cyber security compliance

dgall

My company has to be cyber security compliance because of drawings we have to download for a job. I am just now getting into this can pfsense meet the requirements for this?

KOM

Can pfSense meet your requirements that you haven't listed at all? How is anybody supposed to answer that?

dgall

cyber security compliance for doing contract work with the department of defense

KOM

Which would involve what, exactly? That's what I'm getting at. Nobody know what 'cyber security compliance' means since it's a completely vague term.

If you have a summary document you can link to, that would help.

akuma1x

@dgall said in cyber security compliance:

cyber security compliance

What @KOM is probably getting at is that there is NO "cyber security compliance" standard that has been set anywhere, and I'm assuming you're in the USA. It could literally be different for any company or any organization anywhere in the world.

I searched the term and came up with dozens and dozens of hits, all of them different.

Is this the document you're talking about - NIST Special Publication 800-171, highlighted here?

https://business.defense.gov/Small-Business/Cybersecurity/

Jeff

dgall

It is DFARS 800-171 and NIST SP 800-171 its all spelled out in this little document right here nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf which covers a whole lot more then just the firewall when you search the word firewall in the PDF a mountain of stuff pops up I will be a couple of days just looking over this document. Also here is a quick video on it https://www.youtube.com/watch?v=BumucglrJ_c&feature=youtu.be

chpalmer

https://youtu.be/BumucglrJ_c?t=1031

Start here and listen for a few minutes. Also read the slide.

I recommend setting the youtube speed to 1.5x ;)

pfsense by default blocks unsolicited traffic on the WAN from coming through the firewall from outside. Anything else from the LAN side-

https://youtu.be/BumucglrJ_c?t=2457

bmeeks

I did this type of work in nuclear power stations before I retired. We had very similar rules (and then a bunch more!) to meet. This is a sea of landmines if you have not had special training in the area and have no experience in cyber security. This requires a lot more than just a pfSense firewall. There are requirements for network segmentation and isolation, requirements for portable media controls (USB memory sticks, CD/DVD disks, etc.), requirements for active network monitoring to detect intrusions and a host of policy controls that must be implemented. These mostly involve account management stuff like immediately terminating accounts of employees who leave the company, requiring complex passwords, requiring periodic password resets, restricting access to data based on permissions (meaning using ACLs on files and directories to control access), maintaining documentation of account privileges (who has access to what and why they have it), and on and on and on. Can take a fulltime staff of several folks to keep up with all this and keep a company in compliance.

My advice to you would be to seek out a reputable contractor with experience in this area and hire them to guide you through the maze and get you set up.

johnpoz

Out of curiosity what are you using now, what is the makeup of your company? How many employees, IT staff?

Working with the DOD is a very deep and crazy rabbit hole your about to try and enter...

If your not even close, ie looking for a firewall?? It is unlikely the cost of getting your network and policies up to speed are going to far exceed of the revenue from the job.. But once you pass requirements, will open you up for more work with the dod and other gov agencies, etc.

bmeeks

To reinforce what @johnpoz said -- it would take a contract worth a whole lot of money (and I'm talking multiple millions) of dollars for me to bite off promising to keep my company in compliance with DOD cyber rules. Most especially if there are audit failure penalties. These government regulations are what we called "audit bait". That means the auditors come at you armed with the eqivalent of Encylopedia Brittanica (if you are old enough to remember what that was) and then nit-pick you to death over some sentence in some paragraph you overlooked on page 1004 ... .

dgall

I have been looking into it and you are correct on most everything I see that you wrote. I am not dealing in top secret documents and I am a small business so a few things they are a little more relaxed on I am actually going to take a coarse on cyber security compliance giving by the government in July. I am going to bring in an expert to help I have been told that will cost about 5K not including all the software and hardware I will need to buy. I have to see if my PfSense will fit into this or if I will be upgrading my firewall also.

bmeeks

@dgall said in cyber security compliance:

I have been looking into it and you are correct on most everything I see that you wrote. I am not dealing in top secret documents and I am a small business so a few things they are a little more relaxed on I am actually going to take a coarse on cyber security compliance giving by the government in July. I am going to bring in an expert to help I have been told that will cost about 5K not including all the software and hardware I will need to buy. I have to see if my PfSense will fit into this or if I will be upgrading my firewall also.

Your pfSense hardware is fine. And the software is OK. Where those cyber regulations get you is in the policy area. Lots of fine print in there to pay attention to. All of it is valid and applicable to cyber for sure. I don't mean to poo-poo it, but there is a lot of stuff in there to get straight.

dgall

@johnpoz Thanks for the reply John the kind of work I am looking at local shops are keeping 30-50 people busy all year.

bmeeks

Hiring an expert is a great idea. That person can guide you through the process. Our rules in nuclear were based on NIST 800, but then got modified fairly heavily in an attempt to apply those security controls to power plant industrial control systems. That was a difficult road to navigate for sure! Not having top-secret classification stuff to protect will of course make things a little easier.

dgall

@dgall also John I am using Netgate SG-3100 2.4.4-RELEASE-p2 with 7 computers I am going to upgrade to hardware with a more performance soon my Netgate SG-3100 when barely pushed at all the thermal sensor is in the red and when I set snort IPS Policy Selection on wan and lan to secure my memory usage goes to 100% and slows down to a crawl.

tim.mcmanus

@bmeeks said in cyber security compliance:

I did this type of work in nuclear power stations before I retired. We had very similar rules (and then a bunch more!) to meet. This is a sea of landmines if you have not had special training in the area and have no experience in cyber security. This requires a lot more than just a pfSense firewall. There are requirements for network segmentation and isolation, requirements for portable media controls (USB memory sticks, CD/DVD disks, etc.), requirements for active network monitoring to detect intrusions and a host of policy controls that must be implemented. These mostly involve account management stuff like immediately terminating accounts of employees who leave the company, requiring complex passwords, requiring periodic password resets, restricting access to data based on permissions (meaning using ACLs on files and directories to control access), maintaining documentation of account privileges (who has access to what and why they have it), and on and on and on. Can take a fulltime staff of several folks to keep up with all this and keep a company in compliance.

My advice to you would be to seek out a reputable contractor with experience in this area and hire them to guide you through the maze and get you set up.

Best advice ever!

I too do compliance work as well as audits. Compliance is a maze of things, and if you don't have controls in place, it will cost money to set them up. But I would absolutely hire an expert to help guide you through this and you should also sign up for some compliance coursework too.

dgall

I am bringing in a company to help comply with NIST SP 800-171 from what I am reading and hearing from the experts one of the biggest things on the firewall side along with all the great features PfSense has will be its logging features.
For my company so far it looks like I will have 2 networks with a separate firewall, server, computers for secure documents and software that logs when someone looks at, modifies, copies or deletes a file. All computers on this network will need the USB ports disabled except for the ports for the mouse and keyboard I would like to build a computer without any usb ports but finding a decent motherboard with a PS/2 for a mouse and keyboard is non existent anymore. That is just the few of things on the software and hardware side of it. Consulting for a small company runs between 5K to 8K and thats not including any of the software or hardware.

bmeeks

@dgall said in cyber security compliance:

I am bringing in a company to help comply with NIST SP 800-171 from what I am reading and hearing from the experts one of the biggest things on the firewall side along with all the great features PfSense has will be its logging features.
For my company so far it looks like I will have 2 networks with a separate firewall, server, computers for secure documents and software that logs when someone looks at, modifies, copies or deletes a file. All computers on this network will need the USB ports disabled except for the ports for the mouse and keyboard I would like to build a computer without any usb ports but finding a decent motherboard with a PS/2 for a mouse and keyboard is non existent anymore. That is just the few of things on the software and hardware side of it. Consulting for a small company runs between 5K to 8K and thats not including any of the software or hardware.

It sounds like you are off to a good start. Just as a point of reference, my company spent millions of dollars to get into compliance with the NRC cyber rule for nuclear power plants. To be fair the biggest portion of that was to make some physical design modifications within the plants, but we also spent a lot of money on software and consultants/contractors.

For USB controls you can usually disable the ports, but we were encouraged (maybe strong-armed is a better word) to also use physical port locking devices such as these to further lock down portable media access. Be sure to purchase the proper unlocking key as well. Several companies make this kind of device. Search for USB port blocks.

On the logging side I suggest setting up a third-party SIEM (Security Intrusion and Event Monitoring) system and piping all of the pfSense logs into it via the remote logging features available within pfSense.

johnpoz

@bmeeks said in cyber security compliance:

my company spent millions of dollars to get into compliance with the NRC cyber rule for nuclear power plants.

Yup wouldn't doubt it ;) And don't forget the on going yearly costs to maintain compliance and pass audits... Its by no way a one and done, set it and forget sort of thing... This will be ongoing diligence and upkeep..Its going to be rinse and repeat sort operation.. Better look to bringing someone on staff to deal with it vs just hiring a consultant to get you started. If not multiple people.

Part of the reason you don't see a lot of ma and pop sort of shops doing business with dod and gov is the requirements/costs of doing business with them is not cheap.

dgall

Here is one of the reasons they are doing this https://www.cnn.com/2019/05/02/politics/china-pentagon-report/index.html