Autonomic Security Compliance Framework
Cihan Tunc and Salim Hariri, Cloud and Autonomic Computing Center at The University of Arizona
Cloud and Autonomic Computing Center Semi Annual IAB Meeting, April 23-24, 2018, Tucson, Arizona
Project Overview
- On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule with a deadline of December 31, 2017:
  - Implement all of the requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
- Current supply chain security management techniques are
  - Manual, labor intensive, and not flexible
  - Infeasible for creating a secure organization boundary
[https://www.gpo.gov/fdsys/pkg/FR-2015-12-30/pdf/2015-32869.pdf]
Project Overview
- Goal: autonomic security compliance
  - Continuously monitor computers, systems, devices, applications, etc.
  - Verify that the compliance requirements are met, based on NIST SP 800-171
  - Create a compliance report and report the critical issues
  - Suggest fixes for the problems (automated/semi-automated actions)
Autonomic Cyber Security Framework
(Architecture diagram: the Autonomic Security Compliance Engine monitors servers, systems and devices across Supply Chain 1 and Supply Chain 2, from the physical resource, hypervisor and operating system up through virtual resources, VM-1 .. VM-N and their applications, against the security control requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.)
Autonomic Cyber Security Framework
Workflow: Company Compliance Policy -> Configuration Program -> Compliance Report -> Critical Action Report / Critical Issues

Inputs: NIST SP 800-171 (1. Access Control, 2. Awareness and Training, 3. Audit and Accountability, 4. Conf. Mng., 5. Identification and Authentication, 6. Incident Response, 7. Maintenance, 8. Media Protection, 9. Personnel Security, 10. Physical Protection, 11. Risk Assessment, 12. Security Assessment, 13. System and Comm. Protection, 14. System & Info. Integrity) and the United States Government Configuration Baseline (USGCB).

Example USGCB configuration settings and the reason each is checked:
- Minimum password length (12 chars): to make brute-force password guessing attacks more difficult.
- Network security: Force logoff when logon hours expire: to prevent users from remaining connected after their logon hours have expired.
- Inbound connections (Block): to minimize the risk of exploiting a vulnerable application with an inbound network port.

Sample compliance report (Metric is in the range 0-1; e.g. 0.9 means 90% of the security tests passed):

NIST SP 800-171 Security Control                                          Metric  Report
3.1    Access Control                                                     0.45    Security controls do not pass
3.1.8  Limit unsuccessful logon attempts.                                 0       Failed the tests
3.1.9  Provide privacy and security notices consistent with               0.9     90% of the security tests passed
       applicable CUI rules.
3.2    Awareness and Training                                             1       PASS
3.3    Audit and Accountability                                           0.6     Not all the security controls are effectively applied
3.3.4  Alert in the event of an audit process failure.                    0.3     The tests failed mostly
3.4    Configuration Management                                           0.55    The tests failed
3.5    Identification and Authentication                                  1       PASS
3.6    Incident Response                                                  0.9     PASS
3.7    Maintenance                                                        1       PASS
3.8    Media Protection                                                   1       PASS
3.9    Personnel Security                                                 0.4     More work is needed
3.10   Physical Protection                                                1       PASS
3.11   Risk Assessment                                                    1       PASS
3.12   Security Assessment                                                1       PASS
3.13   System and Comm. Protection                                        0.7     Not all the security controls are effectively applied
3.13.6 Deny network communications traffic by default and allow           0.2     Failed the tests
       network communications traffic by exception
       (i.e. deny all, permit by exception).
3.14   System & Info. Integrity                                           0.95    PASS
NIST SP 800-171: 14 security categories
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Environment Information
- 3.1.8 – Limit unsuccessful logon attempts.
  - Script name: check_login_attempts_SP800_171_3.1.8
  - Checks auth.log to see whether the number of unsuccessful attempts is beyond a limit
- 3.13.6 – Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
  - Script name: check_open_ports_SP800_171_3.13.6
  - Checks the open ports
  - Compares them against a given authorized port list
  - If there are any unauthorized ports, it reports a critical error to the admin
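The two checks above, written out as an added example (this is not the project's own check_login_attempts_SP800_171_3.1.8 or check_open_ports_SP800_171_3.13.6 script). It assumes the OpenSSH "Failed password" line format found in a Debian/Ubuntu auth.log and the output layout of `ss -H -tln`; the log lines, the `ss` output, the authorized port list {22, 53}, the attempt limit of 3 and the 0-1 scoring rules are all constructed for illustration:

```python
"""
Added example, not one of the project's scripts: two checks in the spirit of
check_login_attempts_SP800_171_3.1.8 and check_open_ports_SP800_171_3.13.6.
All sample data (auth.log lines, `ss` output, the authorized port list and the
attempt limit) is constructed for illustration.
"""
import re
from collections import Counter

# Constructed auth.log excerpt in the syslog format OpenSSH writes on Debian/Ubuntu.
SAMPLE_AUTH_LOG = """\
Apr 23 10:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 23 10:01:05 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Apr 23 10:01:09 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51131 ssh2
Apr 23 10:01:14 host1 sshd[1207]: Failed password for root from 203.0.113.7 port 51134 ssh2
Apr 23 10:01:20 host1 sshd[1209]: Failed password for root from 203.0.113.7 port 51137 ssh2
Apr 23 10:02:00 host1 sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Apr 23 10:02:30 host1 sshd[1212]: Failed password for alice from 198.51.100.4 port 40002 ssh2
"""

# Constructed output of `ss -H -tln` (one LISTEN socket per line, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128          0.0.0.0:3306      0.0.0.0:*
"""

FAILED_LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def count_failed_logins(log_text):
    """Count sshd 'Failed password' lines per (user, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("src"))] += 1
    return counts


def check_3_1_8(log_text, limit=3):
    """3.1.8 Limit unsuccessful logon attempts.

    Flags every (user, source) pair whose failures go beyond `limit`.
    Scoring (assumed): 1.0 when nothing exceeds the limit, else 0.0, matching
    the 0/1 entry this control has in the sample report.
    """
    findings = {k: v for k, v in count_failed_logins(log_text).items() if v > limit}
    return (0.0 if findings else 1.0), findings


def parse_listening_ports(ss_output):
    """Extract the local port from each LISTEN line of `ss -tln` output.

    Handles IPv4 ('0.0.0.0:22'), IPv6 ('[::]:22') and scoped
    ('127.0.0.53%lo:53') addresses by splitting on the last ':'.
    """
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def check_3_13_6(ss_output, authorized_ports):
    """3.13.6 Deny all, permit by exception.

    Any listening port not on the authorized list is a finding.
    Scoring (assumed): fraction of listening ports that are authorized.
    """
    open_ports = parse_listening_ports(ss_output)
    unauthorized = sorted(open_ports - set(authorized_ports))
    metric = 1.0 if not open_ports else round(1 - len(unauthorized) / len(open_ports), 2)
    return metric, unauthorized


def compliance_report(log_text, ss_output, authorized_ports, limit=3):
    """Return rows of (control, metric, report text) in the deck's report layout."""
    m1, f1 = check_3_1_8(log_text, limit)
    m2, f2 = check_3_13_6(ss_output, authorized_ports)
    r1 = "PASS" if not f1 else "CRITICAL: " + ", ".join(
        "%s from %s (%d failures)" % (u, s, n) for (u, s), n in sorted(f1.items()))
    r2 = "PASS" if not f2 else "CRITICAL: unauthorized listening ports %s" % f2
    return [("3.1.8", m1, r1), ("3.13.6", m2, r2)]


if __name__ == "__main__":
    for control, metric, text in compliance_report(
            SAMPLE_AUTH_LOG, SAMPLE_SS_OUTPUT, authorized_ports={22, 53}):
        print("%-8s %-5s %s" % (control, metric, text))
```

On a live host the same functions take `open("/var/log/auth.log").read()` and `subprocess.check_output(["ss", "-H", "-tln"], text=True)` as input; systems that log only to journald need `journalctl -u ssh` instead. Two caveats a practitioner should keep in mind: the failure count should be windowed by time and should survive log rotation, and counting failures in the log is evidence that the limit is being exceeded, not proof that lockout is enforced, so the check is complementary to verifying the PAM configuration (pam_faillock or pam_tally2) that actually implements 3.1.8.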
Environment Information (testbed screenshot)
Access Control (screenshots)
Vulnerability Analysis (screenshot)
Deliverables and Benefits
- Autonomic security control framework
  - Implementing security controls on individual systems for the supply chain
  - Monitoring the systems 24x7
  - Security -> continuous monitoring
- Built a proof-of-concept testbed