
A Comprehensive Framework for Information Assurance. Abe Usher, CISSP.


Slide 1: A Comprehensive Framework for Information Assurance (Abe Usher, CISSP)

Slide 2: Agenda
• Introduction
• Information Assurance defined
• What you need to know
• A comprehensive (lightweight) framework
• Demonstrations
• IATAC resources
• Questions

Slide 3: Introduction: whoami
• Deputy Director of the Information Assurance Technology Analysis Center (IATAC)
• Certified Information Systems Security Professional (CISSP)
• M.S. in Information Systems
• Creator of the INFOSEC Zeitgeist
• Former infantry officer
• Geek

Slide 4: Introduction: purpose
• To provide an information briefing on a simple, yet comprehensive framework for thinking about Information Assurance (IA) issues

Slide 5: IA defined: old perspective
• Information Security:
  “Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.” [1]
  John McCumber, 1991

Slide 6: IA defined: contemporary perspective
• Information Assurance:
  “Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.” [2]
• confidentiality: assurance that information is not disclosed to unauthorized individuals, processes, or devices.
• integrity: quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
• availability: timely, reliable access to data and information services for authorized users.
  Source: NSTISSI No. 4009, "National IA Glossary," May 2003

Slide 7: What you “need to know”
• Technologist perspective:
  – TCP/IP stack details
  – Firewalls
  – Intrusion detection
  – Anti-virus
  – INFOSEC Research Council hard problems list
• Policy perspective:
  – DoD 8500 series documents
  – DoD 5200 series documents
  – DoD 8100 series documents
  – NIST 800 series documents
  – National Strategy to Secure Cyberspace
  – DoD IA Strategy
  – DITSCAP / NIACAP
• Operator perspective:
  – IS Alliance: Common Sense Guide for Home and Individual Users
  – IS Alliance: Common Sense Guide for Senior Managers

Slide 8: Common criteria

Slide 9: What you “need to know”
• Do we lose the forest while looking at the trees?

Slide 10: Thoughts on classification
• “The beginning of all understanding is classification.” Hayden White

Slide 11: A comprehensive, yet “lightweight” framework

Slide 12: Thoughts on classification
• “Classification is, in fact, a general method used by us all for dealing with information… So by classification we can organize our knowledge of the [plant kingdom] into a system which stores and summarizes our information for us in a convenient manner… Clearly, some systems by which we can organize this knowledge, make generalizations and predictions, and simply reduce the sheer bulk of data with which we have to deal, is not only desirable but essential.”
  Charles Jefferies, An Introduction to Plant Taxonomy

Slide 13: A comprehensive, yet lightweight framework

Slide 14: A comprehensive, yet lightweight framework

Slide 15: A comprehensive, yet lightweight framework

Slide 16: A comprehensive, yet lightweight framework

Slide 17: Case study: confidentiality of information in transmission
• Alice views an information resource belonging to Bob using a plain text protocol
• Information state: transmission
• Security service: confidentiality
• Security countermeasure: encryption [3], secure transmission medium, frequency hopping, obscure system interface, access controls

Slide 18: Case study: confidentiality of information in transmission

Slide 19: Interactive Web based version

Slide 20: Case study: availability of net based resources
• Bob wants to view a Web resource belonging to Alice
• Information state: storage, transmission
• Security service: availability
• Security countermeasure: traffic filtering/blocking [4], rate limiting, functional redundancy, data redundancy, load balancing, acceptable use policy, business continuity of operations plan

Slide 21: Case study: availability of net based resources
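Both case studies classify a scenario along the framework's dimensions: information state, security service, and the countermeasures applied. The following added example (not from the presentation) models that cube in Python, loads the two case studies, and reports which cells remain unaddressed; the assignment of each countermeasure to one of slide 7's three perspectives is this example's own assumption.

```python
# Coverage check for the framework the slides outline: information state x
# security service x countermeasure (McCumber model, ref [1]). Added example,
# not part of the presentation; the scenarios are built from the two case-study
# slides, and the perspective labelling of countermeasures is this example's own.
from itertools import product

STATES = ("storage", "processing", "transmission")
SERVICES = ("confidentiality", "integrity", "availability")
PERSPECTIVES = ("technologist", "policy", "operator")  # slide 7's three views

# Assumed classification of each countermeasure by perspective.
PERSPECTIVE_OF = {
    "encryption": "technologist", "secure transmission medium": "technologist",
    "access controls": "technologist", "traffic filtering": "technologist",
    "rate limiting": "technologist", "load balancing": "technologist",
    "acceptable use policy": "policy", "business continuity plan": "policy",
}

CASE_STUDIES = [  # each scenario classified along the framework's dimensions
    {"name": "Alice views Bob's resource over a plaintext protocol",
     "states": {"transmission"}, "service": "confidentiality",
     "countermeasures": {"encryption", "secure transmission medium", "access controls"}},
    {"name": "Bob views Alice's Web resource",
     "states": {"storage", "transmission"}, "service": "availability",
     "countermeasures": {"traffic filtering", "rate limiting", "load balancing",
                         "acceptable use policy", "business continuity plan"}},
]

def build_cube(cases):
    """Map every (state, service) cell to the set of countermeasures covering it."""
    cube = {cell: set() for cell in product(STATES, SERVICES)}
    for case in cases:
        for state in case["states"]:
            cube[(state, case["service"])] |= case["countermeasures"]
    return cube

def uncovered_cells(cube):
    """Cells no case study addresses at all: the framework's blind spots."""
    return sorted(cell for cell, cms in cube.items() if not cms)

def missing_perspectives(cube):
    """For each covered cell, the perspectives contributing no countermeasure."""
    return {cell: [p for p in PERSPECTIVES if p not in {PERSPECTIVE_OF[c] for c in cms}]
            for cell, cms in cube.items() if cms}

if __name__ == "__main__":
    cube = build_cube(CASE_STUDIES)
    for state, service in uncovered_cells(cube):
        print(f"gap: {service} of information in {state}")
    for (state, service), missing in missing_perspectives(cube).items():
        print(f"{state}/{service} lacks {', '.join(missing) or 'nothing'}")
```

Running it shows that the two case studies cover only three of the nine state/service cells, and that neither brings an operator-perspective countermeasure to the cells it does cover.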

Slide 22: A comprehensive, yet lightweight framework

Slide 23: IATAC Resources
• IAnewsletter
• IA Digest
• Technical inquiries
• Technical repository
• On the Web at:
  – http://iac.dtic.mil/iatac
  – https://iatac.dtic.smil.mil

Slide 24: Questions

Slide 25: Backup slides

Slide 26: References
[1] McCumber, John. "Information Systems Security: A Comprehensive Model". Proceedings 14th National Computer Security Conference. National Institute of Standards and Technology. Baltimore, MD. October 1991.
[2] NSTISSI No. 4009, "National INFOSEC Glossary," January 1999.
[3] OpenSSH protocol. Designed through the OpenBSD project at http://www.openbsd.org/. Latest release September 2003.
[4] Linux Planet. Traffic filtering by IP Address. http://www.linuxplanet.com/linuxplanet/tutorials/1527/5/. February 2000.
[5] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A Model for Information Assurance: An Integrated Approach". Proceedings of the 2001 IEEE Workshop on Information Assurance and Security. U.S. Military Academy. West Point, NY. June 2001.

Slide 27: Information Security Zeitgeist
• Provides a graphical depiction of the emergence and disappearance of hot topics in information security over time
• Inspired by the Google Zeitgeist report
• On the Web:
  – http://www.sharp-ideas.net/research/infosec_zeitgeist.html
  – http://www.google.com/press/zeitgeist.html

Slide 28: Information Security Zeitgeist

Slide 29: Information Security Zeitgeist

