Cyber Security Risk: Assessment and Mitigation

August 1, 2011




Official Use Only
Contains information which may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552) exemption number(s) 7 – Law Enforcement. Approval by the Department of Energy prior to public release is required.
Reviewed by:
Date:




Contents
1. INTRODUCTION
1.1 Purpose
1.2 Scope of this risk assessment
2 RISK ASSESSMENT APPROACH
3 SYSTEM CHARACTERIZATION
3.1 Science and Technology
3.2 Technical and Administrative Services
3.3 System Characterization
4 VULNERABILITY STATEMENT
5 THREAT-SOURCE STATEMENT
5.1 Environmental Threats
5.1.1 Impact Analysis
5.1.2 Risk Analysis
5.1.3 Risk Mitigation and Residual Risk
5.2 Natural Threats
5.2.1 Impact Analysis
5.2.2 Risk Analysis
5.2.3 Risk Mitigation and Residual Risk
5.3 Human Threats of lower concern
5.3.1 Human – Operational
5.3.2 Human – Physical
5.3.3 Human – Personnel
5.3.4 Human – Technical
5.4 Threats of Elevated concern
5.4.1 Personally Identifiable Information (PII)
5.4.2 External Attacks
5.4.3 Dialup Access
5.4.4 DNS Queries
5.4.5 Internal scans or exploits
5.4.6 Malicious Code
5.4.7 Visitor Access
5.4.8 Local System Administrative Rights
5.4.9 Peer to Peer services
5.4.10 Remote Access
5.4.11 Clear text passwords
5.4.12 Staff awareness
5.4.13 Information remnants
5.4.14 Wireless networking
5.4.15 Unauthorized Wireless Access
5.4.16 Weak passwords
5.4.17 Compromised Credentials
5.4.18 Administrative/Business (HP3000) Account Management
5.4.19 Administrative/Business (HP3000) Clear text traffic
6 SUMMARY STATEMENT
6.1 Acceptance of Residual Risk

1. INTRODUCTION

Ames Laboratory was founded at Iowa State University in 1947 following work on the Manhattan
Project. The lab conducts “basic and applied research in the chemical, materials, mathematical,
engineering and environmental sciences, and physics”. The Ames Site Office, housed in Chicago,
Illinois, provides government management and oversight to the lab and its cyber security program.
Ames Laboratory shares a close working relationship with Iowa State University's academic departments
and especially with the Institute for Physical Research and Technology, or IPRT, a network of scientific
research centers at Iowa State University, Ames, Iowa. Many of the Laboratory's scientists and
researchers hold split appointments as faculty members in departments that correspond with their
scientific disciplines.

Employees can be employed:
- exclusively by the Laboratory (66% of the staff)
- by Ames Laboratory and another ISU department, including IPRT centers (34% of the staff).
The laboratory has 850 employees, including 400 scientists, researchers and graduate students, 200
support staff, and 250 associates from other departments at Iowa State University. The employees
represent a broad array of skills and capabilities spread across the fundamental sciences, mathematics,
computation and engineering, and administrative functions. Associates do not receive any type of pay or
financial compensation from the Laboratory but work within Laboratory space.

This risk assessment provides a resource for examining the information and information systems
at Ames Laboratory and assessing those risks that may result in damage or loss of those assets.
1.1       PURPOSE

The purpose of this risk assessment is to examine the information and information systems used
at Ames Laboratory and to assess the risk to the continued operations and access to these assets.
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce it to
an acceptable level. This risk assessment provides a foundation for developing an effective risk-
management program. It encompasses the General Support Systems (GSS) and Major
Applications that comprise the Ames Laboratory network. The assessment also covers the
equipment making up the network’s infrastructure, as well as workstations and servers that are
considered “minor applications” or simply equipment that is not accounted for in capital
planning documents. The systems included are all considered unclassified; however, some may
contain or process information that may require some additional security controls, e.g. personally
identifiable information (PII) and CRADA data.




1.2       SCOPE OF THIS RISK ASSESSMENT

This risk assessment covers all information and information systems managed by Ames
Laboratory. From a physical perspective this risk assessment includes all devices that are
connected to the Ames Laboratory network inside the border router. Logically risks are
considered for all information that is stored, processed, transmitted or received once the
information enters the border router. This assessment also includes the wired/wireless visitor
network provided by Ames Laboratory.

There are areas where the physical and information security requirements interact. This risk
assessment is focused on information and information security; those areas that fall within the
responsibilities of the Facilities Services Group are mentioned herein simply to acknowledge
their existence. The appropriate security controls, and the operation and maintenance of those
controls, remain the responsibility of the Facilities Services Group.

2   RISK ASSESSMENT APPROACH

The baseline for the Risk Assessment is the Cyber Threats & Vulnerabilities document that
describes the myriad environmental, natural, and cyber threats to which the information
infrastructure on campus is exposed. Ames Laboratory followed the guidance of NIST SP 800-30
in establishing the risk-assessment process. Accordingly, that document was used to provide
structure to the analysis. Other documents that supported the process included the following:
- SSA and CIO findings of vulnerabilities
- GAO reports of vulnerabilities across governmental agencies
- Reports of vulnerabilities detected through self-assessments
- FIPS 199 for categorizing risk for information systems
- NIST SP 800-60 for developing potential risks for specific types of information systems

The assessment was conducted via interviews with system owners, network engineers, and senior
management personnel who are responsible for protecting the information and information
systems at Ames Laboratory. Below is a partial list of personnel involved in this work.

Person                                              Title
B. Harmon                                           Deputy Lab Director
Cynthia Baebler                                     DOE Site Manager, AO
Diane Den Adel                                      Manager, IS
Bill Sears                                          Cyber Security Manager
Other members of Cyber Security Team
Many other staff members based upon subject area

As a precursor to the risk analysis, all “systems” at Ames Laboratory were assessed according to
FIPS 199. Attachment 1 of the Common Controls Cyber Security Program Plan (CSPP),
Systems List and Enclave Grouping, contains the findings of the FIPS 199 assessment. To
determine the relative risk for a specific vulnerability posed by a specific attack, Ames
Laboratory uses the methodology in NIST SP 800-30. This methodology defines risk as a
product of the likelihood of attack by a threat source, and the attack’s impact on confidentiality,
integrity, and/or availability. Since it is extremely difficult to quantify the likelihood of an
attack, a qualitative assessment is made of these probabilities. The analysis reveals what
additional measures should be implemented, if any, in order to reduce the overall risk. Figure 1
provides a definition of the likelihoods used in the assessment. Likelihoods are qualitative in
nature, and generally do not correlate between physical, environmental, and human threats. For
example, the likelihood of an earthquake may be considered medium in some environments since
earthquakes do occur in that area of the country. Software bugs may also be considered medium,
since they are not uncommon. However, the absolute likelihood of an earthquake might be once
every 10 years and software bugs may be seen hundreds of times per year. Likelihood
assessments in the risk tables should only be viewed as a relative measure of the probability of
that event occurring as compared to other events in the same family.


Likelihood       Likelihood Definition
High             Threat-source is highly motivated and sufficiently capable and/or the vulnerability is readily exercised or exploited. For physical threats, the event is a common occurrence.
Medium (Med)     The threat-source is motivated and capable, and/or the vulnerability is somewhat difficult to exercise or exploit. For physical threats, the event occurs generally infrequently, but has been seen or observed in the recent past.
Low              The threat-source lacks motivation or capability, and/or the vulnerability is difficult to exercise or exploit. For physical threats, the event occurs very rarely.

Figure 1: Likelihood of Exploitation by a Threat (adapted from NIST SP 800-30)

Figure 2 provides similar definitions for impact if the threat is exploited. By examining each
threat through a qualitative assessment of the likelihood-impact pair the unmitigated risk can be
defined. This is the risk for the associated event prior to the application of security controls to
mitigate the risk. Management, operational, and/or technical controls can be applied to reduce
the risk.

Magnitude of Impact   Impact Definition
High                  The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Medium (Med)          The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
Low                   The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Figure 2: Magnitude of Impact if Exploited (adapted from NIST SP 800-30)

Risk mitigation techniques vary by site and by the preference of each organization. Organizations
should select cost-effective controls that mitigate the risk to the maximum extent possible. Once
the controls have been put in place there will be residual risk. That residual risk must be
described and accepted by the Authorizing Official (AO).

3     SYSTEM CHARACTERIZATION
Ames Laboratory is divided into two divisions, Scientific and Administrative, as shown at
http://www.ameslab.gov/files/Ames%20Lab%20Org%20Chart%207-1-11.pdf. The Technical
and Administrative Services Division includes responsibility for information systems, as well as
facilities, HR, engineering, and other administrative functions. The Science and Technology
Division houses those organizations that are directly participating in research.
3.1 SCIENCE AND TECHNOLOGY
This division contains the actual research organizations at Ames Laboratory. It includes most of
the computers that directly contribute to research, including the computing clusters. Computers
in this division may be monitored by the IS office, however they are normally managed by users
and/or groups in the division.
3.2 TECHNICAL AND ADMINISTRATIVE SERVICES
This division contains the “overhead” functions of the laboratory, including facilities,
engineering, HR, budgeting and accounting, and information systems. The computers in this
division support the mission of the laboratory as a whole, and are centrally managed by the IS
office.
3.3   SYSTEM CHARACTERIZATION

All information systems are controlled and maintained either by the respective departmental manager or
by IS. The actual control and maintenance of devices in each enclave will be discussed more fully in the
respective enclave supplements. A complete inventory of systems was collected to facilitate the
placement of systems into enclaves. While many of the information systems are detailed in the Capital
Planning and Investment Control (CPIC) documents, many are not covered by the programs contained
therein. The systems covered by this CSPP are contained in Attachment 1, Systems List and Enclave
Grouping. Based upon an analysis of this system list Ames Laboratory established the following two
enclaves.
- Low Enclave.
  Many of the computers in this enclave directly support the research mission of Ames Laboratory.
  Workstations and servers used by researchers performing non-moderate research are located in this
  enclave. Users and machines in this enclave are monitored by IS and the machines used by
  scientific personnel may be managed by the research organization. Those systems which are not
  centrally managed are required to maintain the same security controls defined in these documents.
  Configuration management and maintenance of controls is accomplished through the use of central
  configuration management software, regular system scanning, and annual reviews.
  Remote access servers and publicly available web servers are located in this enclave. Wireless
  networking is available. Strong authentication and encryption are used. A baseline set of
  configuration settings was established for all devices on the network and is operational on all
  systems, including those managed by the researchers. This enclave is classed as Low/Low/Low as
  determined by FIPS 199.
- Moderate Enclave.
  This enclave contains most of the general purpose (MS Windows) administrative and business
  information systems within Ames Laboratory, including desktops, file servers, backup systems and
  storage devices. Systems that process administrative information are located in this enclave. The
  administrative computers in this enclave are centrally managed by IS. Personally Identifiable
  Information (PII) and medical data are located in this enclave. CRADA, Work for Others and other
  moderate research data are located in this enclave. IS manages the desktops and servers and
  controls their operation. Approved standard configuration settings are implemented for all servers
  and desktops. It is important to emphasize that no employee Social Security Numbers (SSN) are stored
  on Ames Laboratory servers. Salary data for Ames Laboratory staff are public information, printed
  in a book located at the Iowa State University Library and available from various online sources.
  This enclave incorporates moderate baseline and compensatory controls to protect the information
  and information systems. These systems conform to Moderate/Moderate/Low for
  confidentiality/integrity/availability (CIA), respectively, as determined by FIPS 199.
All systems at Ames Laboratory will conform to the management and operational controls specified in
NIST SP 800-53 Rev 3 for the appropriate level of CIA related risk required to protect the information
and information system.
The following support services are provided to all enclaves:
- Computing services support, such as Help Desk support, administrative applications, central
  servers, and network infrastructure.
- Incident response and cyber security management, including antivirus, gateway and firewall
  management and monitoring, central logging, and intrusion detection and response capability.
- An official Notice for Outage and Maintenance process to notify key persons and system
  administrators, via e-mail, of enterprise actions that may have a local impact, and to report on
  local actions that may impact the enterprise.
Program Directors and Office Managers are responsible for overseeing the cyber security process
within their research programs and offices, coordinating requirements to accomplish enterprise
wide Cyber Security goals, and assisting their ACPM and Group Administrators with cyber
security to assure that computer operations are secure.


4   VULNERABILITY STATEMENT

The vulnerabilities for Ames Laboratory have been included within the Threat and Vulnerability
Analysis. This document provides a compilation of the identified threats and vulnerabilities for
the Ames Laboratory infrastructure as a whole. In addition, any system with additional or
unique threats or vulnerabilities is identified. For example, the protection of privacy or
personally identifiable information (PII) and potentially some CRADA data has been given
additional consideration as part of this analysis. For a detailed description of the threats and
vulnerabilities refer to that document.



5   THREAT-SOURCE STATEMENT

The threat-source analysis is divided into two major sections. The first portion of the
assessment deals with standard environmental, natural and human threats that exist in most
organizations. The second portion of the analysis discusses specific threats based upon the
operational characteristics of Ames Laboratory information and information systems.
5.1 ENVIRONMENTAL THREATS
Environmental Threats are often a general threat to the facility as opposed to an IT threat per se.
For example, a fire may result in damage to an entire building or it may only damage a data
center. Environmental threats are primarily the responsibility of the Ames Laboratory Facilities
Services, except where they may have a direct IT impact. The following environmental threats
are considered in the context that they directly impact IT or scientific operations at Ames. In
most cases mitigation of these threats is the responsibility of the Ames Laboratory Facilities
Services.

Transportation Infrastructure – Ames Laboratory is located on a college campus, with
significant traffic through the area. In addition, there is a major rail line within a few hundred
yards of the Ames Laboratory facility. These thoroughfares create a threat to Ames Laboratory
because they may carry traffic moving hazardous or explosive content. For example, a railway
accident involving a fuel car or other toxic material could result in the release of toxic fumes or
liquids. Should the nearby highways suffer a major failure (such as a massive traffic accident, or
a fuel spill) there are sufficient alternate roads to reach the campus. A considerable number of
scientists conduct their research remotely and would not be affected. Scientists and many staff
have home computers that also can remotely access Ames Laboratory systems. Furthermore,
should emergency personnel need to stay onsite to support the cyber environment, there is
housing available on campus.

Fire – The risk of fire caused by electrical or heat is currently mitigated by fire/smoke sensors in
all buildings. In many cases, these sensors automatically trigger the fire alarm. Some buildings,
of lower “value,” do not have such automatic sensors but rely on manual intervention.
Computing centers are protected with fire alarms and sprinkler systems. Ames Laboratory
utilizes the City of Ames Fire Department. It is manned at all times and able to respond to an
alarm anywhere on campus within 5 minutes. These controls are considered sufficient to keep
the overall risk of fire damage to low.

HVAC – All computer facilities have temperature sensors. Data center
operators check the sensor displays and take corrective action when the environment exceeds
the recommended limits. If the situation is not corrected in a timely manner administrators near
the data centers can use their defined processes to systematically shut systems down before they
are damaged by the excessive heat. This arrangement permits the facilities’ management to
determine the cause of the problem and correct the issue prior to bringing the systems back
online. This control is considered sufficient to maintain the overall risk of damage from loss of
HVAC to low.

Power loss – All primary computer facilities have Uninterruptible Power Supplies (UPS) that
provide adequate time for a structured shutdown. This ensures that critical data is not lost when
systems experience an unexpected loss of power. Data stored on home directories is protected
from power loss through the UPS and generator facilities. In addition, all servers are on a
scheduled back-up process that negates most of the impact of sudden power loss. The
Laboratory has a backup generator that can supply power for a limited period in the event of a
total power loss. For workstations it is recommended that users implement the autosave
capability of applications, e.g., MS Office, to minimize loss. These controls are considered
sufficient to maintain the overall risk of damage from loss of power at low.

Water loss – Water loss may require evacuating the building. However, this disruption should
only occur for a single shift and the loss in staff time is considered low. Water is also used for
cooling, but only to replace that water lost in the evaporative chillers. Loss of water would
eventually result in a loss of air conditioning, which could render some buildings uninhabitable
and may cause computer equipment to overheat.

HAZMAT – The Ames Laboratory has many plans, procedures and manuals in place for
purchasing, handling, storing and disposing of the Laboratory's hazardous materials. Chemical
purchases are reviewed by ESH&A for health, safety and disposal requirements, chemical
inventories are collected annually and reviewed for reporting purposes. The Laboratory's
Readiness Review Procedure reviews activities for the proper handling, storage and disposal of
hazardous materials. The Laboratory's Waste Management Program Manual deals with the
proper collection, storage and disposal of hazardous waste. The Laboratory's Emergency Plan
contains procedures in the event of a hazardous materials spill or release. In addition to the
Laboratory's plans, procedures and manuals the Laboratory requires employees to complete the
appropriate institutional training based on their activities (i.e. hazardous waste generator,
cylinder safety, chemical hazard communication).
5.1.1 Impact Analysis
Impact, as defined in Figure 2, provides a qualitative assessment of the damage that may occur if
the event happens. For environmental threats, both the cyber impact (the effect on information
systems) and the physical impact (the effect on the physical environment at Ames Laboratory)
are considered; the total impact is the greater of the two. This impact is before the effects of
likelihood are considered (therefore, a major HAZMAT spill may have a very large physical
impact) as well as before mitigation efforts. The impact analysis for environmental threats is
provided below:

Environmental Threats                                 Cyber Impact    Physical Impact    Total Impact
Transportation infrastructure                         Low             Medium             Medium
Fire (electrical origin)                              Medium          Medium             Medium
Heating, Ventilation Air-Conditioning (HVAC) failure  Medium          Medium             Medium
Power outage/failure                                  Medium          Medium             Medium
Loss of water                                         Medium          Medium             Medium
Hazardous material incidents                          Low             Medium             Medium


5.1.2 Risk Analysis
The risk analysis for environmental threats is provided below. This table considers the total
impact of the event, then applies the likelihood of occurrence to determine the risk before any
mitigation efforts are applied.

Environmental Threats                                 Impact    Likelihood of Occurrence    Unmitigated Risk
Transportation infrastructure                         Medium    Low                         Low
Fire (electrical origin)                              Medium    Medium                      Medium
Heating, Ventilation Air-Conditioning (HVAC) failure  Medium    Medium                      Medium
Power outage/failure                                  Medium    Medium                      Medium
Loss of water                                         Medium    Medium                      Medium
Hazardous material incidents                          Medium    Low                         Low
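The scoring behind the two tables above, carried through in code as an added worked example (not part of the original assessment): total impact is the greater of the cyber and physical impacts (Section 5.1.1) and risk is the product of likelihood and impact (Section 2). The numeric weights and risk bands are the ones published in NIST SP 800-30 (2002), Tables 3-6 and 3-7; the function and class names are this example's own.

```python
"""NIST SP 800-30 qualitative risk scoring, applied to the Section 5.1 tables.

Added worked example, not part of the original assessment. Numeric scale from
NIST SP 800-30 (2002): likelihood weights 1.0/0.5/0.1, impact scores 100/50/10,
risk bands >50 High, >10 Medium, otherwise Low.
"""
from dataclasses import dataclass
from itertools import product

LEVELS = ("Low", "Medium", "High")
LEVEL_RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# SP 800-30 numeric scale behind the qualitative likelihood/impact matrix.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_SCORE = {"High": 100, "Medium": 50, "Low": 10}


def total_impact(cyber: str, physical: str) -> str:
    """Section 5.1.1: total impact is the greater of the cyber and physical impacts."""
    return max(cyber, physical, key=LEVEL_RANK.__getitem__)


def risk_level(impact: str, likelihood: str) -> str:
    """Section 2: risk is the product of likelihood and impact, banded per SP 800-30."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_SCORE[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Full 3x3 (likelihood, impact) -> risk table implied by the scale."""
    return {(lk, im): risk_level(im, lk) for lk, im in product(LEVELS, LEVELS)}


@dataclass(frozen=True)
class Threat:
    name: str
    cyber_impact: str
    physical_impact: str
    likelihood: str


# Environmental threats exactly as rated in the Section 5.1.1 and 5.1.2 tables.
ENVIRONMENTAL_THREATS = (
    Threat("Transportation infrastructure", "Low", "Medium", "Low"),
    Threat("Fire (electrical origin)", "Medium", "Medium", "Medium"),
    Threat("HVAC failure", "Medium", "Medium", "Medium"),
    Threat("Power outage/failure", "Medium", "Medium", "Medium"),
    Threat("Loss of water", "Medium", "Medium", "Medium"),
    Threat("Hazardous material incidents", "Low", "Medium", "Low"),
)


def assess(threats) -> dict:
    """Map each threat name to (total impact, unmitigated risk)."""
    result = {}
    for t in threats:
        impact = total_impact(t.cyber_impact, t.physical_impact)
        result[t.name] = (impact, risk_level(impact, t.likelihood))
    return result


if __name__ == "__main__":
    for name, (impact, risk) in assess(ENVIRONMENTAL_THREATS).items():
        print(f"{name:32} impact={impact:7} unmitigated risk={risk}")
    # Why Section 2 stresses that likelihood is only a relative measure: on this
    # scale a Low likelihood yields Low risk regardless of the impact level.
    for (lk, im), risk in sorted(risk_matrix().items()):
        print(f"likelihood={lk:7} impact={im:7} -> {risk}")
```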


5.1.3   Risk Mitigation and Residual Risk
The risk mitigation techniques and residual risk levels are provided below:
Environmental Threats: Risk Mitigation (Residual Risk)

Transportation infrastructure: Threats assessed and no additional action is required. There are no cost-effective measures that would appreciably reduce the risk below what is already present. (Residual risk: Low)
Fire (electrical origin): Alarms and sprinklers in all data centers. Personnel trained on actions to take in case of fire. (Residual risk: Low)
Heating, Ventilation Air-Conditioning (HVAC) failure: Facilities understands the importance of air conditioning in data centers. If temperature rises because of loss of HVAC, system administrators will shut down the server. (Residual risk: Low)
Power outage/failure: A single source feeds Ames Laboratory from two directions. (Residual risk: Low)
Loss of water: City provides water. Loss of water is relatively infrequent, and can be mitigated through the HVAC controls previously mentioned. (Residual risk: Low)
Hazardous material incidents: Local fire department and other appropriate personnel have received necessary training to address hazardous materials in research and support areas. (Residual risk: Low)

The following residual risk remains:

[Low] If multiple fires broke out at Ames Laboratory or in the nearby area, the local fire
department may not be able to handle the situation because of its limited resources. If this
occurs, other resources would be called upon for assistance.

[Low] If personnel are offsite, they may not be able to contact the site or return quickly enough to
shut down the servers after a loss of HVAC. This has been mitigated by giving multiple people the
authority to shut down the data centers. In a worst-case scenario, facilities personnel could cut
power to the facilities.

5.2 NATURAL THREATS

Natural threats are the category in which the “source” reflects the physical location of the
target. For example, California experiences earthquakes and range fires, the southeast has
hurricanes and floods, while the northeast is subject to severe ice and snow storms. As with
environmental threats, natural threats are a threat to the entire facility as opposed to an IT-
specific threat. Natural threats, except where they may directly impact IT, are primarily the
responsibility of the Ames Laboratory Facilities Services.

Ames Laboratory is susceptible to winter storms that could prevent personnel from coming into
work. These are not uncommon during winter months, but all ISU facilities (including Ames)
have procedures in place for notification of personnel and for emergency access to buildings in
the event of a severe storm.

Ames Laboratory is not subject to flooding, other than the risk of local flooding due to burst
water pipes. Wildfires or prairie fires normally do not occur in the area.

5.2.1 Impact Analysis
The impact analysis for natural threats is provided below. As stated above, these impacts are
before the effects of likelihood and mitigation are considered. Therefore, while the likelihood of
a flood may be low, it may still have a severe impact.

Natural Threats                  Cyber Impact       Physical         Total Impact
                                                    Impact
Earthquake                       Low                High             High
Floods (flash or tsunami)        Low                Medium           Medium
Extreme temperatures             Low                Low              Low
Hurricanes or Tornadoes          Low                High             High
Drought                          Low                Low              Low
Lightning                        Medium             Low              Medium
Wildfires                        Low                Medium           Low
Severe storms                    Low                Low              Low


5.2.2 Risk Analysis
The risk analysis for natural threats is provided below:

Natural Threats                 Impact          Likelihood of    Unmitigated
                                                Occurrence       Risk
Earthquake                      High            Low              Low
Floods (flash or tsunami)       Medium          Low              Low
Extreme temperatures            Low             Low              Low
Hurricanes or Tornadoes         High            Medium           Medium
Drought                         Low             Low              Low
Lightning                       Medium          Medium           Medium
Wildfires                       Low             Low              Low
Severe storms                   Low             Medium           Low


5.2.3 Risk Mitigation and Residual Risk
The risk mitigation techniques and residual risk levels are provided below:
Natural Threats                Risk Mitigation                        Residual
                                                                      Risk
Earthquake                     Earthquakes at Ames Laboratory         Low
                               are extremely rare. There are no
                               cost-effective mitigations that
                               would further reduce the risk.
Floods (flash or tsunami)      The physical location of the Ames      Low
                               Laboratory facilities makes
                               flooding extremely unlikely.
Extreme temperatures           Although Ames Laboratory may be        Low
                               vulnerable to temperature extremes,
                               normal HVAC equipment fully
                               mitigates this risk.
Hurricanes or Tornadoes        The area is vulnerable to tornadoes,   Low
                               but has procedures for personnel
                               notification and evacuation.
Drought                        Drought has minimal impact on          Low
                               Ames Laboratory other than
                               increasing the risk of range fires.
Lightning                      Storms with dangerous or severe        Low
                               lightning occur, but facilities are
                               protected by lightning rods.
Wildfires                      This is not an issue for Ames.         Low
Severe storms                  The area does get severe winter        Low
                               storms, but has procedures for
                               personnel notification and
                               evacuation.

The following residual risk remains:

[Low] There may be a limited loss of data for the period between when backup tapes were last taken
offsite and when an event occurs. It is assumed that this work could be recreated if necessary.

5.3 HUMAN THREATS OF LOWER CONCERN

For the laboratory, the greatest danger is in the area of human threats. The review of human
threats has been extensive. Human threats have been broken into two major categories: lower
concern and elevated concern. Lower-concern human threats are those that may have been
addressed by the laboratory and are in a watch status. Elevated concerns are those that, based
upon current events or environmental issues, need to receive additional attention. For this reason
each of these threats, the current and planned controls, and the residual risk are described in
detail in the next section. Human-based operational, physical, personnel and technical threats,
along with related mitigation strategies, are discussed below.

5.3.1 Human – Operational
Operational vulnerabilities result from the way organizations and people conduct their daily
business. Attackers look at the way work is accomplished and they devise ways to defeat the
control mechanisms.

User awareness – People must understand the intent of common security practices such as
passwords, locks and appropriately protecting information. What may be considered common
sense to a security professional is not necessarily so in other professions. Common sense comes
with common knowledge of the reasons behind required actions. The open exchange of
information is critical to effective information security. For personnel to act appropriately they
must have adequate information. At Ames Laboratory the management works very hard to ensure
that appropriate information is shared with all personnel to allow them to support the lab’s
activities. Insufficient information, or asking people to complete activities based upon
insufficient information, is avoided to the maximum extent possible, especially since the labs are
an open science environment.

Social engineering – Social engineering plays upon basic human tendencies: individuals want
to be helpful. By manipulating people, significant and important information can be disclosed
by the unsuspecting individual. Users must understand the types and kinds of information that
will and will not be asked for by support personnel or others over the phone. They should feel
empowered to ask for identification when they are asked to provide sensitive information. Just
as most people will not freely give out banking information after many well-publicized thefts,
people should not disclose passwords or other information to unknown individuals.

Accidents and carelessness – Everyone makes mistakes. People must understand that a mistake
is not fatal as long as it is disclosed quickly. By openly exposing mistakes rather than trying to
cover them up, the vulnerability will be short-lived and other controls will frequently compensate
for it.

Policies and procedures – Having documented and available policies and procedures is
critically important to an effective security program. One of the best solutions to accidents and
carelessness is policies and procedures that are actually implemented. Users must understand
what is expected of them, what to do, and what to expect. Procedures should be established and
everyone in the organization should understand that these procedures are in place to protect
them. Procedures that are not practiced and reinforced are of little value. Procedures must be
integrated into the way the organization accomplishes its day-to-day activities.

Internet usage – A clear, written and user acknowledged Internet usage policy is very important.
Users must not place the organization at risk through negligence or just poor actions that could
result in significant legal action or embarrassment to the organization. Maintaining a good
organizational image is critical to the laboratories and every member of the staff should
understand this issue. Visitors and anyone using laboratory resources must be briefed and agree
to Ames Laboratory policies prior to being granted access to information or information systems.

Poor incident reporting procedures – One of the keys to limiting the impact of any incident is
rapid detection and isolation. Ames Laboratory has a monitoring and reporting program for all
actual incidents. Any suspected incidents are thoroughly investigated by a trained team. Reports
and lessons learned are shared with appropriate personnel.

Contractual relationships – Maintenance contracts and contractors for the information systems
are negotiated and monitored very closely. Maintenance personnel are carefully screened prior
to being provided access to any systems. During their visit they are monitored. Sub-contractors
understand the limits of their activities under their contract with Ames.

5.3.1.1 Impact Analysis
The impact analysis for human threats is provided below. For human threats, the impact
considered will be cyber only; physical impact is generally not considered a major threat in this
category, other than the risk of a physical attack on the facility (for example, by a terrorist
organization).

Operational                          Impact
User awareness                       Low
Social engineering                   Medium
Accidents and carelessness           Medium
Policies and procedures              Medium
Internet usage                       Medium
Poor incident reporting procedures   Medium
Contractual relationships            Low

5.3.1.2 Risk Analysis
The risk analysis for human threats is provided below:

Operational                          Impact           Likelihood of Occurrence   Unmitigated Risk
User awareness                       Low              Medium                     Medium
Social engineering                   Medium           Low                        Low
Accidents and carelessness           Medium           Medium                     Low
Policies and procedures              Medium           Medium                     Medium
Internet usage                       Medium           Low                        Low
Poor incident reporting procedures   Medium           Low                        Low
Contractual relationships            Low              Low                        Low

5.3.1.3 Risk Mitigation and Residual Risk
The risk mitigation techniques and residual risk levels are provided below:
Operational                     Risk Mitigation                         Residual
                                                                        Risk
User awareness                  Lab has multiple methods of             Low
                                providing information to staff and
                                visitors.
Social engineering              Included within awareness training.     Low
Accidents and carelessness      Extensive training to limit             Low
                                accidents.
Policies and procedures         Policies are being written and          Low
                                updated; procedures are in place
                                and active.
Internet usage                  Usage is monitored.                     Low
Poor incident reporting         Training has been provided and          Low
procedures                      Ames Laboratory does extensive
                                monitoring to ensure incidents are
                                located and mitigated. Procedures
                                in place for reporting.
Contractual relationships       All contracts and contractors are       Low
                                monitored.

The following residual risk remains:

[Low] Ames Laboratory is in the process of updating its documentation to reflect the current
policies and procedures being practiced within the environment. With good procedures and
strong user awareness training, the impact of nefarious activities is minimized.

[Low] Illegal or illicit use of the Internet could occur. The number of visitors and the proximity of
University students do elevate this risk. Acceptable use policies are enforced and any
personnel found violating them are referred to HR.

5.3.2 Human – Physical
Physical security is often thought of as guns, gates and guards. In reality it is much more
inclusive, and there are many things to consider when developing physical security controls
for normal day-to-day operations related to information security. Some of the concerns
and issues in this area are discussed below.

Apathetic or poorly informed guards – The guards are members of the Safeguards and
Security Program. The Information Systems office has no control over the guards. They are
relied upon to watch the facilities and to report any suspicious activity. In addition, they are
trusted to make initial assessments of potential security violations during off-hours.

Poor physical access controls – Facilities Services is responsible for maintaining access to most
controlled areas such as telephone closets. Telephone closets and other areas with local network
equipment (e.g., switches or firewalls) are locked to control access. Data centers utilize door
alarms for access control during off hours. During normal work hours, access is limited to
authorized personnel.

Portable storage – CDs, thumb drives, and other small electronic storage devices provide
tremendous flexibility, and raise significant security concerns, for Ames. Personnel that have
access to any sensitive information or PII have been trained on properly protecting this
information, especially when it is stored on external media.

Travelers with systems – Personnel that travel are routinely briefed when their travel activities
might include destinations that include sensitive countries. Their IT resources are checked to
validate that they have not been compromised.

Equipment portability – Ames Laboratory is an open science environment, and shares data
with other researchers and labs. The analysis and work of specific scientists, on the other hand,
is more sensitive. It is the researcher’s responsibility to protect his or her work pending
publication. The primary threat in this area is the loss of equipment because of its small size and
portability. Users of this type of equipment are reminded to keep close track of these items.

Poor inventory tracking – Ames Laboratory addresses this vulnerability in two ways. First,
systems must be registered by the appropriate DNS system administrator. Second, an annual
physical inventory of sensitive devices and a biennial physical inventory of capital equipment
items are conducted. This allows Ames Laboratory to maintain control of all lab assets.

Computers not logged out – Users are trained to log out of their systems prior to leaving for the
evening. In addition, systems are required to have a screen saver active, and the screen is blanked
out after the prescribed time. An ID and password are required to deactivate the screen saver.

Passwords written down – Users are trained to use a variety of techniques to create passwords
that comply with DOE standards. As part of the user training they are instructed on the proper
handling and security of their passwords, including not writing them down.

Lack of locks and their use – Network equipment, filing cabinets with sensitive information
(e.g., PII), and other areas that provide access to significant quantities of information are protected
with locks to limit access.

5.3.2.1 Impact Analysis
The impact analysis for human physical threats is provided below.

Physical                             Cyber Impact        Physical Impact   Total Impact
Apathetic or poorly informed guards  Low                 Low               Low
Poor physical access controls        Medium              Low               Medium
Portable storage                     Medium              Low               Medium
Travelers with systems               Medium              Low               Medium
Equipment portability                Medium              Low               Medium
Poor inventory tracking              Low                 Low               Low
Computers not logged out             Low                 Low               Low
Passwords written down               Medium              Low               Medium
Lack of locks and their use          Medium              Low               Medium

5.3.2.2 Risk Analysis
The risk analysis for human physical threats is provided below. Again, the likelihood of each
event occurring is assessed before any mitigating factors are considered.

Physical                             Impact            Likelihood of Occurrence   Unmitigated Risk
Apathetic or poorly informed guards  Low               Low                        Low
Poor physical access controls        Medium            Low                        Low
Portable storage                     Medium            Low                        Low
Travelers with systems               Medium            Low                        Low
Equipment portability                Medium            Low                        Low
Poor inventory tracking              Low               Low                        Low
Computers not logged out             Low               Low                        Low
Passwords written down               Medium            Medium                     Medium
Lack of locks and their use          Medium            Low                        Low


5.3.2.3 Risk Mitigation and Residual Risk
The risk mitigation techniques and residual risk levels are provided below:
Physical                       Risk Mitigation                         Residual
                                                                       Risk
Apathetic or poorly            Safeguards and Security Program         Low
informed guards                responsibility.
Poor physical access           Current procedures secure physical      Low
controls                       facilities appropriately.
Portable storage               Users are trained to properly           Low
                               protect information. All
                               information at Ames Laboratory is
                               unclassified.
Travelers with systems         Travelers are briefed by Counter        Low
                               Intelligence (CI) on threat.
                               Computers can be checked by
                               Information Systems prior to
                               departure and upon return.
Equipment portability          This issue is included in the           Low
                               awareness training to keep control
                               of assets.
Poor inventory tracking        Annual physical inventories for         Low
                               sensitive devices and biennial
                               physical inventories for capital
                               equipment are completed. Logical
                               inventory is maintained to identify
                               any new devices and appropriately
                               track.
Computers not logged out       Log outs are monitored and              Low
                               systems left operating are reviewed.
Passwords written down         Password policy prohibits this and      Low
                               users are trained on creating and
                               maintaining their passwords.
Lack of locks and their use    All buildings are locked after hours.   Low
                               Data centers and access to network
                               devices are controlled to the
                               maximum extent possible.

The following residual risk remains:
5.3.3 Human – Personnel
Personnel vulnerabilities deal with both the effective processing of newly hired personnel and
those that depart. In addition, the effective management of current employees is important.

Failure to validate claimed backgrounds – HR policy includes the verification of resources.
As part of their responsibility they conduct reviews of new hire backgrounds to verify they have
provided accurate information.

Weak management – The high education level and professionalism of the lab staff minimizes
this threat. Managers are promoted based upon achieving goals and objectives. Personnel work
together as a team in many cases which limits this threat.

Poor separation procedures – Processes and procedures have been developed in the appropriate
areas to make sure that access to any sensitive information is appropriately controlled. In all
cases, access to or modification of access rights will normally involve at least two individuals
and in some cases more. Reviews are held to ensure that all actions where separation of duties is
appropriate have been implemented.

Isolation of human resources – Personnel handling sensitive information are trained to
appropriately protect that data. HR is in a separate area, and anyone in that area is limited to
accessing only the information on individuals that is necessary for their duties.

User rights – Users should have only those rights that are required for the normal
accomplishment of their responsibilities. Infrequent or one time needs should not be used to
justify the assignment of excess rights. Administrative rights should be used only when
completing administrative functions. At all other times the user should be using normal user
rights accounts.

Personal hardships – The lab is essentially a large family. Individuals in personal crisis are
treated with respect and provided with time to address their issue. Through this supportive
environment Ames Laboratory minimizes this threat.

5.3.3.1 Impact Analysis
The impact analysis for human personnel threats is provided below:
Personnel                         Cyber Impact        Physical Impact   Total Impact
Failure to validate backgrounds   Low                 Low               Low
Weak management                   Low                 Low               Low
Poor separation procedures        Medium              Low               Medium
Isolation of human resources      Medium              Low               Low
User Rights                       Medium              Low               Medium
Personal hardships                Medium              Low               Medium

5.3.3.2 Risk Analysis
The risk analysis for human personnel threats is provided below:

Personnel                         Impact            Likelihood of Occurrence   Unmitigated Risk
Failure to validate backgrounds   Low               Low                        Low
Weak management                   Low               Low                        Low
Poor separation procedures        Medium            Low                        Low
Isolation of human resources      Low               Low                        Low
User Rights                       Medium            Medium                     Medium
Personal hardships                Medium            Low                        Low

5.3.3.3 Risk Mitigation and Residual Risk
The risk mitigation techniques and residual risk levels are provided below:
Personnel                      Risk Mitigation                         Residual
                                                                       Risk
Failure to validate            ISU requires hiring managers to         Low
backgrounds                    validate references. US law and
                               DOE policy requires verification of
                               employment status for all personnel
                               (U.S. and foreign nationals).
Weak management                Ames Laboratory has a strong           Low
                               management structure that supports
                               information security principles.
Poor separation procedures     Due to the small size of the           Low
                               Laboratory and minimal staffing for
                               administrative functions, Ames
                               Laboratory is somewhat limited in
                               its ability to separate all functions.
                               DOE and Ames Laboratory
                               perform regular reviews of existing
                               controls.
Isolation of human resources   Due to the small size of the HR        Low
                               department, it is either staffed or
                               locked at all times.
User Rights                    When possible, user rights are          Low
                               restricted. Ames Laboratory
                               provides additional training to
                               administrators. Administrative
                               division users must work through
                               their ACPM or the IS office for
                               administrative tasks. Researchers
                               are provided the option to have
                               administrative credentials; however,
                               these are separate from their normal
                               credentials.
Personal hardships             Ames Laboratory and ISU provide         Low
                               counseling and intervention
                               services.


The following residual risk remains:

[Low] Persons with administrative or elevated privileges may make configuration changes
inadvertently or may download or receive malicious software that can increase the risk to their
system.

[Low] The staff working on PII and CRADA data are limited in number, and multiple personnel
have overlapping responsibilities. This threat is mitigated because the small group, and the
multiple people working on most projects, mean that collusion would be required to implement
code that may cause problems.

5.3.4 Human – Technical
Listed below are some of the more common technical threats that have been considered as part of
this threat analysis.

Software bugs – All software, including the applications and operating systems used by the lab,
is subject to bugs. Patches and a patching policy have been implemented to minimize the threats
from software bugs.

Configuration errors – Ames Laboratory has implemented a configuration management
process. Applications and systems are configured to minimize their threat to the operations.

Difficult to detect system modifications – Ames Laboratory has a scanning program that
monitors systems for specific configuration items that may present a threat to the lab. Any
system found to be out of compliance is either corrected or removed from the network. Users
with the rights to adjust systems have been trained in the appropriate settings for their system
types.

Poor or no passwords – Devices on the Ames Laboratory network use ID and password as the
default method of access control. Any device that is operating without a password will generally
not be located on the network and will be an embedded system or controller. The AO will be
informed of any computer without password protection to ensure that they do not present an
unnecessary risk to the enclave or lab.

Data transmission – Sensitive information (such as PII or CRADA data) is protected during
transmission through the use of encryption or other appropriate techniques. Personnel that
handle sensitive information are trained on appropriate transmission techniques.

Data storage – User data is stored on central servers that are backed up to tape as appropriate
for the information. Users who deal with sensitive information are instructed on proper
techniques for clearing their systems of any such information.

Client side exploits – Modern web browsers have become more complex and in doing so have
introduced various scripting and obfuscation methods that can be used maliciously.
Additionally, the prevalence of online advertising provides a convenient hiding place for
malicious code.

5.3.4.1 Impact Analysis
The impact analysis for human technical threats is provided below:

Technical                                  Impact
Software bugs                              Medium
Configuration errors                       Medium
Difficult to detect system modifications   Medium
Poor or no passwords                       Medium
Data transmission                          Medium
Data storage                               Medium
Client side exploit                        Medium

5.3.4.2 Risk Analysis
The risk analysis for human technical threats is provided below:

Technical                                  Impact          Likelihood of Occurrence   Unmitigated Risk
Software bugs                              Medium          Medium                     Medium
Configuration errors                       Medium          Medium                     Medium
Difficult to detect system modifications   Medium          Low                        Low
Poor or no passwords                       Medium          Medium                     Low
Data transmission                          Medium          Low                        Low
Data storage                               Medium          Low                        Low
Client side exploit                        Medium          Medium                     Medium
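
The risk tables in 5.2.2 and 5.3.x.2 combine an impact and a likelihood into an unmitigated risk, and the impact tables in 5.2.1 and 5.3.3.1 combine a cyber and a physical impact into a total. The script below is an added check and is not part of this assessment: it copies the rows from this page and re-derives each stated value under two assumed rules (the document's Section 2 method is not reproduced here), namely total impact = the higher of the two components and the qualitative likelihood x impact matrix of NIST SP 800-30 (2002), and lists the rows that disagree.

```python
"""Consistency check of the impact and risk tables in this assessment.

Added example, not part of the original document. The rows are copied from
the page; the two combining rules are assumptions, since the document's
Section 2 method is not reproduced here: total impact is the higher of the
cyber and physical impact, and unmitigated risk follows the qualitative
likelihood x impact matrix of NIST SP 800-30 (2002).
"""
LEVELS = {"Low": 0, "Medium": 1, "High": 2}

# Assumed matrix: RISK_MATRIX[likelihood][impact] -> unmitigated risk
RISK_MATRIX = {
    "High":   {"Low": "Low", "Medium": "Medium", "High": "High"},
    "Medium": {"Low": "Low", "Medium": "Medium", "High": "Medium"},
    "Low":    {"Low": "Low", "Medium": "Low",    "High": "Low"},
}

def total_impact(cyber, physical):
    """Total impact = the higher of the two components (assumed rule)."""
    return max(cyber, physical, key=LEVELS.__getitem__)

def unmitigated_risk(impact, likelihood):
    """Look up the assumed qualitative risk matrix."""
    return RISK_MATRIX[likelihood][impact]

# (threat, cyber impact, physical impact, stated total) from tables 5.2.1 and 5.3.3.1
IMPACT_ROWS = [
    ("Earthquake", "Low", "High", "High"),
    ("Floods (flash or tsunami)", "Low", "Medium", "Medium"),
    ("Extreme temperatures", "Low", "Low", "Low"),
    ("Hurricanes or Tornadoes", "Low", "High", "High"),
    ("Drought", "Low", "Low", "Low"),
    ("Lightning", "Medium", "Low", "Medium"),
    ("Wildfires", "Low", "Medium", "Low"),
    ("Severe storms", "Low", "Low", "Low"),
    ("Failure to validate backgrounds", "Low", "Low", "Low"),
    ("Weak management", "Low", "Low", "Low"),
    ("Poor separation procedures", "Medium", "Low", "Medium"),
    ("Isolation of human resources", "Medium", "Low", "Low"),
    ("User Rights", "Medium", "Low", "Medium"),
    ("Personal hardships", "Medium", "Low", "Medium"),
]

# (threat, impact, likelihood, stated unmitigated risk) from 5.2.2 and 5.3.x.2
RISK_ROWS = [
    ("Earthquake", "High", "Low", "Low"),
    ("Floods (flash or tsunami)", "Medium", "Low", "Low"),
    ("Extreme temperatures", "Low", "Low", "Low"),
    ("Hurricanes or Tornadoes", "High", "Medium", "Medium"),
    ("Drought", "Low", "Low", "Low"),
    ("Lightning", "Medium", "Medium", "Medium"),
    ("Wildfires", "Low", "Low", "Low"),
    ("Severe storms", "Low", "Medium", "Low"),
    ("User awareness", "Low", "Medium", "Medium"),
    ("Social engineering", "Medium", "Low", "Low"),
    ("Accidents and carelessness", "Medium", "Medium", "Low"),
    ("Policies and procedures", "Medium", "Medium", "Medium"),
    ("Internet usage", "Medium", "Low", "Low"),
    ("Poor incident reporting procedures", "Medium", "Low", "Low"),
    ("Contractual relationships", "Low", "Low", "Low"),
    ("Apathetic or poorly informed guards", "Low", "Low", "Low"),
    ("Poor physical access controls", "Medium", "Low", "Low"),
    ("Portable storage", "Medium", "Low", "Low"),
    ("Travelers with systems", "Medium", "Low", "Low"),
    ("Equipment portability", "Medium", "Low", "Low"),
    ("Poor inventory tracking", "Low", "Low", "Low"),
    ("Computers not logged out", "Low", "Low", "Low"),
    ("Passwords written down", "Medium", "Medium", "Medium"),
    ("Lack of locks and their use", "Medium", "Low", "Low"),
    ("Failure to validate backgrounds", "Low", "Low", "Low"),
    ("Weak management", "Low", "Low", "Low"),
    ("Poor separation procedures", "Medium", "Low", "Low"),
    ("Isolation of human resources", "Low", "Low", "Low"),
    ("User Rights", "Medium", "Medium", "Medium"),
    ("Personal hardships", "Medium", "Low", "Low"),
    ("Software bugs", "Medium", "Medium", "Medium"),
    ("Configuration errors", "Medium", "Medium", "Medium"),
    ("Difficult to detect system modifications", "Medium", "Low", "Low"),
    ("Poor or no passwords", "Medium", "Medium", "Low"),
    ("Data transmission", "Medium", "Low", "Low"),
    ("Data storage", "Medium", "Low", "Low"),
    ("Client side exploit", "Medium", "Medium", "Medium"),
]

def impact_mismatches(rows=IMPACT_ROWS):
    """Rows whose stated total impact is not max(cyber, physical)."""
    return [(t, s, total_impact(c, p)) for t, c, p, s in rows
            if total_impact(c, p) != s]

def risk_mismatches(rows=RISK_ROWS):
    """Rows whose stated unmitigated risk is not the matrix result."""
    return [(t, s, unmitigated_risk(i, l)) for t, i, l, s in rows
            if unmitigated_risk(i, l) != s]

if __name__ == "__main__":
    for kind, found in (("impact", impact_mismatches()), ("risk", risk_mismatches())):
        for threat, stated, expected in found:
            print(f"{kind}: {threat}: stated {stated}, rule gives {expected}")
```

Floods and Wildfires share the same cyber and physical inputs in 5.2.1 but are given different totals, so that disagreement holds under any deterministic combining rule, not only the assumed one.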

5.3.4.3 Risk Mitigation and Residual Risk
The risk mitigation techniques and residual risk levels are provided below:
Technical                        Risk Mitigation                         Residual
                                                                         Risk
Software bugs                    Ames Laboratory has a patch             Low
                                 management program to limit
                                 vulnerabilities from software bugs.
Configuration errors             Ames Laboratory uses standard           Low
                                 configuration guidelines to enhance
                                 workstation security.
Difficult to detect system       Internal and COTS scanning tools        Low
modifications                    detect system modifications that
                                 change lab standard settings, but
                                 only when system credentials are
                                 known or when an SMS agent is
                                 installed.
Poor or no passwords             Passwords are required and verified     Low
                                 on all systems.
Data transmission                Usage is monitored.                     Low
Data storage                     Users are encouraged to store data      Low
                                 on fileservers that are backed up.
                                 This limits impacts of any loss
                                 related to storage media failure.
Client side exploit              HTTP Internet access is filtered by     Low
                                 a web proxy. Browser
                                 recommendations include
                                 advertisement filtering.

The following residual risk remains:

[Low] Some experimental system devices may not support strong security controls because of
legacy operating systems or software. These devices are limited in number and their use is
tracked and monitored closely. These systems are isolated from the rest of the Ames Laboratory
network.
5.4     THREATS OF ELEVATED CONCERN
Based upon the knowledge and experience of the reviewers, the following threats were considered to
be of elevated concern. These threats were therefore afforded additional analysis to validate and
verify that they are being addressed in a comprehensive manner. The results of the analysis are
provided below.
5.4.1    Personally Identifiable Information (PII)
Unauthorized disclosure of PII through unauthorized storage, transportation, and access to this
information.
         Likelihood: High – Access to PII information is provided to numerous people for
         accomplishment of their duties as managers at Ames. This includes access to information for
         performance evaluations, pay and promotion decisions and other common activities completed by
         managers.
        Impact: High – These exploits could expose information concerning individuals that would lead
        to identity theft, and could disclose information, such as credit card numbers, that is business
        confidential.

        Unmitigated Risk Level: High

        Mitigation: Ames Laboratory has put in place limitations on the access by managers and their
        ability to download PII data to their workstations. In addition, Ames has put in place training for
        all personnel with access to or who use PII information. This training includes:

               Definition of Personally Identifiable Information.
               Understanding individual responsibility.
               Federal Security Rule general requirements.
               Consequences of security violations.
               Good computing practices.

        Residual Risk: The following residual risks remain:

        [Low] Ames has put in place management and operational controls that limit the potential for
        compromise of PII data. Even though these controls are in place, the potential for misplacement
        of printed PII matter or files, such as downloads that are imported into MS Excel, does exist.

        [Low] Personnel may have PII data stored on their desktops or portable systems without
        understanding that the data is PII. This PII data may be exposed to outside attackers because it is
        not stored in an encrypted format as required by DOE.

    SUMMARY OF RESIDUAL RISK – LOW.


5.4.2   External Attacks
Potentially dangerous external activities (scans/exploits) are launched against Ames Laboratory from the
Internet.

        Likelihood: High – Thousands of scans/exploits are launched against the Ames Laboratory
        network daily.

        Impact: High – These exploits could impact programs through loss or corruption of intellectual,
        confidential, or proprietary information, and loss of machine resources.

        Unmitigated Risk Level: High

        Mitigation: Ames Laboratory has firewalls and routers configured to limit access to the internal
        network. The access control lists are closely monitored. Devices must register in order to
        receive an IP address. In addition, any unknown device or application conducting scanning
        activities on internal devices is quickly identified and removed through the use of sensors, IDS,
        and scanners. The most effective defense against external scanning and exploitation of
        vulnerabilities is to remediate and remove those vulnerabilities as rapidly as possible. Ames
        Laboratory has implemented a patching program that identifies vulnerabilities. System
        Administrators are notified of high and medium vulnerabilities on external devices within 24-72
        hours. For systems participating in the central patch management services, internal devices are
        remediated within 10 days of the release of a patch. Most patches are installed within hours of
        availability. In addition Ames Laboratory has a configuration management program that further
        limits the potential for an attacker. Cyber Security staff conduct external vulnerability scans
        multiple times per week.

        Residual Risk: The following residual risks remain:

        [Low] An attack could be mounted that has no associated IDS signature or which resembles
        normal traffic and would be missed. The IDS itself could be compromised.

        [Low] Stealth attacks may evade the IDS and other detection systems that have been deployed.

   SUMMARY OF RESIDUAL RISK – LOW
5.4.3   Dialup Access
Dial-up remote access could be exploited when interior network systems are equipped with dial-up auto-
answering modems.

        Likelihood: Medium – This is a well-known and common technique.

        Impact: Medium – While only an answering host may be initially compromised, the attack then
        may be extended to involve additional systems causing damage that may require corrective
        action.

        Unmitigated Risk Level: Medium.

        Mitigation: An automated dialing program is run quarterly to detect answering modems in the
        Ames Laboratory block of telephone numbers. Auto-answering systems are disabled. System
        support staff are aware of the danger and are alert for any modems that are installed in their area
        to ensure the auto answer function is disabled.

        Residual Risk: The following residual risks remain:

        [Low] Modems installed between scans could be at risk of having ineffective access protection.

        [Low] The access controls for approved modems could be breached.

   SUMMARY OF RESIDUAL RISK - LOW.
5.4.4   DNS Queries
Domain Name Service (DNS) queries can reveal structure of a network, thereby affording information to
a potential threat agent in mounting attacks against the network.

        Likelihood: High – DNS queries are commonly used to map a network's structure before
        attempting to exploit it.

        Impact: Low – A fully mapped network increases the risk of successful exploitation, but does not
        itself result in a compromise of a system.

        Unmitigated Risk Level: Medium.

        Mitigation: Ames Laboratory will implement a split DNS Name space architecture, resulting in
        internal and external zones. The external zone contains only the names of Internet accessible
        machines, and zone transfers are disabled to prevent gathering data for the entire zone. The
        internal zone is only accessible from within the internal network.
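The following BIND 9 named.conf fragment is added here as an illustration of the split namespace described above; it is not Ames Laboratory's own configuration. One zone name is served from two views, the internal view is matched first, and zone transfers are refused by default. The zone name ames.example, the 10.0.0.0/8 and 192.168.0.0/16 ranges, the file names and the secondary's address 203.0.113.2 are assumptions.

```conf
// Added example, not the Laboratory's configuration.
// Zone name, address ranges, file names and the secondary address are assumed.
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";
    allow-transfer { none; };          // refuse AXFR/IXFR unless a zone says otherwise
};

// Views are tried in order; internal clients must match here, never below.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                      // internal clients may resolve Internet names
    zone "ames.example" {
        type master;
        file "internal/ames.example.zone";   // every internal host name
    };
};

view "external" {
    match-clients { any; };
    recursion no;                       // answers only for its own zones
    zone "ames.example" {
        type master;
        file "external/ames.example.zone";   // Internet-reachable hosts only
        allow-transfer { 203.0.113.2; };      // the off-site secondary, nothing else
    };
};
```

Because views are matched in the order written, a gap in the internal ACL or a view placed out of order hands the internal zone to outside clients; that is the misconfiguration the residual risk below refers to. From outside the network, `dig @ns.ames.example ames.example AXFR` should report a failed transfer, and a lookup of an internal-only host name should return NXDOMAIN.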
         Residual Risk: The following residual risk remains:

         [Low] A misconfigured DNS Server could potentially reveal the network structure.

    SUMMARY OF RESIDUAL RISK – LOW.
5.4.5    Internal scans or exploits
Scans or exploits are initiated from inside the Ames Laboratory network.

        Likelihood: High - tools are readily available to allow attackers to mount scans and exploits from
        external or internal sources.

        Impact: Medium.

        Unmitigated Risk Level: Medium.

        Mitigation: Ames Laboratory monitors network traffic using Snort and NetFlow to detect any
        significant change in activity. Offending systems can be physically disconnected from the network.
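As an added illustration, not part of the original assessment, of the kind of change-in-activity check such monitoring applies, the following Python reads NetFlow-style records and flags sources whose fan-out across ports or hosts looks like a scan. The flows, the 10.1.0.0/16 addresses and the thresholds are constructed for the example.

```python
"""
Added example, not from the Ames Laboratory assessment: a simple scan
detector over NetFlow-style records, the kind of "significant change in
activity" check a Snort/NetFlow monitor applies. All flows, addresses
(10.1.0.0/16) and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    packets: int   # packets seen in the flow


# Constructed sample: 10.1.5.23 probes 40 ports on one host (vertical
# scan), 10.1.5.24 probes port 445 on 39 hosts (horizontal scan), and
# 10.1.5.10 is an ordinary client.
SAMPLE_FLOWS = (
    [Flow("10.1.5.23", "10.1.7.40", p, "tcp", 1) for p in range(20, 60)]
    + [Flow("10.1.5.24", f"10.1.7.{h}", 445, "tcp", 1) for h in range(1, 40)]
    + [Flow("10.1.5.10", "10.1.7.40", 443, "tcp", 120),
       Flow("10.1.5.10", "10.1.7.41", 22, "tcp", 80),
       Flow("10.1.5.10", "10.1.7.42", 53, "udp", 4)]
)


def detect_scanners(flows, port_threshold=25, host_threshold=25):
    """Return {source: [reasons]} for sources whose fan-out looks like a scan.

    Thresholds are assumptions; tune them to the network's normal fan-out.
    """
    ports_per_pair = defaultdict(set)      # (src, dst)   -> distinct dports
    hosts_per_port = defaultdict(set)      # (src, dport) -> distinct dsts
    probes = defaultdict(lambda: [0, 0])   # src -> [single-packet flows, all flows]
    for f in flows:
        ports_per_pair[(f.src, f.dst)].add(f.dport)
        hosts_per_port[(f.src, f.dport)].add(f.dst)
        probes[f.src][1] += 1
        if f.packets == 1:
            probes[f.src][0] += 1

    alerts = defaultdict(list)
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            alerts[src].append(f"vertical scan: {len(ports)} ports on {dst}")
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts[src].append(f"horizontal scan: {len(hosts)} hosts on port {dport}")
    # Single-packet flows (a SYN with no completed handshake) corroborate a probe.
    for src in alerts:
        single, total = probes[src]
        alerts[src].append(f"{single}/{total} flows were single-packet probes")
    return dict(alerts)
```

A scan spread over many collection windows stays under the per-window thresholds; that is the "very slow (stealth)" method listed as a residual risk in 5.4.8, and catching it needs aggregation over a longer horizon or Snort signatures rather than counts alone.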

        Residual risk: The following residual risks remain:

    [Low] Some logically isolated network segments (printers) may not be covered by an IDS and would
   not signal an alert.

    [Low] An attack could occur during periods when the IDS is not monitored. In that case, the affected
   system would not be isolated until the attack is detected by staff.

    [Low] An attack could occur that is not detectable using current IDS signatures.

   SUMMARY OF RESIDUAL RISK – LOW.
5.4.6    Malicious Code
Viruses, worms, and Trojan horses propagated over the network and/or brought in on media may infect
Ames Laboratory systems.

         Likelihood: High.

         Impact: High (worst case; most malicious code does not cause serious damage).

         Unmitigated Risk Level: High.

         Mitigation: Anti-virus and anti-spyware packages are deployed at Ames. Windows desktops and
         servers use McAfee and the license covers installation on home computers. Anti-virus software
         is used on UNIX mail servers. Ames Laboratory’s policy requires activating and using this
         protection. All products are configured to update signature files automatically, and updates can
         be pushed to internal systems and servers.

         Residual Risk: The following residual risks remain:

         [Low] Zero day attacks or an attack for which no signature file is available could result in damage
         to Ames Laboratory systems.
        [Low] Users could disable anti-virus or not install anti-virus protection on a device. This is
        checked using tools and the product would be re-enabled immediately.

    SUMMARY OF RESIDUAL RISK – MEDIUM TO LOW.



5.4.7   Visitor Access
Ames Laboratory facilities host visitors (U.S. citizens and foreign nationals) each year, many from
sensitive countries. These visitors require computer access to participate in research. This access could
be used for unauthorized purposes.

        Likelihood: Medium.

        Impact: High.

        Unmitigated Risk Level: Medium.

        Mitigation: Access for all visitors (U.S. citizens and foreign nationals) is granted in accordance
        with Ames Laboratory procedures that implement DOE Notice 205.2, Foreign National
        Access to DOE Cyber Systems. Procedures include the following:
             Background and indices checks as appropriate.
             Approval by the Ames Laboratory host for computer access and, if the computer contains
                sensitive information, approval from the system/data owner and principal investigator.
             Auditing of central servers and sensitive systems is conducted to determine authorized
                users.

        Residual Risk: The following residual risks remain:

        [Low] Users that have sufficient privileges (Windows & UNIX) may be able to install attack
        tools and use them to scan and exploit internal systems. However, network traffic can be tracked
        and monitored to detect such activity.

        [Low] If the visitor is granted access to a system and afterwards the sensitivity of the system
        changes, there is no procedure to reevaluate whether the user should continue to have access to
        that system. Ames Laboratory has very few systems with sensitive data and new systems added
        will be addressed at that time.

   SUMMARY OF RESIDUAL RISK – LOW.
5.4.8   Local System Administrative Rights
The requirements of research (including changing settings and installing custom software) mandate that
multiple individuals have administrative rights to their experimental systems. These rights may include
an individual having control of multiple systems. Nefarious people could use these systems to launch an
attack on the internal network which includes some systems and information that requires additional
protection. Users with administrator or root access can download and install software including hacker
tools, override security controls, and/or opt out of other protective measures. It is also possible that users
with unnecessary administrative rights violate the least-user-access (least privilege) security control.

        Likelihood: Medium.

        Impact: High.
        Unmitigated Risk Level: Medium.

        Mitigation: As discussed above all visitors are checked prior to being granted access to the
        laboratory. Ames Laboratory provides Assistant Computer Protection Managers (ACPMs) for
        each area. These individuals are responsible for assisting researchers in properly configuring
        their systems prior to connecting them to the network. Ames Laboratory has also implemented a
        routine that verifies the configuration and health of each system connected to the system
        management service. Any system found deficient is tagged and corrected or removed from the
        network. Any system with serious or potentially critical deficiencies is handled on a priority
        basis. Personnel who continually violate Ames Laboratory policies have their rights and systems
        restricted to limit their ability to impact other resources.

        Administrative division users are not given system privileges, and must work through
        their ACPM or the IS office to install applications and apply patches. Researchers are
        provided the option to have an administrative account on their own workstation; however,
        these are separate from their day-to-day use accounts. All personnel with administrative
        rights to multiple systems undergo a basic indices check and additional training as part of the
        procedures for granting these elevated privileges. Ames Laboratory has a configuration
        management program. Systems are scanned for configuration changes and can be “rolled back”
        to an appropriate configuration by system administrators. Changes to the baseline configuration
        must be approved and are executed through a change control process.


        Residual Risk: The following residual risks remain:

        [Low] Users have sufficient privileges (Windows & UNIX) to install attack tools and use them to
        scan and exploit internal systems. Individuals may be able to use very slow (stealth) attack
        methodologies. This risk is mitigated through the use of IDS sensors that are configured and
        located to protect the most sensitive systems. Few personnel know the actions that will trigger an
        alert.

        [Low] If the administrator is granted privileged access to a system and afterwards the sensitivity
        of the system changes, there is no procedure to reevaluate whether the user should continue to
        have access to that system. Ames Laboratory has very few systems with sensitive data and new
        systems added will be addressed at that time.

        [Medium] The user changes security settings, bypassing the security controls. This will be
        captured on the next security scan and rolled back but does present a risk between scans.

        [Medium] The user loads or downloads malicious software. If the application is executed it will
        probably trigger one of the sensors in the network, but newer attacks or software may not be
        detected.

     SUMMARY OF RESIDUAL RISK – MEDIUM.


5.4.9   Peer to Peer services
Peer-to-Peer (P2P) services download client software from an external server to set up P2P sessions that
also can establish the client machine as a server with or without the user’s knowledge. The server could
introduce or provide a conduit for malicious software to the user’s desktop. New services appear at
regular intervals and existing services change names and IP addresses to avoid blocking. Copyright
violation and illegal software acquisition are facilitated by many P2P services.

        Likelihood: High.

        Impact: Medium.

        Unmitigated Risk Level: Medium.

        Mitigation: Ames Laboratory monitors Internet traffic for P2P traffic using IDS sensors. Ames
        Laboratory and Iowa State University both instruct users about the illegality of downloading
        copyrighted materials.

        Residual Risk: The following residual risks remain:

        [Low] New services are not detected in real time, so malicious software could be introduced
        before they are detected and blocked.

        [Low] User changes security settings after installation, bypassing security controls. Ames
        Laboratory CM tools will note any change in configuration of key settings and have an authorized
        individual correct the deficiency.

        [Medium] User loads or downloads malicious software.

        SUMMARY OF RESIDUAL RISK – MEDIUM TO LOW.
5.4.10 Remote Access
Remote access capability can be exploited by unauthorized individuals, giving them access to the Ames
   Laboratory network, including:
           Full access dial-up
           Virtual Private Network access via the Internet
           Secure Shell access

        Likelihood: Medium – Remote access exploits and tools are commonly available on the Internet.

        Impact: Medium.

        Unmitigated Risk Level: Medium.

        Mitigation: Establishing a standardized architecture for all remote access to the Ames Laboratory
        network.

        Specific mitigations include:
            Ames Laboratory is limiting the number of full access dial-up connections. The plan is to
                move this functionality to the perimeter and require VPN or SSH for internal access.
            Virtual Private Network (VPN) access via the Internet: The communications (including
                the authentication process) are encrypted.
            Secure Shell Access: Secure Shell (SSH) is a fully encrypted transaction, including the
                process of authentication.

        Residual Risk: The following residual risks remain for each of these remote access capabilities:
        [Low] Full access dial-up – if password authentication is compromised, it could grant
        unauthorized access to the Ames Laboratory network. Modem access is being moved to the
        perimeter.

        [Low] Virtual Private Network (VPN) access via the Internet - if a remote system is compromised
        and then used to access the Ames Laboratory network, it can introduce the compromise to the
        internal network. Connection sharing is disabled on VPN clients to prevent an attacker from
        tunneling through the connection.

        [Low] Secure Shell Access – no method of knowing if an SSH account was compromised before
        accessing the SSH gateway, thereby allowing unauthorized access.

        [Low] Direct access from the Internet to the SSH Servers in the DMZ – an unauthorized user
        could gain access to the internal network. Servers with exceptions to firewall rules should be
        documented; however errors could occur. Known exploits of SSH Servers exist and these could
        be used to compromise these servers if they are not correctly configured.

    SUMMARY OF RESIDUAL RISK - LOW.
5.4.11 Clear text passwords
Passwords sent in clear text could be intercepted by a network sniffer and used to access target systems.
   Most authentication exchanges (e.g., domain server logins) protect the password in transit. However,
   some protocols (e.g., telnet, ftp) cannot natively support encrypted passwords and send them in the clear.

        Likelihood: Medium.

        Impact: Medium.

        Unmitigated Risk Level: Medium.

        Mitigation: Ames Laboratory does not use clear-text passwords for any method of external
        authentication; all remote access (SSH and VPN) requires and supports encryption of credentials
        during the authentication process. Anonymous ftp is used (with separate upload and download
        servers) to prevent the interception of clear-text passwords during authentication. Telnet is not
        used at Ames Laboratory with the exception of some legacy systems and is restricted to internal
        use only; inbound telnet is blocked at the network boundary.
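To make concrete what "intercepted by a network sniffer" means for the legacy protocols named above, the following Python, added here and not part of the original document, reassembles constructed telnet and FTP payloads the way a sniffer would and pulls out the credentials. The host name, account names and passwords are invented for the example.

```python
"""
Added example, not from the Ames Laboratory assessment: what a sniffer on
the wire recovers from clear-text telnet and FTP logins. The packet
payloads, host name, user names and passwords are constructed.
"""
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
DO, WONT = 0xFD, 0xFC
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT carry one option byte
PROMPT_RE = re.compile(rb"(login|username|password)\s*:", re.I)
FTP_LOGIN_RE = re.compile(rb"^(USER|PASS) (.*?)\r?$", re.M)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only typed and printed text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd == IAC:               # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in OPTION_CMDS:     # IAC <WILL|WONT|DO|DONT> <option>
            i += 3
        elif cmd == SB:              # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                        # any other two-byte command
            i += 2
    return bytes(out)


def extract_telnet_login(stream):
    """stream: [(direction, payload)] with direction "S" (server) or "C" (client).

    Telnet sends keystrokes one per packet, so client bytes are reassembled
    into lines and each line is paired with the most recent server prompt.
    """
    server_text, typed, creds = bytearray(), bytearray(), {}
    for direction, payload in stream:
        text = strip_telnet_negotiation(payload)
        if direction == "S":
            server_text += text
            continue
        typed += text
        while b"\n" in typed:
            line, _, rest = bytes(typed).partition(b"\n")
            typed = bytearray(rest)
            prompts = PROMPT_RE.findall(bytes(server_text))
            if prompts:
                field = "password" if prompts[-1].lower() == b"password" else "user"
                creds[field] = line.rstrip(b"\r").decode("ascii", "replace")
    return creds


def extract_ftp_login(client_payload: bytes):
    """FTP sends USER and PASS as plain command lines on the control channel."""
    found = {k.lower(): v for k, v in FTP_LOGIN_RE.findall(client_payload)}
    return {"user": found.get(b"user", b"").decode("ascii", "replace"),
            "password": found.get(b"pass", b"").decode("ascii", "replace")}


def _typed(word, echo=True):
    """Client keystrokes one per packet, each echoed by the server when echo is on."""
    packets = []
    for ch in word:
        packets.append(("C", ch.encode()))
        if echo:
            packets.append(("S", ch.encode()))
    packets.append(("C", b"\r\n"))
    return packets


# Constructed telnet session: option negotiation, login prompt with echo,
# password prompt without echo.
TELNET_SESSION = (
    [("S", bytes([IAC, DO, 0x18, IAC, 0xFB, 0x01]) + b"\r\nlegacy-host login: ")]
    + [("C", bytes([IAC, WONT, 0x18, IAC, DO, 0x01]))]
    + _typed("alice")
    + [("S", b"\r\nPassword: ")]
    + _typed("Summer2011!", echo=False)
    + [("S", b"\r\nWelcome to legacy-host.\r\n$ ")]
)

# Constructed FTP control-channel bytes sent by the client.
FTP_CLIENT = b"USER bob\r\nPASS hunter2\r\nSYST\r\nPWD\r\n"
```

Against SSH or a VPN the same capture yields only ciphertext, which is why the mitigation above confines telnet to internal legacy use. A switched network limits where a capture can be taken, but an attacker with a sniffer on the same segment, the residual risk noted below, sees exactly this.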

        Residual Risk: The following residual risk remains:

        [Low] An attacker could install an internal sniffer or compromise an internal host to capture
        credentials, but this would require internal access to the network and, in many cases, to specific
        network segments. Internal authentication generally also uses either encryption or a challenge-
        response process to protect credentials.

    SUMMARY OF RESIDUAL RISK – LOW.
5.4.12 Staff awareness
Staff are not well informed about cyber security threats, protection requirements, procedures, and their
     obligations for protecting Ames Laboratory information and systems. Given the dynamic threat
     environment, even staff with an understanding of cyber security may lack current awareness.

        Likelihood: High.
        Impact: Medium.

        Unmitigated Risk Level: Medium.

        Mitigation: Ames Laboratory established a training and awareness program that requires ACPMs
        and Group Administrators to take online Cyber Security Requirements Training. The online
        materials are being updated to reflect policies and procedures resulting from DOE Directives,
        self-assessments, and risk assessments. Users will be tested on the material; when they have
        completed the training, this information is entered into a training database. Staff responsibility,
        accountability, and requirements for cyber security are set out in Ames Laboratory policies and
        procedures which are available to the user community on the internal web. In addition, bulletins
        and articles in internal web communications and newsletters, as well as formal and informal
        presentations are used to increase awareness.

        Residual Risk: The following residual risks remain:

        [Medium] Despite training and awareness, many staff members find cyber security a
        complex technology that is beyond their understanding or fail to see the importance of it.
        This can lead to unintentional behavior resulting in security problems.

        [Medium] Despite training and awareness, staff may intentionally disregard or circumvent
        cyber security policies and procedures.

     SUMMARY OF RESIDUAL RISK – MEDIUM.
5.4.13 Information remnants
The confidentiality or integrity of information on a business sensitive system could be compromised
     while the information is being processed.

        Likelihood: Low – The threat during actual processing is low unless the system has an installed
        Trojan. However, residual traces of the processing could remain on the system (e.g., cache, swap
        files) after processing. The likelihood may become medium if the system is compromised.

        Impact: Medium – For sensitive systems the impact is medium.

        Unmitigated Risk Level: Low.

        Mitigation: Ames Laboratory has systems that contain or process moderate information, e.g.
        personally identifiable information or medical information. Logs from these systems are captured
        and reviewed to verify system access.

        Residual Risk: The following residual risks remain:

        [Low] Ames Laboratory does not process, generate or store any moderate data on systems outside
        the Moderate Enclave. Systems inside this enclave, if the access controls can be compromised,
        would provide access to the moderate information.

     SUMMARY OF RESIDUAL RISK – LOW.
5.4.14 Wireless networking
           Wireless networks have well-known vulnerabilities including the possibility of installing
           rogue access points attached to the wired network. Improperly configured Wireless Access
           Points (WAPs) on the Ames Laboratory network can be manually reconfigured to an
          appropriate configuration by system administrators. Changes to the baseline configuration
          must be approved and are executed through a change control process. Users are not allowed to
          change wireless access point settings, only qualified administrators have access to AP
          management.

          Residual Risk: The following residual risks remain:

          [Medium] The user changes security settings, bypassing the security controls. This will be
          captured on the next security scan and reconfigured but does present a risk between scans.

          [Medium] The user loads or downloads malicious software. If the application is executed it
          will probably trigger one of the sensors in the network, but newer attacks or software may not
          be detected.

    SUMMARY OF RESIDUAL RISK – MEDIUM.


5.4.15 Unauthorized Wireless Access
   Ames Laboratory is in the process of implementing wireless networks in certain areas, especially
   where the physical infrastructure of the building makes running cable difficult. This wireless network
   may be visible from outside the facility.

       Likelihood: High – Access points are easy to install, may not be properly configured and could
       allow unauthorized access to the campus network. Wireless networks are detectable over much
       greater distances than their stated ranges.

       Impact: High – Allowing unregulated wireless access to Ames Laboratory network could allow
       an attack on the broader network. Attackers with access to the wireless network could
       immediately gain access to internal Ames Laboratory networks.

       Unmitigated Risk Level: High.

       Mitigation: Ames Laboratory will implement strong authentication and encryption requirements
       on these networks when they are installed. The wireless subnets will be isolated from other Ames
       Laboratory network resources and the interfaces monitored for vulnerabilities and attacks. Ames
       Laboratory Cyber staff periodically scan or wardrive for unauthorized Wireless Access Points.

       Residual Risk: The following residual risks remain:

       [Medium] Users may not conform to policy.

       [Medium] The network is not continuously monitored for detecting rogue access points.

       [Low] New exploits or vulnerabilities may allow attackers access to the network.

    SUMMARY OF RESIDUAL RISK – MEDIUM.


5.4.16 Weak passwords
    Users tend to create simple, easy-to-remember passwords. Unfortunately, such passwords may be
    easy to guess, and password-cracking software can identify them.
      Likelihood: High - tools are readily available to allow attackers to run password-cracking
      programs that can crack weak passwords.

      Impact: Medium.

      Unmitigated Risk Level: Medium - Unchecked weak passwords could be cracked, leading to
      machine compromise.

      Mitigation: The Ames Laboratory Cyber Security team runs password cracking for the Ames
      Laboratory Domain using password cracking tools. All users, as well as those users' department
      heads, are notified of weak passwords and instructed to change them immediately. In the event a
      user does not change his or her password, the account is locked out until the user changes it.

      Ames Laboratory requires users to create strong passwords as outlined in the Ames Laboratory
      Password Policy, which is based on DOE G 205.3-1, Password Guide.
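An offline audit of this kind, written in Python as an added example rather than the Laboratory's own tool, in two parts: a policy check to apply when a password is set, and a dictionary attack with common mangling rules against stored hashes. The account store, salts and wordlist are constructed; the salted SHA-256 storage format and the length and character-class thresholds are assumptions for the example, not the format of any directory service or the values in DOE G 205.3-1.

```python
"""
Added example, not from the Ames Laboratory assessment: an offline
password audit. Accounts, salts, wordlist, hash format and policy
thresholds are all constructed or assumed for illustration.
"""
import hashlib
import re
import string

WORDLIST = ["password", "summer", "welcome", "letmein", "ames", "iowa"]
SUFFIXES = ["", "1", "123", "!", "2011", "2011!"]
LEET = str.maketrans("aeios", "43105")
UNLEET = str.maketrans("43105", "aeios")


def hash_password(salt: bytes, password: str) -> str:
    """Assumed storage format for the demo: hex(SHA-256(salt || password))."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def candidates(word: str):
    """Mangling rules a cracker applies to each wordlist entry."""
    stems = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.translate(LEET).capitalize()}
    for stem in sorted(stems):
        for suffix in SUFFIXES:
            yield stem + suffix


def crack(accounts: dict, wordlist) -> dict:
    """accounts: {user: (salt, sha256 hex)}. Returns {user: recovered password}."""
    recovered = {}
    for user, (salt, digest) in accounts.items():
        for word in wordlist:
            hit = next((c for c in candidates(word) if hash_password(salt, c) == digest), None)
            if hit is not None:
                recovered[user] = hit
                break
    return recovered


CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)


def policy_violations(password: str, wordlist, min_len=12, min_classes=3):
    """Checks to apply before accepting a new password (thresholds assumed)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sum(any(test(c) for c in password) for test in CLASSES) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    # Undo simple leet substitution and strip digits/symbols before the dictionary check.
    letters = re.sub(r"[^a-z]", "", password.translate(UNLEET).lower())
    hits = [w for w in wordlist if len(w) >= 4 and w in letters]
    if hits:
        problems.append(f"based on dictionary word(s): {', '.join(hits)}")
    return problems


def make_store(plain: dict) -> dict:
    """Constructed hash store with a per-user salt (demo only)."""
    return {u: (b"demo-salt-" + u.encode(), hash_password(b"demo-salt-" + u.encode(), p))
            for u, p in plain.items()}


# Constructed accounts: two weak, one random.
ACCOUNTS = make_store({
    "jdoe": "Summer2011!",
    "asmith": "Letmein123",
    "bjones": "7h#Qz9!mLp2Rv",
})
```

Two of the residual risks listed below follow directly from how this is run: a periodic `crack` pass only covers the hash stores it is pointed at, so local accounts stay unchecked unless their stores are collected too, and a weak password swapped for another weak one is only caught at the next pass unless `policy_violations` is applied at change time.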

      Residual Risk: The following residual risks remain:

      [Low] Local Accounts are not checked leaving possible local weak passwords subject to
      compromise.

      [Low] From the time users are notified until the time an account is locked, a weak password
      exists on the network leaving it subject to compromise.

      [Low] A user could replace a weak password with another weak password that would not be
      discovered until the next scan.

      SUMMARY OF RESIDUAL RISK – LOW.


5.4.17 Compromised Credentials
    Users may store authentication credentials on remote systems. If the remote system is compromised,
    then the credentials may grant full access to Ames internal networks.

      Likelihood: High – remote systems (i.e., home or ISU systems) may not have strong protections
      against compromise.

      Impact: Medium.

      Unmitigated Risk Level: Medium

      Mitigation: Ames is not allowing any trust relationships with ISU computers. Remote access is
      audited for unusual patterns such as access outside of normal business hours. Users are cautioned
      as part of awareness training not to store credentials on local systems.
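The following Python is an added example, not the Laboratory's audit tool, of the two patterns the mitigation above looks for in remote access logs: successful logins outside business hours, and one account arriving from more than one remote address, which is what credentials lifted from a compromised home or ISU machine look like. The sshd log lines are constructed in OpenSSH syslog format; the business-hours window and the log year are assumptions.

```python
"""
Added example, not from the Ames Laboratory assessment: auditing remote
access logs for off-hours use and for accounts used from several remote
addresses. Log lines, the 06:00-21:00 window and the year are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed OpenSSH syslog lines from an SSH gateway.
SAMPLE_LOG = """\
Jul 18 09:12:01 sshgw sshd[4120]: Accepted publickey for alice from 203.0.113.10 port 51022 ssh2
Jul 18 13:40:33 sshgw sshd[4188]: Accepted password for bob from 198.51.100.7 port 40210 ssh2
Jul 18 23:55:10 sshgw sshd[4301]: Accepted password for bob from 192.0.2.77 port 61000 ssh2
Jul 19 02:17:45 sshgw sshd[4377]: Failed password for root from 192.0.2.77 port 61002 ssh2
Jul 19 03:02:09 sshgw sshd[4380]: Accepted publickey for alice from 203.0.113.10 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
BUSINESS_HOURS = (time(6, 0), time(21, 0))   # assumption: 06:00-21:00 local time


def parse_sshd_log(text: str, year: int = 2011):
    """Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, **m.groupdict()})
    return events


def off_hours_logins(events):
    """Successful logins outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["result"] == "Accepted" and not (start <= e["time"].time() < end)]


def multi_source_accounts(events):
    """Accounts that logged in successfully from more than one remote address."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            sources[e["user"]].add(e["ip"])
    return {user: ips for user, ips in sources.items() if len(ips) > 1}
```

The output is a review list rather than a block list: a stolen credential used during business hours from the victim's usual address passes both checks, which is why the residual risk below stays at Medium, and a legitimate late-night key-based login is flagged on time alone. The 9:00 PM to 6:00 AM lockout applied to the HP3000 in 5.4.19 is the same window enforced rather than audited.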

      Residual Risk: The following residual risks remain:

      [Medium] Account credentials can be stolen if users store them locally.

      SUMMARY OF RESIDUAL RISK – MEDIUM.
5.4.18 Administrative/Business (HP3000) Account Management
  The HP3000 operating system does not have the capability to implement password policy and account
  management capabilities based on DOE Password Guidance and NIST account management controls.
  The result is passwords do not meet the minimum guidance and account access enforcement
  mechanisms cannot be imposed.

       Likelihood: Medium.

       Impact: Medium.

       Unmitigated Risk Level: Medium - Unchecked weak passwords could be cracked leading to
       machine compromise. Account access cannot be automatically locked out after failed login
       attempts.

       Mitigation: The elements of DOE Password Guidance that are supported by the HP3000
       have been implemented. There are a limited number of users accessing the HP3000 for
       daily administrative processing. A third-party software tool is used to implement
       account management controls including logging off the user after three invalid attempts.
       The system administrator receives notification of the invalid attempts.

       Residual Risk: The following residual risks remain:

       [Low] A weak password exists on the network leaving it subject to compromise.
       [Low] An attacker can make repeated attempts to access the HP3000.

       SUMMARY OF RESIDUAL RISK – LOW.


5.4.19 Administrative/Business (HP3000) Clear text traffic.
  Clear text and session data could be intercepted by a network sniffer and used to access the HP3000.

       Likelihood: Medium.

       Impact: Medium.

       Unmitigated Risk Level: Medium.

        Mitigation: Ames Laboratory implemented network segregation and fully switched networks on the
        internal networks to reduce the possibility of network sniffing. Access to the HP3000 requires
        OpenVPN to encapsulate data transfer between the desktop and the server. The HP3000 is being
        replaced by systems with more secure authentication protocols. Remote access to the HP3000
        requires a VPN connection which supports encryption of credentials during the authentication
        process. The HP3000 cannot be accessed between 9:00 PM and 6:00 AM each day.
       Residual Risk: The following residual risk remains:

       [Low] An attacker could install an internal sniffer or compromise an internal host to capture
       credentials, but this would require internal access to the Sensitive network segment. Internal
       authentication generally also uses either encryption or a challenge-response process to protect
       credentials.
SUMMARY OF RESIDUAL RISK – LOW.
6     SUMMARY STATEMENT

Ames Laboratory acknowledges its risks and the amount of remaining residual risk. Even though Ames
Laboratory has developed a proactive approach to residual risk, there are some areas of concern in
network operations, wireless networking, and the user awareness training program. Ames Laboratory has
implemented several initiatives to strengthen these programs.

Although Ames Laboratory has appropriate policies on configuration and patch management, the network
infrastructure does not lend itself toward strong automated enforcement of these policies. Ames
Laboratory purchased automated tools (SMS) to support configuration management and control to ensure
configuration baselines are maintained for those systems in the AMESLAB-IOWA domain or with an
SMS agent installed.

In the area of wireless networking, Ames Laboratory will use wireless networks where the physical
building constraints make running wire difficult. Ames Laboratory has considered the risks of
implementing wireless access, and is studying controls to mitigate this risk, including authentication,
encryption, and segregation of the network.

In the area of user awareness training Ames Laboratory is awaiting a program promised by DOE Office
of Science to meet this need at all Science sites. Based upon the content of that material Ames
Laboratory will augment the material to meet site specific needs.

Ames Laboratory has implemented a scanning program to search for vulnerabilities on the Laboratory’s
networked devices, but the lab has not been able to fully integrate the scanning program with its other
processes. Additional study, as well as assistance from other DOE Office of Science labs will allow
Ames Laboratory to scan more completely, as well as more often, for internal mis-configurations and
vulnerabilities.


6.1   ACCEPTANCE OF RESIDUAL RISK

The undersigned acknowledge, understand, and accept the residual risks as described in this document:

_______________________________________________________                    ______________
Information Systems Manager                                                Date

_______________________________________________________                    ______________
Division Director, Technical and Administrative Services                   Date

_______________________________________________________                    ______________
Site Manager, Ames Laboratory Site Office                                  Date

				