CyberSecurity Institute

The assessment guidelines, to be released in NIST Special Publication 800-53A early next month, are designed to enable periodic testing and evaluation of the security controls federal agencies need to put in place, said Ron Ross, project leader of NIST’s Federal Information Security Management Act (FISMA) Implementation Project.

The mandatory security rules themselves were released in February in a separate NIST document, called Special Publication 800-53 (download PDF). That document details the baseline security controls for different categories of federal information management systems.

The security rules cover 17 different areas, including access control, incident response, business continuity and disaster recoverability, and will become a required Federal Information Processing Standard by year’s end for all federal systems except those related to national security. The guidelines are designed to allow federal agencies to assess “if mandated controls have been implemented correctly, are operating as intended and are … meeting the organization’s security requirements,” Ross said.

The NIST assessment guidelines are “very closely aligned” to SP 800-53, Ross said.

The first draft will detail assessment procedures for five of the 17 security controls described in the February document but will eventually include guidelines for all the rules. Every security control mandated in SP 800-53 will have an associated assessment method and procedure, Ross said. For example, a security requirement that federal agencies have formal information back-up processes will have an associated procedure describing how compliance can be evaluated, Ross said.

The guide can be used for agency self-assessments, by certification agents and auditors to do independent testing and even by IT systems developers, according to Ross.

“The goal of 800-53A is right on target,” said Alan Paller director of research at the SANS Institute, a Washington-based security information center.

Too often, a lack of clear guidelines leads to situations where mandated security controls are interpreted in different ways, Paller said. “The greatest mistake is when people write what needs to be done but not how it needs to be done,” he said. How effective the guidelines will be depends on how much detail it provides to information security assessors, Paller said. “If it was written by people who have really protected systems and cleaned up after attacks, it is likely to provide what is absolutely needed,” he said.

On the other hand, if the document was crafted by “policy people” with little hands-on experience, it may not be of much practical value, he said. While such assessment guides can be useful, “if a lot of the underpinning details are not addressed it can give a false sense of compliance,” said Will Ozier president of OPA Inc., a Vacaville, Calif.-based risk management consultancy.

http://www.computerworld.com/securitytopics/security/story/0,10801,102409,00.html?source=x73

Companies can now operate a wide range of applications over a single network platform including unified messaging, video conferencing, and flexible remote access. Before the advent of convergence, voice traffic was relatively secure in the protective proprietary operating environment of the customer’s PABX.

Now, however, it is typically just another generic server type platform within a company’s data system and, as such, subject to the same risks that affect the data environment as a whole including worms, viruses and password attacks. With an old-fashioned TDM PBX switch an intruder would typically have to have physical access to the phone line itself in order to attach a bugging device and eavesdrop on calls. Now, just by penetrating the VoIP gateway, he may place the voice conversation itself under threat not just from straightforward listening in, recording and replaying but even in some cases call redirection.

Voice over IP (VoIP) remains a relatively new development, critical security vulnerabilities are being identified all the time, leaving systems at risk from a broad range of potential attacks, leading to possible ‘denial of service’. In spite of these continued threats, there is still some naivety about the sensitivity of the marketplace to voice performance and voice resilience.

Perhaps even more alarmingly the availability of the IP network itself could be at risk, threatening the ability of an organisation to communicate via either voice or data.

And many of the end users to whom they are selling do not have the budget or the in-house resources to manage or even fully understand all the security implications of the growing development of VoIP solutions.

Consequently, there is set to be significant market growth in solutions from the major providers that are designed to protect IP telephony platforms.

In the past, voice networks were generally robust and built on long established and evolved standards. Equally the process of PBX configuration had become almost routine and voice transmission plans, interface and integration processes well rehearsed. Equally, the value of IP telephony security is likely to receive greater recognition and more robust voice security built into the fully converged solutions currently being developed for customers.

If end users are to have full confidence in migrating to VoIP solutions, it is essential that the major providers play a key role in this process.

To understand the nature of this role, you first need to appreciate that VoIP security cannot be seen in isolation. It is just one, albeit critical, part of the complex integration challenge facing providers of converged solutions today.

http://www.ebcvg.com/articles.php?id=761