Eidws 107 information assurance

Information Assurance Enlisted Information Dominance Warfare Specialist

Transcript of Eidws 107 information assurance

Page 1: Eidws 107 information assurance

Information Assurance

Enlisted Information Dominance Warfare Specialist

Page 2: Eidws 107 information assurance

References

Joint DODIIS/Cryptologic SCI Information Systems Security Practices

Director of Central Intelligence Directive 6/3

SECNAVINST M-5239.1

CJCSM 6510.01

SECNAVINST 5720.47B DON Policy for Content of Publicly Accessible www sites

CNSSI 4009

Page 3: Eidws 107 information assurance

What is IA?

•Information operations that protect and defend data and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.

•This includes providing restoration of IS by incorporating protection, detection, and reaction capabilities.

Page 4: Eidws 107 information assurance

The Role of Operations Security

•Balance ease of use against required mechanisms needed for system controls.

•Value of data (monetary value)

•Ongoing operational need for the data

•Reduced vulnerabilities and threats to ongoing operations

Page 5: Eidws 107 information assurance

5 Attributes of IA

Confidentiality - Render the information unintelligible except by authorized entities.

Integrity - Data has not been altered in an unauthorized manner since it was created, transmitted, or stored.

Availability - Timely, reliable access to data and information services for authorized users

Non-repudiation - Assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.

Authentication - Establishes the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.

Page 6: Eidws 107 information assurance

The CIA Triad

Confidentiality

Availability

Integrity

Page 7: Eidws 107 information assurance

The CIA Triad

Confidentiality: Ensures that information is not compromised or shared amongst unauthorized participants:

• While data is on the source device

• While data is in transit on the network

• Upon data reaching its intended target

Page 8: Eidws 107 information assurance

The CIA Triad

Integrity: Ensures that data is not damaged or modified while either in transit or storage.

• Protects against both malicious intentional damage and accidental damage by authorized users.

• Ensures data is consistent and is a true reflection of real information

Page 10: Eidws 107 information assurance

The CIA Triad

Availability: Ensures that information is always available at the time authorized users need it.

Page 11: Eidws 107 information assurance

IA Terminology

Certification

Accreditation

Designated Approving Authority (DAA)

System Security Plan

System Security Authorization Agreement (SSAA)

Authority To Operate (ATO)

Interim Authority To Operate (IATO)

Configuration Management

Page 12: Eidws 107 information assurance

IA Terminology

Certification

•A comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made as part of and in support of the accreditation process, to establish the extent to which a particular design and implementation meet a set of specified security requirements.

Page 13: Eidws 107 information assurance

IA Terminology

Accreditation

• The official management decision to permit operation of an IS in a specified environment at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. This authorization is granted by the Designated Approving Authority (DAA). The decision is based on the DAA’s review of the SSAA.

Page 14: Eidws 107 information assurance

IA Terminology

•Designated Approving Authority (DAA)

• The official with the authority to formally assume responsibility for operating a system (or network) at an acceptable level of risk

Page 15: Eidws 107 information assurance

IA Terminology

System Security Authorization Agreement (SSAA)

• A formal document that fully describes the planned security tasks required to meet system or network security requirements. The package must contain all information necessary to allow the DAA Rep/SCO to make an official management determination for authorization for a system, network, or site to operate in a particular security mode of operation, with a prescribed set of safeguards, against a defined threat with stated vulnerabilities and countermeasures; in a given operational environment, under a stated operational concept; with stated interconnection to external systems; and acceptable levels of risk.

Page 16: Eidws 107 information assurance

IA Terminology

Authority to Operate (ATO)

• Authorization granted by a DAA for a DoD IS to process, store, or transmit information. An ATO indicates a DoD IS has adequately implemented all assigned IA controls to the point where residual risk is acceptable to the DAA. ATOs may be issued for up to 3 years.

Interim Authority to Operate (IATO)

• A temporary authorization to operate a DoD IS under the conditions or constraints enumerated in the accreditation decision.

Page 17: Eidws 107 information assurance

IA Terminology

Configuration Management

• The procedures used to carry out changes that affect the network, individual systems, or software.

• Identifying, controlling, accounting for, and auditing changes made to the baseline trusted computing base (TCB), which includes changes to hardware, software, and firmware.

• A system that controls changes and tests documentation through the operational life cycle of a system.

Who makes changes?

Why are changes made?

When changes are made

What changes are made?

Page 18: Eidws 107 information assurance

Risk Management

•The discipline of identifying and measuring security risks associated with an IS, and controlling and reducing those risks to an acceptable level.

Page 19: Eidws 107 information assurance

9 Categories of Computer Incidents

Precedence   Category   Description
1            1          Root Level Intrusion (Incident)
2            2          User Level Intrusion (Incident)
3            4          Denial of Service (Incident)
4            7          Malicious Logic (Incident)
5            3          Unsuccessful Activity Attempt (Event)
6            5          Non-Compliance Activity (Event)
7            6          Reconnaissance (Event)
8            8          Investigating (Event)
9            9          Explained Anomaly (Event)

Page 20: Eidws 107 information assurance

SECNAVINST 5720.47B

DoN World Wide Web Policy

•Comprehensive web site management instruction for publicly accessible web content

Page 21: Eidws 107 information assurance

Vulnerability Management

IAVA - Information Assurance Vulnerability Alert:

• Addresses severe network vulnerabilities resulting in immediate and potentially severe threats to DoD systems and information. Corrective action is of the highest priority due to the severity of the vulnerability risk.

IAVB - Information Assurance Vulnerability Bulletin:

• Addresses new vulnerabilities that do not pose an immediate risk to DoD systems, but are significant enough that noncompliance with the corrective action could escalate the risk.

IAVT - Information Assurance Vulnerability Technical Advisory:

• Addresses new vulnerabilities that are generally categorized as low risk to DoD systems

CTO - Communications Tasking Order

• Addresses vulnerabilities extremely critical to the overall security of the GIG. They supersede or change current DoN network policy, and provide implementation direction for new IA initiatives.

Page 22: Eidws 107 information assurance

Security Definitions

Vulnerability - a software, hardware, or procedural weakness that may provide an attacker the open door needed to gain access to a computer or network.

Threat - Any potential danger to information or systems.

Page 23: Eidws 107 information assurance

Security Relationships

Threat Agent → Gives rise to → Threat

Threat → Exploits → Vulnerability

Vulnerability → Leads to → Risk

Risk → Can Damage → Asset

Asset → And Causes → Exposure

Exposure → Can be counter-measured by a → Safeguard

Safeguard → Directly affects → Threat Agent

Page 24: Eidws 107 information assurance

Information Assurance Manager (IAM)

•Functions as the focal point and principal advisor for IA matters on behalf of the IA Program Manager and the CO.

Page 25: Eidws 107 information assurance

Q & A