Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and...


Sample Security Model


Security Model

Secure:
• Identity management & Authentication
• Filtering and Stateful Inspection
• Encryption and VPNs

Monitor:
• Intrusion Detection and Response
• Content-Based Detection and Response
• Employee monitoring

Audit:
• Security Posture Assessment
• Vulnerability Scanning
• Patch verification / Application audit

Manage:
• Secure Device Management
• Event / Data Analysis and Reporting
• Network Security Intelligence

[Diagram labels: Policy, Manage, Monitor, Audit, Secure]


Information Warfare Definition

"Actions taken to achieve information superiority by affecting adversary information, information-based processes, information system, and computer-based networks while defending one's own information, information-based systems, information systems and computer-based systems."


Information Warfare Definition(s)

Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own.

Such actions are designed to achieve advantages over military or business adversaries. (Dr Ivan Goldman)


Skill vs Technology

[Chart, 1940 to 2004. Labels: "Decreasing Skill and Knowledge and resources"; "Increasing Tools, Power and Sophistication"]


Outbound Open Source

Implementation
• Code cleanup
• License selection
• Development environment & portal
• Training

Business Case
• Objective
• Metrics
• Architecture
• Cost / Benefit Analysis
• Community Relevance
• Risk Mitigation

Marketing
• Launch Planning
• Community Awareness
• Competitive Participation

Maintenance
• Measuring
• Ongoing Marketing
• Strategic Direction


Levels of Concern (Low, Moderate, High)

• Level of concern for confidentiality: Based on the tolerance for unauthorized disclosure or compromise of information on the system

• Level of concern for integrity: Based on the tolerance for unauthorized modification or destruction of information on the system

• Level of concern for availability: Based on the tolerance for delay in the processing, transmission, or storage of information on the system or the tolerance for the disruption or denial of a service provided by the system


Levels of Concern (Low, Moderate, High)

• Level of concern for external exposure: Based on the definitions in SP 800-37 (user access methods, backend connections, number of users)

• Level of concern for internal exposure: Based on the definitions in SP 800-37 (security background assurances/clearances, access approvals, need-to-know)

• Level of concern for total system exposure: Based on the values assigned to both external and internal exposure factors as defined in SP 800-37


System Characterization

Levels of concern for confidentiality, integrity, availability and system exposure determine:

• Security controls for the IT system
• Security certification level


Classes of Security Controls

• Management Controls: Controls that address the security management aspects of the IT system and the management of risk for the system

• Operational Controls: Controls that address the security mechanisms primarily implemented and executed by people (as opposed to systems)

• Technical Controls: Controls that address security mechanisms contained in and executed by the computer system


A Comprehensive Approach: Linking Critical Assessment Activities


INFORMATION ASSURANCE (IA)

Objectives of the IA Program

• Employ efficient and cost-effective security features to protect information system resources

• Adopt a risk-based life cycle management approach

• Conduct an assessment of threats, identify and apply appropriate safeguards

Security Risks = (Threats x Vulnerabilities) - Countermeasures Exposure


Objectives of the IA Program (Continued)

Protect the information with regard to:

Confidentiality

Integrity

Availability

Authentication

Non-repudiation


What is the threat?

• Internal

– Intentional (Disgruntled Employee)

– Unintentional (Employee Error)

• External

– Intentional (Terrorists, Hackers)

– Unintentional (Natural Disaster)


IA Program Personnel

• Designated Approving Authority (DAA)

• Information Systems Security Manager (ISSM)

• Network Security Officer (NSO)

• Information Systems Coordinator (ISC)

• Information Systems Security Coordinator (ISSC)

• YOU


YOUR Responsibilities

• Computer & Network Security

• Information Security

• Software Security

• Physical Security

• Communications & Emanations Security

• Personnel / Administration Security


YOUR Responsibilities Computer & Network Security

• Log-On Information

• Warning Banner

• Use of Corporate Systems


YOUR Responsibilities Computer & Network Security

[Graphic: the words PASSWORD and LOGOFF arranged as a crossword]


YOUR Responsibilities Computer & Network Security

• System Configuration Information

• Virus Detection

• Firewalls


YOUR Responsibilities Information Security

• Classification level of information

• Back-ups

• Off-Site Storage

• Media Protection


YOUR Responsibilities Software Security

• DO NOT install unapproved software

• Software Accountability / Inventory

• Software Copyright


YOUR Responsibilities Physical Security

• DRMO/Destruction

• Housekeeping

• Media Protection

• Ensure adequate physical controls


YOUR Responsibilities Communications & Emanations Security

• Sending Sensitive data over the Internet

• Encryption

• TEMPEST


YOUR Responsibilities Personnel & Administration Security

• Operating Procedures

• Training

• System Accreditation

• Incident Reporting

• Need-to-know

• Audit Trails

• Contingency Planning

• Adequate Environmental Controls


SUMMARY

• We must incorporate a security mindset in our day-to-day operations

• You are the most important asset in the fight to provide adequate security of our Information Systems