Access Controls in Baselines - Cup of Cyber

Video Statistics and Information

Captions
[Music] Good morning, happy Monday to you. Got the livestream rolling; it is going out over the interwebs. Guys, I put the slide deck together for today and I was like, man, I'm so glad we thought to turn things around and laser focus on the low, the moderate, the high controls, and those things that affect privacy. I hope you have your cup of coffee and you're ready to go. We're going to talk about one of the controls in this control set, AC-4, Information Flow Enforcement. It's an important control: how do we keep the information that we're responsible for contained? How do we make sure it doesn't go places it's not supposed to go? That's what this control is all about. So we talk about it within the bounds of our control, our scope of control, our span of control, where we can work, where we can control how this information goes. This control is all about keeping stuff where it's supposed to be. Information flow control is an important control. We'll change things up a little bit, so we'll walk through the slide deck this morning. I see we've got a few people coming in. Mike Bravo's going to get things going; he's going to submit resumes till his fingers bleed. That's a Monday for you right there if I ever saw one. Hopefully everything's going good, hopefully it's all going the way it's supposed to go, hopefully it's a productive move you're going for, Mike. Let's jump in, let's do the morning intro, and then let's jump into the slide deck.

[Music] I do have a new setup; I'm trying some new things, so I've got to kind of move around a little bit. It's not ideal here because I did a lot of organizing over the weekend. I told you this is the year to get organized. So right now this surface right here, if you could see it, it's all junked up; it's got everything that I pulled from other places that needs a home, that is kind of over here in this area, things like patch panels for explaining how to do things. Patch panels we're going to talk about today, because there's a lot of stuff we're talking about today that goes over the network, controlling things as they flow over the network. That's a big part of today's control. So let's jump into the slide deck and walk through this thing.

So this morning we're talking about NIST Special Publication 800-53 Revision 5, the newest revision, talking about baselines and the access control controls that fall in the low, moderate, and high baselines, as well as those things that impact privacy. Today we're talking about AC-4 and the enhancements that fall in the baselines: Information Flow Enforcement. Remember, we look back at all of the access control family and all of the controls that fall in any of the baselines or are impacted by privacy. So this is the one we're looking at today. We see there's a control and a single enhancement, so AC-4 and AC-4 enhancement 4. AC-4 falls under the moderate or high baseline, and enhancement 4 falls under the high baseline. One thing you'll notice down in the lower left corner, you'll see a little grid. Now, this grid is important; I thought I'd throw this in here. It's right down here, guys. This is our key. Each of the slides will have this key, or there's another one we'll look at a little bit later when we talk about assessment. This is going to tell you if this control falls under a privacy control or the low, moderate, or high baseline, and you see under this one we've got it highlighted under moderate and high, because this control obviously is under the moderate and high baseline. It's required as a baseline control; it can be tailored out if you need to, but that's the important part. So that's the part down there we see.

So the discussion on this one started out kind of long, so we broke it up and hopefully it makes sense. This is the discussion around AC-4. Now, information flow control regulates where information can travel within a system and between systems, and that's in contrast to who is allowed access to the information. So a lot of the access control controls we've talked about up to this point have been who can access the information. This control is more in line with where it can travel, and that's inside the system, like if you have multiple components of the system, and sometimes even within a computer itself, and also outside the system, if you're leaving the bounds of your control. That's with regard to the subsequent access to that information: who can access that information, where that information can go after it leaves your system.

So, flow control restrictions include blocking external traffic that claims to be from within the organization. A lot of folks do this on their firewall. They have what's called a bogon list, and it says block anything coming from the external side, the external connection of the firewall, that says it's from our internal network. So if we have an internal network and there's a connection coming from outside, we know it's coming from outside, we know it can't be an internal address, so that's someone trying to spoof an IP address, trying to get inside. So we want a control on that firewall that says, hey, if that IP's coming from the external environment trying to come in and it's got one of our IP addresses, stop it. And that's what this is saying: blocking external traffic that claims to be from within the organization. IP addresses are the big thing we talk about here; there could be other ways to do this as well.

Also, keeping export-controlled information from being transmitted in the clear to the internet. So there are some things, like cryptographic keying information and things like that, that are under export control restrictions. So there are certain things we can't export to some other countries. What we're saying here is we know we have some things that are restricted from export; it's our responsibility to make sure they don't get exported in the clear to the internet.

And then restricting web requests that are not from the internal web proxy server. So if we have a proxy in place, that should be the thing that's going out and asking for web addresses, so we want to make sure that people aren't bypassing our web proxy. So we restrict web requests that are not from the internal web proxy. If everybody is supposed to go through something like a Blue Coat, a web proxy, it's going to have specific IP addresses that we know should be coming from that proxy. Those things should be allowed to query the internet. If we have other IP addresses querying the internet, we should be concerned about that; we should limit that, and they should be controlled by some type of access control board or change configuration management board, something like that.

And limiting the information transfers between organizations based on data structures and content. Right, so we're kind of restricting where the information can flow to, what systems it can flow to, where it can go, that kind of stuff. So we want to have something in place that's going to block that data from going places it's not supposed to go. So we talked about a lot of things: folks on the outside claiming to be from the inside; people trying to bypass a web proxy, whether intentional or unintentional; making sure that if there's something we have that is controlled and is not supposed to be exported, we are responsible for putting controls in place so it doesn't get exported; and then having some limitations between organizations based on data structures and content. That's normally something like a DLP solution, so it queries the information and makes sure that things like social security numbers, PII, classified information, are not traversing that. So that's the first part of this control.

Second part of the control: we want to make sure that if we're transferring information between organizations, that may require an agreement specifying how the flow is enforced, and that's covered a little bit more in CA-3, another control. And then another part of this: we've got "transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies." So to illustrate that, maybe we have a confidential environment; that could be government Confidential, or maybe trade secrets or something like that within a private organization, and maybe they're on the same network. How do we make sure that this confidential information, this sensitive information, doesn't travel over to systems that are not certified to handle that type of information? Right, so we want to put some type of control in between these two types of domains that keeps the data from flowing from one side to the other. There's a lot of different ways we can do that. So make sure that if there are things that would be violating rules, we put some type of control device in between those types of networks to keep that from happening. In such situations, information owners or stewards provide guidance at designated policy enforcement points between the connected systems. So if I'm the data owner for this confidential information, I may tell the system owner this data can never traverse over to the public network. All right, so then the system owner or the organization responsible for that network is going to be responsible to make sure there's a block in place that keeps that information from flowing to the public network.

Right, so organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (allowing access only), verifying write permissions before accepting information from other security or privacy domains or connected systems, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security and privacy attributes and labels. I'm talking about a lot of stuff in this part of the control, right: prohibiting information transfers between systems, maybe where we are prohibiting that transfer of information between them and allowing us to review it only, or verifying write permissions, who can write to another system, before we allow that write to be fully committed. Another thing we talk about is something called a one-way transfer. So in this situation maybe we can say information can go from the public systems to the confidential systems, but information should not flow the other way. It shouldn't go from the confidential system back to the public. That's a one-way transfer: it can only go up, it can only go from public to confidential. That makes sense, because it's a higher classification level in most cases. So we want to make sure that, yeah, we want to get information maybe from the internet; once we vet it, it goes up to the confidential system, but we should never want the higher domain to come down. Right, so we don't want that confidential information coming back down. There's a lot of stuff in that part of the control.

We're rolling down to the end of this thing. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within a system and between connected systems. All right, so we're just saying, yeah, this control is within a system or between systems; that's where we put the stuff in place. Flow control is based on the characteristics of the information or the information path. So what could that be? Characteristics: maybe we have tagging going on, maybe we're doing DLP solutions where we're looking for specific patterns of information, and maybe we know that this path between this system and this other system is traversing from a higher security domain to a lower security domain. So maybe that information path is something we know about; it's going between maybe where we're doing our research and development and the public networks. We want to make sure that we keep track of those paths. Right, enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content. We're talking about all kinds of things like firewalls and layer 7 firewalls, things that are looking at the packet; they're looking at the tags, they're looking at the type of information, maybe a DLP solution at the border. Generally we're talking about perimeter devices here, but it could be between security domains. Again, it's very common to have external perimeter firewalls, and then we'll have firewalls between sensitive domains like payroll, HR, research and development, things like that. A lot of times we'll have another layer of firewalls that further protect that information. That's what we're saying with this part of it.

Right, the important part: organizations also consider the trustworthiness of the filtering or inspection mechanisms, hardware, firmware, software components, that are critical to flow enforcement. So if we have a device there that's providing this protection between the Top Secret and the Secret environment, or between research and development and public, or whatever, we want to verify that that device we're buying doesn't have any malicious code in it. We don't want to buy stuff from unknown vendors. This is part of what we call third-party supply chain management, and we want to make sure that if we're buying devices, especially security devices like this, they're coming from a reputable source, and we want to make sure that that device is trustworthy, and that trustworthiness has to be determined by our organization. Do we trust a device that is, and I'll say just a Chinese knockoff of maybe a Cisco device, or do we need to validate that we're getting a true Cisco device or a Foundry device or whatever network components we have?

Right, the second half of this part of the control really talks about, generally in government environments, what we call cross-domain solutions. That doesn't mean they can only exist in government organizations, but that's generally where we see cross-domain solutions, and that's where we allow traffic between a network like Top Secret and Secret. That's that cross-domain solution. So that's what the second part here goes on to talk about. It says the control enhancements 3 through 32, a lot of enhancements here, primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products such as high assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (I need more coffee, I think): routing and DNS. Talk about the control plane: even the control plane in a firewall, in a multi-purpose security device, we're going to have that control plane in the back; traffic's going to be flowing there as well. So we have to consider all types of traffic, especially when we're thinking about these systems that would need something like a cross-domain solution. Cross-domain solutions are generally put in place with those different security domains that the government has, Confidential, Secret, Top Secret, those kinds of things; we put them in place. So that's the second part. Obviously I'm not going to talk a lot about that. Obviously the other control enhancement we talked about is 4, which falls in that realm, which we'll be talking about. That's the only other control we'll talk about.

A bunch of related controls; I'll leave them on the screen here for a second for you to look at: a bunch in AC, the audit, CA, the PM, SA, SC families. Obviously, if we can't fully implement this control, then we'll go look at these other controls to see how we can reinforce or supplement AC-4.

So here's the actual control itself: enforce the approved authorizations for controlling the flow of information within the system and between connected systems based on what? Right, and that's something we have to define. In my fictitious system I said the organization's access control standard. So we have to look at the standard, and it's going to define how information flow can be managed: where we have the firewalls, where we have cross-domain solutions, where we have devices that are going to do filtering. That could be a layer 7 firewall, that could be a DLP solution, something like that we could have in place, and that's going to be defined in the access control standard. So if you've been following along, you know there are a lot of things we have to be adding to the access control standard; yet another thing we have to add is the information we're talking about here.

So the other thing we're going to see, in the lower left-hand corner, is that now the icon has changed down there. So you look down here, now we've got EIT, and that's just determining is this control examine, interview, or test, and in this case we see it is all three: we have examine, interview, and test. What we're going to do as an assessor is determine if the organization defines the information flow control policies for controlling the flow of information within the system and between interconnected systems. Right, so that's the first part: does the organization define it? That means we're documenting it somewhere. Do they document it? In our case, that's going to be in the access control standard. So as an assessor, that's part of the thing I'm going to examine. Examine: access control policy, information flow policies, procedures addressing information flow enforcement, information system design documents, information system configuration settings and associated documents, information system baseline configuration, list of information flow authorizations (that's something we have in our standard), information system audit records (who's looked at this before), and other relevant documents. We're always going to see that "other relevant documents"; that gives the assessor a lot of leeway to go out and find out what they're going to use. I can interview system and network administrators, organizational personnel with information security responsibility, system developers. And I can test the mechanisms, make sure they work, and that's what we're going to do in the second part of this assessment: determine if the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on these organizationally defined information flow control policies. So as an assessor, to do that, maybe I would say you've got a DLP solution, or you've got some kind of filtering solution set up that's supposed to catch information going from this domain that has PII in it to this public domain. Okay, maybe I'll create a message or create a document with a fake social security number in it. Don't use real stuff in these tests. I always say don't use the real stuff, because you don't want a breach of information, you don't want a spill. So you create a document with a fake social security number and try to send it from system A to system B. Does the solution catch it? Does it stop it from going where it's not supposed to go? Maybe I'm going to try to connect to the internet by bypassing the proxy. Whatever the restrictions are that are defined in that first part, whatever's defined in the standard, I'm going to go ahead and see if I can break it. That's part of being an assessor.

So the other thing we have in one of the baselines is enhancement 4, AC-4 enhancement 4. If you see in the bottom left corner, this is only in the high baseline. That's where we started with, and the discussion around this one's much shorter. Right, flow control; it's not easier to say, though. So flow control mechanisms include content checking, security policy filters, data type identifiers. They also go on to say the term encryption is extended to cover encoded data not recognized by filtering mechanisms. Obviously the related control here is SI-4. So we've got our filtering solution, right, and it should be checking for different things like secret information, PII, trade secrets; you should be keeping that stuff from going across. If it can go across, that's fine. So we know that; we kind of talked about that already. We haven't talked about if data is encrypted. If it's encrypted, we shouldn't allow that to go across the device if we can't somehow decrypt it. So we want to make sure that we're filtering for things: we're filtering for that PII, we're filtering for that secret information, we're filtering for things that shouldn't be going from system A to system B. One of the ways someone could try to bypass that system is they could take that secret information, encrypt it, and then send it across the wire. If our device can't decrypt it, we have to determine what we're going to do with it, and that's what this control's all about: once it's encrypted, what happens at that device?

Right, so this one is generally, most of this control is organizationally defined variables, and that kind of makes some of the controls hard when it gets like this. So: "prevent encrypted information from bypassing", then the first part there is an assignment, organizationally defined information flow control mechanisms, "by", and then there's a selection of one or more of the following: decrypting the information, blocking the flow of encrypted information, terminating communication sessions attempting to pass encrypted information. So we have to decide from those what we're going to do, and then we're going to assign something, and that's going to be the organizationally defined procedure or method. So in my fake system, here's what I said: prevent encrypted information from bypassing the organizational IDS, IPS, and DLP systems by decrypting the information if we can, or blocking the flow of encrypted information, as required by the access control standard. So we go to the access control standard and we read more about that: when can we encrypt it, or when can we decrypt it, and when do we block it? So essentially, in my case it would be, hey, if I can't decrypt it and read it, I'm going to block it. That's going to be the rule that I put in place.

Right, so again at the bottom here we have our EIT model; it says we do have examine, interview, and test, kind of looking at the same documents we do for AC-4. We're going to look at the same thing for AC-4 enhancement 4, to include testing the system: can I encrypt a document and get it to go through the tunnel to the other destination? So I'm going to determine if the organization defines a procedure or method to be employed to prevent encrypted information from bypassing content checking mechanisms. Do I need to define it? That's always the first part: define it, that's in the document; do we define it? And the second part is, does the system do it? Determine if the information system prevents encrypted information from bypassing content checking mechanisms by doing one or more of the following: does it decrypt the information, does it block the flow of encrypted information, does it terminate the communication session attempting to pass encrypted information, or does it do something else? And in our case we want to say, okay, the document's going to define when it decrypts and when it blocks. So those two things I'm going to check as an assessor: I will try to pass some encrypted information, and I'll try to pass it in those two realms. Possibly, when it can decrypt it, maybe it'll let it go through if it's clear once it's decrypted, and if it can't be decrypted, then it should block the session.

So that's all of AC-4 we need to cover, and as we said, a lot of this is covered by cross-domain solutions that are really used in those high-trust situations within the government. That's where we have Confidential information, Top Secret information, compartmented information, SAP solutions, things like that; we're going to put those cross-domain solutions in. So for a normal system it's going to be AC-4 and AC-4 enhancement 4. Those are in the baselines. Remember, AC-4 you're only going to have in the moderate and high systems, and then enhancement 4 is only in the high systems alone. Hopefully that helps you get through this control.

I see a bunch of folks joined in. Rainier is here, morning. Good morning, Rainier. Loomis is here. Richard's here as well. Paul, Paul is doing well, hopefully. Oh, late in the evening, or early in the evening, Scotland? I think maybe afternoon, I guess. And Sam is here. Paul, I guess it was, what, you're seven hours ahead? It's 8:27 here on the East Coast. So, good morning, everyone. It's good to see you here. Hopefully you like this new format. This is the new format we're going to go forward with, really laser focusing down. I still don't know who contacted me on the web to talk about this; it was visitor 79. I don't know who it was; I asked who it was. This is going to really laser focus in: we're going to get in there, we're going to go into more detail on these controls, and we'll be able to really focus and hopefully expand on it. Hopefully this helps you. Let me know in the comments if this is helping you or not. Paul says early afternoon, Scotland. Good deal. Beth is here. Uncomfortable look. Oh, closed captioning; I wish we did it live. Closed captioning will be there later, Beth; the system automatically does it later. I wish it closed captioned live. And 1330 in Scotland, that's 1:30 if you're civilian. So hopefully your day is going well. Hopefully you've got a productive week. I know Mike Bravo's doing resumes till his fingers bleed. I've got a lot going on this week as well: finish up that AZ-900 class for Saint Louis University. Saint Louis University, if you guys think about it, they do a great program over there in cloud; they're doing a bunch of cloud stuff at SLU, so good things going on over there. Work's going like crazy, and you guys keep me going in the morning, get me up, get me going.

Always, always, always take care of your friends, family, co-workers, take care of each other. Mike's going to say go get some; I'm going to say just be good, go do productive stuff this week, be productive. I'm going to start throwing out some information about organizational tips that I've found that may help you in your career. But if you could share with your friends, if you have people that are going through this, want to know this stuff, the more the merrier; different viewpoints can definitely help. I've got my viewpoint; you guys definitely throw your viewpoint in, I'd love to see it. It always helps get up in the morning, share a cup of coffee. You can watch this later in the day, obviously, you can listen to it later; it'll be on the podcast later. And if you haven't yet, subscribe to the channel. It helps me get where I need to go; doesn't cost you a dime. You can like the video, you can like the channel, you can comment. I'd love to hear what you've got to say about access control, this new format, AC-4 flow controls, even cross-domain solutions. If you want to throw in some unclassified information, stuff that's not going to get anybody in trouble, what do you know about cross-domain solutions? I know a couple of devices I've looked at, one-way transfers and things like that in the past, but I'd love to hear what you guys have to say. That being said, we're right on time, 8:30. That's going to wrap it up. You guys be good out there, go take care of each other. Good luck with the bunch of resumes. If anybody knows anything, Mike wants to, I don't know what you want to do, Mike; let us know. And tomorrow morning we'll talk about the next control in line, tomorrow morning, 8 o'clock. So you guys be good out there. We'll see you then.
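The rules the presenter walks through in the captions (the bogon rule on the firewall, allowing web requests only from the proxy, one-way flow between security domains, DLP content checking, and the AC-4(4) decision about encrypted or encoded content) as an added Python example. This is not code from the video or the channel; the network addresses, the domain names, the base64 handling and the toy XOR "cipher" are assumptions standing in for the real firewall, proxy, DLP or cross-domain guard mechanisms an organization would actually deploy.

```python
"""Toy information-flow enforcement point for the AC-4 rules discussed above.
Added example, not from the video: addresses, domains and the XOR "cipher" are
hypothetical stand-ins for a firewall, proxy, DLP appliance or cross-domain guard."""
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed environment (hypothetical values, not from the video).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WEB_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # only these may send web requests to the internet
WEB_PORTS = {80, 443}
DOMAIN_LEVEL = {"public": 0, "confidential": 1}   # higher number = more sensitive domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKING_RE = re.compile(r"\b(?:CONFIDENTIAL|SECRET|EXPORT CONTROLLED)\b")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{8,}={0,2}$")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    ingress: str      # "external" if it arrived on the outside interface, else "internal"
    src_domain: str
    dst_domain: str
    dst_port: int
    payload: bytes


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def is_plain_text(data: bytes) -> bool:
    return bool(data) and all(b in PRINTABLE for b in data)


def normalize(payload: bytes) -> Optional[bytes]:
    """Return inspectable text, decoding base64 (a recognized encoding) first.
    Anything the filter cannot read counts as encrypted, per AC-4(4)."""
    if B64_RE.match(payload) and len(payload) % 4 == 0:
        try:
            decoded = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            decoded = b""
        if is_plain_text(decoded):
            return decoded
    return payload if is_plain_text(payload) else None


def toy_xor(key: bytes) -> Callable[[bytes], bytes]:
    """Symmetric XOR stand-in for encryption (demo only, not real cryptography)."""
    return lambda data: bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def enforce(flow: Flow, decryptor: Optional[Callable[[bytes], bytes]] = None) -> tuple:
    """Apply the flow rules in order; the first violated rule decides."""
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    # 1. Anti-spoofing (bogon rule): outside traffic must not claim an internal source.
    if flow.ingress == "external" and is_internal(src):
        return "block", "spoofed internal source on external interface"
    # 2. Proxy enforcement: only the web proxy may send web requests to the internet.
    if flow.dst_port in WEB_PORTS and not is_internal(dst) and src not in WEB_PROXIES:
        return "block", "web request bypasses proxy"
    # 3. One-way cross-domain flow: a higher domain never flows down to a lower one.
    if DOMAIN_LEVEL[flow.src_domain] > DOMAIN_LEVEL[flow.dst_domain]:
        return "block", f"{flow.src_domain} to {flow.dst_domain} flow prohibited"
    # 4. AC-4(4): content must be inspectable; decrypt if we hold the key, else block.
    text = normalize(flow.payload)
    if text is None and decryptor is not None:
        text = normalize(decryptor(flow.payload) or b"")
    if text is None:
        return "block", "encrypted or unrecognized content cannot be inspected"
    # 5. DLP content check on anything leaving the organization or crossing domains.
    if not is_internal(dst) or flow.src_domain != flow.dst_domain:
        content = text.decode("ascii")
        if SSN_RE.search(content):
            return "block", "SSN pattern in content"
        if MARKING_RE.search(content):
            return "block", "classification or export marking in content"
    return "allow", "policy satisfied"


def run_demo() -> dict:
    """Constructed sample flows (not captured traffic), one per rule."""
    xor = toy_xor(b"\xa5")   # XOR is symmetric: the same function encrypts and decrypts
    secret = b"Please wire to SSN 123-45-6789"   # fake SSN, as the presenter advises for tests
    ext = ("internal", "public", "public", 25)   # ingress, src_domain, dst_domain, dst_port
    cases = {
        "spoofed_source": (Flow("10.1.1.1", "10.0.0.9", "external", "public", "confidential", 25, b"hello"), None),
        "proxy_bypass": (Flow("10.0.0.42", "203.0.113.10", "internal", "public", "public", 443, b"GET / HTTP/1.1"), None),
        "via_proxy": (Flow("10.0.0.5", "203.0.113.10", "internal", "public", "public", 443, b"GET / HTTP/1.1"), None),
        "high_to_low": (Flow("10.9.9.9", "10.0.0.9", "internal", "confidential", "public", 25, b"weather report"), None),
        "low_to_high": (Flow("10.0.0.9", "10.9.9.9", "internal", "public", "confidential", 25, b"weather report"), None),
        "base64_ssn": (Flow("10.0.0.9", "198.51.100.7", *ext, base64.b64encode(secret)), None),
        "encrypted_no_key": (Flow("10.0.0.9", "198.51.100.7", *ext, xor(secret)), None),
        "encrypted_with_key": (Flow("10.0.0.9", "198.51.100.7", *ext, xor(secret)), xor),
        "encrypted_clean": (Flow("10.0.0.9", "198.51.100.7", *ext, xor(b"weather report")), xor),
    }
    return {name: enforce(flow, dec) for name, (flow, dec) in cases.items()}


if __name__ == "__main__":
    for name, (decision, reason) in run_demo().items():
        print(f"{name:20s} {decision:5s} {reason}")
```

Running the script prints one decision per constructed flow. Two design points match the control text: a base64 blob is decoded before the DLP check, because AC-4(4) extends "encryption" to encoded data the filter would otherwise not recognize, and when no decryptor is available the encrypted flow is blocked rather than waved through, which is the "if I can't decrypt it and read it, I'm going to block it" rule from the presenter's fictitious standard. In a real deployment the decryptor is whatever the enforcement point holds keys for (for example TLS interception at the proxy), and the rule order matters: the one-way domain rule fires before any content is inspected.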
Info
Channel: Cyber-Recon
Views: 117
Rating: 5 out of 5
Keywords: RMF, Risk Management Framework, NIST Controls, Controls, Security Controls, Privacy Controls, SP 800-53, SP 800-53 R5, SP 800-37 R2, 800-37, Access Control Policy, Access Control Policy and Procedures, Policy, Procedures, Policy and Procedures, AC-2, Account Management
Id: gIKGn3-G6-U
Length: 31min 3sec (1863 seconds)
Published: Mon Jun 14 2021