
ECE579S/8 #1 Spring 2011 © 2000-2011, Richard A. Stanley
ECE579S Computer and Network Security
8: Certification & Accreditation; Red/Black
Professor Richard A. Stanley, P.E.

ECE579S/8 #2 Last time… SSL/TLS Summary
SSL/TLS provides a means for secure transport-layer communications in TCP/IP networks
SSL was developed by Netscape and is now ubiquitously used in browsers and other clients
The key element of SSL is the handshake protocol

ECE579S/8 #3 Formal Evaluation Summary
Formal security evaluation techniques are academically interesting, but have until recently failed to provide significant practical improvement in fielded systems security
Emphasis is shifting to new evaluation schemes and empirical, policy-based security evaluation for trusted systems
Both approaches offer opportunities for exploitation by malefactors and for real improvement in systems security

ECE579S/8 #4 IDS Summary
IDSs can be useful in monitoring networks for intrusions and policy violations
Up-to-date attack signatures and policy implementations are essential
Many types of IDS are available, at least one as freeware
Serious potential legal implications
Automated responses are to be avoided

ECE579S/8 #5 Cyber Threat: Real & Damaging…
Undermining both our national security and our economic leadership in the world marketplace
–Threat started as nuisance activities by isolated bad actors
–Threat is now coming from nation states, commercial espionage, terrorist organizations, organized crime groups, and ‘for-hire’ cyber organizations—it’s a business—and often in concert
–Our intellectual property is the target: F-22, oil exploration, Google
The extent of the damage is only beginning to be publicly acknowledged; >$1T and years and years of technology leadership

ECE579S/8 #6 Advanced Persistent Threats: Exploitation Life Cycle
Step 1 - Reconnaissance
Step 2 - Initial Intrusion into the Network
Step 3 - Establish a Backdoor into the Network
Step 4 - Obtain User Credentials
Step 5 - Install Various Utilities
Step 6 - Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7 - Maintain Persistence

ECE579S/8 #7 Vulnerability
–External and internal vulnerabilities at all layers
-Internet connections
-Email
-Software (malware, botnets)
-Hardware
-Firmware
-Web pages/banners/pop-ups
-Databases (SQL injection)

ECE579S/8 #8 The Future Wave of Access Vulnerability
It won’t get any easier! The Internet of Things…

ECE579S/8 #9 IT Security Roles
Designated Approving Authority (DAA): Accepts risk, issues ATO for an IS
Certifying Authority (CA): Certifies the IS
Information Assurance (IA) Manager (IAM): Responsible for the IA program for an IS or organization
IA Officer (IAO): Implements the IA program for the IAM
User Representative (UR): Represents users in DIACAP
Privileged User: User with IA responsibilities (System Administrator, for example)
Authorized User: Any appropriately authorized individual

ECE579S/8 #10 IT Security Situation

ECE579S/8 #11 Terms and Definitions
Cyber Security
–Protection of computer systems, computer networks, and electronically stored and transmitted information; network and Internet security
Information Security
–Protection of information and information systems, providing confidentiality, integrity (including authentication and non-repudiation), and availability
–Includes cyber security plus non-computer issues: physical security of buildings, personnel security, security of paper files

ECE579S/8 #12 Terms and Definitions
Information Assurance
–Superset of information security; emphasizes strategic risk management over tools and tactics
–Also includes: privacy, compliance, audits, business continuity, disaster recovery

ECE579S/8 #13 Cyber Security, Information Security, Information Assurance (nested view)
Cyber Security: Defense-in-Depth for computers, networks, and electronic information
Information Security: Cyber Security plus protection for non-electronic information; ensures confidentiality, integrity, availability
Information Assurance: Information Security plus strategic risk management, privacy, compliance, audits, business continuity, disaster recovery
Note: For SRA, Cyber Security = Information Assurance

ECE579S/8 #14 Threats, Vulnerabilities, Assets
THREAT - entity, circumstance, or event producing intentional or accidental harm by:
–Unauthorized access, destruction, disclosure, or modification of data
–Denial of Service (DoS) affecting mission performance
VULNERABILITY - exploitable weakness in:
–Computing, telecommunications system, or network system security procedures
–Internal controls or implementation
ASSET - personnel, hardware, software, or information that may possess vulnerabilities and is being protected against threats

ECE579S/8 #15 Risk
RISK - measure of the extent to which an entity is threatened by a potential circumstance/event; a function of the likelihood of the circumstance/event occurring and the resulting adverse impacts
RISK can be thought of as where threats, vulnerabilities, and assets overlap

ECE579S/8 #16 References
DoDD 8500.01E - Information Assurance (IA)
–Establishes policy and assigns responsibilities to achieve Department of Defense (DoD) information assurance (IA)
DoDI 8500.2 - Information Assurance (IA) Implementation
–Implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of DoD information systems
DoDI 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
–Establishes the DIACAP for authorizing the operation of DoD information systems
DoD 8570.01-M - Information Assurance Workforce Improvement Program
–Provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance (IA) functions in assigned duty positions
DoDI 8580.1 - Information Assurance (IA) in the Defense Acquisition System
–Implements policy, assigns responsibilities, and prescribes procedures to integrate IA into the Defense Acquisition System
DoD 5220.22-M - National Industrial Security Program Operating Manual (NISPOM)
–Provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP

ECE579S/8 #17 DoDD 8500.01E applies to…
All DoD-owned or -controlled information systems
Includes systems covered under the National Industrial Security Program (NISP)
Does not apply to weapons systems with no platform IT interconnection

ECE579S/8 #18 National Security System (NSS) Definition
National security systems are information systems operated by the U.S. Government, its contractors, or agents that contain classified information or that
–involve intelligence activities
–involve cryptographic activities related to national security
–involve command and control of military forces
–involve equipment that is an integral part of a weapon or weapons system
–are critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications)

ECE579S/8 #19 Cyber Security Considerations
What type of data?
–At rest
–Transmitted
–Processed
–Encrypted
Systems that store, process, or transmit government data
–What is the information flow? Upstream, downstream
–Interconnections
–Input/output
–Information sharing
–Mobile media

ECE579S/8 #20 Mission Assurance Category/Confidentiality Level
Mission Assurance Category (MAC 1, 2, 3)
–Importance of the information and information system
–Drives availability and integrity requirements
Confidentiality Levels
–Information classification level and need-to-know
All DoD systems are assigned a MAC and a Confidentiality Level
Required security controls are based on the MAC and Confidentiality Level

ECE579S/8 #21 MAC 1, 2, 3 Compared

ECE579S/8 #22 Confidentiality Levels
Classified - Official information that has been determined to require, in the interests of national security, protection against unauthorized disclosure
–Confidential
–Secret
–Top Secret
–Top Secret/SCI, etc.
Sensitive - Loss, misuse, unauthorized access, or modification could adversely affect:
–National interest
–Conduct of Federal programs
–Privacy of individuals
Public - Official DoD information that has been reviewed and approved for public release by the information owner

ECE579S/8 #23 Information System Categories
Enclaves
Automated information system (AIS) application
Outsourced IT-based process
Platform IT interconnection

ECE579S/8 #24 System Boundary
DoDI 8500.2 only mentions the enclave boundary; it does not define a system boundary
From NIST SP 800-37 rev. 1, a system boundary encloses a set of information resources under:
–The same direct management control
–The same function or mission objective
–The same operating characteristics
–The same information security needs
–The same general operating environment (or, if distributed, similar operating environments)
NIST calls this the security authorization boundary; DIACAP refers to it as the accreditation boundary
Applies to production, test, and development systems

ECE579S/8 #25 IA Control Subject Areas

ECE579S/8 #26 IA Control Examples

ECE579S/8 #27 DIACAP Overview
DoDI 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
–“Establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD ISs, including core enterprise services- and Web services-based software systems and applications.”

ECE579S/8 #28 DIACAP Applicability
DoD-owned/controlled information systems that receive, process, store, display, or transmit DoD information
Any classification or sensitivity
Must meet the definition of a DoD Information System (enclave, AIS application, outsourced IT-based process, or platform IT interconnection) from DoD Directive 8500.01E

ECE579S/8 #29 DIACAP Team
Designated Approving Authority - DAA
–Incorporates IA in information system life-cycle management processes
–Grants Authorization to Operate (ATO)
Certifying Authority - CA
–DoD Component Senior Information Assurance Officer (SIAO) (or designee)
–Makes the certification determination

ECE579S/8 #30 DIACAP Team
IS Program or System Manager - ISPM/SM
–Implements DIACAP
–Develops, tracks, resolves, and maintains the DIACAP Implementation Plan (DIP)
–Ensures IT Security POA&M development, tracking, and resolution
–Ensures that the IS has an IA manager (IAM)

ECE579S/8 #31 DIACAP Implementation
All IT has some information assurance requirements
–DoDD 8500.01E requires C&A for all DoD information systems
–DoDI 8500.2 implements the requirements of DoDD 8500.01E and defines the controls
–DoDI 8510.01 defines and implements the DIACAP process for C&A of DoD information systems
DoD Information Systems are:
–Enclaves
–Automated Information System (AIS) applications
–Outsourced IT-based processes
–Platform IT with GIG interconnections

ECE579S/8 #32 DIACAP Implementation
Development and test systems
–Create a full ATO package with IA Controls based on MAC and CL within the development/testing environment
–Send the ATO package to the field with the completed system
–The field organization:
Determines MAC and CL in its environment
Reviews the development/testing ATO package
Determines which IA Controls are still valid and which must be newly implemented

ECE579S/8 #33 DIACAP Packages
Comprehensive package
–Includes all the information resulting from the DIACAP process
–Used for the CA recommendation
Executive package
–Minimum information
–Used for an accreditation decision
–Provided to others in support of accreditation or other decisions, such as connection approval

ECE579S/8 #34 DIACAP Packages

ECE579S/8 #35 DIACAP Activities

ECE579S/8 #36 FISMA
E-Government Act of 2002
–Recognized the importance of information security to the economic and national security interests of the United States
–Title III of the E-Government Act is FISMA, the Federal Information Security Management Act
FISMA requires federal organizations to provide security for the information and information systems that support the agency

ECE579S/8 #37 FISMA Requirements
Applies to all federal agencies, DoD and civil
Periodic assessments of risk
Policies and procedures based on the risk assessment
Component-level plans for providing IT security for networks, facilities, and systems or groups of IT systems
IT security awareness training
Testing and evaluation of IT security policies, procedures, and practices at least annually
Process for planning, implementing, evaluating, and documenting remedial action
Procedures for detecting, reporting, and responding to security incidents
Plans and procedures to ensure continuity of operations for IT systems supporting the operations and assets of the organization

ECE579S/8 #38 Red/Black
http://www.youtube.com/watch?v=do5ZVohtQxQ
Well, OK, that isn’t really the Red/Black we are going to study, but do I have your attention now?

ECE579S/8 #39 Red/Black
Red
–Circuits carrying classified information that is not encrypted (plaintext)
–Often used to refer to the classified information itself
Black
–Circuits carrying information that is encrypted, or that is unclassified
–Often used to refer to unclassified information
The nomenclature comes from the TEMPEST program
–A series of government-led approaches to minimize information leakage through covert channels that arise from signal coupling (compromising emanations)

ECE579S/8 #40 Red/Black Separation
Owing to the laws of physics, physical separation between Red circuits and Black circuits is required to ensure no (or, in practice, the minimum possible) signal leakage.
Requirements can be found in, inter alia,
–NSTISSAM TEMPEST 2-95, 12 December 1995, RED/BLACK INSTALLATION GUIDANCE
–MIL-HDBK-232A, 24 October 2000, RED/BLACK ENGINEERING - INSTALLATION GUIDELINES
–NSTISSI No. 7003, 13 December 1996, Protective Distribution Systems
Red and Black circuits CANNOT be directly interconnected, as we do not know how to avoid covert channels in that circumstance; the only sanctioned crossing point is approved cryptographic equipment, which is designed and tested to be the Red/Black boundary.

ECE579S/8 #41 Summary
If you are involved with information assurance on government systems, you will be involved with many differing regulations and requirements
Engineering information systems that carry classified information must deal with Red/Black standards

ECE579S/8 #42 Student Research Presentations
