CSCE 548
Security Standards: Awareness and Training
CSCE 548 - Farkas 2
Cyber Attacks
Take advantage of weaknesses in:
– Physical environment
– Computer system
– Software bugs
– Human practices
Need to identify, remove, and tolerate vulnerabilities
Secure Programs
How do we keep programs free from flaws?
How do we protect computing resources against programs that contain flaws?
What is Secure?
Characteristics that contribute to security
– Who defines the characteristics?
Assessment of security
– What is the basis for the assessment?
IEEE Standard for Software Verification and Validation, 2005
– Bug, error, fault, …
Proof of Program Correctness
Correctness: a given program computes a particular result, computes it correctly, and does nothing beyond what it is supposed to do.
Program verification:
– Initial assertion about the inputs
– Checking if the desired output is generated
– Problems: correctness depends on how the program statements are translated into logical implications; difficult to use and not intuitive; less developed than code production
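The three ingredients of program verification named on this slide can be seen in a small worked example. The following Python is an added illustration written for this page, not code from the lecture or its sources: a binary search whose proof obligations (initial assertion on the inputs, a loop invariant justifying each statement, a final assertion on the output, and a check that the input was left untouched, i.e. the program did nothing beyond its job) are written as explicit, checkable logic. The `off_by_one` switch is an assumption of the example: it swaps one statement for a near-identical wrong one to show that correctness rests on whether each statement actually establishes the implication the proof needs.

```python
"""Added example (not from the lecture slides): Hoare-style proof
obligations for a binary search, checked at runtime.  A verifier would
discharge these assertions statically from the program statements; here
they are executed so a reader can see exactly which obligation fails
when a statement is wrong.
"""
from typing import Optional, Sequence


def is_sorted(xs: Sequence[int]) -> bool:
    """Precondition predicate: xs is in non-decreasing order."""
    return all(xs[i] <= xs[i + 1] for i in range(len(xs) - 1))


def invariant_holds(xs: Sequence[int], target: int, lo: int, hi: int) -> bool:
    """Loop invariant: every occurrence of target lies inside xs[lo:hi]."""
    return (0 <= lo <= hi <= len(xs)
            and all(xs[i] != target for i in range(0, lo))
            and all(xs[i] != target for i in range(hi, len(xs))))


def verified_search(xs: Sequence[int], target: int,
                    off_by_one: bool = False) -> Optional[int]:
    """Return an index i with xs[i] == target, or None if target is absent.

    off_by_one=False is the correct program.  off_by_one=True (an
    assumption of this example, used only to show a failed obligation)
    replaces the statement "hi = mid" with "hi = mid - 1"; the implication
    that statement must establish (the invariant) no longer follows.
    """
    # Initial assertion about the inputs (precondition).
    assert is_sorted(xs), "precondition violated: input must be sorted"
    snapshot = tuple(xs)  # used to check the program has no side effect on xs

    lo, hi = 0, len(xs)
    while lo < hi:
        assert invariant_holds(xs, target, lo, hi), "loop invariant violated"
        mid = (lo + hi) // 2
        if xs[mid] < target:
            lo = mid + 1                          # sorted => xs[0:mid+1] < target
        elif xs[mid] > target:
            hi = mid - 1 if off_by_one else mid   # sorted => xs[mid:] > target
        else:
            # Postcondition for the found case: correct result, input untouched.
            assert xs[mid] == target and tuple(xs) == snapshot
            return mid
    # Loop exit gives lo == hi; with the invariant, target occurs nowhere.
    assert target not in xs, "postcondition violated: target present but not found"
    assert tuple(xs) == snapshot, "postcondition violated: input was modified"
    return None


def which_check_fails(xs: Sequence[int], target: int,
                      off_by_one: bool = False) -> Optional[str]:
    """Run a search and name the proof obligation that failed, or None."""
    try:
        verified_search(xs, target, off_by_one)
        return None
    except AssertionError as e:
        return str(e).split(":")[0]


if __name__ == "__main__":
    # Constructed sample inputs.
    print(verified_search([1, 3, 5, 7, 9], 7))             # index 3
    print(which_check_fails([3, 1, 2], 2))                 # precondition violated
    print(which_check_fails([1, 2, 3, 4, 5], 2, True))     # loop invariant violated
    print(which_check_fails([1, 2, 3, 4, 5], 4, True))     # postcondition violated
```

The same one-character change in a statement surfaces as a different failed obligation depending on the input (invariant for target 2, postcondition for target 4), which is the slide's point that correctness depends on how each statement translates into a logical implication rather than on any single test run. Python's `assert` is stripped under `-O`, so checks like these document a proof rather than enforce one in production.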
Standards of Program Development
Software development organizations: specified software development practices
Administrative control over:
– Design
– Documentation, language, coding style
– Programming
– Testing
– Configuration management
Process Management
Human aspects: difficult to judge in advance
How to assure that software is built in an orderly manner and that it leads to a correct and secure product?
– Process models: examine how an organization does something
Reading
Reading for this lecture:
– Carnegie Mellon, Software Engineering Institute (SEI): Capability Maturity Model Integration (CMMI®), http://www.sei.cmu.edu/cmmi/
– US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html
Recommended:
– DOD 8570.01-M, Information Assurance Workforce Improvement Program, http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
– Certified Information Systems Security Professional (CISSP), http://www.isc2.org/cissp/default.aspx
National Training Standards
Committee on National Security Systems (CNSS) and the National Security Agency (NSA) National Training Standards
– NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
– CNSSI-4012, National Information Assurance Training Standard for Senior Systems Managers (SSM)
– NSTISSI-4013, National Information Assurance Training Standard for System Administrators (SA)
– NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
– NSTISSI-4015, National Training Standard for Systems Certifiers (SC)
– CNSSI-4016, National Information Assurance Training Standard for Risk Analysts (RA)
National Standards and Certifications
NSTISSI-4011
National Training Standard for Information Systems Security (INFOSEC) Professionals
Provides the minimum course content for the training of information systems security (INFOSEC) professionals in the disciplines of telecommunications security and automated information systems (AIS) security.
NSTISSI-4011
National Security Telecommunications and Information Systems Security Directive No. 501 establishes the requirement for federal departments and agencies to implement training programs for INFOSEC professionals.
INFOSEC professionals: responsible for the security oversight or management of national security systems during phases of the life cycle
NSTISSI-4011
Training Standards: two levels
– “Awareness Level: Creates a sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information and the means of processing them; and builds a working knowledge of principles and practices in INFOSEC.”
Awareness-level
Instructional content: topical content, behavioral outcomes
Program of Instructions
a. COMMUNICATIONS BASICS (Awareness Level)
b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS (Awareness Level)
c. SECURITY BASICS (Awareness Level)
d. NSTISS BASICS (Awareness Level)
e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)
f. NSTISS PLANNING AND MANAGEMENT (Performance Level)
g. NSTISS POLICIES AND PROCEDURES (Performance Level)
Information Systems Security Model
Acknowledges information, not technology, as the basis for our security efforts
– The actual medium is transparent
– Eliminates unnecessary distinctions between Communications Security (COMSEC), Computer Security (COMPUSEC), Technical Security (TECHSEC), and other technology-defined security sciences
– Can model the security-relevant processes of information throughout an entire information system
Security Model (three dimensions)
– Characteristics: Confidentiality, Integrity, Availability
– State: Transmission, Storage, Processing
– Third dimension: Technology; Policy; Education, training, awareness
Performance Level
Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices
Employees are able to apply security concepts while performing their tasks
Meeting National Standards at USC
Current certifications:
– NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
– NSTISSI-4013, National Information Assurance Training Standard for System Administrators (SA)
– NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
Courses to take:
– CSCE 522, CSCE 715, CSCE 727
GOVERNMENT AND INDUSTRY CERTIFICATIONS
Computer Security Certifications
International Information Systems Security Certification Consortium, (ISC)2
– CISSP: Certified Information Systems Security Professional
– ISSAP: Information Systems Security Architecture Professional
– ISSEP: Information Systems Security Engineering Professional
Computing Technology Industry Association (CompTIA)
– Security+ (2008): security topics, e.g., access control, cryptography, etc.
Information Systems Audit and Control Association (ISACA)
– CISA: Certified Information Systems Auditor
– CISM: Certified Information Security Manager
Certified Information Systems Security Professional (CISSP)
June 2004: the CISSP program earned ANSI ISO/IEC Standard 17024:2003 accreditation
Formally approved by DoD in the Information Assurance Technical (IAT) and Managerial (IAM) categories
Has been adopted as a baseline for the U.S. National Security Agency's ISSEP program
CISSP – Common Body of Knowledge
Ten areas of interest (domains):
1. Access Control -- CSCE 522, 715
2. Application Security -- CSCE 522, 548
3. Business Continuity and Disaster Recovery Planning -- CSCE 522, 727
4. Cryptography -- CSCE 522, 557
5. Information Security and Risk Management -- CSCE 522, 548, 727
6. Legal, Regulations, Compliance and Investigations -- CSCE 517, 727
7. Operations Security -- CSCE 522, 548, 727
8. Physical (Environmental) Security -- CSCE 522, 727
9. Security Architecture and Design -- CSCE 522, 548, 715, 727
10. Telecommunications and Network Security -- CSCE 522, 715
Requirements
5 years of direct full-time security work experience in two or more of the ten (ISC)² information security domains
– Associate of (ISC)²: passing the CISSP examination but not having the experience
CISSP Code of Ethics
Criminal history and related background
Pass the CISSP exam with a scaled score of 700 points or greater
Have their qualifications endorsed by another (ISC)² certified professional in good standing
Validity of the Certification
3 years
Renewal:
– Retake the exam, or
– Report 120 Continuing Professional Education (CPE) credits
Criticisms of the CISSP
Lacking a business orientation
Inferiority to academic credentials
Specialized Concentrations
Information Systems Security Architecture Professional (ISSAP), Concentration in Architecture
Information Systems Security Engineering Professional (ISSEP), Concentration in Engineering
Information Systems Security Management Professional (ISSMP), Concentration in Management
Other (ISC)2 Certifications
SSCP - Systems Security Certified Practitioner
CAP - Certification and Accreditation Professional
CSSLP - Certified Secure Software Lifecycle Professional
SECURITY ENGINEERING
Security Process Models
Capability Maturity Model (CMM): addresses organizations, not products
ISO 9001: similar to CMM
U.S. NSA: System Security Engineering CMM (SSE-CMM)
Capability Maturity Model
Service mark owned by Carnegie Mellon University (CMU) Software Engineering Institute
Development model, derived from data collected from organizations
Can be applied to the software development process of organizations, to improve the process
Capability Maturity Model Integration (CMMI)
Problem with CMM: difficult to apply multiple models that are not integrated
Extra cost
CMM Structure
Maturity Levels: a 5-level process maturity continuum
Key Process Areas: a cluster of related activities
Goals: summarize the states that must exist for that key process area to have been implemented in an effective and lasting way
Common Features
Key Practices
SSE-CMM
Aims to advance the Security Engineering discipline
Goals:
– Enable the selection of qualified security engineering providers
– Support informed investment in security engineering practices
– Provide capability-based assurance
Maturity Levels
Define ordinal scale for measuring and evaluating process capability
Define incremental steps for improving process capability
Capability Levels
1. Initial: the starting point for use of a new process
2. Repeatable: Requirements management, Software project planning, Software project tracking and oversight, Software quality assurance, etc.
3. Defined: Organization process focus, Organization process definition, Training program, Integrated software management, Software product engineering, etc.
4. Managed: Quantitative process management, Software quality management
5. Optimizing: Defect prevention, Technology change management, Process change management
Maturity Levels
1. Informal: base practices, ad-hoc process, success depends on individual effort
2. Planned, tracked: plan, track and verify performance, disciplined performance
3. Well defined: define and perform standard process, coordinate practices
4. Quantitatively controlled: establish measurable quality goals, objectively manage performance
5. Continuously improving: improve organizational capability, improve process effectiveness
Security Engineering Process Areas
– Administer System Security Controls
– Assess Operational Security Risk
– Attack Security
– Build Assurance Argument
– Coordinate Security
– Determine Security Vulnerabilities
– Monitor System Security Posture
– Provide Security Input
– Specify Security Needs
– Verify and Validate Security
Evaluation
Phases:
– Planning Phase: scope and plan
– Preparation Phase: prepare evaluation team, questionnaire, collect evidence, analyze results
– On-site Phase: interview, establish findings, rating, report
– Post-evaluation Phase: report findings, needs for improvement, manage results
Use of evaluation:
– Organizations to hire developers
Problems with SSE-CMM
Does not guarantee good results
Need to ensure uniform evaluation
Need good understanding of the model and its use
Does not eliminate the need for testing and evaluation
No guarantee of assurance
NATIONAL SECURITY
National Security and IW
U.S. agencies responsible for national security: large, complex information infrastructure
Defense information infrastructure supports:
– Critical war-fighting functions
– Peacetime defense planning
– Information for logistical support
– Defense support organizations
Need proper functioning of the information infrastructure
“Digitized Battlefield”
National Security and IW
Increased reliance on information infrastructure
– Information Dominance
– Un-manned weapons
– Communication infrastructure
– Vital human services (e.g., transportation, law enforcement, emergency, etc.)
Heavily connected to commercial infrastructure
– 95% of DOD’s unclassified communication via public network
No boundaries, cost effectiveness, ambiguous
Strategic Warfare (SW)
Cold War: “single class of weapons delivered at a specific range” (Rattray)
– E.g., use of nuclear weapons with intercontinental range
Current: “variety of means … can create ‘strategic’ effects, independent of considerations of distance and range.”
Center of gravity:
– Those characteristics, capabilities, or sources of power from which a military force derives its freedom of action, physical strength, or will to fight (DOD)
Strategic Information Warfare (SIW)
“…means for state and non-state actors to achieve objectives through digital attacks on an adversary’s center of gravity.” (Rattray)
Strategic Warfare vs. SIW
Similar challenges
Historical observation: centers of gravity are difficult to damage because of
– Resistance
– Adaptation
Dimensions of Strategic Analysis
Threads:
– Need to relate means to ends
– Interacting with an opponent capable of independent action
Distinction between:
– “Grand Strategy”: achievement of the political object of the war (includes economic strength and manpower, financial pressure, etc.)
– “Military Strategy”: gain the object of war (via battles as means)
Necessary Conditions for SW
Offensive freedom of action
Significant vulnerability to attack
Prospects for effective retaliation and escalation are minimized
Vulnerabilities can be identified, targeted, and damage can be assessed
SIW
Growing reliance: new target of concern
Commercial networks for crucial functions
Rapid change
Widely available tools
Significant uncertainties
– Determining political consequences
– Predicting damage, including cascading effects