A Comprehensive Framework for Information Assurance
Abe Usher, CISSP
Agenda
Introduction
Information Assurance defined
What you need to know
A comprehensive (lightweight) framework
Demonstrations
IATAC resources
Questions
Introduction: whoami
Deputy Director of the Information Assurance Technology Analysis Center (IATAC)
Certified Information Systems Security Professional (CISSP)
M.S. in Information Systems
Creator of the INFOSEC Zeitgeist
Former infantry officer
Geek
Introduction: purpose
To provide an information briefing on a simple, yet comprehensive framework for thinking about Information Assurance (IA) issues
IA defined: old perspective
Information Security:
“Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.[1]”
John McCumber, 1991
IA defined: contemporary perspective
Information Assurance:
“Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.[2]”
– Confidentiality: assurance that information is not disclosed to unauthorized individuals, processes, or devices.
– Integrity: quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
– Availability: timely, reliable access to data and information services for authorized users.
NSTISSI No. 4009, "National IA Glossary," May 2003
What you “need to know”
Technologist perspective:
– TCP/IP stack details
– Firewalls
– Intrusion detection
– Anti-virus
– INFOSEC Research Council hard problems list
Policy perspective:
– DoD 8500 series documents
– DoD 5200 series documents
– DoD 8100 series documents
– NIST 800 series documents
– National Strategy to Secure Cyberspace
– DoD IA Strategy
– DITSCAP / NIACAP
Operator perspective:
– IS Alliance: Common Sense Guide for Home and Individual Users
– IS Alliance: Common Sense Guide for Senior Managers
Common criteria
What you “need to know”
Do we lose the forest while looking at the trees?
Thoughts on classification
“The beginning of all understanding is classification.”
Hayden White
A comprehensive, yet “lightweight” framework
Thoughts on classification
“Classification is, in fact, a general method used by us all for dealing with information… So by classification we can organize our knowledge of the [plant kingdom] into a system which stores and summarizes our information for us in a convenient manner…
Clearly, some systems by which we can organize this knowledge, make generalizations and predictions, and simply reduce the sheer bulk of data with which we have to deal, is not only desirable but essential.”
Charles Jeffrey, An Introduction to Plant Taxonomy
A comprehensive, yet lightweight framework [slides 13–16: framework diagram only, not reproduced in the transcript]
Case study: confidentiality of information in transmission
Alice views an information resource belonging to Bob using a plain text protocol
Information state: transmission
Security service: confidentiality
Security countermeasure: encryption [3], secure transmission medium, frequency hopping, obscure system interface, access controls
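The case study above classifies a scenario along the axes the deck uses: the information state the data is in, the security service at risk, and the countermeasures that address it. The following Python module is an added example (not code from the slides or from IATAC) that models that classification as a grid of information states (storage, processing, transmission, as in the McCumber definition quoted earlier) by security services (confidentiality, integrity, availability) and enters the deck's two case studies as data. The useful part is the gap analysis: it reports which cells of the grid have no countermeasure assigned yet, which is the "forest" view the deck argues for. The `CaseStudy` structure and function names are assumptions of this example.

```python
"""Added example (not from the slides): a small model of the three-axis
classification the deck uses in its case studies, with a gap analysis
over the state x service grid.  Axis labels follow the deck; the
CaseStudy structure and function names are this example's own."""
from dataclasses import dataclass
from itertools import product

STATES = ("storage", "processing", "transmission")
SERVICES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class CaseStudy:
    name: str
    states: tuple           # information states involved
    service: str            # security service at risk
    countermeasures: tuple  # candidate countermeasures listed on the slide


# The two case studies as stated on the slides (countermeasure lists verbatim).
CASE_STUDIES = (
    CaseStudy(
        "confidentiality of information in transmission",
        ("transmission",), "confidentiality",
        ("encryption", "secure transmission medium", "frequency hopping",
         "obscure system interface", "access controls"),
    ),
    CaseStudy(
        "availability of net based resources",
        ("storage", "transmission"), "availability",
        ("traffic filtering/blocking", "rate limiting", "functional redundancy",
         "data redundancy", "load balancing", "acceptable use policy",
         "business continuity of operations plan"),
    ),
)


def validate(case):
    """Reject a case study that names a state or service outside the framework."""
    bad_states = [s for s in case.states if s not in STATES]
    if bad_states or case.service not in SERVICES:
        raise ValueError(f"{case.name}: unknown state/service "
                         f"{bad_states or case.service}")
    return True


def coverage(cases=CASE_STUDIES):
    """Map every (state, service) cell to the countermeasures the cases assign it."""
    grid = {cell: [] for cell in product(STATES, SERVICES)}
    for case in cases:
        validate(case)
        for state in case.states:
            grid[(state, case.service)].extend(case.countermeasures)
    return grid


def uncovered_cells(cases=CASE_STUDIES):
    """Cells of the grid with no countermeasure yet: what still needs thought."""
    return sorted(cell for cell, cms in coverage(cases).items() if not cms)


def countermeasures_for(state, service, cases=CASE_STUDIES):
    """Countermeasures the entered case studies assign to one cell of the grid."""
    return coverage(cases)[(state, service)]


if __name__ == "__main__":
    for cell in uncovered_cells():
        print("no countermeasure assigned:", cell)
    print(countermeasures_for("transmission", "confidentiality"))
```

With only the deck's two case studies entered, six of the nine cells (for example processing/integrity) report no countermeasure, which is exactly the kind of blind spot the classification is meant to expose; adding further case studies fills the grid in.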
Case study: confidentiality of information in transmission [slide 18: diagram only, not reproduced in the transcript]
Interactive Web-based version
Case study: availability of net based resources
Bob wants to view a Web resource belonging to Alice
Information state: storage, transmission
Security service: availability
Security countermeasure: traffic filtering/blocking [4], rate limiting, functional redundancy, data redundancy, load balancing, acceptable use policy, business continuity of operations plan
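Two of the countermeasures listed for this case study, traffic filtering/blocking and rate limiting, are simple enough to show end to end. The Python below is an added example (not code from the slides or from the Linux Planet tutorial cited as [4]) that runs both over a constructed request log: requests from a blocked network are dropped outright, and every other source address gets a per-address token bucket so that a burst from one client cannot consume the resource Bob wants to reach. The log format, the addresses (documentation ranges), the bucket size and the refill rate are assumptions chosen for the illustration.

```python
"""Added example (not from the slides): 'traffic filtering/blocking' and
'rate limiting' from the availability case study, applied to constructed
request log lines.  Log format, addresses, burst size and refill rate are
assumptions for the illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "<seconds> <client-ip> <request-line>", not real traffic.
SAMPLE_LOG = """\
0.0 203.0.113.7 GET /index.html
0.1 203.0.113.7 GET /index.html
0.2 203.0.113.7 GET /index.html
0.3 203.0.113.7 GET /index.html
0.4 203.0.113.7 GET /index.html
0.5 203.0.113.7 GET /index.html
0.6 198.51.100.20 GET /report.pdf
1.0 192.0.2.9 GET /index.html
5.0 203.0.113.7 GET /about.html
"""

LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<req>.+)$")


class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, refilled at
    `rate` tokens per second; a request is allowed only if a token is left."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now):
        elapsed = max(0.0, now - self.last)  # ignore out-of-order timestamps
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AvailabilityGuard:
    """Filter by source network first, then rate-limit per source address."""

    def __init__(self, blocked_networks, burst=3, rate=1.0):
        self.blocked = [ipaddress.ip_network(n) for n in blocked_networks]
        self.buckets = defaultdict(lambda: TokenBucket(burst, rate))

    def decide(self, now, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked):
            return "blocked"  # traffic filtering by address
        return "allowed" if self.buckets[ip].allow(now) else "rate-limited"

    def process(self, log_text):
        """Run every parsable log line through decide() and count outcomes."""
        counts = defaultdict(int)
        for line in log_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue  # a malformed line must not take the guard down
            counts[self.decide(float(m["t"]), m["ip"])] += 1
        return dict(counts)


if __name__ == "__main__":
    guard = AvailabilityGuard(blocked_networks=["192.0.2.0/24"])
    print(guard.process(SAMPLE_LOG))  # {'allowed': 5, 'rate-limited': 3, 'blocked': 1}
```

With a burst of three and a refill of one token per second, the first three requests from 203.0.113.7 are served, the next three inside the same half-second are rate-limited, and the request at five seconds is served again once the bucket has refilled; the single request from the blocked network never reaches the bucket. Keying buckets by source address is the weak point of this approach (a flood spread across many sources is not limited), which is why the slide also lists redundancy and load balancing as countermeasures.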
Case study: availability of net based resources [slide 21: diagram only, not reproduced in the transcript]
A comprehensive, yet lightweight framework [slide 22: framework diagram only, not reproduced in the transcript]
IATAC Resources
IAnewsletter
IA Digest
Technical inquiries
Technical repository
On the Web at:
– http://iac.dtic.mil/iatac
– https://iatac.dtic.smil.mil
Questions
Backup slides
References
[1] McCumber, John. "Information Systems Security: A Comprehensive Model". Proceedings of the 14th National Computer Security Conference. National Institute of Standards and Technology. Baltimore, MD. October 1991.
[2] NSTISSI No. 4009, "National INFOSEC Glossary," January 1999.
[3] OpenSSH protocol. Designed through the OpenBSD project at http://www.openbsd.org/. Latest release September 2003.
[4] Linux Planet. "Traffic Filtering by IP Address". http://www.linuxplanet.com/linuxplanet/tutorials/1527/5/. February 2000.
[5] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A Model for Information Assurance: An Integrated Approach". Proceedings of the 2001 IEEE Workshop on Information Assurance and Security. U.S. Military Academy. West Point, NY. June 2001.
Information Security Zeitgeist
Provides a graphical depiction of the emergence and disappearance of hot topics in information security over time
Inspired by the Google Zeitgeist report
On the Web:
http://www.sharp-ideas.net/research/infosec_zeitgeist.html
http://www.google.com/press/zeitgeist.html
Information Security Zeitgeist [slides 28–29: charts only, not reproduced in the transcript]