ECE579S/8 #1 Spring 2011 © 2000-2011, Richard A. Stanley ECE579S Computer and Network Security 8:...
ECE579S/8 #1 Spring 2011© 2000-2011, Richard A. Stanley
ECE579SComputer and Network Security
8: Certification & Accreditation; Red/Black
Professor Richard A. Stanley, P.E.
Last time… SSL/TLS Summary
• SSL/TLS provides secure transport-layer communications for applications running over TCP/IP networks
• SSL was developed by Netscape; its standardized successor TLS is now ubiquitous in browsers, mail clients and other software
• The key element of SSL/TLS is the handshake protocol, which authenticates the server (and optionally the client) and negotiates the session keys
Formal Evaluation Summary
• Formal security evaluation techniques are academically interesting, but have until recently failed to provide significant practical improvement in fielded systems security
• Emphasis is shifting to new evaluation schemes and empirical, policy-based security evaluation for trusted systems
• Both approaches offer opportunities for exploitation by malefactors and for real improvement in systems security
IDS Summary
• IDSs can be useful in monitoring networks for intrusions and policy violations
• Up-to-date attack signatures and policy implementations are essential
• Many types of IDS are available, at least one as freeware
• Serious potential legal implications
• Automated responses are to be avoided
Cyber Threat: Real & Damaging…
• Undermining both our national security and our economic leadership in the world marketplace
– Threat started as nuisance activities by isolated bad actors
– Threat is now coming from nation states, commercial espionage, terrorist organizations, organized crime groups, and ‘for-hire’ cyber organizations—it’s a business—and often in concert
– Our intellectual property is the target
• F-22
• Oil exploration
• Google
• The extent of the damage is only beginning to be publicly acknowledged; >$1T and years and years of technology leadership
Advanced Persistent Threats: Exploitation Life Cycle
• Step 1 - Reconnaissance
• Step 2 - Initial Intrusion into the Network
• Step 3 - Establish a Backdoor into the Network
• Step 4 - Obtain User Credentials
• Step 5 - Install Various Utilities
• Step 6 - Privilege Escalation / Lateral Movement / Data Exfiltration
• Step 7 - Maintain Persistence
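Steps 4 and 6 above (credential theft followed by lateral movement) leave a trail in authentication logs. As an added example that is not part of the original slides, here is a small detector in Python that flags an account authenticating to more distinct hosts than normal inside a short window; the log format, host names, the `svc_backup` account and the thresholds are all constructed for illustration.

```python
"""Added example, not from the original slides: a minimal lateral-movement
detector for the "obtain credentials -> lateral movement" steps of the APT
life cycle.  Log format, host names, accounts and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
SAMPLE_LOG = """\
2011-03-01T09:00:01 login user=jsmith src=ws-101 dst=ws-101 result=success
2011-03-01T09:05:12 login user=jsmith src=ws-101 dst=fileserv result=success
2011-03-01T22:10:03 login user=svc_backup src=ws-044 dst=ws-045 result=success
2011-03-01T22:10:09 login user=svc_backup src=ws-044 dst=ws-046 result=success
2011-03-01T22:10:15 login user=svc_backup src=ws-044 dst=ws-047 result=success
2011-03-01T22:10:21 login user=svc_backup src=ws-044 dst=dc01 result=success
2011-03-01T22:10:27 login user=svc_backup src=ws-044 dst=fileserv result=failure
2011-03-01T22:10:33 login user=svc_backup src=ws-044 dst=mail01 result=success
2011-03-02T08:30:00 login user=jsmith src=ws-101 dst=mail01 result=success
"""


def parse_line(line):
    """Parse one '<timestamp> login k=v k=v ...' line into a dict, or None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
           "event": parts[1]}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_lateral_movement(log_text, window=timedelta(minutes=10), max_hosts=3):
    """Return {user: sorted distinct destination hosts} for each account that
    authenticated to more than `max_hosts` distinct hosts within any span of
    length `window`.  Failed attempts count too: an intruder trying stolen
    credentials against hosts not yet compromised produces them."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "login" and "user" in rec and "dst" in rec:
            by_user[rec["user"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological; sliding window anchored at each event
        for i, (start, first_dst) in enumerate(events):
            hosts = {first_dst}
            for ts, dst in events[i + 1:]:
                if ts - start > window:
                    break
                hosts.add(dst)
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for user, hosts in find_lateral_movement(SAMPLE_LOG).items():
        print(f"possible lateral movement by {user}: {', '.join(hosts)}")
```

The interactive user `jsmith` touches two hosts in ten minutes and is ignored; `svc_backup` fans out to six hosts in thirty seconds, including a failed attempt, and is flagged. In a real deployment the threshold would be learned per account from its own history rather than fixed, and service accounts that legitimately touch many hosts would need an allow-list.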
Vulnerability – External and Internal Vulnerabilities at all layers
– Internet connections
– Email
– Software (malware, botnets)
– Hardware
– Firmware
– Web pages/banners/pop-ups
– Databases (SQL injection)
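The SQL injection item in the list above, shown as an added example that is not from the original slides: the same lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table (the `users` schema, its rows and the attacker string are invented for illustration).

```python
"""Added example, not from the original slides: the 'Databases (SQL injection)'
entry shown as a vulnerable lookup beside its hardened form.  The users table,
its rows and the attacker string are constructed; sqlite3 keeps it offline."""
import sqlite3


def build_db():
    """Create an in-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, clearance TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "SECRET"),
        ("bob", "CONFIDENTIAL"),
        ("carol", "TOP SECRET"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """VULNERABLE: the caller's string is spliced into the SQL text, so a quote
    in `name` ends the literal and the remainder is parsed as SQL."""
    sql = "SELECT name, clearance FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """HARDENED: `name` is bound as a parameter; the driver hands it to the
    engine as data, so it can never change the statement's structure."""
    sql = "SELECT name, clearance FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: WHERE name = 'x' OR '1'='1'  -> every row matches.
INJECTION = "x' OR '1'='1"


def demo():
    """Run both lookups with a normal name and with the payload."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_attack": lookup_vulnerable(conn, INJECTION),
        "hardened_normal": lookup_hardened(conn, "alice"),
        "hardened_attack": lookup_hardened(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the concatenated query returns every row (including clearances the caller was never meant to see), while the parameterized query returns nothing because no user is literally named `x' OR '1'='1`. Binding parameters defeats every injection shape, not just this tautology, because the value is never interpreted as SQL; pair it with a least-privilege database account so that any injection that does slip through elsewhere cannot read or modify tables the application does not need.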
The future wave of access vulnerability
It won’t get any easier!
The internet of things…
IT Security Roles
• Designated Approving Authority (DAA) – Accepts risk, issues ATO for IS
• Certifying Authority (CA) – Certifies IS (in DIACAP usage "CA" is this role, not a PKI certificate authority)
• Information Assurance (IA) Manager (IAM) – Responsible for the IA program for IS or organization
• IA Officer (IAO) – Implements IA program for IAM
• User Representative (UR) – Represents users in DIACAP
• Privileged User with IA responsibilities – System Administrator (for example)
• Authorized User – Any appropriately authorized individual
Terms and Definitions
• Cyber Security
– Protection of computer systems, computer networks, and electronically stored and transmitted information; network and Internet security
• Information Security
– Protection of information and information systems, providing confidentiality, integrity (including authentication and non-repudiation), and availability
– Includes cyber security plus non-computer issues
• physical security of buildings
• personnel security
• security of paper files
Terms and Definitions
• Information Assurance
– Superset of information security; emphasizes strategic risk management over tools and tactics
– Also includes:
• Privacy
• Compliance
• Audits
• Business continuity
• Disaster recovery
Nesting of the three terms (diagram on the slide):
• Cyber Security – Defense-in-Depth for computers, networks, and electronic information
• Information Security – Cyber Security plus protection for non-electronic information; ensures Confidentiality, Integrity, Availability
• Information Assurance – Information Security plus Strategic Risk Management, Privacy, Compliance, Audits, Business Continuity, Disaster Recovery
Note: For SRA, Cyber Security = Information Assurance
Threats, Vulnerabilities, Assets
• THREAT - entity, circumstance, or event producing intentional or accidental harm by:
– Unauthorized access, destruction, disclosure, or modification of data
– Denial of Service (DoS) affecting mission performance
• VULNERABILITY – exploitable weakness in:
– Computing, telecommunications system, or network system security procedures
– Internal controls or implementation
• ASSET - personnel, hardware, software, or information that may possess vulnerabilities and is being protected against threats
Risk
• RISK - measure of the extent to which an entity is threatened by a potential circumstance/event; a function of the likelihood of the circumstance/event occurring and the resulting adverse impacts
• RISK can be thought of as where threats, vulnerabilities and assets overlap: with no threat, no exploitable vulnerability, or no asset of value at stake, there is no risk
References
• DoDD 8500.01E - Information Assurance (IA)
– Establishes policy and assigns responsibilities to achieve Department of Defense (DoD) information assurance (IA)
• DoDI 8500.2 - Information Assurance (IA) Implementation
– Implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DoD information systems
• DoDI 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
– Establishes the DIACAP for authorizing the operation of DoD Information Systems
• DoD 8570.01-M - Information Assurance Workforce Improvement Program
– Provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance (IA) functions in assigned duty positions
• DoDI 8580.1 - Information Assurance (IA) in the Defense Acquisition System
– Implements policy, assigns responsibilities, and prescribes procedures to integrate IA into the Defense Acquisition System
• DoD 5220.22-M - National Industrial Security Program Operating Manual (NISPOM)
– Provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP
DoDD 8500.01E applies to…
• All DoD owned or controlled information systems
• Includes systems covered under National Industrial Security Program (NISP)
• Does not apply to weapons systems with no platform IT interconnection
National Security System (NSS) Definition
• National security systems are information systems operated by the U.S. Government, its contractors or agents that contain classified information or that
– involve intelligence activities
– involve cryptographic activities related to national security
– involve command and control of military forces
– involve equipment that is an integral part of a weapon or weapons system
– are critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications)
Cyber Security Considerations
• What type of data?
– At rest
– Transmitted
– Processed
– Encrypted
• Systems that store, process, transmit government data
– What is the information flow?
• Upstream
• Downstream
– Interconnections
– Input/output
– Information sharing
– Mobile media
Mission Assurance Category / Confidentiality Level
• Mission Assurance Category (MAC 1, 2, 3)
– Importance of information and information systems
– Availability and integrity
• Confidentiality Levels
– Information classification level and need-to-know
• All DoD systems are assigned a MAC and a Confidentiality Level
• Required security controls (the IA control baseline) are determined by the MAC and Confidentiality Level
MAC 1, 2, 3 Compared

Level | Importance                     | Integrity Loss | Availability Loss           | Possible Impact                         | Protection Measures
MAC 1 | Vital to operational readiness | Unacceptable   | Unacceptable                | Loss of mission effectiveness           | Stringent
MAC 2 | Important to force support     | Unacceptable   | Difficult – short term only | Seriously impacts mission effectiveness | Beyond best practices
MAC 3 | Necessary day-to-day           | Tolerable      | Tolerable                   | Degradation of routine activities       | Best practices
Confidentiality Levels
• Classified - Official information that has been determined to require, in the interests of national security, protection against unauthorized disclosure
– Confidential
– Secret
– Top Secret
– Top Secret SCI, etc.
• Sensitive - Loss, misuse, unauthorized access, or modification could adversely affect:
– National interest
– Conduct of Federal programs
– Privacy of individuals
• Public - Official DoD information that has been reviewed and approved for public release by the information owner
Information System Categories
• Enclaves
• Automated information system (AIS) application
• Outsourced IT-based process
• Platform IT interconnection
System Boundary
• DoDI 8500.2 only mentions the enclave boundary; it does not define a system boundary
• From NIST SP 800-37 rev. 1, a system boundary encloses a set of information resources with
– Same direct management control
– Same function or mission objective
– Same operating characteristics
– Same information security needs
– Same general operating environment (or, if distributed, similar operating environments)
• In NIST this is the security authorization boundary
• DIACAP refers to it as the accreditation boundary
• Applies to production, test, and development
DIACAP Overview
• DoDI 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
– “Establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD ISs, including core enterprise services- and Web services-based software systems and applications”.
DIACAP Applicability
• DoD-owned/controlled Information Systems that handle DoD information, i.e. that
– receive
– process
– store
– display
– transmit it
• Any classification or sensitivity
• Must meet the definition of a DoD Information System (enclave, AIS, outsourced IT-based process, or platform IT interconnection) from DoD Directive 8500.01E
DIACAP Team
• Designated Approving Authority – DAA
– Incorporates IA in information system life-cycle management processes
– Grants Authorization to Operate (ATO)
• Certifying Authority – CA
– DoD Component Senior Information Assurance Officer (SIAO) (or designee)
– Makes certification determination
DIACAP Team (continued)
• IS Program or System Manager - ISPM/SM
– Implement DIACAP
– Develop, track, resolve, and maintain the DIACAP Implementation Plan (DIP)
– Ensure IT Security POA&M (Plan of Action and Milestones) development, tracking, and resolution
– Ensure that the IS has an IA manager (IAM)
DIACAP Implementation
• All IT has some information assurance requirements
– DoDD 8500.01E requires C&A for all DoD information systems
– DoDI 8500.2 implements the requirements of DoDD 8500.01E and defines the IA controls
– DoDI 8510.01 defines and implements the DIACAP process for C&A of DoD information systems
• DoD Information Systems are:
– Enclave
– Automated Information System (AIS) application
– Outsourced IT-based processes
– Platform IT with GIG interconnections
DIACAP Implementation
• Development and test systems
– Create a full ATO package with IA Controls based on MAC and CL within the development/testing environment
– Send the ATO package to the field with the completed system
– The field organization
• Determines MAC and CL in their environment
• Reviews the development/testing ATO package
• Determines which IA Controls are still valid and which must be newly implemented
DIACAP Packages
• Comprehensive package
– Includes all the information resulting from the DIACAP process
– Used for the CA recommendation
• Executive package
– Minimum information
– Used for an accreditation decision
– Provided to others in support of accreditation or other decisions, such as connection approval
DIACAP Packages – SRA CPMS DIACAP Executive Package
FISMA
• E-Government Act of 2002
– Recognized the importance of information security to the economic and national security interests of the United States
• Title III of the E-Government Act: FISMA
– FISMA is the Federal Information Security Management Act
– Requires federal organizations to provide security for the information and information systems that support the agency
FISMA Requirements
• Applies to all federal agencies, DoD and civil
• Periodic assessments of risk
• Policies and procedures based on the risk assessment
• Component-level plans for providing IT security for networks, facilities, and systems or groups of IT systems
• IT security awareness training
• Testing and evaluation of IT security policies, procedures, and practices at least annually
• Process for planning, implementing, evaluating, and documenting remedial action
• Procedures for detecting, reporting, and responding to security incidents
• Plans and procedures to ensure continuity of operations for IT systems supporting the operations and assets of the organization
Red/Black
• http://www.youtube.com/watch?v=do5ZVohtQxQ
• Well, OK, that isn’t really the Red/Black we are going to study, but do I have your attention now?
Red/Black
• Red
– Circuits carrying classified information in plaintext, i.e. not yet encrypted
– Often used to refer to classified information itself
• Black
– Circuits carrying information that has been encrypted
– Often used to refer to unclassified information
• Nomenclature comes from the TEMPEST program
– A series of government-led approaches to minimize information leakage through compromising emanations, i.e. unintended signal coupling from Red circuits onto Black circuits and other conductors that leave the protected area
Red/Black Separation
• Because electromagnetic coupling between nearby conductors (radiated, conducted, and via shared power and ground) can never be eliminated entirely, physical separation between Red circuits and Black circuits is required to ensure no (or, in practice, the minimum possible) signal leakage.
• Requirements can be found in, inter alia,
– NSTISSAM TEMPEST 2-95, 12 December 1995, RED/BLACK INSTALLATION GUIDANCE
– MIL-HDBK-232A, 24 October 2000, RED/BLACK ENGINEERING - INSTALLATION GUIDELINES
– NSTISSI No. 7003, 13 December 1996, Protective Distribution Systems
• Red and Black circuits CANNOT be directly interconnected, as we do not know how to avoid covert channels in that circumstance; the only sanctioned crossing is through an approved cryptographic device, whose input side is Red and whose output side is Black
Summary
• If you are involved with information assurance on government systems, you will be involved with many differing regulations and requirements
• Information systems that carry classified information must be engineered to the Red/Black standards