
ECE579S/8 #1 Spring 2011 © 2000-2011, Richard A. Stanley

ECE579SComputer and Network Security

8: Certification & Accreditation; Red/Black

Professor Richard A. Stanley, P.E.


Last time… SSL/TLS Summary

• SSL/TLS provides a means for secure transport layer communications in TCP/IP networks

• SSL is a commonly used protocol, developed by Netscape but now ubiquitous in browsers and other clients

• The key element of SSL is the handshake protocol


Formal Evaluation Summary

• Formal security evaluation techniques are academically interesting, but have until recently failed to provide significant practical improvement in fielded systems security

• Emphasis is shifting to new evaluation schemes and empirical, policy-based security evaluation for trusted systems

• Both approaches offer opportunities for exploitation by malefactors and for real improvement in systems security


IDS Summary

• IDSs can be useful in monitoring networks for intrusions and policy violations

• Up-to-date attack signatures and policy implementations are essential

• Many types of IDS are available, at least one as freeware

• Serious potential legal implications

• Automated responses are to be avoided


Cyber Threat: Real & Damaging…

• Undermining both our national security and our economic leadership in the world marketplace
– Threat started as nuisance activities by isolated bad actors
– Threat is now coming from nation states, commercial espionage, terrorist organizations, organized crime groups, and ‘for-hire’ cyber organizations—it’s a business—and often in concert
– Our intellectual property is the target
• F22
• Oil exploration
• Google

• The extent of the damage is only beginning to be publicly acknowledged; >$1T and years and years of technology leadership


Advanced Persistent Threats: Exploitation Life Cycle

• Step 1 - Reconnaissance

• Step 2 - Initial Intrusion into the Network

• Step 3 - Establish a Backdoor into the Network

• Step 4 - Obtain User Credentials

• Step 5 - Install Various Utilities

• Step 6 - Privilege Escalation / Lateral Movement / Data Exfiltration

• Step 7 - Maintain Persistence


Vulnerability – External and Internal Vulnerabilities at all layers

– Internet connections
– Email
– Software (malware, botnets)
– Hardware
– Firmware
– Web pages/banners/pop-ups
– Databases (SQL injection)


The future wave of access vulnerability

It won’t get any easier!

The internet of things…


IT Security Roles

• Designated Approving Authority (DAA) – Accepts risk, issues ATO for IS

• Certifying Authority (CA) – Certifies IS

• Information Assurance (IA) Manager (IAM) – Responsible for the IA program for IS or organization

• IA Officer (IAO) – Implements IA program for IAM

• User Representative (UR) – Represents users in DIACAP

• Privileged User with IA responsibilities – System Administrator (for example)

• Authorized User – Any appropriately authorized individual


IT Security Situation


Terms and Definitions

• Cyber Security
– Protection of computer systems, computer networks, and electronically stored and transmitted information; network and Internet security

• Information Security
– Protection of information and information systems, providing confidentiality, integrity (including authentication and non-repudiation), and availability
– Includes cyber security plus non-computer issues
• physical security of buildings
• personnel security
• security of paper files


Terms and Definitions

• Information Assurance
– Superset of information security; emphasizes strategic risk management over tools and tactics
– Also includes:
• Privacy
• Compliance
• Audits
• Business continuity
• Disaster recovery


Information Assurance = Information Security plus:
• Strategic Risk Management
• Privacy, Compliance, Audits
• Business Continuity
• Disaster Recovery

Information Security = Cyber Security plus protection for non-electronic information; ensures:
• Confidentiality
• Integrity
• Availability

Cyber Security = Defense-in-Depth for computers, networks, and electronic information

Note: For SRA, Cyber Security = Information Assurance


Threats, Vulnerabilities, Assets

• THREAT - entity, circumstance, or event producing intentional or accidental harm by:
– Unauthorized access, destruction, disclosure, or modification of data
– Denial of Service (DoS) affecting mission performance

• VULNERABILITY – exploitable weakness in:
– Computing, telecommunications, or network system security procedures
– Internal controls or implementation

• ASSET - personnel, hardware, software, or information that may possess vulnerabilities and is being protected against threats


Risk

• RISK - a measure of the extent to which an entity is threatened by a potential circumstance or event; a function of the likelihood of the circumstance/event occurring and the resulting adverse impacts

• RISK can be thought of as where threats, vulnerabilities and assets overlap


References

• DoDD 8500.01E - Information Assurance (IA)

– Establishes policy and assigns responsibilities to achieve Department of Defense (DoD) information assurance (IA)

• DoDI 8500.2 - Information Assurance (IA) Implementation

– Implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DoD information systems

• DoDI 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP)

– Establishes the DIACAP for authorizing the operation of DoD Information Systems

• DoD 8570.01-M - Information Assurance Workforce Improvement Program

– Provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance (IA) functions in assigned duty positions

• DoDI 8580.1 - Information Assurance (IA) in the Defense Acquisition System

– Implements policy, assigns responsibilities, and prescribes procedures to integrate IA into the Defense Acquisition System

• DoD 5220.22-M - National Industrial Security Program Manual (NISPOM)

– Provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP


DoDD 8500.01E applies to…

• All DoD owned or controlled information systems

• Includes systems covered under National Industrial Security Program (NISP)

• Does not apply to weapons systems with no platform IT interconnection


National Security System (NSS) Definition

• National security systems are information systems operated by the U.S. Government, its contractors or agents that contain classified information or that:

– involve intelligence activities

– involve cryptographic activities related to national security

– involve command and control of military forces

– involve equipment that is an integral part of a weapon or weapons system

– are critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications)


Cyber Security Considerations

• What type of data?
– At rest
– Transmitted
– Processed
– Encrypted

• Systems that store, process, transmit government data
– What is the information flow?
• Upstream
• Downstream
– Interconnections
– Input/output
– Information sharing
– Mobile media


Mission Assurance Category/Confidentiality Level

• Mission Assurance Category (MAC 1, 2, 3)
– Importance of information and information systems
– Availability and integrity

• Confidentiality Levels
– Information classification level and need-to-know

• All DoD systems are assigned a MAC and a Confidentiality Level

• Required security controls are based on MAC and Confidentiality Level


MAC 1,2,3 Compared

• MAC 1
– Importance: Vital to operational readiness
– Integrity loss: Unacceptable
– Availability loss: Unacceptable
– Possible impact: Loss of mission effectiveness
– Protection measures: Stringent

• MAC 2
– Importance: Important to force support
– Integrity loss: Unacceptable
– Availability loss: Difficult; tolerable short term only
– Possible impact: Seriously impacts mission effectiveness
– Protection measures: Beyond best practices

• MAC 3
– Importance: Necessary for day-to-day operations
– Integrity loss: Tolerable
– Availability loss: Tolerable
– Possible impact: Degradation of routine activities
– Protection measures: Best practices


Confidentiality Levels

• Classified - Official information that has been determined to require, in the interests of national security, protection against unauthorized disclosure
– Confidential
– Secret
– Top Secret
– Top Secret SCI, etc.

• Sensitive - Loss, misuse, unauthorized access, or modification could adversely affect:
– National interest
– Conduct of Federal programs
– Privacy of individuals

• Public - Official DoD information that has been reviewed and approved for public release by the information owner


Information System Categories

• Enclaves

• Automated information system (AIS) application

• Outsourced IT-based process

• Platform IT interconnection


System Boundary

• DoDI 8500.2 only mentions the enclave boundary; it does not define a system boundary

• From NIST SP 800-37 rev. 1, a set of information resources with:
– Same direct management control
– Same function or mission objective
– Same operating characteristics
– Same information security needs
– Same general operating environment (or, if distributed, similar operating environments)

• In NIST this is the security authorization boundary

• DIACAP refers to it as the accreditation boundary

• Applies to production, test, and development


IA Control Subject Areas


IA Control Examples


DIACAP Overview

• DoDI 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP)

– “Establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD ISs, including core enterprise services- and Web services-based software systems and applications”.


DIACAP Applicability

• DoD-owned/controlled Information Systems with DoD information that they:
– receive
– process
– store
– display
– transmit

• Any classification or sensitivity

• Must meet the definition of a DoD Information System (enclave, AIS, outsourced IT-based process, or platform IT interconnection) from DoD Directive 8500.01E


DIACAP Team

• Designated Approving Authority – DAA
– Incorporates IA in information system life-cycle management processes
– Grants Authorization to Operate

• Certifying Authority – CA
– DoD Component Senior Information Assurance Officer (SIAO) (or designee)
– Makes certification determination


DIACAP Team

• IS Program or System Manager - ISPM/SM
– Implement DIACAP
– Develop, track, resolve, and maintain the DIACAP Implementation Plan (DIP)
– Ensure IT Security POA&M development, tracking, and resolution
– Ensure that the IS has an IA manager (IAM)


DIACAP Implementation

• All IT has some information assurance requirements
– DoDD 8500.01E requires C&A for all DoD information systems
– DoDI 8500.2 implements the requirements of DoDD 8500.01E and defines controls
– DoDI 8510.01 defines and implements the DIACAP process for C&A of DoD information systems

• DoD Information Systems are:
– Enclave
– Automated Information System (AIS) application
– Outsourced IT-based processes
– Platform IT with GIG interconnections


DIACAP Implementation

• Development and test systems
– Create full ATO package with IA Controls based on MAC and CL within the development/testing environment
– Send ATO package to the field with the completed system
– The field organization:
• Determines MAC and CL in their environment
• Reviews the development/testing ATO package
• Determines which IA Controls are still valid and which must be newly implemented
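The two steps the slides describe, selecting a control baseline from MAC and Confidentiality Level and then having the field organization re-check a development/test ATO package against its own environment, are both set operations, so they are worth seeing as code. The following Python is an added example, not code from the slides or from SRA. The control identifiers follow the DoDI 8500.2 naming pattern (subject-area prefix, control name, robustness suffix), but the applicability tables are a constructed illustrative subset, not the official 8500.2 attachment, and the function and class names are my own.

```python
"""
Added example (not from the ECE579S slides or SRA): derive a DoDI 8500.2-style
baseline IA control set from a system's Mission Assurance Category (MAC) and
Confidentiality Level (CL), then perform the fielding organization's review of a
development/test ATO package: which implemented controls are still valid in the
field environment, which are newly required, and which no longer apply.

Identifiers follow the real 8500.2 naming pattern, but the applicability tables
are a CONSTRUCTED illustrative subset, not the official DoDI 8500.2 attachment.
"""
from dataclasses import dataclass
from typing import Iterable

MAC_LEVELS = ("MAC I", "MAC II", "MAC III")        # MAC I is the most critical
CL_LEVELS = ("Classified", "Sensitive", "Public")  # Classified is the most sensitive

# Integrity/availability controls, keyed by the MAC values they apply to
# (constructed mapping; the -1/-2 suffixes model 8500.2 robustness levels).
MAC_CONTROLS = {
    "COAS-1": {"MAC III"},                      # alternate site designation, basic
    "COAS-2": {"MAC I", "MAC II"},              # alternate site designation, enhanced
    "COBR-1": {"MAC I", "MAC II", "MAC III"},   # protection of backup/restoration assets
    "VIVM-1": {"MAC I", "MAC II", "MAC III"},   # vulnerability management
    "DCAR-1": {"MAC I", "MAC II", "MAC III"},   # procedural review
}

# Confidentiality controls, keyed by the CL values they apply to (constructed).
CL_CONTROLS = {
    "ECCR-1": {"Sensitive"},                          # encryption of sensitive data at rest
    "ECCR-2": {"Classified"},                         # encryption of classified data at rest
    "ECAN-1": {"Classified", "Sensitive"},            # access for need-to-know
    "PRNK-1": {"Classified"},                         # personnel access to need-to-know info
    "IAIA-1": {"Classified", "Sensitive", "Public"},  # individual identification & authentication
}


def baseline(mac: str, cl: str) -> frozenset[str]:
    """Baseline IA controls for a system assigned the given MAC and CL.

    The baseline is the UNION of the MAC-driven set (integrity/availability)
    and the CL-driven set (confidentiality); neither alone is complete.
    Unknown levels are rejected instead of silently mapping to the weakest set.
    """
    if mac not in MAC_LEVELS:
        raise ValueError(f"unknown MAC {mac!r}; expected one of {MAC_LEVELS}")
    if cl not in CL_LEVELS:
        raise ValueError(f"unknown CL {cl!r}; expected one of {CL_LEVELS}")
    mac_set = {c for c, levels in MAC_CONTROLS.items() if mac in levels}
    cl_set = {c for c, levels in CL_CONTROLS.items() if cl in levels}
    return frozenset(mac_set | cl_set)


@dataclass(frozen=True)
class FieldReview:
    """Outcome of the fielding organization's review of a dev/test ATO package."""
    still_valid: frozenset[str]         # implemented in dev/test and still in the field baseline
    newly_required: frozenset[str]      # in the field baseline but not covered by the package
    no_longer_required: frozenset[str]  # implemented in dev/test but outside the field baseline
    unaddressed_in_dev: frozenset[str]  # dev/test baseline controls the package never implemented


def field_review(dev_mac: str, dev_cl: str, dev_implemented: Iterable[str],
                 field_mac: str, field_cl: str) -> FieldReview:
    """Compare a dev/test ATO package against the field environment's own baseline."""
    dev_base = baseline(dev_mac, dev_cl)
    field_base = baseline(field_mac, field_cl)
    implemented = frozenset(dev_implemented)
    return FieldReview(
        still_valid=implemented & field_base,
        newly_required=field_base - implemented,
        no_longer_required=implemented - field_base,
        unaddressed_in_dev=dev_base - implemented,
    )


if __name__ == "__main__":
    # Constructed scenario: built and tested as MAC III / Sensitive,
    # fielded into an enclave the field organization rates MAC II / Classified.
    dev_pkg = baseline("MAC III", "Sensitive")   # assume the dev package implemented its full baseline
    review = field_review("MAC III", "Sensitive", dev_pkg, "MAC II", "Classified")
    print("still valid:       ", sorted(review.still_valid))
    print("newly required:    ", sorted(review.newly_required))
    print("no longer required:", sorted(review.no_longer_required))
```

The point the code makes that the slides only imply: a package that was complete for its development MAC/CL is not automatically complete in the field, and the gap is exactly the difference between two independently derived baselines, so the field organization must recompute its own MAC and CL first, not reuse the developer's.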


DIACAP Packages

• Comprehensive package
– Includes all the information resulting from the DIACAP process
– Used for the CA recommendation

• Executive package
– Minimum information
– Used for an accreditation decision
– Provided to others in support of accreditation or other decisions, such as connection approval


DIACAP Packages: SRA CPMS DIACAP Executive Package


DIACAP Activities


FISMA / E-Government Act of 2002

• Recognized the importance of information security to the economic and national security interests of the United States

• Title III of the E-Government Act: FISMA

• FISMA is the Federal Information Security Management Act

• Requires federal organizations to provide security for the information and information systems that support the agency


FISMA Requirements

• Applies to all federal agencies, DoD and civil
• Periodic assessments of risk
• Policies and procedures based on the risk assessment
• Component-level plans for providing IT security for networks, facilities, and systems or groups of IT systems
• IT security awareness training
• Testing and evaluation of IT security policies, procedures, and practices at least annually
• Process for planning, implementing, evaluating, and documenting remedial action
• Procedures for detecting, reporting, and responding to security incidents
• Plans and procedures to ensure continuity of operations for IT systems supporting the operations and assets of the organization


Red/Black

• http://www.youtube.com/watch?v=do5ZVohtQxQ

• Well, OK, that isn’t really the Red/Black we are going to study, but do I have your attention now?


Red/Black

• Red
– Circuits carrying classified information that is not encrypted (plaintext)
– Often used to refer to classified information itself

• Black
– Circuits carrying only information that is encrypted (or unclassified)
– Often used to refer to unclassified information

• Nomenclature comes from the TEMPEST program
– A series of government-led approaches to minimize the effects of information leakage through covert channels as a result of signal coupling


Red/Black Separation

• Owing to the laws of physics, physical separation between Red circuits and Black circuits is required to ensure no (or, in practice, the minimum possible) signal leakage.

• Requirements can be found in, inter alia,
– NSTISSAM TEMPEST/2-95, 12 December 1995, RED/BLACK INSTALLATION GUIDANCE
– MIL-HDBK-232A, 24 October 2000, RED/BLACK ENGINEERING - INSTALLATION GUIDELINES
– NSTISSI No. 7003, 13 December 1996, Protective Distribution Systems

• Red and Black circuits CANNOT be directly interconnected, as we do not know how to avoid covert channels in that circumstance; the only sanctioned crossing point is an approved cryptographic device, whose Red-side and Black-side interfaces are installed under the same guidance


Summary

• If you are involved with information assurance on government systems, you will be involved with many differing regulations and requirements

• Engineering of information systems that carry classified information must comply with Red/Black standards


Student Research Presentations