information systems security office (isso) services maj carmine cicalese cinc infosec support one...
TRANSCRIPT
INFORMATION SYSTEMS SECURITY OFFICE (ISSO)
SERVICES
MAJ Carmine CicaleseCINC INFOSEC Support
INFORMATION SYSTEMS SECURITY OFFICE (ISSO)
SERVICES
MAJ Carmine CicaleseCINC INFOSEC Support
One Team, One MissionInformation Superiority for America
INFORMATION SYSTEMS SECURITY (INFOSEC)
INFORMATION SYSTEMS SECURITY (INFOSEC)
The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats
The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats
GROWING NEED FOR INFOSEC
GROWING NEED FOR INFOSEC
Nation has become highly dependent on networking for military ops, government, and commerce
Information infrastructure is at risk! Data and systems are highly vulnerable to unauthorized access
Information warfare could inflict massive disruption on military readiness and the economy
Nation has become highly dependent on networking for military ops, government, and commerce
Information infrastructure is at risk! Data and systems are highly vulnerable to unauthorized access
Information warfare could inflict massive disruption on military readiness and the economy
RACE AGAINST TIME:INFOSEC VS. INFOWARRACE AGAINST TIME:
INFOSEC VS. INFOWAR
Massive Use of Networking Makes U.S. the World’s Most Vulnerable Target for Information Warfare Intelligence Exploitation Disruption of Network Infrastructure
U.S. Has Orders of Magnitude More to Lose to Information Warfare Attacks Than Our Adversaries
Reliance on Unprotected Networks Carries Risk of Military Failure and Catastrophic Economic Loss
Massive Use of Networking Makes U.S. the World’s Most Vulnerable Target for Information Warfare Intelligence Exploitation Disruption of Network Infrastructure
U.S. Has Orders of Magnitude More to Lose to Information Warfare Attacks Than Our Adversaries
Reliance on Unprotected Networks Carries Risk of Military Failure and Catastrophic Economic Loss
INFORMATION WARFARE
INFORMATION WARFARE
“...the threat to our military and commercial information systems poses a significant risk to national security and must be addressed.”
“...the threat to our military and commercial information systems poses a significant risk to national security and must be addressed.”
William J. ClintonWilliam J. ClintonPresident of the United StatesPresident of the United States
1995 National Security Strategy1995 National Security Strategy
INFORMATION WARFARE
INFORMATION WARFARE
“Information in all its forms, information protection, and the increasingly prominent position of information in the attack have become central features in determining the outcome of modern and future conflicts.”
“Information in all its forms, information protection, and the increasingly prominent position of information in the attack have become central features in determining the outcome of modern and future conflicts.”
General John M. ShalikashviliGeneral John M. ShalikashviliChairman of the Joint Chiefs of StaffChairman of the Joint Chiefs of Staff
Memorandum, Memorandum, Information Warfare StatusInformation Warfare Status, 10 October 1995, 10 October 1995
SANCTUARY -- LOSTSANCTUARY -- LOST
U.S.U.S.
SOCIETYSOCIETYADVERSARYADVERSARYU.S.U.S.
MILITARYMILITARY
U.S.U.S.
SOCIETYSOCIETYADVERSARYADVERSARYU.S.U.S.
MILITARYMILITARY
PASTPASTPRESENTPRESENT
INFOSEC CHALLENGES
INFOSEC CHALLENGES
Keeping pace with technology National Information Infrastructure (NII) Support to military operations
Keeping pace with technology National Information Infrastructure (NII) Support to military operations
POTENTIAL ISSO CUSTOMERS
POTENTIAL ISSO CUSTOMERS
??PRIVATE INDUSTRYPRIVATE INDUSTRY
JOHN Q. PUBLICJOHN Q. PUBLIC
FINANCIAL COMMUNITYFINANCIAL COMMUNITYACADEMIAACADEMIA
HEALTH PROFESSIONHEALTH PROFESSION
WHAT ARE WE DOING ABOUT IT?
WHAT ARE WE DOING ABOUT IT?
Key INFOSEC Goal:Keep Pace with Network Technology and
Security Needs
Criteria for Success:Solutions that are Secure, Affordable, and Easy to Use, as Defined by Our Customers
Key INFOSEC Goal:Keep Pace with Network Technology and
Security Needs
Criteria for Success:Solutions that are Secure, Affordable, and Easy to Use, as Defined by Our Customers
GOALSGOALS
Enhance Network Security Meet All Requirements for Unique, High
Assurance Solutions Advance INFOSEC Technology Champion Information Security for the Nation Forge an Innovative Customer-Driven
Corporate Culture
Enhance Network Security Meet All Requirements for Unique, High
Assurance Solutions Advance INFOSEC Technology Champion Information Security for the Nation Forge an Innovative Customer-Driven
Corporate Culture
ISSO MISSIONISSO MISSION
Provide leadership, products, and services necessary to enable customers to protect national security and sensitive information in information systems pursuant to Federal law and national policies; and...
Provide technical support to the government’s efforts to incorporate information systems security into the National Information Infrastructure (NII)
Provide leadership, products, and services necessary to enable customers to protect national security and sensitive information in information systems pursuant to Federal law and national policies; and...
Provide technical support to the government’s efforts to incorporate information systems security into the National Information Infrastructure (NII)
SECURITY TERMSSECURITY TERMS
DATA INTEGRITY -
AUTHENTICATION -
NON-REPUDIATION -
CONFIDENTIALITY -
AVAILABILITY -
DATA INTEGRITY -
AUTHENTICATION -
NON-REPUDIATION -
CONFIDENTIALITY -
AVAILABILITY -
Absolute verification data has not been modified (Detection of a single bit change)
Verification of originator (Signature on check)
Undeniable proof-of-participation (Sender/receiver in bank transaction)
Privacy with encryption (Scrambled text)
Assurance of service on demand (Guaranteed dial tone)
Absolute verification data has not been modified (Detection of a single bit change)
Verification of originator (Signature on check)
Undeniable proof-of-participation (Sender/receiver in bank transaction)
Privacy with encryption (Scrambled text)
Assurance of service on demand (Guaranteed dial tone)
INFOSEC BUSINESSINFOSEC BUSINESS
The business of information security comprises a cycle of critical activities designed to meet constantly changing customer needs in the emerging information age.
The business of information security comprises a cycle of critical activities designed to meet constantly changing customer needs in the emerging information age. Assess NeedsAssess Needs
Customer education, threat awareness, vulnerability assessment, Customer education, threat awareness, vulnerability assessment, impact on business, leading national advocacy role.impact on business, leading national advocacy role.
Deliver SolutionsDeliver SolutionsProduct and systems evaluations, risk management, system Product and systems evaluations, risk management, system security engineering consultancy, new solutions, implementation security engineering consultancy, new solutions, implementation assistance, security management infrastructure, life cycle assistance, security management infrastructure, life cycle support, policies and guidelines.support, policies and guidelines.
Create Advanced TechnologiesCreate Advanced TechnologiesAnticipate and enable emerging technologies, conduct and Anticipate and enable emerging technologies, conduct and coordinate research and development, rapid prototyping.coordinate research and development, rapid prototyping.
INFOSEC SOLUTIONSINFOSEC SOLUTIONS
INFOSECSOLUTIONS
INFOSECSOLUTIONSPRODUCTSPRODUCTS
TECHNOLOGIESTECHNOLOGIES
SERVICESSERVICES
PRODUCTSPRODUCTS
MISSI/Fortezza STU-III KG-84 KG-194 KG-95 CONDOR
MISSI/Fortezza STU-III KG-84 KG-194 KG-95 CONDOR
Key Management System (EKMS)
Embedded Modules Chips Algorithms Secure Terminal
Equipment
Key Management System (EKMS)
Embedded Modules Chips Algorithms Secure Terminal
Equipment
DISNDISN DMSDMS GCCSGCCS EC/EDIEC/EDI CINCMLSCINCMLSDFASDFAS
NETWORK SECURITY MANAGEMENTNETWORK SECURITY MANAGEMENTElectronic KeyElectronic Key
Management SystemManagement SystemCertification AuthorityCertification Authority
Workstation (CAW) Workstation (CAW) DOD Directory Service DOD Directory Service
DIIDII
Non - RepudiationNon - Repudiation
ConfidentialityConfidentialityIntegrityIntegrity
AvailabilityAvailability
Identification & AuthenticationIdentification & Authentication
MISSI BUILDING BLOCK PRODUCTSMISSI BUILDING BLOCK PRODUCTS
SECURITYSECURITY SERVICESSERVICES
SecureComputing
High Assurance
Guards
Firewalls
In-Line Network
Encryptors
********
Fortezza +Fortezza
DEFENSE INFORMATION INFRASTRUCTURE SECURITY
DEFENSE INFORMATION INFRASTRUCTURE SECURITY
Workstation Products FORTEZZA
High Assurance Guards Secure Network Server (SNS)
» Standard Mail Guard (SMG) Secret unclassified e-mail
In-Line Network Encryptors Network Encryption System (NES) (current) Tactical End-to-End Device (TEED) (emerging) Fastlane (multimedia ATM) (emerging) KG-189 (Synchronous Optical Network (SONET))
Workstation Products FORTEZZA
High Assurance Guards Secure Network Server (SNS)
» Standard Mail Guard (SMG) Secret unclassified e-mail
In-Line Network Encryptors Network Encryption System (NES) (current) Tactical End-to-End Device (TEED) (emerging) Fastlane (multimedia ATM) (emerging) KG-189 (Synchronous Optical Network (SONET))
MISSIMISSI
Mulitlevel Information Systems Security Initiaitive
ISSO SERVICESISSO SERVICES
ISSO services is the intellectual set of activities that assist customers in protecting the mission information
ISSO services is the intellectual set of activities that assist customers in protecting the mission information
ISSO SERVICESISSO SERVICES
System Security Assessments Information System Security Education, Training
and Awareness (ISSETA) Security Engineering and Consulting Product Evaluation Clearinghouse for Security Technical Information Security Infrastructure
System Security Assessments Information System Security Education, Training
and Awareness (ISSETA) Security Engineering and Consulting Product Evaluation Clearinghouse for Security Technical Information Security Infrastructure
SYSTEM SECURITY ASSESSMENTS
SYSTEM SECURITY ASSESSMENTS
Threat Assessment
OPSEC Assessment
INFOSEC Assessment
Network Vulnerability Assessments
Technical Security And Facilities Evaluation
Threat Assessment
OPSEC Assessment
INFOSEC Assessment
Network Vulnerability Assessments
Technical Security And Facilities Evaluation
COMSEC Monitoring
System Security Profiles
System Certification Assistance
System Accreditation Assistance
Risk Assessment
COMSEC Monitoring
System Security Profiles
System Certification Assistance
System Accreditation Assistance
Risk Assessment
SYSTEM SECURITY ASSESSMENTS
SYSTEM SECURITY ASSESSMENTS
THREAT ASSESSMENTTHREAT ASSESSMENT
All source intelligence via SIGINT, HUMINT, and IMINT
Analytic interface to intel community Assessments tailored to customer
requirements Special studies, briefings, and video Assist in resource and countermeasure
allocations
All source intelligence via SIGINT, HUMINT, and IMINT
Analytic interface to intel community Assessments tailored to customer
requirements Special studies, briefings, and video Assist in resource and countermeasure
allocations
OPSEC ASSESSMENTOPSEC ASSESSMENT
Identify vulnerabilities Information on
Operations Supporting operations Competitors or adversaries
Basis for risk management decisions
Identify vulnerabilities Information on
Operations Supporting operations Competitors or adversaries
Basis for risk management decisions
INFOSEC ASSESSMENTINFOSEC ASSESSMENT
High level technical analysis of the security posture of an organization’s communications and automated information systems Determine potential vulnerabilities and identify
countermeasures Based on known and perceived threats
Present day snapshot of implemented security Baseline of current security assets
High level technical analysis of the security posture of an organization’s communications and automated information systems Determine potential vulnerabilities and identify
countermeasures Based on known and perceived threats
Present day snapshot of implemented security Baseline of current security assets
NETWORK VULNERABILITY ANALYSIS
NETWORK VULNERABILITY ANALYSIS
TECHNICAL SECURITY AND FACILITIES EVALUATION
TECHNICAL SECURITY AND FACILITIES EVALUATION
COMSEC MONITORINGCOMSEC MONITORING
Support customer’s risk management process by providing information needed to make informed trade-offs between systems security risk, cost, schedule, and mission requirements
Provide timely mission and configuration specific analysis
Support certification and accreditation Document secure system design efforts
Support customer’s risk management process by providing information needed to make informed trade-offs between systems security risk, cost, schedule, and mission requirements
Provide timely mission and configuration specific analysis
Support certification and accreditation Document secure system design efforts
SYSTEM SECURITY PROFILES
SYSTEM SECURITY PROFILES
Provide future efforts design guidance Inject security into early design phases
Lower costs
Minimal impact
Improve commercial secure products Feed lessons learned to vendors
Provide feedback to profiling process
Provide future efforts design guidance Inject security into early design phases
Lower costs
Minimal impact
Improve commercial secure products Feed lessons learned to vendors
Provide feedback to profiling process
SYSTEM SECURITY PROFILES
SYSTEM SECURITY PROFILES
SYSTEM SECURITY PROFILES
SYSTEM SECURITY PROFILES
Focuses on developmental systems or those being upgraded
A system profile: Presents non-judgemental technical facts Is not a NSA endorsement Is a structured presentation of engineering
documentation Delivers report to customer who controls it Is time constrained vulnerability search
Focuses on developmental systems or those being upgraded
A system profile: Presents non-judgemental technical facts Is not a NSA endorsement Is a structured presentation of engineering
documentation Delivers report to customer who controls it Is time constrained vulnerability search
SYSTEM CERTIFICATION ASSISTANCE
SYSTEM CERTIFICATION ASSISTANCE
Make Recommendations Regarding the Technical and Economic Feasibility of Additional Countermeasures Which Should Be Used (or Are Planned to Be Used) to Further Minimize Risks to the System
Make Recommendations Regarding the Technical and Economic Feasibility of Additional Countermeasures Which Should Be Used (or Are Planned to Be Used) to Further Minimize Risks to the System
SYSTEM ACCREDITATION ASSISTANCE
SYSTEM ACCREDITATION ASSISTANCE
The Cost-Effective Approach to Security Requires DAAs to Lower Risks to Acceptable Levels While Minimizing Costs
The Cost-Effective Approach to Security Requires DAAs to Lower Risks to Acceptable Levels While Minimizing Costs
Conferences Training Classes Standards Development Policy Committees Doctrine, Policy, and Procedures Foreign Policy and Relations Security Awareness INFOSEC OUTREACH Program Technology Transfer
Conferences Training Classes Standards Development Policy Committees Doctrine, Policy, and Procedures Foreign Policy and Relations Security Awareness INFOSEC OUTREACH Program Technology Transfer
INFORMATION SYSTEMS SECURITY EDUCATION, TRAINING, AND
AWARENESS (ISSETA)
INFORMATION SYSTEMS SECURITY EDUCATION, TRAINING, AND
AWARENESS (ISSETA)
CONFERENCESCONFERENCES
National Information Systems Security Conference
AFCEA IEEE
National Information Systems Security Conference
AFCEA IEEE
TRAINING CLASSESTRAINING CLASSES
Train-The-Trainer Teach, Train, and Assist (TTA)
Train-The-Trainer Teach, Train, and Assist (TTA)
STANDARDS DEVELOPMENT
STANDARDS DEVELOPMENT
ISO ANSII
ISO ANSII
POLICY COMMITTEESPOLICY COMMITTEES
NSTISSC National policies, directives, guidance, etc.,
according to NSD-42 NII DoD Military Services
NSTISSC National policies, directives, guidance, etc.,
according to NSD-42 NII DoD Military Services
DOCTRINE, POLICY, AND PROCEDURES
DOCTRINE, POLICY, AND PROCEDURES
Over-the-air rekeying Advanced concepts and modeling for
INFOSEC doctrine and risk management Manages National COMSEC Insecurity
Reporting System Trended analysis and reports
Over-the-air rekeying Advanced concepts and modeling for
INFOSEC doctrine and risk management Manages National COMSEC Insecurity
Reporting System Trended analysis and reports
INFOSEC OUTREACH PROGRAM
INFOSEC OUTREACH PROGRAM
Certified Module Embedment (CME) Program
Certified Module Embedment (CME) Program
SECURITY ENGINEERING AND CONSULTING
SECURITY ENGINEERING AND CONSULTING
Information Systems Security Engineering (ISSE)
System Design Guidance Security Architecture and Frameworks System Acquisition Life Cycle Consulting
Information Systems Security Engineering (ISSE)
System Design Guidance Security Architecture and Frameworks System Acquisition Life Cycle Consulting
INFORMATION SYSTEMS SECURITY ENGINEERINGINFORMATION SYSTEMS SECURITY ENGINEERING
ISSE Handbook System Security Engineering Model
(SSEM)
ISSE Handbook System Security Engineering Model
(SSEM)
LIFE CYCLE CONSULTINGLIFE CYCLE
CONSULTING
Key Management Privilege Management Product Installation and Support Training Design Methodology Rainbow Series
Key Management Privilege Management Product Installation and Support Training Design Methodology Rainbow Series
PRODUCT EVALUATION
PRODUCT EVALUATION
Product Profiles TEMPEST Endorsement Program (TEP) Trusted Product Evaluation Program
(TPEP) Evaluated INFOSEC (COMSEC)
Product Listing
Product Profiles TEMPEST Endorsement Program (TEP) Trusted Product Evaluation Program
(TPEP) Evaluated INFOSEC (COMSEC)
Product Listing
EVALUATED INFOSEC (COMSEC) PRODUCT LISTING
EVALUATED INFOSEC (COMSEC) PRODUCT LISTING
Commercial COMSEC Endorsement Program (CCEP)
Authorized Vendor Program (AVP)
Commercial COMSEC Endorsement Program (CCEP)
Authorized Vendor Program (AVP)
CLEARINGHOUSE FOR INFORMATION
CLEARINGHOUSE FOR INFORMATION
Commercial Product Data Base Vulnerability Data Base Information (DOCKMASTER,
TEMPEST Info Center) Help Desk
Commercial Product Data Base Vulnerability Data Base Information (DOCKMASTER,
TEMPEST Info Center) Help Desk
INFORMATIONINFORMATION
DOCKMASTER TEMPEST Info Center
DOCKMASTER TEMPEST Info Center
SECURITY INFRASTRUCTURE
SECURITY INFRASTRUCTURE
Key Management and Provisioning Doctrine, Policy, and Standards MISSI Network Security Management
Certification Authentication Workstation (CAW) Directory System Agent (DSA) Mail List Agent (MLA) Rekey Manager (with EKMS) Audit Manager
Key Management and Provisioning Doctrine, Policy, and Standards MISSI Network Security Management
Certification Authentication Workstation (CAW) Directory System Agent (DSA) Mail List Agent (MLA) Rekey Manager (with EKMS) Audit Manager
STRATEGY FOR PROVIDING CUSTOMER SUPPORT
STRATEGY FOR PROVIDING CUSTOMER SUPPORT
V11V11
DISADISADISADISAVENDORSVENDORSVENDORSVENDORS
ISSOISSOISSOISSO
ARMYARMYARMYARMY
NAVY/MARINESNAVY/MARINESNAVY/MARINESNAVY/MARINES
AIR FORCEAIR FORCEAIR FORCEAIR FORCE
WHO ARE YOU GOING TO CALL
WHO ARE YOU GOING TO CALL
CONTRACTOR SUPPORT(410) 859-4524 (STU-III)
CINCS, JOINT COMMANDS & DEFENSE AGENCIES(410) 859-4711 (STU-III)
MILITARY DEPARTMENTS(410) 859-4391 (STU-III)
CIVIL AGENCIES(410) 859-4790 (STU-III)
DSN Prefix: 644-0111, Ask Operator for DesiredFAX: (410) 859-6651STU-III FAX: (410) 859-6665TOLL FREE: 1-800-688-6115
CONTRACTOR SUPPORT(410) 859-4524 (STU-III)
CINCS, JOINT COMMANDS & DEFENSE AGENCIES(410) 859-4711 (STU-III)
MILITARY DEPARTMENTS(410) 859-4391 (STU-III)
CIVIL AGENCIES(410) 859-4790 (STU-III)
DSN Prefix: 644-0111, Ask Operator for DesiredFAX: (410) 859-6651STU-III FAX: (410) 859-6665TOLL FREE: 1-800-688-6115