NIST 800-37 Revision 2 – RMF for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Download the presentation in this Video & Learn more here:

http://securitycompliance.thinktific.com

This is an overview of NIST 800-37 Revision 2. I discuss the changes, the sources, and the Cybersecurity Framework.

NIST Special Publication 800-37, Revision 2
Risk Management Framework for Security and Privacy
Initial Public Draft: May 2018
Final Public Draft: July 2018
Final Publication: October 2018

NIST 800-37 Rev 2:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf

Executive Order:
https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/

OMB:
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf

Cybersecurity Framework:
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

NIST SP 800-53 (Revision 5):
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft

Source of Changes:
President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Office of Management and Budget Memorandum M-17-25 – next-generation Risk Management Framework (RMF) for systems and organizations
NIST SP 800-53 Revision 5 Coordination

Former Pentester of FBI, hacks the FBI

This case is not the same as the Department of Veterans Affairs' loss of records or the Department of Agriculture's security failures. In this case, a contracting consultant conducted a penetration test without getting formal approval. He exploited the FBI's vulnerabilities to gain elevated privileges.

Joseph Thomas Colon, 28, is a former employee of BAE Systems. His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. According to Colon, the FBI field office in Springfield, Ill., that he was attached to gave him approval.

However, every professional pentester and/or ethical hacker knows that you have to get formal approval from an authority.

Colon's lawyer said in a court filing that his client was hired to work on the FBI's “Trilogy” computer system but became frustrated over “bureaucratic” obstacles, such as obtaining written authorization from the FBI's Washington headquarters for “routine” matters such as adding a printer or moving a new computer onto the system. 

As a result, Mr. Colon will likely serve about 18 months in prison. :(…

Pentesting and ethical hacking tools and techniques must be dealt with responsibly. The bureaucracies that might allow pentesting must be respected at all costs. The first thing that is taught in pentesting and ethical hacking is to ALWAYS, ALWAYS, ALWAYS get written consent to proceed from the owners of the system.

 

Certified Ethical Hacker Cert and Certified Pen Testing Expert

I'm going to go for the Certified Ethical Hacker Cert and eventually the Certified Pen Testing Expert Certification.  That is the direction that I'd like to go with my Information Security Career. 

As of right now, I have a CISSP.  I do a lot of Security Testing Evaluations and Authorization Agreement, Security Policy type work.  It pays well but I think Pen Testing would be more fun.  After getting the CISSP, I seriously considered going after the ISSEP, Information System Security Engineering Professional cert, which I heard was harder than the CISSP… I don't see how that is possible.

The CEH is a 125-question test that I've heard mixed reviews about. I've taken the bootcamp and I love the material. It's all hardcore hacking. Not simply how to use Cain & Abel or Nmap but how to code malware with Notepad, methods of SQL injection, and firewall attacks. I learned a lot. It also scared the piss out of me. If you're already a hacker or hardcore pen tester then the class would be nothing more than a refresher. Intermediates with pentesting will have a real treat. Beginners will be decapitated.

I guess CPTE, Certified Pen Testing Expert, is the latest one. From what I've read, it looks like it is a step up from the CEH. Here is some more info on the CPTE. From what I've read the CPTE is INSANE. It looks like a practical exam completed in the presence of a pentesting expert. It includes SQL injections, gathering data, compiling hacker applications, and FRICKING Lockpicking… I AM NOT READY.

Security Testing on my Windows 2000 system

I've been surfing on my Windows 2000 system while completely exposed to the Internet on my DMZ. No firewalls, no anti-virus, not even a pop-up blocker. The box is exploited immediately.

Many of the default configurations on a fresh Windows 2000 box are just plain ridiculous. For example, C$ and parts of the root are shared out on earlier versions of Windows 2000. Message services, port 139 and other very easy-to-exploit applications and services are turned on by default on Windows 2000.

It is no wonder Windows systems are always getting taken down. Just turning off some of those services does quite a bit to close some of the holes on Windows boxes. With broadband getting more popular, the combination of unprotected systems and the viral marketing of malicious code is creating a storm on the Internet. An unprotected system is rendered completely useless in a matter of weeks (days and hours if you surf porn or serial sites).

Here are some of the vulnerabilities on Windows systems at SANS.org.

In all honesty, if you have a good firewall, virus protection, maybe a pop-up stopper and a good security configuration you could have a Windows 98 machine and NEVER get a virus.
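
A way to check a box for the default exposures named above (administrative shares such as C$, the message services, port 139), as an added example that is not part of the original post. It parses output in the layout of `net share`, `net start` and `netstat -an`; the sample output is constructed, and reading "message services" as the Windows Messenger service is an assumption.

```python
import re

# Constructed sample output (not captured from a real host), in the layout
# printed by `net share`, `net start` and `netstat -an`.
NET_SHARE = r"""
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINNT                        Remote Admin
Docs         C:\Docs
"""
NET_START = """
These Windows 2000 services are started:
   Messenger
   Server
"""
NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.7:80         ESTABLISHED
"""
RISKY_SERVICES = {"Messenger"}  # assumption: the page's "message services"
RISKY_PORTS = {139}             # the port the page names

def admin_shares(net_share_output):
    """Hidden administrative shares: share names ending in '$'."""
    return re.findall(r"^(\S+\$)\s", net_share_output, re.M)

def risky_services(net_start_output):
    """Started services that are on the RISKY_SERVICES list."""
    started = {line.strip() for line in net_start_output.splitlines()}
    return sorted(started & RISKY_SERVICES)

def risky_listeners(netstat_output):
    """TCP ports in LISTENING state that are on the RISKY_PORTS list."""
    ports = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return sorted(ports & RISKY_PORTS)

def audit(share_out, start_out, netstat_out):
    """Collect the default exposures found in the three command outputs."""
    return {"admin_shares": admin_shares(share_out),
            "services": risky_services(start_out),
            "ports": risky_listeners(netstat_out)}
```

Calling `audit(NET_SHARE, NET_START, NETSTAT)` on the sample reports the three administrative shares, the Messenger service and the listener on port 139, while the ordinary `Docs` share and the established outbound connection are not flagged.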