
VIRGI2018
Project1-VulnerabilityAssessmentReport.docx

Contents

Prepared by
Executive Summary
Introduction
Purpose
Scope
Work Breakdown Structure
Threat and Vulnerability Report
Threat
Vulnerabilities
Vulnerabilities Assessed
Lessons Learned Report
Best Practice Recommendation
Lessons Learned
Appendix A: Network Analysis Tools Report
Appendix B: Vulnerability Assessment Matrix
Internal Threat and Vulnerability Matrix
External Threat and Vulnerability Matrix
Reference

Executive Summary

The annual security controls assessment (SCA) was conducted between April 9, 2018, and June 8, 2018, in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Of the 144 security controls required to be implemented and identified in the System Security Plan (SSP), 113 (78%) were re-assessed as:

· Satisfied: A finding of satisfied indicates that for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control has been met producing a fully acceptable result.

· Other-than-Satisfied: A finding of Other-than-Satisfied indicates that for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained indicates potential anomalies in the operation or implementation of the control that may need to be addressed by the organization. A finding of Other-than-Satisfied may also indicate that for reasons specified in the assessment report, the assessor was unable to obtain sufficient information to make the particular determination called for in the determination statement.

Introduction

The security controls assessment (SCA) detailed in this report was conducted using the methodology based on National Institute of Standards and Technology (NIST) Special Publications (SP). Risk is re-assessed annually, in accordance with the organization's IT Security Program Policy, using one or more of the following:

• Continuous Monitoring activities that produce the annual SCA Report

• Quarterly vulnerability scan reports and supporting documentation.

Purpose

The purpose of this report is to provide recommendations for improving the implementation of security controls over the organization's physical and IT assets, which includes physical security, network security, cybersecurity and personnel. The report enables the system owners to determine the extent to which the security controls are:

• Implemented correctly

• Operating as intended

• Producing the desired outcome with respect to meeting the system security requirements

In addition, the report documents the SAT recommendations for correcting deficiencies in the security controls and reducing or eliminating identified vulnerabilities.

Scope

The Security Control Assessment (SCA) team will conduct the assessment of the organization's system, a High-impact system primarily located in Laurel, MD. The assessment will consist of an examination of management, operational, technical, and privacy security controls using the assessment procedures identified in the organization's Security Controls Assessment template, which follows the examine, interview, and test approach recommended in NIST SP 800-53A, Revision 4.

The results of Nessus vulnerability scanning, documentation examinations, interviews, and other tests will be documented in the Security Assessment Report (SAR). The assessment will identify areas of concern, needs for improvement, control implementation deficiencies, or vulnerabilities using procedures recommended by NIST SP 800-53A, Revision 4. The assessment will follow a risk-based approach, focusing on a more rigorous assessment of controls associated with systems that process sensitive information, and utilizing sampling to optimize the use of limited resources, although the use of sampling may result in overlooking vulnerabilities in components that are not included in the sample tested.

The Security Plan Assessment will provide the CISO and management with a determination of whether the system continues to be adequately secured in its operational environment.

Work Breakdown Structure

Threat and Vulnerability Report

Threat

This section discusses the threats identified for the systems. A threat is the potential for a particular threat-source to exercise a particular vulnerability successfully. A vulnerability is a weakness that can be accidentally triggered or intentionally exploited by a threat. A threat-source does not present a risk when there is no vulnerability that can be exercised. In determining the likelihood of a threat, one must consider threat-sources, potential vulnerabilities, and existing controls. During the vulnerability assessment, we reviewed the system-specific threat sources, technical threats, human threats and natural and environmental threats. These threats were identified from interviews with the SCA team and system administrators as well as through reviews of reference and system documentation. The table below lists the applicable threats discovered during the assessment.

Threat-Sources

Threat-Source: Hacker, cracker
Motivation: Challenge; Ego; Rebellion
Threat Actions:
· Hacking
· Social engineering
· System intrusion, break-ins
· Unauthorized system access

Threat-Source: Computer criminal
Motivation: Destruction of information; Illegal information disclosure; Unauthorized data alteration
Threat Actions:
· Computer crime (e.g., cyber stalking)
· Fraudulent act (e.g., replay, impersonation, interception)
· Spoofing
· System intrusion

Threat-Source: Terrorist
Motivation: Blackmail; Destruction; Exploitation; Revenge
Threat Actions:
· Bomb/Terrorism
· System attack (e.g., distributed denial of service)
· System penetration
· System tampering

Threat-Source: Industrial espionage (companies, foreign governments, other government interests)
Motivation: Competitive advantage; Economic espionage
Threat Actions:
· Economic exploitation
· Information theft
· Intrusion on personal privacy
· Unauthorized system access (access to classified, proprietary, and/or technology-related information)

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Motivation: Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions (e.g., data entry error, programming error)
Threat Actions:
· Assault on an employee
· Blackmail
· Browsing of proprietary information
· Computer abuse
· Fraud and theft
· Information bribery
· Input of falsified, corrupted data
· Interception
· Malicious code (e.g., virus, logic bomb, Trojan horse)
· Sale of personal information
· System bugs
· System intrusion
· System sabotage
· Unauthorized system access

Vulnerabilities

The analysis of the risk to an IT system must include an analysis of the vulnerabilities associated with the system environment. The goal of this step was to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources. The vulnerabilities identified were determined from the documents and detailed briefings provided to the assessment team in support of the risk assessment process. Vulnerabilities were initially evaluated based on their impact after the assumptions about existing controls were applied. If, after considering the existing controls, the assessment team believed the vulnerability's impact should be further reduced, the team considered other possible controls and compiled a list of recommended additional controls. Impact is a rating of the damage that could occur if a particular vulnerability is exploited. Ratings assigned to the vulnerabilities are qualitative. To facilitate risk computation, a numeric value has been assigned to each rating.

Vulnerabilities were rated as High, Moderate or Low according to the table below:

Vulnerability Rating

Vulnerability Rating | Numerical Rating | Definition
High | 5 | This type of vulnerability can cause major damage to a system and/or system data.
Moderate | 3 | This type of vulnerability can cause minor damage to a system and/or system data.
Low | 1 | This type of vulnerability can cause limited system problems (e.g. temporary access control loss, reduction in system processing speed).

Vulnerability Sources

The technical and non-technical vulnerabilities associated with an IT system's processing environment were identified through interviews, document review, and/or the use of the automated scanning tool Nessus. A review of other industry sources (e.g., vendor Web pages that identify system bugs and flaws) was useful in preparing for the interviews and in identifying vulnerabilities specifically applicable to the components.

Vulnerabilities Assessed

An independent SCA of the 144 required controls in the system requirements baseline was performed in accordance with NIST SP 800-53A Revision 4. To achieve the goal of 100 percent coverage, the Security Assessment Team (SAT) analyzed multiple vulnerability scans of the networks found within the system boundary. Using the Tenable Nessus security scan tool, the SAT performed comprehensive scans of each device, using authenticated scans where applicable.

During a typical vulnerability scanning cycle, the SAT finds discrepancies between the asset inventory and the results of the scan, which result in the SAT and system administrators attempting to locate and document missing and extra devices. Once scans were complete, the SAT began the analysis phase. The SAT generated statistics and comparisons using various available and internally developed tools, assisting in the confirmation of scan coverage and determinations concerning use of scanner authentication and analysis of vulnerability findings.

The SCA concluded that 96 (67% of the 144 required) controls were Satisfied. Prior SCA results were evaluated and re-used in the risk update, and the results of FY2017 continuous monitoring activities (such as quarterly vulnerability scanning) were reviewed. Of the total 144 required controls, 48 (33%) were assessed as Other-Than-Satisfied (OTS). It was discovered that most vulnerable hosts had High-severity and Medium-severity vulnerabilities. Furthermore, the SAT identified 1,341 unique security items, of which 186 were Critical vulnerabilities, 731 were High-severity vulnerabilities, 393 were Medium-severity vulnerabilities, and 31 were Low-severity vulnerabilities. After analyzing the provided Nessus scans, the SAT concluded that the IT team should work on improving vulnerability management methodologies in order to reduce the overall number of vulnerabilities affecting the system.
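The analysis-phase statistics described above (unique security items per severity, and reconciliation of scanned hosts against the asset inventory with the 95 percent coverage target from the lessons learned) as a worked example. This is added example code, not a tool from the report or from Tenable; the .nessus document, inventory and plugin IDs are constructed.

```python
"""Added example: summarise a Nessus .nessus export the way the SAT analysis
phase does - unique security items per severity, and scan coverage checked
against the asset inventory. Sample data below is constructed, not a real scan."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed .nessus (NessusClientData_v2) document; plugin IDs are made up.
# Nessus severity attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="constructed">
    <ReportHost name="10.0.0.10">
      <ReportItem pluginID="10001" pluginName="Missing OS patch" severity="4" port="445" protocol="tcp"/>
      <ReportItem pluginID="10002" pluginName="SMB signing not required" severity="2" port="445" protocol="tcp"/>
      <ReportItem pluginID="10003" pluginName="McAfee ePO agent not installed" severity="3" port="0" protocol="tcp"/>
    </ReportHost>
    <ReportHost name="10.0.0.11">
      <ReportItem pluginID="10001" pluginName="Missing OS patch" severity="4" port="445" protocol="tcp"/>
      <ReportItem pluginID="10004" pluginName="Default account password" severity="3" port="22" protocol="tcp"/>
      <ReportItem pluginID="10005" pluginName="Warning banner not displayed" severity="1" port="22" protocol="tcp"/>
    </ReportHost>
    <ReportHost name="10.0.0.99">
      <ReportItem pluginID="10006" pluginName="OS identification" severity="0" port="0" protocol="tcp"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed asset inventory: hosts documented inside the system boundary.
INVENTORY = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}

SEVERITY_NAMES = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}


def parse_nessus(xml_text):
    """Return {host_name: [(pluginID, severity_int), ...]} from a .nessus v2 file."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("ReportHost"):
        items = [(item.get("pluginID"), int(item.get("severity", "0")))
                 for item in host.findall("ReportItem")]
        findings[host.get("name")] = items
    return findings


def unique_findings_by_severity(findings):
    """Count unique security items (one per plugin ID) per severity, ignoring
    Info, so a plugin that fires on many hosts is counted once, as in the SAR."""
    severity_of = {}
    for items in findings.values():
        for plugin_id, sev in items:
            if sev > 0:
                severity_of[plugin_id] = sev
    counts = Counter(SEVERITY_NAMES[s] for s in severity_of.values())
    return {name: counts.get(name, 0) for name in ("Critical", "High", "Medium", "Low")}


def scan_coverage(findings, inventory, threshold=0.95):
    """Reconcile scanned hosts with the inventory: coverage ratio against the
    threshold, hosts missing from the scan, and extra hosts not in inventory."""
    scanned = set(findings)
    ratio = len(scanned & inventory) / len(inventory) if inventory else 0.0
    return {"coverage": ratio,
            "meets_threshold": ratio >= threshold,
            "missing": sorted(inventory - scanned),
            "extra": sorted(scanned - inventory)}


def hosts_with_plugin(findings, plugin_id):
    """Hosts on which a given plugin fired, e.g. the agent-not-installed check."""
    return sorted(h for h, items in findings.items()
                  if any(p == plugin_id for p, _ in items))


if __name__ == "__main__":
    parsed = parse_nessus(SAMPLE_NESSUS)
    print(unique_findings_by_severity(parsed))
    print(scan_coverage(parsed, INVENTORY))
    print(hosts_with_plugin(parsed, "10003"))
```

The "missing" and "extra" lists are the inventory discrepancies the SAT and system administrators chase down each scanning cycle; the host list for the ePO plugin feeds the system-monitoring finding in Appendix B.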

Lessons Learned Report

The purpose of this document is to capture the Security Assessment lessons learned in a formal document for use in upcoming projects. This document can be used in planning a new project similar to it, to determine what problems occurred during the assessment and how they can be avoided in a future project. The lessons learned document can also list the SAT members; this information may be used in future to determine who the project team members were in order to request feedback and/or help in planning future assessments.

The assessment team analyzed the results of the examinations and tests and found that, of the 144 required controls, weaknesses existed in all three control classes: management, operational, and technical. Also, analysis of the Nessus vulnerability scans identified 1,341 unique security items, of which 186 were Critical vulnerabilities, 731 were High-severity vulnerabilities, 393 were Medium-severity vulnerabilities, and 31 were Low-severity vulnerabilities.

Best Practice Recommendation

While these best practices are not all-inclusive, they can significantly improve an organization’s security posture. Prior independent assessments performed were evaluated and re-used if determined current and based on the control implementation as described in the SSP. Also, the team provided a report that:

· Identifies all software and hardware components that were tested;

· Provides the methodology and rationale for any devices that were not directly tested;

· Documents the results of the assessment of applicable information security controls;

· Provides a summary and risk analysis of the assessment results and recommends mitigations; and

· Provides a recommendation on whether or not to authorize operation of the system.

Lessons Learned

In addition, a few lessons were learned during the assessment.

· Continue to scan all components on a quarterly basis, ensuring that at least 95 percent of all components are scanned for vulnerabilities and CIS compliance.

· Improve access control and account management practices by ensuring all passwords comply with the organization's password requirements and all components are configured to display the approved warning banner.

· Improve patch management practices in order to remediate non-exempt vulnerabilities.

· Improve inventory management practices by ensuring all system components are documented and the inventory includes hardware and software specifications as required by the organization's IT Security Manual.

· Improve audit logging and system monitoring by ensuring all applicable hosts are configured with Tripwire Enterprise and McAfee ePO and are reporting to Tripwire Log Center.

· Reduce the inadequacies in system security policies and procedures by updating system documentation to improve implementation descriptions.

Appendix A: Network Analysis Tools Report

There are several vulnerability assessment tools available in the market. Most of them share the purpose of evaluating an organization's systems against numerous malicious techniques. The vulnerability assessment tool best suited to this vulnerability assessment is Tenable Network Security's Nessus Vulnerability Scanner. Nessus offers the ability to categorize hosts by their locations and to detect a wide range of vulnerabilities. It is a remote security scanning tool, which scans a computer and raises an alert when exploitable vulnerabilities are discovered (Wendlandt, n.d.).

Nessus also scans for vulnerabilities that would allow a remote attacker to control or access any and all sensitive data on our systems. It then scans for misconfigurations, such as an open mail relay, and for missing patches. Nessus checks for denial-of-service vulnerabilities in the TCP/IP stack, which it does by sending malformed packets. During the security assessment, we scanned systems for default passwords, common passwords, and blank/absent passwords on the systems' accounts. The Nessus scanning tool performed this process effectively.

Another reason we opted for the Nessus scanning tool is that, unlike other scanners, Nessus does not make assumptions about server configuration (such as assuming that port 80 must be the only web server) that can cause other scanners to miss real vulnerabilities. The Nessus team ensures the tool is updated with new vulnerabilities and attacks by providing continuous patching assistance to the vendor and developing new plug-ins when new vulnerabilities are discovered. Nessus also offers methods to analyze the results after a scan is performed. It lists each vulnerability found, gauging its level of severity and suggesting to the user how the problem could be fixed.

Nessus uses a client-server architecture; the main server is Unix-based. However, the Nessus client is available for UNIX, Linux, and Windows. The Windows version also sports NASL (the Nessus vulnerability description language), which allows the software to be considerably faster and more efficient. The Nessus scanning tool uses plug-ins to handle the vulnerability checks it conducts. These plug-ins operate as separate files and are easy to install.

One of the most important features of Nessus is the ability to offer real-time scan results; it gives administrators the ability to monitor scan results as they are generated. It contains an audit trail feature which enables administrators to find out why a plug-in is not listed in the results, providing better visibility into how plug-ins are executed. Nessus provides an enormous amount of functionality in one tool.

Appendix B: Vulnerability Assessment Matrix

Internal Threat and Vulnerability Matrix

Columns: Threat/Vulnerability | Description | Classification | Priority (High, Medium, Low) | Analysis Tool Used | Remediation Plan

Threat/Vulnerability: Inadequate review of system administration rights
Description: The SSP states that privileged accounts are audited, but no artifacts were provided to substantiate the claim.
Classification: Technical
Priority: High
Analysis Tool Used: Script
Remediation Plan: Develop and retain continuous monitoring artifacts that demonstrate auditing of privileged account use for all platforms within the organization's systems (Windows, Linux, Cisco, etc.).

Threat/Vulnerability: Poor Patch Management
Description: Analysis of the vulnerability scan shows 165 Critical, 633 High-severity, 335 Medium-severity, and 27 Low-severity vulnerabilities.
Classification: Operational
Priority: High
Analysis Tool Used: Nessus
Remediation Plan: Resolve the noted vulnerabilities and ensure future vulnerabilities are remediated within the organization's required timeframe of 30 days. Develop and retain a continuous monitoring artifact that demonstrates that flaw remediation is centrally managed for all applicable platforms.

Threat/Vulnerability: Inadequate Warning Banners
Description: Several information system components are not configured to display the approved system use notification banner before granting access to the system.
Classification: Technical
Priority: Medium
Analysis Tool Used: Script
Remediation Plan: Ensure all applicable hosts are configured to display a warning banner before granting access to the system.

Threat/Vulnerability: Inadequate System Monitoring
Description: Analysis of Nessus scans shows that some Windows hosts do not have the McAfee ePO agent installed, and some of those that do have an outdated version of the McAfee virus database.
Classification: Operational
Priority: High
Analysis Tool Used: Nessus
Remediation Plan: Ensure all applicable hosts have the McAfee ePO agent installed and are running the current version of the McAfee virus database.

Threat/Vulnerability: Weak Rules of Behavior
Description: The Rules of Behavior document does not address how the organization distributes copies of the Rules of Behavior and communicates subsequent changes to the plan to organization-defined personnel or roles.
Classification: Management
Priority: Medium
Analysis Tool Used: Document Review
Remediation Plan: Update the Rules of Behavior to address how the organization will distribute copies of the Rules of Behavior and communicate subsequent changes to the plan to organization-defined personnel or roles.

External Threat and Vulnerability Matrix

Columns: Threat/Vulnerability | Description | Classification | Priority (High, Medium, Low) | Analysis Tool Used | Remediation Plan

Threat/Vulnerability: Weak Passwords/No Passwords
Description: Passwords do not meet the minimum password age requirement of 15 days and the minimum password length requirement of 12 characters.
Classification: Operational
Priority: High
Analysis Tool Used: Nessus
Remediation Plan: Configure all system domains to adhere to the password requirements and update the implementation description to define the correct minimum password lifetime.

Threat/Vulnerability: Inadequate System Inventory Management
Description: The organization does not have an automated tool in place that is capable of providing a full list of the system inventory.
Classification: Management
Priority: High
Analysis Tool Used: Nessus
Remediation Plan: Ensure an automated tool capable of maintaining an up-to-date, complete, accurate, and readily available inventory of information system components is implemented.

Threat/Vulnerability: Failed CIS Level 2 Compliance
Description: The organization configures workstations and servers in accordance with the respective benchmark checklists. However, compliance scans were not provided to illustrate that CIS benchmarks are in place, the deviations notwithstanding.
Classification: Operational
Priority: High
Analysis Tool Used: Script
Remediation Plan: In order to demonstrate that devices are adhering to the documented benchmarks (deviations notwithstanding), the organization should provide evidence of compliance scans.

Threat/Vulnerability: Failed Backup Procedure
Description: The SAT attempted file restores as well as total system restores, including restores of workstations and a server, but failed to restore either.
Classification: Operational
Priority: High
Analysis Tool Used: Testing
Remediation Plan: Rebuild the backup system for effective backup and restoration.

Threat/Vulnerability: Inadequate Audit Log
Description: The SAT discovered that unused/unauthorized ports were not disabled. Furthermore, no network traffic filtering rules were configured on some systems.
Classification: Operational
Priority: High
Analysis Tool Used: Script
Remediation Plan: Disable unauthorized ports, reconfigure network traffic filtering rules, and install or enable the Tripwire Agent on all devices in the organization's network equipment.

Reference

Haughn, M. (2014, September). What is vulnerability? - Definition from WhatIs.com. Retrieved from https://whatis.techtarget.com/definition/vulnerability

Information Technology Threats and Vulnerabilities. (n.d.). Retrieved from https://www.hq.nasa.gov/security/it_threats_vulnerabilities.htm

Irtsectraining.nih.gov. (n.d.). Retrieved from https://irtsectraining.nih.gov/ITSecRM/html/03_11.html

Network Scanning Using Nessus. (2013, March 08). Retrieved from http://resources.infosecinstitute.com/network-scanning-using-nessus/

Wendlandt, D. (n.d.). Nessus: A security vulnerability scanning tool. Retrieved from http://www.cs.cmu.edu/~dwendlan/personal/nessus.html

Work Breakdown Structure Table: Vulnerability Assessment

Project Title:
Project Start Date: 4/9/2018
Project Manager: Ola Asabi (CISO)
Project End Date: 6/8/2018
Prepared by:

Columns: Element Number | WBS Element (Activity, Task, or Sub-Task Name) | Definition of Activity or Task (Description) | Responsible Person or Group | Duration (Business Days) | Activity

Task 1.0 | Draft Security Assessment Plan
Description: Review all system core documentation.
Responsible: Information System Security Officer (ISSO)
Duration: 3
Activity:
• Review all system documentation, including system configuration documents and system log files, to determine the expected security configuration and capabilities of the system.
• Draft Security Assessment Plan
• CISO approves Security Assessment Plan

Task 2.0 | Kick-off Meeting
Description: Meeting with the Security Assessment team and all stakeholders to discuss the assessment procedures and time frame.
Responsible: Security Assessment Team (SAT)
Duration: 1
Activity:
• Review Security Assessment Plan
• CTO approves Security Assessment Plan
• Security Plan signed by CTO

Task 3.0 | Assessment Activities
Responsible: Security Assessment Team (SAT)
Duration: 30
Activity:
• Request Artifacts
• Review Artifacts
• Interview key personnel
• Daily Tag-Up meeting

Task 3.1 | Request Artifacts
Description: Request core artifacts of the systems to be assessed.
Responsible: Security Assessment Team (SAT)
Duration: 5
Activity:
• Request for Information (RFI)
• Last day for artifact submission

Task 3.2 | Review Artifacts
Description: Review the artifacts submitted.
Responsible: Security Assessment Team (SAT)
Duration: 10
Activity:
• Review artifacts for completeness and accuracy

Task 3.3 | Interview
Description: Interview key personnel - Management, Technical Team, and Operational Team.
Responsible: Security Assessment Team (SAT)
Duration: 5
Activity:
• Conduct interviews with the key personnel to verify the accuracy and completeness of submitted artifacts

Task 3.4 | Perform Testing
Description: Test systems.
Responsible: Security Assessment Team (SAT)
Duration: 10
Activity:
• Perform vulnerability scanning on systems using Nessus
• Review scanning results
• Run bulk script against all hosts

Task 3.5 | End-of-day Tag-Up Meeting
Description: Meet daily with the SCA team to analyze data and discuss potential findings.
Responsible: Security Assessment Team (SAT)
Duration: 30 (daily during the assessment period)
Activity:
• Analyze artifacts
• Discuss potential findings
• Analyze evidence to be included in the report

Task 4.0 | Draft Report
Description: Draft report development activities for submission to the ISSO.
Responsible: SAT Lead
Duration: 5
Activity:
• Draft Vulnerability Assessment Report (VAR)
• Draft Security Control Assessment (SCA) Report Spreadsheet
• Draft Security Assessment Report (SAR)
• Review of SCA package by SISO

Task 4.1 | Findings Briefing
Description: Meeting with the Security Assessment team and all stakeholders to discuss findings.
Responsible: SAT Lead
Duration: 1
Activity:
• Draft SCA memos and briefing slides
• Present findings to management

Task 5.0 | Final SCA Report
Description: Submit Final SCA Package for approval.
Responsible: SAT Lead
Duration: 3
Activity:
• Submit final SCA elements of the Security Authorization Package to CSAM (Final SCA Report and Artifacts, VAR and Security Assessment Report (SAR)) for approval by the CISO

Task 5.1 | Final SCA Report
Description: Upload Final SCA Package to CSAM.
Responsible: ISSO
Duration: 2
Activity:
• Upload Final SCA Package to SharePoint.