CSCE 548 Security Standards Awareness and Training.

1 CSCE 548 Security Standards Awareness and Training

2 Cyber Attacks
Take advantage of weaknesses in:
– Physical environment
– Computer system
– Software bugs
– Human practices
Need to identify, remove, and tolerate vulnerabilities
CSCE 548 - Farkas

3 Secure Programs
How do we keep programs free from flaws?
How do we protect computing resources against programs that contain flaws?

4 What is Secure?
Characteristics that contribute to security
– Who defines the characteristics?
Assessment of security
– What is the basis for the assessment?
IEEE Standard for Software Verification and Validation, 2005
– Bug, error, fault, …

5 Proof of Program Correctness
Correctness: a given program computes a particular result, computes it correctly, and does nothing beyond what it is supposed to do.
Program verification:
– Initial assertion about the inputs
– Checking whether the desired output is generated
– Problems: correctness depends on how the program statements are translated into logical implications; the method is difficult to use and not intuitive; it is less developed than code production

6 Standards of Program Development
Software development organizations: specified software development practices
Administrative control over:
– Design
– Documentation, language, coding style
– Programming
– Testing
– Configuration management

7 Process Management
Human aspects: difficult to judge in advance
How do we assure that software is built in an orderly manner and that it leads to a correct and secure product?
– Process models: examine how an organization does something

8 Reading
Reading for this lecture:
Carnegie Mellon, Software Engineering Institute (SEI): Capability Maturity Model Integration (CMMI®), http://www.sei.cmu.edu/cmmi/
US National Security Agency: System Security Engineering CMM (SSE-CMM), http://www.sse-cmm.org/index.html
Recommended:
DOD 8570.01-M, Information Assurance Workforce Improvement Program, http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
Certified Information Systems Security Professional (CISSP), http://www.isc2.org/cissp/default.aspx

9 National Training Standards
Committee on National Security Systems (CNSS) and the National Security Agency (NSA) → National Training Standards
– NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
– CNSSI-4012, National Information Assurance Training Standard for Senior Systems Managers (SSM)
– NSTISSI-4013, National Information Assurance Training Standard for System Administrators (SA)
– NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
– NSTISSI-4015, National Training Standard for Systems Certifiers (SC)
– CNSSI-4016, National Information Assurance Training Standard for Risk Analysts (RA)

10 National Standards and Certifications

11 NSTISSI-4011
National Training Standard for Information Systems Security (INFOSEC) Professionals
Provides the minimum course content for the training of information systems security (INFOSEC) professionals in the disciplines of telecommunications security and automated information systems (AIS) security.

12 NSTISSI-4011
National Security Telecommunications and Information Systems Security Directive No. 501 establishes the requirement for federal departments and agencies to implement training programs for INFOSEC professionals.
INFOSEC professionals: responsible for the security oversight or management of national security systems during phases of the life cycle

13 NSTISSI-4011
Training Standards: two levels
– “Awareness Level: Creates a sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information and the means of processing them; and builds a working knowledge of principles and practices in INFOSEC.”

14 Awareness-level Instructional Content
Behavioral Outcomes
Topical Content

15 Program of Instructions
a. COMMUNICATIONS BASICS (Awareness Level)
b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS (Awareness Level)
c. SECURITY BASICS (Awareness Level)
d. NSTISS BASICS (Awareness Level)
e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)
f. NSTISS PLANNING AND MANAGEMENT (Performance Level)
g. NSTISS POLICIES AND PROCEDURES (Performance Level)

16 Information Systems Security Model
Acknowledges information, not technology, as the basis for our security efforts
– The actual medium is transparent
– Eliminates unnecessary distinctions between Communications Security (COMSEC), Computer Security (COMPUSEC), Technical Security (TECHSEC), and other technology-defined security sciences
– Can model the security-relevant processes of information throughout an entire information system

17 Security Model
Characteristics: Confidentiality, Integrity, Availability
State: Transmission, Storage, Processing
Third Dimension: Technology; Policy; Education, training, awareness

18 Performance Level
Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices
Employees are able to apply security concepts while performing their tasks

19 Meeting National Standards at USC
Current certifications:
– NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
– NSTISSI-4013, National Information Assurance Training Standard for System Administrators (SA)
– NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
Courses to take:
– CSCE 522, CSCE 715, CSCE 727

20 GOVERNMENT AND INDUSTRY CERTIFICATIONS

21 Computer Security Certifications
International Information Systems Security Certification Consortium, (ISC)²
– CISSP: Certified Information Systems Security Professional
– ISSAP: Information Systems Security Architecture Professional
– ISSEP: Information Systems Security Engineering Professional
Computing Technology Industry Association (CompTIA)
– Security+ (2008): security topics, e.g., access control, cryptography, etc.
Information Systems Audit and Control Association (ISACA)
– CISA: Certified Information Systems Auditor
– CISM: Certified Information Security Manager

22 Certified Information Systems Security Professional (CISSP)
In June 2004, the CISSP program earned ANSI ISO/IEC Standard 17024:2003 accreditation
Formally approved by DoD in the Information Assurance Technical (IAT) and Managerial (IAM) categories
Has been adopted as a baseline for the U.S. National Security Agency's ISSEP program

23 CISSP – Common Body of Knowledge
Ten areas of interest (domains):
1. Access Control -- CSCE 522, 715
2. Application Security -- CSCE 522, 548
3. Business Continuity and Disaster Recovery Planning -- CSCE 522, 727
4. Cryptography -- CSCE 522, 557
5. Information Security and Risk Management -- CSCE 522, 548, 727
6. Legal, Regulations, Compliance and Investigations -- CSCE 517, 727
7. Operations Security -- CSCE 522, 548, 727
8. Physical (Environmental) Security -- CSCE 522, 727
9. Security Architecture and Design -- CSCE 522, 548, 715, 727
10. Telecommunications and Network Security -- CSCE 522, 715

24 Requirements
5 years of direct full-time security work experience in two or more of the ten (ISC)² information security domains
– Associate of (ISC)²: passing the CISSP examination but not having the experience
CISSP Code of Ethics
Criminal history and related background
Pass the CISSP exam with a scaled score of 700 points or greater
Have their qualifications endorsed by another (ISC)² certified professional in good standing

25 Validity of the Certification
3 years
Renewal:
– Retake the exam, or
– Report 120 Continuing Professional Education (CPE) credits

26 Criticisms of the CISSP
Lacking a business orientation
Inferiority to academic credentials

27 Specialized Concentrations
Information Systems Security Architecture Professional (ISSAP), Concentration in Architecture
Information Systems Security Engineering Professional (ISSEP), Concentration in Engineering
Information Systems Security Management Professional (ISSMP), Concentration in Management

28 Other (ISC)² Certifications
SSCP - Systems Security Certified Practitioner
CAP - Certification and Accreditation Professional
CSSLP - Certified Secure Software Lifecycle Professional

29 SECURITY ENGINEERING

30 Security Process Models
Capability Maturity Model (CMM): addresses organizations, not products
ISO 9001: similar to CMM
U.S. NSA: System Security Engineering CMM (SSE-CMM)

31 Capability Maturity Model
Service mark owned by Carnegie Mellon University (CMU) Software Engineering Institute
Development model, derived from data collected from organizations
Can be applied to the software development process of organizations, to improve the process

32 Capability Maturity Model Integration (CMMI)
Problem with CMM: difficult to apply multiple models that are not integrated
Extra cost

33 CMM Structure
Maturity Levels: a 5-level process maturity continuum
Key Process Areas: a cluster of related activities
Goals: summarize the states that must exist for that key process area to have been implemented in an effective and lasting way
Common Features
Key Practices

34 SSE-CMM
Aims to advance the security engineering discipline
Goals:
– Enable the selection of qualified security engineering providers
– Support informed investment in security engineering practices
– Provide capability-based assurance

35 Maturity Levels
Define an ordinal scale for measuring and evaluating process capability
Define incremental steps for improving process capability

36 Capability Levels
1. Initial: the starting point for use of a new process
2. Repeatable: Requirements management, Software project planning, Software project tracking and oversight, Software quality assurance, etc.
3. Defined: Organization process focus, Organization process definition, Training program, Integrated software management, Software product engineering, etc.
4. Managed: Quantitative process management, Software quality management
5. Optimizing: Defect prevention, Technology change management, Process change management

37 Maturity Levels
1. Informal: base practices, ad-hoc process, success depends on individual effort
2. Planned, tracked: plan, track and verify performance, disciplined performance
3. Well defined: define and perform standard process, coordinate practices
4. Quantitatively controlled: establish measurable quality goals, objectively manage performance
5. Continuously improving: improve organizational capability, improve process effectiveness

38 Security Engineering Process Areas
Administer System Security Controls
Assess Operational Security Risk
Attack Security
Build Assurance Argument
Coordinate Security
Determine Security Vulnerabilities
Monitor System Security Posture
Provide Security Input
Specify Security Needs
Verify and Validate Security

39 Evaluation
Phases:
– Planning phase: scope and plan
– Preparation phase: prepare evaluation team and questionnaire, collect evidence, analyze results
– On-site phase: interview, establish findings, rating, report
– Post-evaluation phase: report findings and needs for improvement, manage results
Use of evaluation:
– Organizations to hire developers

40 Problems with SSE-CMM
Does not guarantee good results
Need to ensure uniform evaluation
Need good understanding of the model and its use
Does not eliminate the need for testing and evaluation
No guarantee of assurance

41 NATIONAL SECURITY

42 National Security and IW
U.S. agencies responsible for national security: large, complex information infrastructure
Defense information infrastructure supports:
– Critical war-fighting functions
– Peacetime defense planning
– Information for logistical support
– Defense support organizations
Need proper functioning of information infrastructure
“Digitized Battlefield”

43 National Security and IW
Increased reliance on information infrastructure
– Information Dominance
– Unmanned weapons
– Communication infrastructure
– Vital human services (e.g., transportation, law enforcement, emergency, etc.)
Heavily connected to commercial infrastructure
– 95% of DOD’s unclassified communication via public network
No boundaries, cost effectiveness, ambiguous

44 Strategic Warfare (SW)
Cold War: “single class of weapons delivered at a specific range” (Rattray)
– E.g., use of nuclear weapons with intercontinental range
Current: “variety of means … can create ‘strategic’ effects, independent of considerations of distance and range.”
Center of gravity:
– Those characteristics, capabilities, or sources of power from which a military force derives its freedom of action, physical strength, or will to fight (DOD)

45 Strategic Information Warfare (SIW)
“…means for state and non-state actors to achieve objectives through digital attacks on an adversary’s center of gravity.” (Rattray)

46 Strategic Warfare vs. SIW
Similar challenges
Historical observation: centers of gravity are difficult to damage because of
– Resistance
– Adaptation

47 Dimensions of Strategic Analysis
Threads:
– Need to relate means to ends
– Interacting with an opponent capable of independent action
Distinction between:
– “Grand Strategy”: achievement of the political object of the war (includes economic strength and manpower, financial pressure, etc.)
– “Military Strategy”: gain the object of the war (via battles as means)

48 Necessary conditions for SW
Offensive freedom of action
Significant vulnerability to attack
Prospects for effective retaliation and escalation are minimized
Vulnerabilities can be identified, targeted, and damage can be assessed

49 SIW
Growing reliance → new target of concern
Commercial networks for crucial functions
Rapid change
Widely available tools
Significant uncertainties
– Determining political consequences
– Predicting damage, including cascading effects
