SSP System Security Plan / PowerPoint presentation

Cyber Defense Analysis

System Security Plan (SSP) Guideline for CMI Presentation

Most of the guidance for creating a System Security Plan is aimed at large Federal Government organizations and contractors. These publications include the FEDRAMP Cloud SSP Guide, NIST Special Publications 800-18 r1, and 800-171[1]. But this guidance may also be used by the private sector and a smaller organization such as CMI. In fact, the majority of materials downloaded from NIST are from private sector requestors. But a full SSP process can be quite laborious. It involves:

1. Listing a large volume of basic organizational information such as authorization, contacts, mission, and applicable law & regulation,

2. Determining the boundaries of the information technology system, including applications, technical operating environment [hardware, software, data & communications], interconnections, information sharing, physical locations & containment, personnel involved, and processes for use,

3. System Categorization, i.e. determining levels of confidentiality, integrity, & availability (CI&A) for the system using [low, moderate, high] labels,

4. Applying a specific set of controls, i.e. defensive measures, termed Low, Moderate or High, for the set of CI&A. These controls are set by NIST and listed separately for systems classified as Low, Moderate, or High. Federal government organizations must comply by applying those specific types of controls to those systems, and

5. A Plan of Action and Milestones to assure that the organization is brought up to required levels of security and maintained at those levels.

Modified Approach for CMI

With CMI, a moderate sized commercial organization, a modified approach is justified. Such an approach would include:

A. Brief description of the organization,

B. Brief description of the system(s) or technology(s) under review and their requirements in CI&A,

C. Summary of Systems Threat, Vulnerability, Impact and Likelihood (TVIL) findings,

D. Selection of controls to be applied to their systems for CI&A given their TVIL, and

E. Brief outlook on expected implementation timetable and resources for maintaining assurance.

An SSP writer should attempt to incorporate into the plan the organizational activities supporting cyber security explored thus far in the course. Figure 1 below demonstrates this. More detailed requirements follow the figure.

Figure 1- Integration of Previous Assignments into an SSP

[1] a. FEDRAMP SSP Moderate Baseline for Cloud Template: https://www.fedramp.gov/assets/resources/templates…

b. For a government SSP: NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistsp…

c. For a contractor SSP: NIST SP 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: https://nvlpubs.nist.gov/nistpubs/SpecialPublicati…

Your presentation should be structured similarly to the outline above.

Viewpoint

In presenting this report you should take a specific viewpoint toward the SSP’s area of concern, choosing any one of the following:

1. Selection of a specific technology area, e.g. Wireless, with its TVIL findings and CI&A requirements, and then the expected effects of applying security controls across selected application systems using wireless technology.

2. Selection of a specific functional area, e.g., Accounting, Personnel or Marketing, then outlining the requirements and effects of applying security controls across all of the applications & technology in use in that area.

3. A complete CMI cross cut of security application on all systems, infrastructure, TVIL and Controls across the entire organization given findings and CI&A requirements.

You will need to specify this up front in your Executive Summary along with the Organization level material.

Determining / Describing system boundaries

Most organizations employ many different automated information technology systems composed of people, processes, and technology for accomplishing their goals. So an organization will have, for example, a payroll system, an accounting system, a product inventory system, and a sales recording system. These systems may be housed in different locations, on different internal or external vendor hardware, in clouds, or on mobile devices. There are many potential system and sub-system variations. For example, within a sales department they may be operating a scheduling app with customers, traditional productivity apps (word processing, spreadsheets, etc.), a travel app, perhaps a web based app like Salesforce, and coordinating content for advertising.

For CMI you should specify 1) the applications they are running and 2) the infrastructure on which those applications operate.

Confidentiality, integrity, & availability

For CMI the current environment is less complex. From a network viewpoint it may be seen as one system. However, from an audit standpoint, transactions in the accounting function would be viewed differently from transactions in the customer service or credit departments. Each will employ different applications and likely be operating on different hardware processors. This must be considered when determining what controls should be applied. Typically, confidentiality is more often an issue with personnel records, integrity with financial records, and availability with customer service. Controls that might be applied tend to fall within categories such as the following:

• Confidentiality: Encryption, Access Control

• Integrity: Certificates, Hashing, Audit

• Availability: Network up time, Backups

Keep this in mind as criteria when selecting controls.

Systems Threat, Vulnerability, Impact and Likelihood (TVIL) Findings

A good part of this course was spent examining vehicles for discovery of threats & vulnerabilities. Controls should be identified that will mitigate the specific TVIL identified.

• nMap: port issues, unidentified devices on the network

• Nessus: software vulnerabilities

• Wireshark: potentially malicious network traffic

• Penetration Testing discoveries using specialized query tools, audit and social engineering

• Risk Assessment discoveries

• Your presentation should include a summary of the threats & vulnerabilities discovered or hypothesized for CMI.

Determining & Applying Defensive Controls

For most security shortfalls there is a solution. These solutions fall into the general categories of people, process, and technology. Yu[2] and others have formulated a matrix approach, called the Cyber Defense Matrix (CDM), toward mapping the controls to the area of challenge. It utilizes the common elements of Information Systems [Devices, Data, etc.] along with the functions of cybersecurity [Identify, Protect, Detect, Respond, Recover] as defined in the Cyber Security Framework[3].

[2] Yu, S. (2019) The Better Cyber Defense Matrix. RSAConference. https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/14226/STR-T09-Cyber-Defense-Matrix-Reloaded_POSTABLE_VERSION.pdf

Figure 2, below, from Yu (2019) illustrates this concept. So for a network that is prone to malicious activity, a requirement exists to detect malicious activity on devices and in the network. Examining the matrix below we see Endpoint Detection & Response, along with DDoS mitigation, as suggested defensive measures.

Figure 2 Mapping of Cyber Solutions in a Cyber Defense Matrix (CDM). Source: Yu, S. 2019

In his presentation Yu outlines a number of other uses for the matrix. One of those extensions is the use of the CIS Top 20 within the CDM framework. See it applied in Figure 3, below. For network detection we see controls 6.1 through 6.8 apply, as well as 11.3, 12.2, etc. As an example, CIS 6.1 is:

6.1 Utilize Three Synchronized Time Sources: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
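Whether a host actually meets CIS 6.1 can be checked from the output of the NTP client rather than taken on trust. The script below is an added example, not part of the course material or of the CIS documents; it assumes a Linux host running chrony, parses a constructed sample of `chronyc sources` output (not captured from any real system), counts the sources chrony reports as reachable and usable, and flags a host with fewer than three. Counting only usable sources matters: a server that is configured but unreachable (state `?`, reach register 0) contributes nothing to consistent log timestamps.

```python
"""Compliance check for CIS sub-control 6.1 (at least three synchronized
time sources) against the output of `chronyc sources`.

Added example for the course guideline, not part of the original document.
Assumes a Linux host running chrony; the sample output below is constructed.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of `chronyc sources` output (not from a real host).
SAMPLE_CHRONYC_SOURCES = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp1.example.net              2   6   377    38  -1234us[-1456us] +/-   23ms
^+ ntp2.example.net              2   6   377    40   +567us[ +789us] +/-   31ms
^- 192.0.2.10                    3   6   377    41  +2345us[+2567us] +/-   45ms
^? ntp4.example.net              0   6     0     -     +0ns[   +0ns] +/-    0ns
"""

# One source per line: mode char (^ server, = peer, # refclock), state char,
# name, stratum, poll interval (log2 seconds, may be negative), reach (octal).
_SOURCE_RE = re.compile(r"^([\^=#])([*+\-?x~])\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(\d+)\s")

# States in which chrony treats the source as a valid time measurement:
# * currently selected, + combined with the selected source, - valid but excluded.
# ? (unreachable), x (falseticker) and ~ (too variable) are not counted.
USABLE_STATES = {"*", "+", "-"}
MIN_SOURCES = 3  # CIS 6.1 threshold


@dataclass
class TimeSource:
    name: str
    state: str
    stratum: int
    reach: int  # reachability register; 0o377 means the last 8 polls succeeded

    @property
    def usable(self) -> bool:
        # Stratum 0 in chronyc output means the source has never been sampled.
        return self.state in USABLE_STATES and self.reach != 0 and self.stratum > 0


def parse_sources(text: str) -> list[TimeSource]:
    """Parse `chronyc sources` output into TimeSource records, skipping the header."""
    sources = []
    for line in text.splitlines():
        m = _SOURCE_RE.match(line)
        if not m:
            continue  # header, separator line, or something we do not understand
        _mode, state, name, stratum, _poll, reach = m.groups()
        sources.append(TimeSource(name, state, int(stratum), int(reach, 8)))
    return sources


def check_cis_6_1(text: str, minimum: int = MIN_SOURCES) -> tuple[bool, list[str]]:
    """Return (compliant, names of usable sources) for one host's chronyc output."""
    usable = [s.name for s in parse_sources(text) if s.usable]
    return len(usable) >= minimum, usable


if __name__ == "__main__":
    # Real use: `chronyc sources | python3 check_time_sources.py`; with no
    # piped input the constructed sample is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CHRONYC_SOURCES
    ok, names = check_cis_6_1(text)
    verdict = "CIS 6.1 met" if ok else "CIS 6.1 NOT met"
    print(f"{verdict}: {len(names)} usable source(s): {', '.join(names) or 'none'}")
    sys.exit(0 if ok else 1)
```

Run it on each server and network device that can expose `chronyc sources` (or adapt the regex for `ntpq -p`, whose columns differ); a non-zero exit status makes it easy to fold into a configuration audit. The check is deliberately per-host: three sources configured centrally do not satisfy the control if individual hosts cannot reach them.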

One hundred seventy specific numbered defenses may be found in a spreadsheet “CIS Top 20 Cybersecurity Controls Detail.xlsx” located in Module 8 on the Google Drive. You should download the spreadsheet and examine the controls.

Figure 3- Cyber Defense Matrix for CIS Top 20 Security Controls

Many of your module readings were Lecturettes and associated articles on a variety of challenges in cybersecurity including Wireless, Web, Authentication, Malware Analysis, etc. In each of these lecturettes, solutions to these challenges were discussed and could be applied to the issues facing CMI. There are many sources for controls. Do not feel constrained; explore other options as well.

• Use the controls you found relevant in your Risk Assessment, along with those outlined in the Lecturettes, in the articles and finally also those that may be found in the CIS Top 20. Optionally you may locate specific vendors by referring to the TAG Group’s Vendor List[4] that is located on the Google drive under Module 8, or by performing an online search.

[3] NIST Cyber Security Framework (2018). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.0…

Presentation

• Your 10-20 PowerPoint slides should follow the organization/sections of the SSP in Figure 1, above. The slides should be amalgamated with an oral addition using PowerPoint, Voice Thread or any other video & oral capture application that places it into a common format such as wmv, wmf or mp4.

• The presentation should be deposited into the Grade Book, with a link to the full audio/video if it is deposited in some other location.

• The PowerPoint presentation must be supplemented by annotation for each slide, i.e. notes that support or explain the slide, as if a non-hearing person wished to capture the speaker’s thoughts or a non-sighted person could follow along.
