National Security Agency

From The Secure Arc Wiki


The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government, administered as part of the United States Department of Defense. Created on November 4, 1952, it is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves a significant amount of cryptanalysis. It is also responsible for protecting U.S. government communications and information systems from foreign counterparts, which involves a significant amount of cryptography. The NSA has also been directed to help monitor U.S. federal agency computer networks to protect them against attacks.

The IAM and IEM were initially applied to satisfy the Department of Homeland Security's HSPD-7 (2003) requirement for vulnerability assessments of the automated information systems that support U.S. critical infrastructure.

The following four paragraphs are summarised from the book Network Security Evaluation Using the NSA IEM by Russ Rogers, Ed Fuller, Greg Miles, Matthew Hoagberg, Travis Schack, Chuck Little, Ted Dykstra, and Bryan Cunningham.

The National Security Agency (NSA) Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for examining security vulnerabilities from an organizational perspective as opposed to only a technical perspective. Often overlooked are the processes, procedures, documentation, and informal activities that directly impact an organization's overall security posture but that are not necessarily technical in nature. The IAM was developed by experienced NSA and commercial INFOSEC assessors and has been in practice within the U.S. government since 1997. It was made available commercially in 2001.

NSA developed the IAM to give organizations that provide INFOSEC assessments a repeatable framework for conducting organizational assessments, and to give assessment consumers appropriate information on what to look for in an assessment provider. The IAM is also intended to raise awareness of the need for organizational assessment in addition to purely technical assessment. Beyond assisting the government and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve an organization's security posture.

The IEM is a follow-on methodology to the NSA IAM. It provides the technical evaluation processes that were intentionally missing from the IAM. The IEM is a hands-on methodology, meaning you'll be actively interacting with the customer's technical environment. As such, the NSA intended for the IAM and IEM processes to work hand in hand.

Whereas the IAM provides us with an understanding of organizational security as it relates to policies and procedures, the IEM offers a comprehensive look into the actual technical security at the organization.

The following information gives a brief account of the relevant IAM / IEM standards. Each requirement of the standards is broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.


Standards Outline

IAM Process

1. Pre-Assessment

  • Determine and manage the customer’s expectations
  • Gain an understanding of the organization’s information criticality
  • Determine customer's goals and objectives
  • Determine the system boundaries
  • Coordinate with customer
  • Request documentation

2. On-Site Assessment

  • Conduct opening meeting
  • Gather and validate system information (via interview, system demonstration, and document review)
  • Analyze assessment information
  • Develop initial recommendations
  • Present out-brief

3. Post-Assessment

  • Additional review of documentation
  • Additional expertise (get help understanding what you learned)
  • Report coordination (and writing)

NSA IAM emphasizes creating a Technical Assessment Plan (TAP) which includes the following:

  • Point of Contact
  • Mission
  • Organizational Information Criticality
  • System Information Criticality
  • Customer Concerns and Constraints
  • System Configuration
  • Interviews
  • Documents
  • Timeline of Events

IEM Process

1. Pre-Evaluation Phase

  • Pull information from IAM Pre-Assessment
  • Coordination with the customer to determine acceptable Rules of Engagement (ROE)
  • Give the team an understanding of the perceived system components
  • Define customer expectations
  • Define customer constraints or concerns
  • Legal Requirements
  • Develop the Technical Evaluation Plan (TEP)

2. On-Site Evaluation Phase

  • Evaluation In-Brief
  • Tool Introduction and System Evaluation
    • Port Scanning
    • SNMP Scanning
    • Enumeration & Banner Grabbing
    • Wireless Enumeration
    • Vulnerability Scanning
    • Host Evaluation
    • Network Device Analysis
    • Password Compliance Testing
    • Application Specific Scanning
    • Network Sniffing
  • Evaluation Out-Brief
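
The tool-introduction step above (port scanning, enumeration and banner grabbing) is only legitimate inside the Rules of Engagement agreed in the pre-evaluation phase: the target list, the ports the customer approved, the evaluation window and any hosts the customer excluded. The following is an added example, not code from the IEM book or from any NSA tool: a small Python scanner that checks the ROE before it sends a packet, then connects to the approved ports and records whatever banner the service volunteers. The RulesOfEngagement fields, the loopback fake service and its banner are assumptions constructed for this demonstration.

```python
"""Scoped TCP port scan and banner grab, gated by the Rules of Engagement.

Added example (not code from the IEM book or from NSA). The ROE fields,
the fake service and its banner are constructed for illustration.
"""
import ipaddress
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class RulesOfEngagement:
    """What the TEP authorises the team to touch (field names are assumptions)."""
    allowed_networks: list          # CIDRs from the TEP's Detailed Network Information
    allowed_ports: set              # TCP ports the customer agreed may be probed
    window_hours: tuple = (0, 24)   # agreed evaluation window, local hours [start, end)
    excluded_hosts: set = field(default_factory=set)  # customer constraints: never touch

    def host_in_scope(self, ip: str) -> bool:
        if ip in self.excluded_hosts:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.allowed_networks)

    def in_window(self, hour: int) -> bool:
        start, end = self.window_hours
        return start <= hour < end


def grab_banner(ip: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read whatever the service volunteers (banner grabbing).

    Raises OSError if the port is closed or filtered, so the caller can tell
    'no connection' apart from 'connected, but the service stayed silent'."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""          # open, but the service waits for the client to talk first
    return data.decode("ascii", "replace").strip()


def scan(roe: RulesOfEngagement, ip: str, ports, hour: int) -> dict:
    """Port-scan and banner-grab only what the ROE permits.

    Returns {port: banner} for open ports. An out-of-scope host or an
    out-of-window run is refused rather than silently skipped, because either
    one is an ROE violation the team lead needs to know about; an unapproved
    port on an approved host is simply not probed."""
    if not roe.host_in_scope(ip):
        raise PermissionError(f"{ip} is not on the ROE target list")
    if not roe.in_window(hour):
        raise PermissionError(f"hour {hour} is outside the agreed window")
    results = {}
    for port in ports:
        if port not in roe.allowed_ports:
            continue
        try:
            results[port] = grab_banner(ip, port)
        except OSError:
            pass                # closed or filtered: nothing to enumerate
    return results


def start_fake_service(banner: bytes):
    """Constructed stand-in for a customer host: a loopback TCP listener that
    sends `banner` to every client. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_fake_service(b"SSH-2.0-OpenSSH_7.4 (constructed banner)\r\n")
    roe = RulesOfEngagement(allowed_networks=["127.0.0.0/8"],
                            allowed_ports={port, 22, 80}, window_hours=(9, 17))
    print(scan(roe, "127.0.0.1", [port, 22, 80, 8443], hour=10))
    try:
        scan(roe, "10.0.0.1", [port], hour=10)   # not on the target list
    except PermissionError as e:
        print("refused:", e)
    srv.close()
```

In a real evaluation the connect-and-read loop would be replaced by the scanner the TEP names under Evaluation Tools to Be Used; the part worth keeping is the gate in front of it, which turns the ROE from a paragraph in the TEP into a check that every probe has to pass.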

3. Post Evaluation Phase

  • Analyze the evaluation raw data
  • Conduct additional vulnerability research
  • If necessary, seek additional expertise
  • Develop recommendations
  • Coordinate final report authoring with team members
  • Deliver final report to customer

Like the IAM's TAP, the IEM directs creation of a Technical Evaluation Plan, or TEP:

1. Points of Contact

2. Methodology Overview

  • Purpose of the IEM
  • Description of the IEM
  • Evaluation Tools to Be Used

3. Criticality Information (Organizational Criticality Matrices and System Criticality Information)

4. Detailed Network Information

5. Customer Concerns

6. Customer Constraints

7. Rules of Engagement

8. Coordination Agreements

  • Level of Detail of Recommendations
  • List of Agreed-On Deliverables
  • Any other agreements with the customer (this section serves as a catchall)

9. Letter of Authorization

10. Timeline of Events

Standard Practice

As stated earlier, the methodology was driven by U.S. Homeland Security initiatives: PDD-63, superseded in 2003 by HSPD-7.

Licensing and Documentation

Training in this methodology can be arranged through Security Horizon. Assessment services can be arranged through EDS.
