Final SAR Report PDF

Title Final SAR Report
Author THEOPHILUS OFFEI
Course Information Security Management 
Institution Bellevue University
Pages 11
File Size 525.1 KB
File Type PDF

Summary

This report captures the findings I got from the security control assessment of a hypothetical system called the Local Doctors Office System for a class assignment ...


Description

Theophilus Offei
Management of Information Security
Master of Science, Cybersecurity
[email protected]

Local Doctor’s Office System (LDOS) Security Assessment Report (SAR) Low System

July 12, 2019 FINAL

1. INTRODUCTION AND PURPOSE

This document consists of a Security Assessment Report (SAR) for the Local Doctor’s Office System (LDOS) as required by FISMA. This SAR contains the results of the comprehensive security test and evaluation of the LDOS system. This assessment report and the results documented herein are provided in support of the Local Doctor’s Office System Security Authorization program goals, efforts, and assessment activities necessary to achieve compliance with FISMA security requirements. The SAR describes the risks associated with the vulnerabilities identified during the LDOS security assessment and DISA STIG vulnerability assessment, and also serves as the risk summary report referenced in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. All assessment results have been analyzed to provide both the information System Owner (SO), the Local Doctor’s Office, and the Authorizing Officials (AOs) with an assessment of the controls that safeguard the confidentiality, integrity, and availability of data hosted by the system as described in the LDOS System Security Plan (SSP).

The Assessment Team conducted a comprehensive-scope assessment of LDOS focusing on all implemented controls under scope. The assessment included the entire LDOS FISMA accreditation boundary. Extensive interviews, document reviews, evidence examinations, manual testing, shoulder surfing and technical testing were conducted, which identified the risks inherent in the LDOS. The Assessment Team identified eight (8) technical findings and one (1) finding relating to the PL-02 control during the assessment. These vulnerabilities may pose residual risk to the LDOS application; therefore, the risks associated with them are detailed and included in Table 1.
The LDOS application is assumed to have no existing open Plan of Action & Milestones (POA&M) items at the time of the assessment.

1.1 Synopsis

The Assessment Team conducted a comprehensive-scope assessment of all the security controls implemented. The assessment included the entire accreditation boundary, which is not exhibited in this report (not required in the last assignment). The Assessment Team conducted extensive interviews, document reviews, evidence examinations, and execution of custom host scripts. As a result of the assessment, the Assessment Team identified the following risks in the LDOS system:

- The System Security Plan (SSP) does not accurately describe the implementation of all the security controls
- The LDOS Privacy Impact Assessment (PIA) document has not been reviewed and updated
- The session lock is not configured to lock a user session after 15 minutes of inactivity
- The login warning banner is either non-existent or not DoD approved
- Running and startup configurations are not synchronized
- Operating systems are not at the current release level
- The console port does not time out after 10 minutes of inactivity
- Log events do not identify the originating node
- The system auditor uses his or her own experience, rather than the DoD-required list, to set auditable events
- The firewall does not generate incident alerts
- There is no emergency administration alert, but the system administrator told me they have a workaround

The application tester also performed manual testing by logging into the application with the given validation URL and exercising the access control and identification and authentication mechanisms present in each component to determine whether they correctly implement security functions. Details of this testing are also exhibited in the Table 1 finding sheets.

1.2 Assessment Overview

The Assessment Team was tasked with assessing the LDOS to determine the overall risk the system presents to the Local Doctor’s Office. The assessment was conducted onsite from July 01, 2019 to July 07, 2019, with full knowledge of the Local Doctor’s Office management and supporting infrastructure. This report contains the results of that effort. The other Local Doctor’s Office departments and staff provided the Assessment Team with excellent support during the engagement. Before the commencement of the assessment, the Local Doctor’s Office provided the team with various LDOS system-related documents, including the SSP, Contingency Plan (CP), and Information Security Risk Assessment (ISRA).
The following personnel were interviewed, and questions were answered promptly:

- Kayleen Amerson – Primary Information System Security Officer (ISSO)
- Dora Bryant – Local Doctor’s Office Security Engineer/Architect
- Barbara Asiedu – Local Doctor’s Office Cyber Risk Adviser
- Stephen Jackson – LDOS Developer/Maintainer
- Kwame Lee – Local Doctor’s Office SQL Server Administrator

1.3 Assessment Methodology

The LDOS Assessment Team used the following assessment methodologies:

- NIST SP 800-53A Rev 4 security control assessment procedures for a Low-Low-Low (L-L-L) categorized system
- Assured Compliance Assessment Solution (ACAS) vulnerability scans: Nessus scanner and Nessus Network Monitor
- Enclave Testing Security Technical Implementation Guide (STIG)
- Windows 10 STIG
- Application Server Security Requirements Guide (SRG)
- Network Perimeter Router L3 Switch STIG, Ver 8, Rel 32
- Network Layer 2 Switch STIG, Ver 8, Rel 27

The LDOS Assessment Team analyzed the results from the DISA STIG vulnerability scanning, conducted a traditional security control assessment of all the implemented controls, analyzed results from host-based scripts, and performed manual testing on the LDOS environment. The Team reviewed the documentation that was provided and conducted interviews to help determine the overall security posture of the LDOS application. The purpose of this assessment was to:

- Determine whether the system adequately implemented the controls selected in step 2 (Select) of the RMF process
- Determine whether the system is compliant with FISMA
- Determine whether the underlying infrastructure was securely implemented
- Determine whether the application was securely maintained

1.4 Summary of Identified Security Risks or Findings

The LDOS Assessment Team’s process facilitates a holistic view of the Local Doctor’s Office organizational and system risk posture by focusing the assessment on mature execution of security controls and DISA STIG vulnerability scanning. The table below summarizes the identified risks related to each assessed security control or asset on the Local Doctor’s Office System.

Table 1. Summary of Identified Security Risks associated with the LDOS assets

1.5 Summary of Identified Residual/Inherited Security Capability Risks

A holistic view of the Local Doctor’s Office organizational and system risk posture includes identification of inherited risk and residual risk for the system.

1.5.1 Residual Risk

Residual risk is the risk remaining in the system after identified findings/weaknesses have been reduced or mitigated. Not all mitigated findings/weaknesses result in residual risk. Residual risk is determined by evaluating the security posture of the system after natural or inherent risks have been reduced by risk controls. Residual risk is monitored through ongoing review of the security posture of the system, determining whether similar weaknesses are identified in subsequent risk assessments; this can assist in identifying the root causes of the weaknesses. The following tables summarize the identified inherited/residual risks related to each assessed security control or asset. For the sake of this assignment, I assume there was no residual risk identified during this assessment.

1.5.2 Inherited Risk

Inherited risk is the risk assigned against a source that implements security controls on behalf of the system being assessed. Although the responsibility for mitigating the risk does not belong to the system being assessed, it does impact the overall risk posture of the system and must be considered when determining the overall risk to the system and the Local Doctor’s Office. Also, for the sake of this week’s class assignment, it is assumed there was no identified inherited risk, because all the controls were fully implemented by LDOS and none was inherited from another source.
1.6 Summary of Recommendations

Each risk is mapped to one or more findings, and for each finding the LDOS Assessment Team developed detailed recommendations for improvements that address the finding and the risk and that strengthen overall Local Doctor’s Office information security. While all risks will need to be addressed, those that represent the highest risk to Local Doctor’s Office data should be addressed and closed first, or mitigating controls implemented, to reduce the risk exposure to the Local Doctor’s Office. Most of the finding recommendations fall into the following areas:

- Update System Documentation: Review and update the LDOS PIA and SSP.
- Strengthen User Authentication: Configure the session lock for all Windows users to activate after 15 minutes of inactivity. Enable password policy and password expiration for all SQL-authenticated logins. Configure the minimum password length for all privileged Windows users to 15 characters.
- Network devices must display the DoD-approved logon warning banner: All network devices must present a DoD-approved warning banner before a system administrator logs on. The banner should warn any unauthorized user not to proceed, and should give clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts limits DoD’s ability to prosecute unauthorized access and may give rise to criminal and civil liability for system administrators and information system managers.
- Running and startup configurations should be synchronized: If the running and startup router configurations are not synchronized and a router malfunctions, it will not restart with all recent changes incorporated. If the recent changes were security related, the routers would be vulnerable to attack.
- The network element must be running a current and supported operating system with all IAVMs addressed: Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial-of-service attacks, system weaknesses, back doors and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.
- The network element must time out access to the console port after 10 minutes or less of inactivity: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session on a console port that has been left unattended. Quickly terminating an idle session also frees up resources committed by the managed network element. Setting the session timeout to 10 minutes or less increases the level of protection afforded critical network components.
- The firewall must be configured to allow the system administrator to select a subset of DoD-required auditable events: Generating logs for a selected subset of criteria aids system administrators, maintainers, and auditors when troubleshooting issues or reviewing the log for trends or security breaches.
- The firewall must generate an alert that can be forwarded to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected: Without an alert, security personnel may be unaware of major incidents that require immediate action, and this delay may result in the loss or compromise of information.
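The Strengthen User Authentication recommendation above (and the session-lock finding in the synopsis) can be verified directly on the LDOS hosts rather than only by interview. The following PowerShell script is an added example written for this page; it is not part of the original SAR or of any LDOS artifact. It checks the Windows machine inactivity limit (the registry value behind the session lock), the effective minimum password length, and the CHECK_POLICY/CHECK_EXPIRATION flags on SQL-authenticated logins, and prints the remediation command for anything non-compliant. The instance name LDOS-SQL01, the use of integrated authentication and a trusted TLS certificate on the SQL instance, and running the script as a local administrator on a Windows 10 or Server 2012 R2 host are assumptions.

```powershell
# Added example (not from the original SAR): audit the three authentication
# settings recommended for LDOS. Assumes Windows PowerShell 5.1 run as a local
# administrator; the SQL instance name below is a placeholder.
$SqlInstance = 'LDOS-SQL01'   # assumption: SQL Server hosting the LDOS database

function Get-SessionLockStatus {
    # "Interactive logon: Machine inactivity limit" is stored as InactivityTimeoutSecs.
    # The SAR requires a lock after 15 minutes, i.e. 900 seconds or less (0 disables it).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $secs = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{
        Check     = 'Session lock (InactivityTimeoutSecs)'
        Value     = $secs
        Compliant = ($null -ne $secs) -and ($secs -gt 0) -and ($secs -le 900)
        Fix       = "Set-ItemProperty -Path '$key' -Name InactivityTimeoutSecs -Type DWord -Value 900"
    }
}

function Get-MinPasswordLengthStatus {
    param([int]$Required = 15)   # the SAR recommends 15 characters for privileged Windows users
    # secedit exports the effective local account policy as an INI-style file.
    $cfg = Join-Path $env:TEMP 'secpol.cfg'
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Select-String -Path $cfg -Pattern '^MinimumPasswordLength\s*=\s*(\d+)'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $current = if ($line) { [int]$line.Matches[0].Groups[1].Value } else { 0 }
    [pscustomobject]@{
        Check     = 'Minimum password length'
        Value     = $current
        Compliant = ($current -ge $Required)
        Fix       = "net accounts /minpwlen:$Required"
    }
}

function Get-SqlLoginPolicyStatus {
    param([string]$Instance)
    # Only SQL-authenticated logins carry their own policy flags; Windows logins
    # inherit the Windows policy, so sys.sql_logins is the right catalog view.
    # Internal ##...## logins are certificate-based and excluded.
    $query = @"
SELECT name
FROM sys.sql_logins
WHERE is_disabled = 0
  AND name NOT LIKE '##%'
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);
"@
    # Assumption: the instance presents a certificate trusted by this host.
    $connStr = "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connStr)
    $weak = @()
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $weak += $reader.GetString(0) }
    } finally {
        $conn.Close()
    }
    [pscustomobject]@{
        Check     = 'SQL login CHECK_POLICY / CHECK_EXPIRATION'
        Value     = ($weak -join ', ')
        Compliant = ($weak.Count -eq 0)
        Fix       = ($weak | ForEach-Object { "ALTER LOGIN [$_] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;" }) -join ' '
    }
}

@(
    Get-SessionLockStatus
    Get-MinPasswordLengthStatus
    Get-SqlLoginPolicyStatus -Instance $SqlInstance
) | Format-Table Check, Value, Compliant, Fix -Wrap
```

The password-length check reads the effective policy of the machine it runs on, so for the privileged-user requirement it would be run on each host (or the equivalent value checked in the domain's fine-grained password policy). CHECK_EXPIRATION in SQL Server requires CHECK_POLICY to be on, which is why the fix sets both flags in one statement.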

2. Assessment Scope The LDOS' official accreditation boundary diagram from the System Security Plan (SSP) is shown below:

Note: This accreditation boundary does not depict the actual accreditation boundary of the Local Doctor’s Office System (LDOS). It is just an illustration for the sake of this assignment.

Table 2. LDOS Assessment Scope Quick Reference

Official System Name: Local Doctor's Office System
System Acronym: LDOS
System Type: Major Application (MA)
Sensitivity Level of System: Personally Identifiable Information (PII)
Assessment Type: Comprehensive Assessment
FIPS 199 Security Categorization: Low
FIPS 199 Security Level Rationale: Information about patients
Assessment Environments: LDOS
Environment Hosting Location: 3480 Fenton Avenue, Bronx NY 10469
Application Servers/Workstations and Operating Systems: LDOS main application, Windows 10, Server 2012 R2, firewall, switches, router
Required Authentication Method: Username + Password + Token
Assessment Date: July 07, 2019 - July 14, 2019
Assessment Location: Onsite

2.1 Controls Assessed

All 17 controls selected from the control families, together with other assets, were assessed.

3.0 Detailed Findings

This section provides a descriptive analysis of the findings (and associated risks) identified through the assessment process. Each finding is explained, specific risks to the continued operation of Local Doctor’s Office information systems are identified, and the impact of each finding is analyzed as a business case. The findings also contain suggested corrective actions for closing or reducing the impact of each vulnerability.

3.1 Findings

Management, operational, and technical vulnerabilities representing risks to the secure operation of the LDOS are summarized in the table below and detailed in the finding sheets that follow.

References:
- FedRAMP Templates, https://www.fedramp.gov/templates/
- Security Assessment Report, SensePost, https://www.silabs.com/documents/login/white-papers/SP02508-SigmaDesigns-Security2-CommandClass_v2_Commercial_in_Confidence_Removed.pdf

4. System Plan of Action and Milestones (POA&M) Validation Status

The LDOS Assessment Team was tasked with validating the Local Doctor’s Office System POA&Ms. For the sake of this assignment, it is assumed that there were no open POA&Ms at the time of the assessment....

