Information Security in a Wireless World · Information Security in a Wireless World ... •...
Transcript of Information Security in a Wireless World · Information Security in a Wireless World ... •...
![Page 1: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/1.jpg)
Information Securityin a Wireless World
Dennis D. SteinauerComputer Security Division
Information Technology LaboratoryNational Institute of Standards and Technology
Gaithersburg, MD
![Page 2: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/2.jpg)
Information Securityin a Wireless World
• Basic Security Strategy
• Emerging Technologies
• Critical Information Infrastructure Elements
• Emerging Security Needs
![Page 3: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/3.jpg)
The Lingo
Detect Recover
Threats
InformationAssets
Prevent
Vulnerabilities
PotentialLosses
Risk
Storage In Transit
ConfidentialityIntegrityAvailability
Protection Strategies
![Page 4: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/4.jpg)
Security Services
• Confidentiality
• Integrity
• Authentication
• Access Control
• Non-Repudiation
![Page 5: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/5.jpg)
Emerging Technologies
• Wireless communications
• Intelligent/mobile agents
• Embedded & ubiquitous computing
• Component-based systems
• Next ???
All new information technologies that have impact oncritical national infrastructures will have securityneeds -- which must be addressed from the start.
![Page 6: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/6.jpg)
Critical National Infrastructures
• Banking
• Transportation
• Oil & Gas Distribution
• Electric Power Distribution
• Emergency & Protective Services
• Information & Communications
• Government Services
![Page 7: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/7.jpg)
Critical Information InfrastructureElements
• Internet Backbone
• Internet Domain Name Service
• Public Key Infrastructure(s)
• Underlying Communications Technology
![Page 8: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/8.jpg)
Emerging Security Needs• Formal security criteria• Advanced testing methodologies• High confidence, high availability systems• Advanced authentication• Advanced, high-speed cryptography• Complex system composition/analysis• Configurable/maintainable systems• Intrusion Detection• Audit & threat monitoring
![Page 9: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/9.jpg)
Critical Infrastructure ProtectionFocus Areas
• Security Technology
• Systems Survivability
• High Assurance Systems
• Application of Domain-Specific Expertise
• Security for Federal Systems
![Page 10: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/10.jpg)
Security Technology
• Advanced Cryptography
• Public Key Infrastructure
• Common Criteria (CC)
• National Information Assurance Partnership(NIAP)
![Page 11: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/11.jpg)
Specification-Based T/E
Product
Crypto Module
Algorithm
Application/System
Level Example SpecificationApplication/System Air Traffic Control CC, GSSP, ...Product Firewall , OS Common Criteria (CC)Security Module Crypto Module FIPS 140-1Algorithm DES FIPS 46-2
![Page 12: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/12.jpg)
System Survivability
• Extend intrusion detection & responsetechnology to large-scale, high criticalitysystems & networks
• Metrics, test methods, & remote testingtechniques for assessing system survivability
• Best practices for designing and deployingsurvivable systems
• Security framework for “security” mobileagents
![Page 13: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/13.jpg)
High Assurance Systems
• Legacy system evaluation
• High assurance security engineering– Transfer system engineering technology from
NASA, NRC, FAA safety critical systems
– Develop new technical methods & approaches
– Automated testing techniques
– Professional certification
– Fault tolerance/redundancy
![Page 14: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/14.jpg)
Security for Domain-SpecificOperational Support Systems
• Manufacturing supervisory control & dataacquisition (SCADA) systems (MEL)
• Cybernetic building management systems(BFRL)
![Page 15: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/15.jpg)
Security for Federal Systems
• Identify, apply “Best Practices”– Training & awareness guides
• Develop standards, reference implementations,& security and interoperability testbeds– Criteria, tests, & accreditation requirements for
system security administrators
• Agency Assistance– Protecting their critical infrastructures
– Using advanced security technology
“Lead by Example”
![Page 16: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/16.jpg)
Security Technologyfor Critical Infrastructure Systems
• Applying existing technology
• Extending domain expertise
• Building security infrastructures
• High assurance systems engineering
• Meeting emerging needs
• Government-Industry partnership
![Page 17: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/17.jpg)
NIST Computer Security Program:From Algorithms to Critical Infrastructures
• Basic Technologies
• Program Strategy
• IT Security Standards
• Program Structure
• Program Elements
![Page 18: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/18.jpg)
Basic Information SecurityTechnologies
• Cryptography– Privacy encryption
– Digital Signatures
• Authentication
• Access Control
• High Assurance Systems Engineering
• Test and Evaluation
• Audit, Threat Monitoring, Intrusion Detection
![Page 19: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/19.jpg)
NIST Security Program Strategy• Collaboration with Industry
– Work with industry to develop specifications andconformance tests for secure, trustworthy, interoperableproducts and systems
• Primary Focus on Specification-Based Testing– Validate conformance of commercial products to FIPS– Common Criteria– National Information Assurance Partnership
• Act as “honest broker”• Technology Transfer• Balance Computer Security Act, PDD63, and
“Traditional” NIST/ITL Roles
![Page 20: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/20.jpg)
NIST IT Security Standards– a record of partnership with Industry
• Data Encryption (DES) - FIPS 46-2, ANSI• Message Authentication (MAC) - ANSI, FIPS 113• Cryptographic Module Security Requirements - FIPS
140• Key Management - ANSI X9.17, FIPS 171• Digital Signature and Hash (DSA/SHA) - FIPS 186,
180-1• Entity Authentication (FIPS 196) - IETF• Cryptographic API’s (Draft FIPS) - X/OPEN• Posix - FIPS, IEEE, ISO• Minimum Interoperability Specification for PKI
Components (MISPC) - NIST SP, IETF
![Page 21: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/21.jpg)
NIST Computer Security Program
National/Critical Information InfrastructureNational/Critical Information Infrastructure
Health CareHealth Care EnvironmentEnvironment Manufact.Manufact. Elec.Comm.Elec.Comm. Gov’t SvcsGov’t Svcs EducationEducation LibrariesLibraries
IndustryIndustry FederalGovernment
FederalGovernment
Customers
Program Focus Areas
Enabling Technology– Cryptographic Technology
and Applications– Key Recovery– Secure Internet Protocols
Enabling Infrastructure– Public Key Infrastructure– Criteria and Assurance– Internetworking Security– Security Management
![Page 22: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/22.jpg)
Cryptographic Technology andApplications
• Commercial Cryptographic Standards– Advanced Encryption Standard (AES)
– FIPS to allow RSA & EC technology
– Conformance Tests for ANSI RSA & ECDSA
• Crypto-Module Validation Program (FIPS140-1)
• ANSI Random Number Generation (co-editor)
![Page 23: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/23.jpg)
Key Recovery
• Technical Support for Emergency AccessWorking Group by Testing Key RecoveryPilots
• Secretariat and Liaison for CommercialData Recovery Technical AdvisoryCommittee; and Participation as Gov'tTechnical Representative
• Establish Key Recovery Root CA
• Develop Pilot Email Key Recovery System
![Page 24: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/24.jpg)
Public Key Infrastructure
• Tests and Assertions for MinimumInteroperability Specification for PKIComponents (MISPC)
• Develop MISPC Reference Implementation
• Implementation of a root CA Testbed forgovernment pilots
• Develop Security Requirements for CAcomponents
![Page 25: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/25.jpg)
Internetworking Security
• IPv6 Reference Implementation and TestBed
• Role Based Access Control
• Federal Government Computer IncidentResponse Center (FedCIRC)
![Page 26: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/26.jpg)
Security Management andSupport
• National Information System SecurityConference
• Computer System Security and PrivacyAdvisory Board
• Federal Computer Security ProgramManagers Forum
• Agency Assistance & Collaboration
![Page 27: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/27.jpg)
Criteria and Assurance
• Specification-Based Testing & Evaluation(T/E)
• Common Criteria (CC)
• Common Criteria Testing Program (CCTP)
• National Information Assurance Partnership(NIAP)
![Page 28: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/28.jpg)
Advanced Network Technology
• IPsec• IP testbed• Mobile agents• Virtual Private Networks• “Adaptive” Networks
![Page 29: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/29.jpg)
High Assurance DevelopmentTools
• Current Work– Role Based Access Control (RBAC)]
– Software Analysis Tools (Slicer, etc.)
• Planned/Potential Work– Advanced Analysis Tools, Toolkit
– Automated Testing
– Error/Failure Database
– Formal Methods
![Page 30: Information Security in a Wireless World · Information Security in a Wireless World ... • Internet Backbone ... – Automated testing techniques](https://reader031.fdocuments.in/reader031/viewer/2022022518/5b143bdf7f8b9a207c8c1148/html5/thumbnails/30.jpg)
For Additional Information
• NIST Computer Security Resource Center– http://csrc.nist.gov
• President’s Commission on CriticalInfrastructure Protection– http://www.pccip.gov
• Internet Engineering Task Force– http://www.ietf.org