of traceability:

  • Principle 2: Treat security as an integral part of the overall system design.
  • Principle 5: Reduce risk to an acceptable level. (See Risk-Centered Practices.)
  • Principle 6: Assume that external systems are insecure.
  • Principle 7: Identify potential tradeoffs between reducing risk, increased costs, and decreased operational effectiveness (reworded to be more clear).
  • Principle 8: Implement tailored system security measures to meet organizational security goals.
  • Principle 9: Protect information while being processed, in transit, and in storage.
  • Principle 13: Use common language in developing security requirements. (This principle is necessary for evaluating and comparing security products, features, and their performance.) (See BSI Requirements Engineering content area.)
  • Principle 14: Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process.
  • Principle 15: Strive for operational ease of use.
  • Principle 16: Implement layered security (ensure no single point of vulnerability).
  • Principle 17: Design and operate an IT system to limit damage and to be resilient in response.
  • Principle 18: Provide assurance that the system is, and continues to be, resilient in the face of expected threats.
  • Principle 21: Use boundary mechanisms to separate computing systems and network infrastructures.
  • Principle 23: Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
  • Principle 24: Strive for simplicity.
  • Principle 25: Minimize the system elements to be trusted.
  • Principle 26: Implement least privilege.
  • Principle 32: Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
  • Principle 33: Use unique identities to ensure accountability.

NIST Special Publication 800-53

Recommended Security Controls for Federal Information Systems [Ross 07b] “provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. It applies to all components of an information system that process, store, or transmit federal information.”

Categories of Security Controls

This guideline identifies management, operational, and technical classes of controls in the following categories. The numbers in parentheses are the number of specific controls in each category.

  • AC access control (20)
  • AT awareness and training (5)
  • AU audit and accountability (11)
  • CA certification, accreditation, and security assessments (7)
  • CM configuration management (8)
  • CP contingency planning (10)
  • IA identification and authentication (7)
  • IR incident response (7)
  • MA maintenance (6)
  • MP media protection (6)
  • PE physical and environmental protection (19)
  • PL planning (6) 
  • PS personnel security (8)
  • RA risk assessment (5)
  • SA system and services acquisition (11)
  • SC system and communications protection (23)
  • SI system and information integrity (12)

Mappings to Other Standards

Appendix G Security Control Mappings provides a detailed mapping of 800-53 controls to ISO 17799 (27002) paragraphs.

Appendix H Standards and Guidance Mappings provides a detailed mapping of 800-53 controls to all other relevant NIST Special and FIPS publications.

NIST 800-53 “associates recommended minimum security controls with FIPS 199 [NIST 04] low-impact, moderate-impact, and high-impact security categories” [Ross 07b]. Annex 1 of this publication describes a baseline set of minimum security controls for low-impact information systems, Annex 2 for moderate, and Annex 3 for high.

NIST Special Publication 800-64

The intent of Security Considerations in the Information System Development Life Cycle [Kissel 08] is to assist organizations “in integrating essential information technology (IT) security steps into their established IT system development life cycle.” While this publication covers all life cycle phases, the practices relevant to operations and maintenance include

  • Review operational readiness: When a system goes into production, unplanned modifications to software applications can occur. Selected security controls, such as configurations, may need to be retested.
  • Manage security control configuration due to system changes: Changes to system hardware, software, and firmware can have a significant security impact. Assessing the impact of all changes on the system security state is essential.
  • Monitor security controls continuously: Continuous monitoring is required to ensure that security controls continue to be effective and perform as expected in light of changes to the system and its operational environment. Monitoring practices include security reviews, self assessments, vulnerability scans, patch management, and other forms of security testing.
  • Conduct re-authorization: For systems that require certification and accreditation to operate, re- authorization is an opportunity to conduct a full and comprehensive review based on significant changes or the passage of a specific time period. Re-authorization may also be triggered by a monitoring event.

Enhancing the Development Life Cycle to Produce Secure Software

Enhancing the Development Life Cycle to Produce Secure Software [Goertzel 08] ”arms developers, integrators, and testers with the information they need to incorporate security considerations and principles into the practices and processes they use to produce software, and thereby increase the likelihood that the resulting software will be secure.” With respect to deployment and operations, this report recommends the following practices, using the names Secure Distribution, Deployment, and Sustainment for these life cycle phases:

  • Prepare for secure distribution
    • Distribute all software in a default configuration that is as secure and restrictive as possible
    • Deliver all default passwords in encrypted form separate from the software delivery
    • Provide an automated installation tool that sets OS directory privileges as restrictively as possible
    • Review and sanitize all user-viewable source code including sensitive comments, pathname references, debug information, hard-coded credentials, and data-collecting trapdoors
  • Secure distribution
    • For online software distribution, implement trusted distribution techniques (such as code signatures or authentication of download links) to prevent or make evident tampering with distributed code.
    • For offline distribution, use a storage medium that is non-rewritable and apply a digital code signature
  • Secure installation and configuration: Provide instructions for
    • Configuring restrictive file system access controls for initialization files and target directories
    • Validating install-time security assumptions such as expected access controls for all source code and library routines, and that the software is being installed on the anticipated execution environment
    • Removing all unused and unreferenced files
    • Changing passwords and account names on default accounts
    • Deleting unused default accounts
    • Other necessary lockdown procedures such as disabling all non-essential services and any non-secure protocols
  • Secure sustainment
    • Perform impact assessments and address unacceptable impacts for all patches, updates, and maintenance changes before distribution. Update appropriate system and software documentation.
    • Review findings of regularly scheduled security audits, vulnerability scans, and penetration tests. Upon review and approval, take action on findings that affect the systems’ secure posture.
    • Study the results of forensic analysis of security incidents to use as one basis for identifying new security requirements for future software releases.
    • Use software rejuvenation and reconfiguration techniques to prevent vulnerabilities that emerge due to software aging.

Visa U.S.A. Payment Application Best Practices

In addition to the Payment Card Industry Data Security Standard [PCI 08] discussed in Plan, Do, Check, Act, Visa has developed a set of payment application best practices [Visa 07]. The purpose of these practices is to assist software vendors of payment applications to develop and deploy products that are more secure and are compliant with the PCI standard.

The following practices are relevant to deploying and operating secure software. Each practice description includes detailed subpractices and testing procedures for verifying that the practice is in place.

  • Practice 3: Provide secure password features.
  • Practice 4: Log application activity.
  • Practice 5: Develop secure applications.
  • Practice 6: Protect wireless transmissions.
  • Practice 7: Test applications to address vulnerabilities.
  • Practice 8: Facilitate secure network implementation.
  • Practice 10: Facilitate secure remote software updates.
  • Practice 11: Facilitate secure remote access to applications.
  • Practice 12: Encrypt sensitive traffic over public networks.
  • Practice 13: Encrypt all non-console administrative access.

CERT Courseware

Author: Stephanie Losi

This section describes three CERT courses that focus on information assurance:

Defense-in-Depth: Foundations for Secure and Resilient IT Enterprises

The Defense-in-Depth Foundational Curriculum [May 06] can bring a big-picture perspective to the often detail-focused world of computer and network security, while reinforcing concepts with some implementation details.

Target Audience

The curriculum is designed for students, ranging from system administrators to CIOs, who have some technical understanding of security and want to better understand how security issues affect their entire organization. It can be useful for system administrators and IT security personnel who would like to step up to the management level. It also can provide a refresher for IT managers and executives who want to stay up-to-date on the latest technological threats facing their enterprise.

Instructors should be familiar with both the technical and managerial aspects of security and should have significant real-world experience so they can relate anecdotes as well as present curriculum material. Students should be familiar with basic computer networking and should have an interest not only in learning technological details but also in placing those details within a larger business context.

Curriculum Content

The curriculum consists of eight modules plus an introduction called “Foundations of Information Assurance.” This introduction focuses on how addressing the overarching concepts of confidentiality, integrity, and availability can lead to a comprehensive security strategy.

The eight modules in the curriculum are

  1. Compliance Management
  2. Risk Management
  3. Identity Management
  4. Authorization Management
  5. Accountability Management
  6. Availability Management
  7. Configuration Management
  8. Incident Management

The Compliance Management and Risk Management modules are presented at a fairly conceptual level; the remaining modules are presented at a more detailed level, while still preserving the big picture.

Module Descriptions

Each module is divided into several subsections.

Compliance Management is presented as “the lynchpin of security.” This section discusses U.S. laws, the need for executive-level support for security efforts, best practices for writing policies, and methods for increasing awareness of security policies throughout the organization. The Sample Policies section provides a pointer to examples and discusses techniques for creating effective policies.

Risk Management defines the concept of an asset and discusses how organizations can identify, categorize, and protect their assets using a defined process. Risks to assets must be identified and then ranked so that mitigation strategies can be put in place in a way that makes sense and supports the business mission.

Identity Management begins by defining various methods of user and computer identification as well as methods of authentication. It then moves on to discuss methods for protecting identity and privacy.

Authorization Management discusses the pros, cons, and best practices of file-system access control and network-traffic access controls. It also covers application-layer access controls, such as TCP wrappers and proxy servers.

Accountability Management defines accountability as a goal that is achieved through logging and auditing, network monitoring, and intrusion detection. Some of the subtopics discussed include automated availability checking, traffic monitoring and sniffing, antivirus, and integrity monitoring.

Availability Management presents the concepts of reliability, redundancy, failover, and fault tolerance, and then discusses various levels of availability that may be considered acceptable by organizations. Single points of failure are discussed, along with ways to mitigate them and ensure availability and business continuity.

Configuration Management details four methods of managing IT configurations: software update process, inventory control, configuration change management, and internal system assessments (such as penetration testing). Pros and cons and best practices are discussed.

Incident Management takes a process-based approach and covers planning and practice exercises, disaster and recovery preparation, and security incident handling and response.

Survivability and Information Assurance Curriculum

The SIA Curriculum [CERT 05] is useful if your organization approaches IT issues in a technology-centered way but would like to take a more process-centered approach. It helps organize system administration activities, going from a tactical, fire-fighting approach to a long-term, strategic approach.

The material contained in the SIA curriculum can be applied to sharpen system administrators’ enterprise-level perspective and help system administrators and managers speak each other’s language. As such, the SIA curriculum can be a useful tool for bridging the gap that often exists between technology-centered and process-centered approaches to IT.

Target Audience

Students are expected to have at least one to two years of experience in a system administration or closely related role. Instructors are intended to be experienced system administrators or managers of system administrators so that they can refer to real-world anecdotes as well as provided course materials.

Curriculum Description

The key foundations of the SIA curriculum are

  1. Use the 10 Principles of Survivability and Information Assurance (listed below).
  2. Understand that the network supports the core business mission—it is not technology for technology’s sake.
  3. Consider implementing Survivable Functional Units (explained below) to reduce network complexity and increase modularity.
  4. Learn to build on existing enterprise networks.
  5. Challenge assumptions.

Three courses form the curriculum.

  1. The first course focuses on the 10 Principles of Survivability and Information Assurance and is designed so that system administrators and their immediate managers can attend together.
  2. The second course, “Information Assurance Networking Fundamentals,” applies the 10 principles from Course 1 to the inner workings of the TCP/IP suite. It is geared toward experienced system administrators.
  3. The third and last course is titled “Sustaining, Improving, and Building Survivable Functional Units (SFUs).” It is designed to integrate all of the information learned in the previous two courses.

Course 1: 10 Principles of Survivability and Information Assurance

This course is taught at a relatively high level but requires some competence with system administration tasks on any operating system. The course itself uses Red Hat Linux 9. There are discussions and a lab. The 10 Principles [Rogers 04] covered in the class are

  1. Survivability is an enterprise-wide concern.
  2. Everything is data.
  3. Not all data is of equal value to an enterprise; risk must be managed.
  4. Information assurance policy governs actions.
  5. Identification of users, computer systems, and network infrastructure components is critical.
  6. Survivable Functional Units (SFUs) are a helpful way to think about an enterprise’s networks.
  7. Security Knowledge in Practice (SKiP) provides a structured approach.
  8. The road map guides implementation choices (all technology is not equal).
  9. Challenge assumptions to understand risk.
  10. Communication skill is critical to reach all constituencies.

The goal of the course is to apply these 10 principles to understand and solve system administration problems.

Course 2: Information Assurance Networking Fundamentals

Students review TCP/IP networking fundamentals outside of class using the book TCP/IP Illustrated, Volume 1 – The Protocols [Stevens 93]. In class, students

  • take quizzes on the readings,
  • participate in a lab exercise, and
  • discuss the TCP/IP suite, taking a view that challenges assumptions about networking features and attempts to identify the real-world limitations of the protocols.

The goal is to teach students to think like hackers but not act like them.

Course 3: Sustaining, Improving, and Building Survivable Functional Units (SFUs)

The premise is that students

  • individually analyze artifacts on an existing network to determine its components
  • work in teams to reengineer an existing functional unit of that network, based on the lessons learned in the first two courses
  • give a class presentation to explain how they made the functional unit more survivable

Lastly, in an optional third section of the course, teams of students design, build, and graft a new SFU onto an existing enterprise network in a lab environment. This is a situation that many system and network administrators will encounter in their working lives.

The lab for this portion of the curriculum is currently theoretical, but organizations that think this course could serve their needs are encouraged to use the detailed design document provided along with the faculty course materials to build a lab environment.

Course Materials

Course materials, including 2800+ pages of student workbook content, can be downloaded from the curriculum web site.

Virtual Training Environment

CERT’s Virtual Training Environment (VTE), as presented to the public, is a broad collection of more than 1800 modules. Modules may be documents, demonstrations with voiceovers, lecture videos with accompanying slides and notes, or labs.

Many topics are covered within VTE, and content is updated quarterly, so the best approach is to browse the site for the most current offerings. VTE is self-guided, so students who find the content to be of use can continue to explore various areas to gain additional knowledge.

Key goals of the VTE environment are to

  • improve information security awareness worldwide
  • provide a globally available training platform that improves the efficacy of online training efforts in information, computer, network, and system security
Target Audience

The VTE target audience is information security professionals who are seeking a reference library to acquire new knowledge, refresh on past knowledge, and prepare for certification examinations. They have technical backgrounds but likely possess varying degrees of security knowledge in topics such as forensics, incident handling, TCP/IP, and firewalls.

Instructors looking for material to supplement the courses they teach also may find VTE of value.

Regardless of their job role, students should have some knowledge of computer and networking technologies on Windows and/or Linux, a healthy curiosity about how security technologies work, and a willingness to use the VTE material as a jumping-off point for further study. Simply pointing and clicking through the labs may be instructive, but the best results will be obtained by in-depth, authorized practice of the skills taught.

VTE Modules

This is a sampling of VTE content modules:

  • Basics of Router Administration
  • SSL and TLS
  • Introduction to Log File Analysis Using SWATCH
  • Steganography
  • Compliance Management

Lab modules require a VTE subscription, but all other content is available to the public at no cost. To view audiovisual content, students will need the Adobe Flash plug-in.

CERT Course Material Available Via VTE

Some of the modules within the main VTE list are part of larger courses and are prefaced by various tags. These are the larger courses, along with a sampling of their associated modules:

  • ISFTS - Information Security for Technical Staff
    • Policy Formulation and Implementation
    • Securing Network Infrastructure
    • TCP/IP Security
    • Asset and Risk Management
  • AISFTS - Advanced Information Security for Technical Staff
    • Synchronization and Remote Logging
    • Host System Hardening
    • Intrusion Detection
    • Firewalls and Access Controls
  • FRGCF - First Responder's Guide to Computer Forensics
    • Cyber Law
    • File Systems/First Responder’s Toolkit
    • Collecting Volatile Data
    • Collecting Persistent Data
  • ADVFOR - Advanced Forensics
    • Capturing a Running Process
    • Configuration and Setup of Online DFS
    • Logfile Analysis Using Microsoft Log Parser
    • Bookmarking with EnCase

Lastly, with a training subscription, organizations are able to combine material from the VTE platform with material from their own repositories to generate customized training courses.

Conclusion

The intent of this article has been to serve as a navigational aid through the wide range of available security standards, guidelines, and frameworks. We presented categories of security practices to consider during deployment and operations, drawing from leading sources. The content in this article can be used independently or in concert with the approaches described in the other articles in this content area.

Table 1: Security Practice Categories

Given their widespread, international use, ISO 27002 Code of practice for information security management [ISO 05a] and ISO 27001 Annex A Information security management systems [ISO 05b], described above, were used to build the initial master list of practices categories in Table 1. Table entries were then expanded and updated based on additional sources, which are also described in more detail above.

Table 1. Security practice categories

Practice Category

Subpractice

Source

Assess, manage, and mitigate security risk.

Assess, manage

  • Risk-Centered Practices article
  • NIST 800-27 Engineering Principles for Information Technology Security [Stoneburner 04], Principles 5, 7
  • NIST 800-53 Recommended Security Controls for Federal Information Systems [Ross 07b], RA (risk assessment)
  • “Report of the Best Practices and Metrics Teams”, ISPE10 (assess risks) [CISWG 04]
  • COBIT 4.1, PO9 (assess, manage IT risks) [ITGI 07a, ITGI 07b]
  • The Standard of Good Practice for Information Security SM3 (security requirements) [ISF 07]
 

Mitigate

  • BSI principles Defense in Depth, Failing Securely, Securing the Weakest Link
  • NIST 800-27, Principle 16 (defense in depth), 18 (resilience)
  • CISWG ISPE10 (manage risk mitigation)
  • COBIT DS5 (ensure systems security)
  • ISF CB4 (application resilience), CI2 (computer installation resilience), NW1 (network resilience)

Develop, review, and maintain a useful security policy.

 
  • NIST 800-27, Principles 2, 8
  • NIST 800-53 (all)
  • CISWG ISPE8 (establish policy)
  • ISF SM1 (high level direction)

Develop, review, and maintain a useful security plan.

 
  • COBIT PO1 (define strategic IT plan), PO5 (manage IT investment), DS1 (define, manage service levels), DS5 (ensure systems security)
  • ITIL (service level, financial management)

Manage the organization to operate securely.

Management commitment to security

  • ISF SM1 (high level direction)
 

Internal organization

  • NIST 800-27, Principles 2, 8, 15
  • NIST 800-53 (all)
  • CISWG ISPE9 (assign roles, determine skills)
  • COBIT PO4 (define IT processes), PO6 (communicate), PO10 (manage projects)
  • ISF SM2 (security organization)
 

External parties

  • NIST 800-27, Principles 13, 15
  • NIST 800-53 RA (risk assessment)
  • ISF SM6 (third party access, outsourcing)

Adequately protect organizational assets.

Assign responsibility and ownership

  • NIST 800-53 RA (risk assessment)
  • CISWG ISPE12 (identify, classify assets)
  • COBIT PO2 (define the information architecture), DS9 (manage the configuration)
  • ITIL (configuration, asset management) [ITIL 99]
  • ISF SM3 (security requirements), SM4 (asset management)
 

Classify assets

  • BSI Principle Promoting Privacy
  • NIST 800-27, Principle 9
  • FIPS 199 Security Categorization of Federal Information and Information Systems [NIST 04]
  • CISWG ISPE12 (identify, classify assets)
  • COBIT PO2 (define the information architecture)
  • ITIL (configuration, asset management)
  • ISF SM3 (security requirements), SM4 (privacy, asset management)

Manage human resources for security.

Prior to employment

  • NIST 800-53, PS (personnel security)
  • COBIT PO7 (manage IT human resources)
  • ISF SM1 (high level direction)
 

During employment

  • NIST 800-27, Principle 15
  • NIST 800-53, AT (awareness, training)
  • COBIT PO7 (manage IT human resources), DS7 (educate, train users)
  • ISF SM2 (security organization)
 

Termination or change

  • NIST 800-53, PS (personnel security)

Manage the physical environment to meet security requirements and mitigate risk.

Secure areas

  • NIST 800-53, PE (physical, environmental protection)
  • CISWG ISPE15 (protect physical environment)
  • COBIT DS12 (manage the physical environment)
  • ISF SM4 (physical protection)
 

Equipment

  • NIST 800-53, CP (contingency planning), PE (physical, environmental protection)
  • CISWG ISPE15 (protect physical environment)
  • COBIT DS12 (manage physical environment)
  • ISF SM6 (equipment for remote use)

Ensure the correct and secure operation of systems and software.

Operational procedures (change management; segregation of duties, facilities)

  • NIST 800-53, CM (configuration management), MA (maintenance)
  • COBIT AI4 (enable operation, use), AI6 (manage changes), DS13 (manage operations)
  • ITIL (configuration, change, release management)
  • CISWG ISPE21 (configuration management), ISPE 22 (communications, email, remote access), ISPE25 (change management)
  • Visa U.S.A. Payment Application Best Practices, Practice 10 (secure remote software updates) [Visa 07]
  • ISF SM5 (patch management)
 

Third party service delivery

  • NIST 800-27, Principle 13
  • NIST 800-53, CM (configuration management), SA (system, services acquisition)
  • CISWG ISPE11 (security requirements for third parties)
  • COBIT DS1 (define, manage services levels), DS2 (manage third party services)
  • ITIL (service level management)
 

System planning (capacity management, system acceptance)

  • NIST 800-27, Principle 14, 15
  • NIST 800-53, CP (contingency planning), PL (planning), SC (system and communication protection)
  • COBIT AI7 (accredit solutions and changes), DS3 (manage performance, capacity)
  • ITIL (capacity management)
  • ISF CI2 (installation design)
 

Malicious and mobile code (such as automated tools)

  • NIST 800-53, SC system and communications protection), SI (system and information integrity)
  • COBIT DS5 (ensure systems security)
  • CISWG ISPE24 (malicious code)
  • ISF SM5 (malicious code)
 

Back-up

  • NIST 800-53, CP (contingency planning)
  • COBIT DS4 (ensure continuous service), DS11 (manage data)
  • ITIL (availability, service continuity management)
  • CISWG ISPE28 (backup, recovery)
 

Network security, including wireless

 

Media handling

  • BSI Principle Promoting Privacy
  • NIST 800-27, Principle 9
  • NIST 800-53, MP (media protection)
  • ISF SM4 (privacy)
 

Exchange of information (includes instant messaging)

  • BSI Principle Promoting Privacy
  • NIST 800-27, Principle 9
  • NIST 800-53, MP (media protection), SC (system and communications protection)
  • COBIT PO8 (manage quality), DS5 (ensure systems security)
  • ISF SM4 (privacy), SM6 (instant messaging)
 

Electronic commerce

  • BSI Principle Promoting Privacy
  • NIST 800-27, Principles 9, 17, 32
  • NIST 800-53, SC (system and communications protection)
  • COBIT AI4 (enable operation and use)
  • ISF SM6 (e-commerce)
 

Monitoring, reporting

  • BSI principle Never Assuming that Your Secrets Are Safe, Reluctance to Trust
  • NIST 800-27, Principles 6, 18
  • NIST 800-53, AU audit and accountability), CA (certification, accreditation, and security assessments)
  • COBIT DS5 (ensure systems security), ME1 (monitor and evaluate IT performance)
  • ITIL (capacity, performance management)
  • CISWG ISPE17 (report management metrics), ISPE30 (report technical metrics), ISPE22 (logging, monitoring)
  • Visa Practice 4 (application logging)
  • ISF SM5 (intrusion detection), SM7 (monitor, review)

Control access to all classes of assets in support of business requirements.

 
 

Business requirements

  • NIST 800-27, Principle 26
  • NIST 800-53, AC (access control)
 

User access

  • NIST 800-27, Principles 26, 32, 33
  • NIST 800-53, AC (access control), IA (identification and authentication), PS (personnel security)
  • CISWG ISPE18 (user identification, authentication), ISPE19 (user account management), ISPE20 (user privileges)
 

User responsibilities

  • NIST 800-53, AC (access control)
 

Network access, including remote, wireless access

  • NIST 800-27, Principles 6, 21, 25, 32
  • NIST 800-53, AC (access control), CA (certification, accreditation, and security assessments)
  • ISF SM6 (remote access), NW2 (wireless access)
 

Operating system access

  • NIST 800-27, Principles 32, 33
  • NIST 800-53, AC (access control), IA (identification and authentication)
 

Application, information access

  • NIST 800-27, Principle 25
  • NIST 800-53, CM (configuration management)
  • Visa Practice 3 (application passwords), Practice 11 (secure remote access to applications)
 

Mobile computing

  • NIST 800-27, Principles 6, 32, 33
  • NIST 800-53, AC (access control), PE (physical and environmental protection)

Acquire, develop, and maintain secure systems. (This topic is treated more comprehensively in other BSI content areas.)

 
  • CISWG ISPE14 (approve systems architecture, full life cycle)
  • COBIT PO8 (manage quality), AI2 (acquire, maintain application software), AI3 (acquire, maintain technologies), AI5 (procure IT resources)
  • Enhancing the Development Lifecycle [Goertzel 08]
  • ISF SM4 (security architecture)
  • ISF SD1 (development management), SD2 (security management), SD3 (business requirements), SD4 (design, build), SD5 (test), SD6 (implement)
  • Visa Practice 5 (develop secure applications)
 

Security requirements

  • BSI Requirements Engineering content area
  • NIST 800-27, Principles 2, 13
  • NIST 800-53, SA (system and services acquisition)
  • COBIT PO1 (define IT strategic plan), PO2 (define information architecture), AI1 (identify automated solutions)
 

Correct processing in applications

 

Cryptographic controls

  • NIST 800-27, Principles 32, 33
  • NIST 800-53, SC (system and communications protection)
  • COBIT DS5 (ensure systems security)
  • CISWG ISPE27 (data encryption)
  • Visa Practice 12 (encrypt sensitive traffic over public networks), Practice 13 (encrypt all non-console administrative access)
  • ISF SM6 (cryptography, public key infrastructure)
 

Security of system files

  • NIST 800-27, Principles 14, 32
  • NIST 800-53, CM (configuration management)
  • COBIT DS9 (manage the configuration)
  • ITIL (configuration management)
 

Security in development, support processes

  • NIST 800-27, Principles 2, 14
  • NIST 800-53, CM (configuration management), SA (system and services acquisition), SI (system and information integrity)
 

Vulnerability management

 

Application is able to operate in a secure environment

  • Visa Practice 8 (secure network implementation)

Report and manage security incidents.

Report

  • BSI Incident Management content area
  • NIST 800-53, IR (incident response)
  • COBIT DS4 (ensure continuous service), DS5 (ensure systems security), DS8 (manage service desk, incidents), DS10 (manage problems)
  • ITIL (incident, problem management)
  • CISGW ISPE29 (incident response)
 

Manage

  • BSI Incident Management content area
  • BSI principle Failing Securely
  • NIST 800-27, Principles 17, 18
  • NIST 800-53, AU (audit and accountability), IR (incident response)
  • COBIT DS4 (ensure continuous service), DS5 (ensure systems security), DS8 (manage service desk, incidents), DS10 (manage problems)
  • ITIL (incident, problem management)
  • CISGW ISPE29 (incident response)
  • ISF SM5 (emergency response)
 

Forensic investigations

  • ISF SM5 (forensics)

Ensure business continuity.

 
  • BSI principle Failing Securely
  • NIST 800-27, Principles 17, 18, 23
  • BSI Governance & Management content area
  • CERT's Resiliency Engineering Framework
  • NIST 800-53, CP (contingency planning), IR (incident response), RA (risk assessment)
  • CISWG ISPE13 (implement, test business continuity plans)
  • COBIT DS4 (ensure continuous service)
  • ITIL (service continuity, availability management)
  • ISF SM4 (business continuity), CI6, NW3 (service continuity)

Comply with security requirements.

With legal requirements

  • BSI Principle Promoting Privacy
  • NIST 800-27, Principle 9
  • NIST 800-53, AU (audit and accountability), CA (certification, accreditation, and security assessments), (all policy sections)
  • CISWG ISPE8 (monitor compliance)
  • BSI Governance & Management content area
  • COBIT ME3 (ensure regulatory compliance), DS9 (manage the configuration)
  • ISF SM4 (privacy)
 

With security policies, standards

  • ensure compliance with all BSI principles
  • NIST 800-27, Principle 18
  • NIST 800-53, CA (certification, accreditation, and security assessments)
  • CISWG ISPE8 (monitor compliance)
  • COBIT ME2 (monitor and evaluate internal control)
 

Audit

  • NIST 800-27, Principle 18
  • NIST 800-53 AU (audit and accountability), PL (planning)
  • CISWG ISPE16 (ensure audits)
  • COBIT ME1 (monitor and evaluate IT performance), ME2 (monitor and evaluate internal control), ME3 (ensure regulatory compliance)
  • ISF SM6 (audit)

Terms of Use

Responsible Care® Program is registered in the U.S. Patent and Trademark office by the American Chemistry Council.

CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

COBIT® is registered in the U.S. Patent and Trademark office by the Information Systems Audit and Control Association and by the IT Governance Institute.

The IT Infrastructure Library® and ITIL® are registered trademarks of the British Office of Government Commerce (OGC). ITIL was developed in conjunction with the British Standards Institute and is overseen by The IT Service Management Forum (itSMF).

OCTAVE® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

Operationally Critical Threat, Asset, and Vulnerability EvaluationSM is a service mark of Carnegie Mellon University.

SKiPSM is a service mark of Carnegie Mellon University.

  • 1. Refer to the websites noted above. For a description of additional security-related standards, visit the "Other Security Standards" page on the IsecT Ltd. website [IsecT 06].
  • 2. See also [NSA] and [Hazlewood 06].
  • 3. “Defense-in-depth may mean an engineering solution which emphasizes redundancy—a system that keeps working even when a single component fails—over attempts to design components that will not fail in the first place” [Lindner 06]. For more information, see the Defense-in-depth wikipedia entry [DiD 08].
  • 4. See also the COBIT entry in Wikipedia [COBIT 2008].

Back to Top