ECE579S/8 #1 Spring 2011 © 2000-2011, Richard A. Stanley ECE579S Computer and Network Security 8: Certification & Accreditation; Red/Black Professor Richard.

ECE579S/8 #1 Spring 2011 © 2000-2011, Richard A. Stanley
Slide 1: ECE579S Computer and Network Security 8: Certification & Accreditation; Red/Black
Professor Richard A. Stanley, P.E.

Slide 2: Last time… SSL/TLS Summary
SSL/TLS provides a means for secure transport layer communications in TCP/IP networks
SSL is a commonly used protocol, developed by Netscape but now ubiquitously used in browsers, etc.
The key element of SSL is the handshake protocol

Slide 3: Formal Evaluation Summary
Formal security evaluation techniques are academically interesting, but have until recently failed to provide significant practical improvement in fielded systems security
Emphasis is shifting to new evaluation schemes and empirical, policy-based security evaluation for trusted systems
Both approaches offer opportunities for exploitation by malefactors and for real improvement in systems security

Slide 4: IDS Summary
IDS’s can be useful in monitoring networks for intrusions and policy violations
Up-to-date attack signatures and policy implementations essential
Many types of IDS available, at least one as freeware
Serious potential legal implications
Automated responses to be avoided

Slide 5: Cyber Threat: Real & Damaging…
Undermining both our national security and our economic leadership in the world marketplace
– Threat started as nuisance activities by isolated bad actors
– Threat is now coming from nation states, commercial espionage, terrorist organizations, organized crime groups, and ‘for-hire’ cyber organizations (it’s a business), and often in concert
– Our intellectual property is the target: F22, oil exploration, Google
The extent of the damage is only beginning to be publicly acknowledged; >$1T and years and years of technology leadership

Slide 6: Advanced Persistent Threats (Exploitation Life Cycle)
Step 1 - Reconnaissance
Step 2 - Initial Intrusion into the Network
Step 3 - Establish a Backdoor into the Network
Step 4 - Obtain User Credentials
Step 5 - Install Various Utilities
Step 6 - Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7 - Maintain Persistence

Slide 7: Vulnerability
External and Internal Vulnerabilities at all layers
– Internet connections
– Software (malware, botnets)
– Hardware
– Firmware
– Web pages/banners/pop-ups
– Databases (SQL injection)

Slide 8: The future wave of access vulnerability
It won’t get any easier! The internet of things…

Slide 9: IT Security Roles
Designated Approving Authority (DAA) – Accepts risk, issues ATO for IS
Certifying Authority (CA) – Certifies IS
Information Assurance (IA) Manager (IAM) – Responsible for the IA program for IS or organization
IA Officer (IAO) – Implements IA program for IAM
User Representative (UR) – Represents users in DIACAP
Privileged User with IA responsibilities – System Administrator (for example)
Authorized User – Any appropriately authorized individual

Slide 10: IT Security Situation

Slide 11: Terms and Definitions
Cyber Security
– Protection of computer systems, computer networks, and electronically stored and transmitted information; network and Internet security
Information Security
– Protection of information and information systems, providing confidentiality, integrity (including authentication and non-repudiation), and availability
– Includes cyber security plus non-computer issues: physical security of buildings, personnel security, security of paper files

Slide 12: Terms and Definitions
Information Assurance
– Superset of information security, emphasizes strategic risk management over tools and tactics
– Also includes: privacy, compliance, audits, business continuity, disaster recovery

Slide 13: Cyber Security / Information Security / Information Assurance
Cyber Security – Defense-in-Depth for computers, networks, and electronic information
Information Security – Cyber-Security plus protection for non-electronic information; ensures confidentiality, integrity, availability
Information Assurance – Information Security plus strategic risk management, privacy, compliance, audits, business continuity, disaster recovery
Note: For SRA, Cyber Security = Information Assurance

Slide 14: Threats, Vulnerabilities, Assets
THREAT - entity, circumstance, event producing intentional or accidental harm by:
– Unauthorized access, destruction, disclosure, modification of data
– Denial of Service (DoS) affecting mission performance
VULNERABILITY – exploitable weakness in:
– Computing, telecommunications system, or network system security procedures
– Internal controls or implementation
ASSET - personnel, hardware, software, or information that may possess vulnerabilities and are being protected against threats

Slide 15: Risk
RISK - measure of the extent that an entity is threatened by potential circumstance/event, a function of likelihood of circumstance/event occurring and resulting adverse impacts
RISK can be thought of as where threats, vulnerabilities and assets overlap
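The two statements on this slide can be made concrete in code. The following is an added example, not part of the lecture or of the SRA material it draws on: a risk entry exists only for an (asset, threat, vulnerability) triple where the threat can exploit a weakness the asset actually has (the "overlap"), and its measure is a function of likelihood and impact. The asset, threat and vulnerability records are constructed sample data; the 1-5 scales and the product scoring rule are assumptions made here, not something the slide prescribes.

```python
"""Risk as the overlap of threats, vulnerabilities and assets (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    weaknesses: frozenset   # ids of vulnerabilities present on this asset
    impact: int             # adverse impact if compromised, 1 (low) .. 5 (high); assumed scale


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    description: str


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset     # ids of vulnerabilities this threat is able to use
    likelihood: int         # 1 (rare) .. 5 (expected); assumed scale


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    score: int              # likelihood x impact (assumed scoring rule)


def enumerate_risks(assets, threats, vulns):
    """One Risk per (asset, threat, vulnerability) triple that overlaps.

    A threat with nothing to exploit, a vulnerability present on no asset, or
    an asset no threat can reach produces no risk, which is the slide's
    "overlap" picture. Results are sorted highest score first.
    """
    known = {v.vid for v in vulns}
    risks = []
    for asset in assets:
        for threat in threats:
            for vid in sorted(asset.weaknesses & threat.exploits & known):
                risks.append(Risk(asset.name, threat.name, vid,
                                  threat.likelihood * asset.impact))
    return sorted(risks, key=lambda r: (-r.score, r.asset, r.threat, r.vulnerability))


# Constructed sample register (not real systems).
VULNS = [
    Vulnerability("V-SQLI", "web form passes input to SQL unescaped"),
    Vulnerability("V-FW", "unsigned firmware accepted at boot"),
    Vulnerability("V-PAPER", "printed reports left in an unlocked room"),
]
ASSETS = [
    Asset("personnel-db", frozenset({"V-SQLI", "V-PAPER"}), impact=5),
    Asset("field-router", frozenset({"V-FW"}), impact=3),
    Asset("kiosk", frozenset({"V-SQLI"}), impact=1),
]
THREATS = [
    Threat("criminal-group", frozenset({"V-SQLI"}), likelihood=4),
    Threat("nation-state", frozenset({"V-FW", "V-SQLI"}), likelihood=2),
    Threat("careless-insider", frozenset({"V-PAPER"}), likelihood=3),
]


def top_risk(assets=ASSETS, threats=THREATS, vulns=VULNS):
    """Highest-scoring risk in the register, or None if nothing overlaps."""
    risks = enumerate_risks(assets, threats, vulns)
    return risks[0] if risks else None


if __name__ == "__main__":
    for r in enumerate_risks(ASSETS, THREATS, VULNS):
        print(f"{r.score:2d}  {r.asset:13s} {r.threat:17s} {r.vulnerability}")
```

Note what the sample shows: the kiosk shares the SQL injection weakness with the personnel database, but because its impact is low it lands at the bottom of the list, while the paper-handling weakness on the personnel database outranks the nation-state entry because the insider's likelihood is higher. Treating the three sets separately, and only scoring where they intersect, keeps a register from filling up with "risks" that have no asset or no threat behind them.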

Slide 16: References
DoDD E – Information Assurance (IA)
– Establishes policy and assigns responsibilities to achieve Department of Defense (DoD) information assurance (IA)
DoDI – Information Assurance (IA) Implementation
– Implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DoD information systems
DoDI – DoD Information Assurance Certification and Accreditation Process (DIACAP)
– Establishes the DIACAP for authorizing the operation of DoD Information Systems
DoD M – Information Assurance Workforce Improvement Program
– Provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance (IA) functions in assigned duty positions
DoDI – Information Assurance (IA) in the Defense Acquisition System
– Implements policy, assigns responsibilities, and prescribes procedures to integrate IA into the Defense Acquisition System
DoD M – National Industrial Security Program Manual (NISPOM)
– Provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP

Slide 17: DoDD E applies to…
All DoD owned or controlled information systems
Includes systems covered under National Industrial Security Program (NISP)
Does not apply to weapons systems with no platform IT interconnection

Slide 18: National Security System (NSS) Definition
National security systems are information systems operated by the U.S. Government, its contractors or agents that contain classified information or that
– involve intelligence activities
– involve cryptographic activities related to national security
– involve command and control of military forces
– involve equipment that is an integral part of a weapon or weapons system
– are critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications)

Slide 19: Cyber Security Considerations
What type of data?
– At rest
– Transmitted
– Processed
– Encrypted
Systems that store, process, transmit government data
– What is the information flow? Upstream, downstream
– Interconnections
– Input/output
– Information sharing
– Mobile media

Slide 20: Mission Assurance Category/Confidentiality Level
Mission Assurance Category (MAC 1, 2, 3)
– Importance of information and information systems
– Availability and integrity
Confidentiality Levels
– Information classification level and need-to-know
All DoD systems assigned MAC and Confidentiality Level
Required security controls based on MAC and Confidentiality Level

Slide 21: MAC 1, 2, 3 Compared

Slide 22: Confidentiality Levels
Classified - Official information that has been determined to require, in the interests of national security, protection against unauthorized disclosure
– Confidential
– Secret
– Top Secret
– Top Secret SCI, etc.
Sensitive - Loss, misuse, unauthorized access, or modification could adversely affect:
– National interest
– Conduct of Federal programs
– Privacy of individuals
Public - Official DoD information that has been reviewed and approved for public release by the information owner

Slide 23: Information System Categories
Enclaves
Automated information system (AIS) application
Outsourced IT-based process
Platform IT interconnection

Slide 24: System Boundary
DoDD only mentions enclave boundary, does not define system boundary
From NIST SP rev.1, a set of information resources with:
– Same direct management control
– Same function or mission objective
– Same operating characteristics
– Same information security needs
– Same general operating environment (or if distributed, similar operating environments)
In NIST this is the security authorization boundary
DIACAP refers to it as the accreditation boundary
Applies to production, test, and development
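The five shared properties on this slide are also a practical consistency test for an existing inventory: a resource that claims to sit inside a boundary but differs from the rest of that boundary on management control, mission, operating characteristics, security needs or environment probably belongs somewhere else, or needs its own package. The script below is an added example (not from the lecture or from NIST or DoD guidance); the inventory records, the property names and the "majority value of the boundary" rule it compares against are all assumptions made here.

```python
"""Flag resources whose properties disagree with their claimed accreditation boundary (added example)."""
from collections import Counter, defaultdict

# The five properties the slide says resources inside one boundary share.
SHARED = ("management", "mission", "operating_characteristics",
          "security_needs", "environment")


def boundary_profiles(inventory):
    """For each boundary, the most common value of every shared property.

    Majority vote is an assumption made here; a real review would take the
    values from the boundary's own accreditation package instead.
    """
    groups = defaultdict(list)
    for res in inventory:
        groups[res["boundary"]].append(res)
    return {
        name: {prop: Counter(m[prop] for m in members).most_common(1)[0][0]
               for prop in SHARED}
        for name, members in groups.items()
    }


def boundary_findings(inventory):
    """Return {resource name: [properties that differ from its boundary's profile]}."""
    profiles = boundary_profiles(inventory)
    findings = {}
    for res in inventory:
        profile = profiles[res["boundary"]]
        differing = [p for p in SHARED if res[p] != profile[p]]
        if differing:
            findings[res["name"]] = differing
    return findings


def resource(name, boundary, management, mission, opchar, needs, env):
    """Build one inventory record (helper for the constructed sample below)."""
    return {"name": name, "boundary": boundary, "management": management,
            "mission": mission, "operating_characteristics": opchar,
            "security_needs": needs, "environment": env}


# Constructed sample inventory. A development host has been lumped into the
# production payroll enclave, which the slide's last line says should be a
# separate boundary.
INVENTORY = [
    resource("pay-web", "payroll-enclave", "agency-it", "payroll",
             "24x7 web front end", "MAC 2 / Sensitive", "production"),
    resource("pay-app", "payroll-enclave", "agency-it", "payroll",
             "24x7 web front end", "MAC 2 / Sensitive", "production"),
    resource("pay-db", "payroll-enclave", "agency-it", "payroll",
             "24x7 web front end", "MAC 2 / Sensitive", "production"),
    resource("pay-dev", "payroll-enclave", "contractor-dev", "payroll",
             "nightly build host", "MAC 3 / Sensitive", "development"),
    resource("supply-web", "logistics-app", "depot-it", "logistics",
             "business-hours web", "MAC 3 / Public", "production"),
    resource("supply-db", "logistics-app", "depot-it", "logistics",
             "business-hours web", "MAC 3 / Public", "production"),
]


if __name__ == "__main__":
    for name, props in boundary_findings(INVENTORY).items():
        print(f"{name}: differs from its boundary on {', '.join(props)}")
```

On the sample the only finding is pay-dev, which differs on four of the five properties; the two logistics resources agree with each other and produce nothing. The "environment" comparison is a plain equality test, so it does not capture the slide's allowance for distributed systems in similar environments; a reviewer would treat that property as a prompt to look, not as an automatic failure.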

Slide 25: IA Control Subject Areas

Slide 26: IA Control Examples

Slide 27: DIACAP Overview
DoDI – DoD Information Assurance Certification and Accreditation Process (DIACAP)
– “Establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD ISs, including core enterprise services- and Web services-based software systems and applications”.

Slide 28: DIACAP Applicability
DoD-owned/controlled Information Systems that handle DoD information:
– receive
– process
– store
– display
– transmit
Any classification or sensitivity
Must meet the definition of a DoD Information System (enclave, AIS, outsourced IT-based process, or platform IT interconnection) from DoD Directive E

Slide 29: DIACAP Team
Designated Approving Authority – DAA
– Incorporates IA in information system life-cycle management processes
– Grants Authorization to Operate
Certifying Authority – CA
– DoD Component Senior Information Assurance Officer (SIAO) (or designee)
– Makes certification determination

Slide 30: DIACAP Team
IS Program or System Manager – ISPM/SM
– Implement DIACAP
– Develop, track, resolve, and maintain the DIACAP Implementation Plan (DIP)
– Ensure IT Security POA&M development, tracking, and resolution
– Ensure that the IS has an IA manager (IAM)

Slide 31: DIACAP Implementation
All IT has some information assurance requirements
– DoDD E requires C&A for all DoD information systems
– DoDI implements the requirements of DoDD E and defines controls
– DoDI defines and implements the DIACAP process for C&A of DoD information systems
DoD Information Systems are:
– Enclave
– Automated Information System (AIS) application
– Outsourced IT-based processes
– Platform IT with GIG interconnections

Slide 32: DIACAP Implementation
Development and test systems
– Create full ATO package with IA Controls based on MAC and CL within development/testing environment
– Send ATO package to the field with the completed system
– The field organization determines MAC and CL in its own environment, reviews the development/testing ATO package, and determines which IA Controls are still valid and which must be newly implemented

Slide 33: DIACAP Packages
Comprehensive package
– Includes all the information resulting from the DIACAP process
– Used for the CA recommendation
Executive package
– Minimum information
– Used for an accreditation decision
– Provided to others in support of accreditation or other decisions, such as connection approval

Slide 34: DIACAP Packages

Slide 35: DIACAP Activities

Slide 36: FISMA
E-Government Act of 2002
– Recognized the importance of information security to the economic and national security interests of the United States
– Title III of the E-Government Act: FISMA
FISMA is the Federal Information Security Management Act
Requires federal organizations to provide security for the information and information systems that support the agency

Slide 37: FISMA Requirements
Applies to all federal agencies, DoD and civil
Periodic assessments of the risk
Policies and procedures based on risk assessment
Component-level plans for providing IT security for networks, facilities, and systems or groups of IT systems
IT security awareness training
Testing and evaluation of IT security policies, procedures, and practices at least annually
Process for planning, implementing, evaluating, and documenting remedial action
Procedures for detecting, reporting, responding to security incidents
Plans and procedures to ensure continuity of operations for IT systems supporting the operations and assets of the organization

Slide 38: Red/Black
Well, OK, that isn’t really the Red/Black we are going to study, but do I have your attention now?

Slide 39: Red/Black
Red
– Circuits carrying classified information that is not encrypted
– Often used to refer to classified information itself
Black
– Circuits carrying information that is encrypted
– Often used to refer to unclassified information
Nomenclature comes from the TEMPEST program
– A series of government-led approaches to minimize the effects of information leakage through covert channels as a result of signal coupling

Slide 40: Red/Black Separation
Owing to the laws of physics, physical separation between Red circuits and Black circuits is required to ensure no (or, in practice, minimal possible) signal leakage.
Requirements can be found in, inter alia,
– NSTISSAM TEMPEST 2-95, 12 December 1995, RED/BLACK INSTALLATION GUIDANCE
– MIL-HDBK-232A, 24 October 2000, RED/BLACK ENGINEERING - INSTALLATION GUIDELINES
– NSTISSI No. 7003, 13 December 1996, Protective Distribution Systems
Red and Black circuits CANNOT be interconnected, as we do not know how to avoid covert channels in that circumstance
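The "cannot be interconnected" rule on this slide is a topology property, and a drawing or cable plant inventory can be checked for it mechanically before anyone measures a signal. The script below is an added example, not from the lecture or from the TEMPEST documents cited: circuits and the equipment between them are modelled as an undirected graph whose nodes are labelled red (unencrypted classified), black (encrypted, or unclassified) or crypto. Treating the crypto unit as the one sanctioned place where the two domains meet is an assumption added here; the slide only states that Red and Black circuits must not be interconnected. The node names and the two sample topologies are constructed.

```python
"""Find Red-to-Black paths that bypass the encryption unit (added example)."""
from collections import deque

LABELS = {"red", "black", "crypto"}


def red_black_violations(nodes, links):
    """Return sorted (red node, black node) pairs that are connected without
    passing through a crypto node.

    nodes: {name: "red" | "black" | "crypto"}
    links: iterable of (name, name) cable or bus connections, undirected.
    The search starts at every red node, never expands through a crypto node
    (that crossing is the sanctioned one), and stops at the first black node
    on each path so that one bad patch is reported once per red source.
    """
    bad = {n: lbl for n, lbl in nodes.items() if lbl not in LABELS}
    if bad:
        raise ValueError(f"unlabelled equipment, classify it first: {bad}")
    adj = {n: set() for n in nodes}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)

    violations = set()
    for start, label in nodes.items():
        if label != "red":
            continue
        seen = {start}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt in seen or nodes[nxt] == "crypto":
                    continue
                seen.add(nxt)
                if nodes[nxt] == "black":
                    violations.add((start, nxt))   # reached Black without a crypto unit in between
                else:
                    queue.append(nxt)              # keep walking the Red side
    return sorted(violations)


# Constructed sample: a correct installation, then the same one with a stray patch.
GOOD_NODES = {
    "workstation": "red",
    "red-switch": "red",
    "encryptor": "crypto",
    "black-router": "black",
    "wan-modem": "black",
}
GOOD_LINKS = [
    ("workstation", "red-switch"),
    ("red-switch", "encryptor"),
    ("encryptor", "black-router"),
    ("black-router", "wan-modem"),
]
# Someone patched the red switch straight into the black router.
BAD_LINKS = GOOD_LINKS + [("red-switch", "black-router")]


if __name__ == "__main__":
    print("good:", red_black_violations(GOOD_NODES, GOOD_LINKS))
    print("bad: ", red_black_violations(GOOD_NODES, BAD_LINKS))
```

The check is deliberately conservative: a node that is neither red, black nor crypto (a shared patch panel, a KVM, a power strip carrying signal) makes it fail rather than guess, because the slide's point is that any unclassified coupling path between the two domains is a potential covert channel. A topology pass like this does not replace the physical separation and measurement requirements in the cited documents; it only catches the wiring errors that would make those measurements moot.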

Slide 41: Summary
If you are involved with information assurance on government systems, you will be involved with many differing regulations and requirements
Engineering information systems that carry classified information must deal with Red/Black standards

Slide 42: Student Research Presentations