4-4 Milestone: Checklist Analysis and Modification

Joshua Minnick
Information Technology Department, Southern New Hampshire University
CYB-300 System and Communication Security
Dr. Segun Odion
November 19, 2023

(Source file: CYB_300_4-4_Milestone_Evaluation_Joshua_Minnick.docx, 4 pages, uploaded December 6, 2023.)
Checklists are a valuable way to evaluate a plan or system and verify that the essential functions and capabilities are addressed by the plan being evaluated. Using a checklist when implementing a certificate authority (CA) is essential because of the nature of a CA: every certificate the organization trusts depends on the CA being deployed and operated correctly and securely. The attached checklist was provided to me for review, analysis, and update. I have completed a review and analysis of this document, which is detailed below. There are two areas I have identified that need to be updated or improved for proper implementation of a CA. I have also created an updated version for your review, which is the document accompanying this report.

The first area of concern I will address is the section titled "Part C." This part of the checklist has a good base but could be improved with minor additions. The first addition I would suggest is language requiring that a management-level official make the request for a user to receive a CA assignment. While I agree that the IT department, specifically a higher-level official with specific knowledge of CA management, should be the final authority for these approvals, the request should have to come from a manager within the department the employee works in, who submits it to the IT official in charge of approval. An approved CA assignment gives an employee a greater level of privilege within the organization, so the employee should have to show adequate justification to receive it. Requiring a management-level official to submit the request means it comes from someone with greater knowledge of the user's job duties, who can apply greater scrutiny to whether the user actually needs this access. It also keeps the requester and the approver as two different people, which is the same separation of duties applied to privileged access elsewhere.

The second part of the checklist I would strongly suggest updating is "Part E," which discusses certificate renegotiation from the server. What the checklist calls certificate renegotiation is TLS renegotiation, in which a client or server starts a new handshake inside an existing TLS session. Renegotiation was found to be insecure in the past and was removed from the protocol entirely in Transport Layer Security version 1.3 (TLS 1.3, RFC 8446). Renegotiation created vulnerabilities that could be exploited by a threat actor to mount a denial-of-service attack (the server does more cryptographic work per handshake than the client, so a client that renegotiates in a tight loop can exhaust server CPU) or a man-in-the-middle attack (CVE-2009-3555, in which an attacker splices its own data in front of the victim's request during a renegotiation; the secure renegotiation extension of RFC 5746 was the fix for TLS 1.0 through 1.2). TLS 1.3 replaced renegotiation with a simplified handshake and a separate key-update mechanism, which resolved these vulnerabilities. This part of the checklist needs to be rewritten to require verification that TLS 1.3 is the only version supported or used by any servers or browsers the organization utilizes. Where a server must keep TLS 1.2 enabled for legacy clients, the checklist should at minimum require that renegotiation be disabled in the server configuration and that the RFC 5746 extension be in use.

Evaluating the overall applicability of this checklist shows that more information is needed for it to fully address all areas of interest and concern in the implementation of a CA server. Measured against the standards laid out by the National Institute of Standards and Technology (NIST), this document falls short of meeting all the requirements NIST provides. I do believe this document is a strong starting point for the organization, but more precise information is needed for it to address all of the concerns raised in NIST SP 800-70 Revision 4, specifically pages 14–15. Some of my concerns about this checklist are that it does not state the skill level required to implement and maintain the CA, it does not explain its security objectives, and it fails to account for known vulnerabilities and protocol changes, as evidenced by its reference to certificate renegotiation, which was removed with the introduction of TLS 1.3.
References

Quinn, S. D., Souppaya, M., Cook, M., & Scarfone, K. (2018). National Checklist Program for IT products: Guidelines for checklist users and developers (NIST Special Publication 800-70, Revision 4). National Institute of Standards and Technology, U.S. Department of Commerce.

Kiprin, B. (2022, September 26). What is the SSL renegotiation vulnerability? Crashtest Security. https://crashtest-security.com/secure-client-initiated-ssl-renegotiation/

Nohe, P. (2023, March 20). TLS 1.3 update: Everything you need to know. Hashed Out by The SSL Store. https://www.thesslstore.com/blog/tls-1-3-everything-possibly-needed-know/