CSCE 548 Security Standards Awareness and Training.

Post on 13-Jan-2016


CSCE 548

Security Standards Awareness and Training

CSCE 548 - Farkas 2

Cyber Attacks

Takes advantage of weakness in
– Physical environment
– Computer system
– Software bugs
– Human practices

Need to identify, remove, and tolerate vulnerabilities

Secure Programs

How do we keep programs free from flaws?

How do we protect computing resources against programs that contain flaws?


What is Secure?

Characteristics that contribute to security
– Who defines the characteristics?

Assessment of security
– What is the basis for the assessment?

IEEE Standard for Software Verification and Validation, 2005
– Bug, error, fault, …


Proof of Program Correctness

Correctness: a given program computes a particular result, computes it correctly, and does nothing beyond what it is supposed to do.

Program verification:
– Initial assertion about the inputs
– Checking if the desired output is generated
– Problems: correctness depends on how the program statements are translated into logical implications, difficult to use and not intuitive, less developed than code production


Standards of Program Development

Software development organizations: specified software development practices

Administrative control over:
– Design
– Documentation, language, coding style
– Programming
– Testing
– Configuration management


Process Management

Human aspects: difficult to judge in advance

How to assure that software is built in an orderly manner and that it leads to a correct and secure product?
– Process models: examine how an organization does something


Reading

Reading for this lecture:

Carnegie Mellon, Software Engineering Institute (SEI): Capability Maturity Model Integration (CMMI®), http://www.sei.cmu.edu/cmmi/

US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html

Recommended: DOD 8570.01-M, Information Assurance Workforce Improvement Program, http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

Certified Information Systems Security Professional (CISSP), http://www.isc2.org/cissp/default.aspx


National Training Standards

Committee on National Security Systems (CNSS) and the National Security Agency (NSA) National Training Standards
– NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals

– CNSSI-4012, National Information Assurance Training Standard for Senior Systems Managers (SSM)

– NSTISSI-4013, National Information Assurance Training Standard For System Administrators (SA)

– NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)

– NSTISSI-4015, National Training Standard for Systems Certifiers (SC)

– CNSSI-4016, National Information Assurance Training Standard For Risk Analysts (RA)

National Standards and Certifications


NSTISSI-4011

National Training Standard for Information Systems Security (INFOSEC) Professionals

Provides the minimum course content for the training of information systems security (INFOSEC) professionals in the disciplines of telecommunications security and automated information systems (AIS) security.


NSTISSI-4011

National Security Telecommunications and Information Systems Security Directive No. 501 establishes the requirement for federal departments and agencies to implement training programs for INFOSEC professionals.

INFOSEC professionals: responsible for the security oversight or management of national security systems during phases of the life cycle


NSTISSI-4011

Training Standards: two levels
– “Awareness Level: Creates a sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information and the means of processing them; and builds a working knowledge of principles and practices in INFOSEC.”


Awareness-level

Table columns: Instructional Content, Behavioral Outcomes, Topical Content


Program of Instructions

a. COMMUNICATIONS BASICS (Awareness Level)
b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS (Awareness Level)
c. SECURITY BASICS (Awareness Level)
d. NSTISS BASICS (Awareness Level)
e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)
f. NSTISS PLANNING AND MANAGEMENT (Performance Level)
g. NSTISS POLICIES AND PROCEDURES (Performance Level)


Information Systems Security Model

Acknowledges information, not technology, as the basis for our security efforts
– The actual medium is transparent
– Eliminates unnecessary distinctions between Communications Security (COMSEC), Computer Security (COMPUSEC), Technical Security (TECHSEC), and other technology-defined security sciences
– Can model the security relevant processes of information throughout an entire information system


Security Model

Figure: three-dimensional security model
– Characteristics: Confidentiality, Integrity, Availability
– State: Transmission, Storage, Processing
– Third Dimension: Technology, Policy, Education, training, awareness


Performance Level

Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices

Employees are able to apply security concepts while performing their tasks

Meeting National Standards at USC

Current certifications:
– NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals

– NSTISSI-4013, National Information Assurance Training Standard For System Administrators (SA)

– NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)

Courses to take:
– CSCE 522, CSCE 715, CSCE 727


GOVERNMENT AND INDUSTRY CERTIFICATIONS


Computer Security Certifications

International Information Systems Security Certification Consortium, (ISC)2

– CISSP: Certified Information Systems Security Professional
– ISSAP: Information Systems Security Architecture Professional
– ISSEP: Information Systems Security Engineering Professional

Computing Technology Industry Association (CompTIA)
– Security+ (2008): security topics, e.g., access control, cryptography, etc.

Information Systems Audit and Control Association (ISACA)
– CISA: Certified Information Systems Auditor
– CISM: Certified Information Security Manager


Certified Information Systems Security Professional (CISSP)

In June 2004, the CISSP program earned the ANSI ISO/IEC Standard 17024:2003 accreditation

Formally approved by DoD in the Information Assurance Technical (IAT) and Managerial (IAM) categories

Has been adopted as a baseline for the U.S. National Security Agency's ISSEP program


CISSP – Common Body of Knowledge

Ten areas of interest (domains):
1. Access Control -- CSCE 522, 715
2. Application Security -- CSCE 522, 548
3. Business Continuity and Disaster Recovery Planning -- CSCE 522, 727
4. Cryptography -- CSCE 522, 557
5. Information Security and Risk Management -- CSCE 522, 548, 727
6. Legal, Regulations, Compliance and Investigations -- CSCE 517, 727
7. Operations Security -- CSCE 522, 548, 727
8. Physical (Environmental) Security -- CSCE 522, 727
9. Security Architecture and Design -- CSCE 522, 548, 715, 727
10. Telecommunications and Network Security -- CSCE 522, 715

Requirements

5 years of direct full-time security work experience in two or more of the ten (ISC)² information security domains
– Associate of (ISC)²: passing the CISSP examination but not having the experience

CISSP Code of Ethics

Criminal history and related background

Pass the CISSP exam with a scaled score of 700 points or greater

Have their qualifications endorsed by another (ISC)² certified professional in good standing


Validity of the Certification

3 years

Renewal:
– Retake the exam or
– Report 120 Continuing Professional Education (CPE) credits


Criticisms of the CISSP

Lacking a business orientation

Inferiority to academic credentials


Specialized Concentrations

Information Systems Security Architecture Professional (ISSAP), Concentration in Architecture

Information Systems Security Engineering Professional (ISSEP), Concentration in Engineering

Information Systems Security Management Professional (ISSMP), Concentration in Management


Other (ISC)2 Certifications

SSCP - Systems Security Certified Practitioner

CAP - Certification and Accreditation Professional

CSSLP - Certified Secure Software Lifecycle Professional

SECURITY ENGINEERING


Security Process Models

Capability Maturity Model (CMM): addresses organizations, not products

ISO 9001: similar to CMM

U.S. NSA: System Security Engineering CMM (SSE-CMM)


Capability Maturity Model

Service mark owned by Carnegie Mellon University (CMU) Software Engineering Institute

Development model, derived from data collected from organizations

Can be applied to the software development process of organizations, to improve the process


Capability Maturity Model Integration (CMMI)

Problem with CMM: difficult to apply multiple models that are not integrated

Extra cost


CMM Structure

Maturity Levels: a 5-Level process maturity continuum

Key Process Areas: a cluster of related activities

Goals: summarize the states that must exist for that key process area to have been implemented in an effective and lasting way

Common Features

Key Practices


SSE-CMM

Aims to advance the Security Engineering discipline

Goals:
– Enable the selection of qualified security engineering providers
– Support informed investment in security engineering practices
– Provide capability-based assurance


Maturity Levels

Define ordinal scale for measuring and evaluating process capability

Define incremental steps for improving process capability


Capability Levels

1. Initial: the starting point for use of a new process

2. Repeatable: Requirements management, Software project planning, Software project tracking and oversight, Software quality assurance, etc.

3. Defined: Organization process focus, Organization process definition, Training program, Integrated software management, Software product engineering, etc.

4. Managed: Quantitative process management, Software quality management

5. Optimizing: Defect prevention, Technology change management, Process change management


Maturity Levels

1. Informal: base practices, ad-hoc process, success depends on individual effort

2. Planned, tracked: plan, track and verify performance, disciplined performance

3. Well defined: define and perform standard process, coordinate practices

4. Quantitatively controlled: establish measurable quality goals, objectively manage performance

5. Continuously improving: improve organizational capability, improve process effectiveness


Security Engineering Process Areas

Administer System Security Controls
Assess Operational Security Risk
Attack Security
Build Assurance Argument
Coordinate Security
Determine Security Vulnerabilities
Monitor System Security Posture
Provide Security Input
Specify Security Needs
Verify and Validate Security


Evaluation

Phases:
– Planning Phase: scope and plan
– Preparation Phase: prepare evaluation team, questionnaire, collect evidence, analyze results
– On-site phase: interview, establish findings, rating, report
– Post-evaluation phase: report findings, needs for improvement, manage results

Use of evaluation:
– Organizations to hire developers


Problems with SSE-CMM

Does not guarantee good results

Need to ensure uniform evaluation

Need good understanding of model and its use

Does not eliminate the need for testing and evaluation

No guarantee of assurance


NATIONAL SECURITY


National Security and IW

U.S. agencies responsible for national security: large, complex information infrastructure

Defense information infrastructure supports:
– Critical war-fighting functions
– Peacetime defense planning
– Information for logistical support
– Defense support organizations

Need proper functioning of information infrastructure

“Digitized Battlefield”


National Security and IW

Increased reliance on information infrastructure
– Information Dominance
– Unmanned weapons
– Communication infrastructure
– Vital human services (e.g., transportation, law enforcement, emergency, etc.)

Heavily connected to commercial infrastructure

– 95% of DOD’s unclassified communication via public network

No boundaries, cost effectiveness, ambiguous


Strategic Warfare (SW)

Cold War: “single class of weapons delivered at a specific range” (Rattray)
– E.g., use of nuclear weapons with intercontinental range

Current: “variety of means … can create “strategic” effects, independent of considerations of distance and range.”

Center of gravity:
– Those characteristics, capabilities, or sources of power from which a military force derives its freedom of action, physical strength, or will to fight (DOD)


Strategic Information Warfare (SIW)

“…means for state and non-state actors to achieve objectives through digital attacks on an adversary’s center of gravity.” (Rattray)


Strategic Warfare vs. SIW

Similar challenges

Historical observation: centers of gravity are difficult to damage because of
– Resistance
– Adaptation


Dimensions of Strategic Analysis

Threads:
– Need to relate means to ends
– Interacting with opponent capable of independent action

Distinction between:
– “Grand Strategy”: achievement of political object of the war (includes economic strength and man power, financial pressure, etc.)
– “Military Strategy”: gain object of war (via battles as means)


Necessary conditions for SW

Offensive freedom of action

Significant vulnerability to attack

Prospects for effective retaliation and escalation are minimized

Vulnerabilities can be identified, targeted, and damage can be assessed


SIW

Growing reliance: new target of concern

Commercial networks for crucial functions

Rapid change

Widely available tools

Significant uncertainties
– Determining political consequences
– Predicting damage, including cascading effects