Duty, Honor Country

Information Warfare in the Trenches: Teaching Cadets the Basics of Information Assurance

[email protected]

Information Assurance Education OR Training: Blurring the Boundaries

Aaron J. Ferguson, Ph.D., CISSP

National Security Agency Visiting Professor

United States Military Academy

Department of Electrical Engineering & Computer Science


Definitions

Education – the act or process of bringing an understanding to an individual.

Training – the process or routine of making proficient with specialized instruction and practice.

Goal

Using Bloom’s Taxonomy as a model, provide strategies for using the training standards to build a curriculum that educates—allows the student to take Information Security Professional and Designated Approval Authority knowledge and demonstrate conceptual understanding in multiple contexts.

Attributes of Information Assurance Education

1. Context Sensitive

2. Dynamic

3. Multidisciplinary

4. Application-Oriented

Inherent Tensions in Information Assurance Education

Center of Academic Excellence in Information Assurance Education

Provides an excellent Roadmap for Information Assurance Course and Curriculum Development

NSTISSI 4011 – Training of INFOSEC Professionals

NSTISSI 4012 – Designated Approval Authority

Strategies

USMA Courses

USMACOM Case Study

NSTISSI 4011 – Training of INFOSEC Professionals

The NSTISSI 4011 establishes the minimum training standard for the training of information systems security professionals in the disciplines of telecommunications and automated information systems security.

What are the INFOSEC Professional “Big Ideas?”

Awareness: Sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information, and the means of processing them and builds a working knowledge of INFOSEC principles and practices.

Performance: The skill and/or ability to design, execute, or evaluate agency INFOSEC security procedures and practices.

Courses

CS482 – Information Assurance

Cyber Defense Exercise

IT460 – Cyber Warfare

NSA Coder’s Cup

NSTISSI 4012 – Designated Approving Authority

The NSTISSI 4012 establishes the minimum course content or standard for the development and implementation of training for Designated Approving Authorities in the disciplines of telecommunications security and information systems (IS) security.

What are the DAA “Big Ideas?”

INFOSEC Functions Legal Liability Issues Policy Threats and Incidents Access Administration COMSEC

Bloom’s Taxonomy (Bloom Hierarchy)

KNOWLEDGE

COMPREHENSION

APPLICATION

ANALYSIS

SYNTHESIS

EVALUATION

DAA Case Study

What is a Controlled Interface Device (aka Security Guard)?

Guard: A device or collection of devices that mediate controlled transfers of information across security boundaries (e.g., between Security Domain “A” and Security Domain “B”).

It is “trusted” to allow sharing of data across boundaries (possibly including controlled “read up” and/or “write down”).

Part of the “high side” security architecture.

Enforces a defined security policy.

Other characteristics: type of data being passed, direction of data flow; human or fully automated review; number of connections; connection protocol (serial; Ethernet)

[Diagram: Guard between Security Domain “A” and Security Domain “B”]

Guards Versus Firewalls

Guards:

Generally implemented on trusted platform (often B1 or higher)

Connects domains at different levels

Opens doors that are normally closed

Prevents data leakage

Filters data at application level

Few services allowed through (e.g., E-mail, messages, file transfer)

Often no IP forwarding

Performs downgrading

Firewalls:

Not generally implemented on trusted platform

Connects domains at same level

Closes doors that are normally open

Controls network services

Filters packets at protocol level; may proxy packets at application level

More services allowed through (e.g., file transfer, E-mail, TELNET, HTTP)

Some types offer IP forwarding

No downgrading required

USMACOM Case Study

Establish secure network communications with coalition partners to provide an immediate Coalition Task Force (CTF) capability.

CTF membership is based on trust level—level of trust between the US and country seeking membership in the CTF.

The ultimate goal is to protect the SIPRNET, as it is a SECRET-High US only network with connectivity to the National Information Infrastructure. However, information on the SIPRNET must be securely shared with members of the CTF.

A Foreign Disclosure Officer on the SIPRNET decides what information gets shared with the CTF.

The CTF is classified CTF-SECRET, and the Nation LAN is assumed to be UNCLASSIFIED.

USMACOM Learning Objectives

1. Demonstrate an understanding of the INFOSEC functions of a DAA.

2. Discuss threats and vulnerabilities.

3. Perform a risk assessment.

4. Explain the DAA’s role in information warfare through the use of Information Security tactics, techniques, and procedures.

USMACOM Learning Objectives

5. Describe ways in which connecting to the National Information Infrastructure can create risks to your systems.

6. Discuss the importance of training to the separation of duties required of the DAA.

7. Explain DAA responsibility for preventing unauthorized disclosure of information.

8. Extrapolate risk management concepts to multiple scenarios.

9. Make decisions based on reasoned judgment.

High-Level Requirement

SIPRNET: US-SECRET

CTF LAN: CTF-SECRET (TIER 1)

Nation LAN: UNCLASSIFIED (TIER 2)

Low-Level Requirements

1. Must develop a one-time accreditable security architecture that uses high-assurance guarding technology to facilitate information exchange across security domains.

2. USMACOM must be able to add a new member (now and in the future) to any tier without going through the accreditation process for each nation.

3. Each CTF user has a colleague back in her home country’s Nation LAN with whom she must communicate.

4. There should be at least one system administrator per security domain, and this person is responsible for performing all security-related administration of the security domain LAN, e.g., patch management, CERT notification, anti-virus maintenance, and training.

Case Study Assumptions

1. The CTF resides in US spaces and is US-owned and administered. The composition of coalition partners will be dynamic throughout operations and all data is releasable to all individuals who have authorized access to the CTF LAN.

2. The CTF LAN will be a high attribution/high consequence network; it must use a multi-tiered architecture with each tier having different domain names for email purposes.

3. Clients in non-US-controlled spaces will not be allowed to access CTF LAN resources directly.

Case Study Assumptions

1. Connectivity will be severely restricted—by data attachment type (“dot-pdf”, “dot-rtf”, “dot-txt”, HTML, and “dot-gif”) and data flow direction.

2. Unauthorized access to SIPRNET resources or data must be the result of intentional malicious action by an authorized CTF user located in controlled US spaces or by a malicious user in one of the Nation-LANs.

3. An in-country user should not be able to spoof a CTF user’s email address.
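
The restrictions in these assumptions (attachment type, flow direction, a separate mail domain per tier, Foreign Disclosure Officer release) can be written as a default-deny guard check. This is an added example, not part of the original briefing; the per-direction policy and the mail domain names are constructed for illustration, since the briefing leaves those choices to the student.

```python
from typing import NamedTuple

# Leading bytes that confirm content matches the claimed attachment type.
MAGIC = {"pdf": (b"%PDF-",), "rtf": (b"{\\rtf",), "gif": (b"GIF87a", b"GIF89a")}

# CONSTRUCTED policy (the briefing leaves this table for students to fill in):
# (source domain, destination domain) -> attachment types released.
POLICY = {
    ("SIPRNET", "CTF"): {"pdf", "rtf", "txt", "html", "gif"},
    ("CTF", "SIPRNET"): {"txt"},
    ("CTF", "NATION"): {"pdf", "txt"},
    ("NATION", "CTF"): {"txt"},
}
# CONSTRUCTED mail domains, one per tier as the case study requires.
MAIL_DOMAIN = {"SIPRNET": "siprnet.example", "CTF": "ctf.example",
               "NATION": "nation.example"}

class Transfer(NamedTuple):
    src: str
    dst: str
    sender: str
    filename: str
    data: bytes
    fdo_released: bool = False

def content_matches(ext, data):
    """Check content against the claimed type, not just the extension."""
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    try:  # txt and html carry no signature: require printable ASCII
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)

def guard_decision(t):
    """Default deny: return (released, reason)."""
    allowed = POLICY.get((t.src, t.dst))
    if allowed is None:
        return False, "no rule for this direction"
    if t.src == "SIPRNET" and not t.fdo_released:
        return False, "no Foreign Disclosure Officer release"
    if t.sender.rpartition("@")[2].lower() != MAIL_DOMAIN[t.src]:
        return False, "sender domain does not match source domain"
    ext = t.filename.rpartition(".")[2].lower()
    if ext not in allowed:
        return False, "attachment type not allowed in this direction"
    if not content_matches(ext, t.data):
        return False, "content does not match claimed type"
    return True, "released"
```

A message arriving from the Nation LAN with a CTF sender address is rejected on the domain check, and a file renamed to an allowed extension is rejected on the content check.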

What are “DAA” Big Ideas?

1. Accreditation and the role of the DAA

2. Tier membership/trust level

3. Attachment Types Threats and Vulnerabilities

4. Risk Assessment

Accreditation and the Role of the DAA

The Designated Approval Authority (DAA) is the person that assumes all risk for operating a system in a specified configuration in a specified location for a specified period of time. System architecture, system security measures, system operations policy, system security management plan, and provisions for system operator and end user training.

The student should play the role of the DAA and establish guidelines for the security posture of any system and/or architecture that she is required to approve.

Tier membership/Trust level

Trust level and Tier membership have attribution implications. The student should be able to explain attribution and how it manifests itself in multiple contexts, since attribution and Trust level/Tier membership are tightly coupled.

The student will also have to decide what file types are going to be exchanged between the CTF-LAN and the SIPRNET and in what direction.

Tier 1

[Diagram labels: SIPRNET; guards GT1, GT2, GT3; CTF (Tier 1); WSA1, WSB1, WSC1]

Tier 2 - What about reach-back capability?

[Diagram labels: guards GT4, GT5; Nation LAN (Tier 2); WSA2, WSB2, WSC2]

Attachment Type

[Table: columns Guard, Guard Type/Services, Direction?, Attachments; rows GT1, GT2 and following; cells blank]

Putting it All Together

[Diagram labels: SIPRNET; guards GT1, GT2, GT3; CTF (Tier 1) with WSA1, WSB1, WSC1; guards GT4, GT5; Nation LAN (Tier 2) with WSA2, WSB2, WSC2]

Risk Assessment

1. As a culminating exercise the instructor should have one set of students act as the DAA and another set act as Risk Analysts (RA) making their accreditation case to the DAA.

2. The RAs should be able to either make a compelling case for the DAA to accredit or make a compelling case for not accrediting—all based on risk evidence.

3. This risk evidence should be built around trust level, level of attribution, consequence, data flow, and data type.

Scaffolding Questions

1. Is there still high attribution if a Tier 0 user sends malicious email to the SIPRNET with a malicious code attachment? Why?

2. How could a Tier 2 user compromise Tier 1?

3. Why is the Tier 1 LAN a lower risk than the Tier 2 environment?

4. Can a user in Tier 2 spoof an email address?

Scaffolding Questions (cont’d)

5. What are some of the system administration challenges associated with the design?

6. How do you set up a CERT function in a coalition environment? Who enforces it?

7. Suppose USMACOM levied a new requirement: move all Tier 1 users down to Tier 2 to facilitate collaboration (e.g., chat, VoIP). Currently there are no Guarding Technologies that allow secure chat or secure VoIP. Specifically, user A1 cannot chat with user A2 even though they are from the same nation. What would you do and why?

How do we Blur the Boundaries with IA Training Standards?

As information security becomes increasingly important, it can no longer be left to the realm of training.

1. Standards need to be “de-govied”—less government-focused and include academic and industry foci.

2. The standards need to focus more on Information Assurance than INFOSEC as the former defines thinking and behavior and the latter just behavior.

3. The standards should incorporate more of layers 2 (comprehension), 4 (analysis), 5 (synthesis), and 6 (evaluation), because without these critical layers, the case for academic excellence in Information Assurance is tenuous at best!

KNOWLEDGE

COMPREHENSION

APPLICATION

ANALYSIS

SYNTHESIS

EVALUATION

Changes Coming Down the Road

1. More Information Assurance focused vice INFOSEC

2. More User-Friendly

3. More input from Academia and Private Industry

4. Contract to upgrade 4011 to be let in May/June

5. 4012 fully coordinated with CNSS community and in for DIRNSA signature.

6. DISA to create 4012 CBT.

7. 4012 renamed Senior Systems Manager Focused on advances in technology

Feedback

If you like this briefing, please send an email to:

[email protected]

If you did not like this briefing, please send an email to:

[email protected]

Aaron J. Ferguson, Ph.D., CISSP

National Security Agency Visiting Professor

Dept. of Electrical Engineering & Computer Science

United States Military Academy

[email protected]

ARMY!