CSCE 548 Security Standards Awareness and Training

CSCE 548 - Farkas 2

Cyber Attacks

Takes advantage of weakness in
– Physical environment
– Computer system
– Software bugs
– Human practices

Need to identify, remove, and tolerate vulnerabilities

Secure Programs

How do we keep programs free from flaws?

How do we protect computing resources against programs that contain flaws?

What is Secure?

Characteristics that contribute to security
– Who defines the characteristics?

Assessment of security
– What is the basis for the assessment?

IEEE Standard for Software Verification and Validation, 2005
– Bug, error, fault, …

Proof of Program Correctness

Correctness: a given program computes a particular result, computes it correctly, and does nothing beyond what it is supposed to do.

Program verification:
– Initial assertion about the inputs
– Checking if the desired output is generated
– Problems: correctness depends on how the program statements are translated into logical implications; the method is difficult to use and not intuitive, and it is less developed than code production
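The three parts of the slide's correctness definition, worked through in code as an added example (not from the lecture): an initial assertion about the inputs, a check that the desired output is generated, and a check that the program does nothing beyond its task. The bounded-copy routine, the faulty variant, the function names and the small input alphabet are all constructed for this illustration; a bounded exhaustive search stands in for a formal proof and shows how an off-by-one slips past the precondition but is caught by the postcondition.

```python
# Added example: program verification via precondition, postcondition and a
# "nothing beyond the task" check, applied to a constructed bounded-copy routine.
from itertools import product
from typing import Callable, Optional, Tuple

Copier = Callable[[bytearray, int], bytes]


def precondition(src: bytearray, limit: int) -> bool:
    """Initial assertion about the inputs: a real buffer and a non-negative limit."""
    return isinstance(src, bytearray) and isinstance(limit, int) and limit >= 0


def postcondition(src: bytearray, limit: int, out: bytes, src_before: bytes) -> bool:
    """Desired output: a prefix of src no longer than limit, and src left unchanged."""
    expected_len = min(len(src), limit)
    return (
        len(out) == expected_len
        and bytes(src[:expected_len]) == out   # the right bytes were copied
        and bytes(src) == src_before           # nothing beyond: source not modified
    )


def bounded_copy(src: bytearray, limit: int) -> bytes:
    """Copy at most `limit` bytes from src, checking its own pre- and postcondition."""
    assert precondition(src, limit), "precondition violated"
    src_before = bytes(src)
    out = bytearray()
    for i in range(len(src)):
        if i >= limit:          # stop once `limit` bytes have been copied
            break
        out.append(src[i])
    result = bytes(out)
    assert postcondition(src, limit, result, src_before), "postcondition violated"
    return result


def bounded_copy_off_by_one(src: bytearray, limit: int) -> bytes:
    """Constructed faulty variant: `>` instead of `>=` copies one byte too many."""
    assert precondition(src, limit), "precondition violated"
    out = bytearray()
    for i in range(len(src)):
        if i > limit:
            break
        out.append(src[i])
    return bytes(out)


def check_against_spec(copier: Copier, src: bytearray, limit: int) -> bool:
    """Run one case and decide whether the copier meets the specification."""
    src_before = bytes(src)
    try:
        out = copier(src, limit)
    except AssertionError:      # a failed internal assertion is a spec violation
        return False
    return postcondition(src, limit, out, src_before)


def verify_bounded(copier: Copier, max_len: int = 4, max_limit: int = 5
                   ) -> Optional[Tuple[bytes, int]]:
    """Bounded exhaustive verification over every short buffer and every limit.

    Returns None when no counterexample exists in the domain, otherwise the
    first (src, limit) pair on which the copier violates the specification.
    """
    for length in range(max_len + 1):
        for content in product(b"ab", repeat=length):   # constructed two-letter alphabet
            src = bytearray(content)
            for limit in range(max_limit + 1):
                if not check_against_spec(copier, src, limit):
                    return bytes(src), limit
    return None


if __name__ == "__main__":
    print("correct copier:", verify_bounded(bounded_copy))              # None
    print("off-by-one    :", verify_bounded(bounded_copy_off_by_one))   # (b'a', 0)
```

The precondition alone accepts the faulty variant, which is the slide's point: the input assertion establishes what the program may assume, but only the assertion on the output (and on the absence of side effects) decides whether the desired result was actually produced.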

Standards of Program Development

Software development organizations: specified software development practices

Administrative control over:
– Design
– Documentation, language, coding style
– Programming
– Testing
– Configuration management

Process Management

Human aspects: difficult to judge in advance

How to assure that software is built in an orderly manner and that it leads to a correct and secure product?
– Process models: examine how an organization does something

Reading

Reading for this lecture:

Carnegie Mellon, Software Engineering Institute (SEI): Capability Maturity Model Integration (CMMI®), http://www.sei.cmu.edu/cmmi/

US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html

Recommended:

DOD 8570.01-M, Information Assurance Workforce Improvement Program, http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

Certified Information Systems Security Professional (CISSP), http://www.isc2.org/cissp/default.aspx

National Training Standards

Committee on National Security Systems (CNSS) and the National Security Agency (NSA) National Training Standards
– NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
– CNSSI-4012, National Information Assurance Training Standard for Senior Systems Managers (SSM)
– NSTISSI-4013, National Information Assurance Training Standard For System Administrators (SA)
– NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
– NSTISSI-4015, National Training Standard for Systems Certifiers (SC)
– CNSSI-4016, National Information Assurance Training Standard For Risk Analysts (RA)

National Standards and Certifications

NSTISSI-4011

National Training Standard for Information Systems Security (INFOSEC) Professionals

Provides the minimum course content for the training of information systems security (INFOSEC) professionals in the disciplines of telecommunications security and automated information systems (AIS) security.

NSTISSI-4011

National Security Telecommunications and Information Systems Security Directive No. 501 establishes the requirement for federal departments and agencies to implement training programs for INFOSEC professionals.

INFOSEC professionals: responsible for the security oversight or management of national security systems during phases of the life cycle

NSTISSI-4011

Training Standards: two levels
– “Awareness Level: Creates a sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information and the means of processing them; and builds a working knowledge of principles and practices in INFOSEC.”

Awareness-level

Instructional Content: Topical Content, Behavioral Outcomes

Program of Instructions

a. COMMUNICATIONS BASICS (Awareness Level)
b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS (Awareness Level)
c. SECURITY BASICS (Awareness Level)
d. NSTISS BASICS (Awareness Level)
e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)
f. NSTISS PLANNING AND MANAGEMENT (Performance Level)
g. NSTISS POLICIES AND PROCEDURES (Performance Level)

Information Systems Security Model

Acknowledges information, not technology, as the basis for our security efforts
– The actual medium is transparent
– Eliminates unnecessary distinctions between Communications Security (COMSEC), Computer Security (COMPUSEC), Technical Security (TECHSEC), and other technology-defined security sciences
– Can model the security relevant processes of information throughout an entire information system

Security Model

Characteristics: Confidentiality, Integrity, Availability

State: Transmission, Storage, Processing

Third Dimension: Technology; Policy; Education, training, awareness

Performance Level

Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices

Employees are able to apply security concepts while performing their tasks

Meeting National Standards at USC

Current certifications:
– NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
– NSTISSI-4013, National Information Assurance Training Standard For System Administrators (SA)
– NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)

Courses to take:
– CSCE 522, CSCE 715, CSCE 727

GOVERNMENT AND INDUSTRY CERTIFICATIONS

Computer Security Certifications

International Information Systems Security Certification Consortium, (ISC)2
– CISSP: Certified Information Systems Security Professional
– ISSAP: Information Systems Security Architecture Professional
– ISSEP: Information Systems Security Engineering Professional

Computing Technology Industry Association (CompTIA)
– Security+ (2008): security topics, e.g., access control, cryptography, etc.

Information Systems Audit and Control Association (ISACA)
– CISA: Certified Information Systems Auditor
– CISM: Certified Information Security Manager

Certified Information Systems Security Professional (CISSP)

June, 2004: the CISSP program earned the ANSI ISO/IEC Standard 17024:2003 accreditation

Formally approved by DoD in the Information Assurance Technical (IAT) and Managerial (IAM) categories

Has been adopted as a baseline for the U.S. National Security Agency's ISSEP program

CISSP – Common Body of Knowledge

Ten areas of interest (domains):
1. Access Control -- CSCE 522, 715
2. Application Security -- CSCE 522, 548
3. Business Continuity and Disaster Recovery Planning -- CSCE 522, 727
4. Cryptography -- CSCE 522, 557
5. Information Security and Risk Management -- CSCE 522, 548, 727
6. Legal, Regulations, Compliance and Investigations -- CSCE 517, 727
7. Operations Security -- CSCE 522, 548, 727
8. Physical (Environmental) Security -- CSCE 522, 727
9. Security Architecture and Design -- CSCE 522, 548, 715, 727
10. Telecommunications and Network Security -- CSCE 522, 715

Requirements

5 years of direct full-time security work experience in two or more of the ten (ISC)² information security domains
– Associate of (ISC)²: passing the CISSP examination but not having the experience

CISSP Code of Ethics

Criminal history and related background

Pass the CISSP exam with a scaled score of 700 points or greater

Have their qualifications endorsed by another (ISC)² certified professional in good standing

Validity of the Certification

3 years

Renewal:
– Retake the exam, or
– Report 120 Continuing Professional Education (CPE) credits

Criticisms of the CISSP

Lacking a business orientation

Inferiority to academic credentials

Specialized Concentrations

Information Systems Security Architecture Professional (ISSAP), Concentration in Architecture

Information Systems Security Engineering Professional (ISSEP), Concentration in Engineering

Information Systems Security Management Professional (ISSMP), Concentration in Management

Other (ISC)2 Certifications

SSCP - Systems Security Certified Practitioner

CAP - Certification and Accreditation Professional

CSSLP - Certified Secure Software Lifecycle Professional

SECURITY ENGINEERING

Security Process Models

Capability Maturity Model (CMM): addresses organizations, not products

ISO 9001: similar to CMM

U.S. NSA: System Security Engineering CMM (SSE-CMM)

Capability Maturity Model

Service mark owned by Carnegie Mellon University (CMU) Software Engineering Institute

Development model, derived from data collected from organizations

Can be applied to the software development process of organizations, to improve the process

Capability Maturity Model Integration (CMMI)

Problem with CMM: difficult to apply multiple models that are not integrated
– Extra cost

CMM Structure

Maturity Levels: a 5-level process maturity continuum

Key Process Areas: a cluster of related activities

Goals: summarize the states that must exist for that key process area to have been implemented in an effective and lasting way

Common Features

Key Practices

SSE-CMM

Aims to advance the Security Engineering discipline

Goals:
– Enable the selection of qualified security engineering providers
– Support informed investment in security engineering practices
– Provide capability-based assurance

Maturity Levels

Define an ordinal scale for measuring and evaluating process capability

Define incremental steps for improving process capability

Capability Levels

1. Initial: the starting point for use of a new process
2. Repeatable: Requirements management, Software project planning, Software project tracking and oversight, Software quality assurance, etc.
3. Defined: Organization process focus, Organization process definition, Training program, Integrated software management, Software product engineering, etc.
4. Managed: Quantitative process management, Software quality management
5. Optimizing: Defect prevention, Technology change management, Process change management

Maturity Levels

1. Informal: base practices, ad-hoc process, success depends on individual effort
2. Planned, tracked: plan, track and verify performance, disciplined performance
3. Well defined: define and perform standard process, coordinate practices
4. Quantitatively controlled: establish measurable quality goals, objectively manage performance
5. Continuously improving: improve organizational capability, improve process effectiveness

Security Engineering Process Areas

Administer System Security Controls
Assess Operational Security Risk
Attack Security
Build Assurance Argument
Coordinate Security
Determine Security Vulnerabilities
Monitor System Security Posture
Provide Security Input
Specify Security Needs
Verify and Validate Security

Evaluation

Phases:
– Planning Phase: scope and plan
– Preparation Phase: prepare evaluation team, questionnaire, collect evidence, analyze results
– On-site phase: interview, establish findings, rating, report
– Post-evaluation phase: report findings and needs for improvement, manage results

Use of evaluation:
– Organizations to hire developers

Problems with SSE-CMM

Does not guarantee good results

Need to ensure uniform evaluation

Need good understanding of the model and its use

Does not eliminate the need for testing and evaluation

No guarantee of assurance

NATIONAL SECURITY

National Security and IW

U.S. agencies responsible for national security: large, complex information infrastructure

Defense information infrastructure supports:
– Critical war-fighting functions
– Peacetime defense planning
– Information for logistical support
– Defense support organizations

Need proper functioning of information infrastructure

“Digitized Battlefield”

National Security and IW

Increased reliance on information infrastructure
– Information Dominance
– Un-manned weapons
– Communication infrastructure
– Vital human services (e.g., transportation, law enforcement, emergency, etc.)

Heavily connected to commercial infrastructure
– 95% of DOD’s unclassified communication via public network

No boundaries, cost effectiveness, ambiguous

Strategic Warfare (SW)

Cold War: “single class of weapons delivered at a specific range” (Rattray)
– E.g., use of nuclear weapons with intercontinental range

Current: “variety of means … can create “strategic” effects, independent of considerations of distance and range.”

Center of gravity:
– Those characteristics, capabilities, or sources of power from which a military force derives its freedom of action, physical strength, or will to fight (DOD)

Strategic Information Warfare (SIW)

“…means for state and non-state actors to achieve objectives through digital attacks on an adversary’s center of gravity.” (Rattray)

Strategic Warfare vs. SIW

Similar challenges

Historical observation: centers of gravity are difficult to damage because of
– Resistance
– Adaptation

Dimensions of Strategic Analysis

Threads:
– Need to relate means to ends
– Interacting with an opponent capable of independent action

Distinction between:
– “Grand Strategy”: achievement of the political object of the war (includes economic strength and man power, financial pressure, etc.)
– “Military Strategy”: gain the object of war (via battles as means)

Necessary conditions for SW

Offensive freedom of action

Significant vulnerability to attack

Prospects for effective retaliation and escalation are minimized

Vulnerabilities can be identified, targeted, and damage can be assessed

SIW

Growing reliance: new target of concern

Commercial networks for crucial functions

Rapid change

Widely available tools

Significant uncertainties
– Determining political consequences
– Predicting damage, including cascading effects