Information System Security: Comprehensive Model (NSTISSI 4011), COEN 250, Fall 2007, T. Schwarz, S.J.
Posted on 21-Dec-2015
Information System Security: Confidentiality
- Security policy: set of rules that determines whether a given subject can gain access to a specific object
- Confidentiality: assurance that access controls are enforced
Information System Security: Integrity
- Integrity: quality of information that identifies how closely the data represent reality
Information System Security: Availability
- Availability: information is provided to authorized users when it is requested
Information System Security: Security Measures
- Technology
- Policy and practice
  - Policy: formulation of the security posture
  - Practice: procedures followed to enhance the security posture
- Education, training, awareness
Information System Security: Three axes of ISS (figure)
- Security measures: education, training, awareness; procedures and policies; technology
- Information states: transmission, storage, processing
- Security properties: confidentiality, integrity, availability
NSTISSI 4011 Training Standards
- Awareness
  - Creates sensitivity to threats and vulnerabilities of national security information systems
  - Recognition of the need to protect data, information, and the means of processing
  - Building working knowledge of principles and practices of INFOSEC
- Performance level
  - Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices
Elements of Computer Security (NIST 800-12)
- Computer security should support the mission of the organization
- Computer security is an integral element of sound management
- Computer security should be cost-effective
- Computer security responsibilities and accountability should be made explicit
- System owners have computer security responsibilities outside their own organizations
- Computer security requires a comprehensive and integrated approach
- Computer security should be periodically reassessed
- Computer security is constrained by societal factors
Common Threats
- Errors and omissions: users, entry clerks, system operators, software engineers
- Fraud and theft: insiders / outsiders; computer as tool / target
- Employee sabotage
- Loss of physical / infrastructure support
- Malicious hacking
- Espionage: industrial / foreign government
- Malicious code
- Privacy (threats to personal privacy)
Management Controls: Computer Security Policy
- Definition of term: "Documentation of computer security decisions." But the term encompasses a wide range of meanings.
- Three basic types
  - Program policy: creates an organization's computer security program
  - Issue-specific policies: address specific issues such as use of crypto, private use of equipment, software installation, etc.
  - System-specific policies: focus on a single system
Management Controls: Tools to Implement Policy
- Standards: specify uniform use of specific technologies, e.g. organization-wide identification badges
- Guidelines: assist users, systems personnel, etc. in effectively securing a system
- Procedures: normally assist in complying with applicable security policies, standards, and guidelines
Management Controls: Program Policy
- The head of the organization issues the program policy to establish the org.'s computer security program
- Basic components
  - Purpose
  - Scope
  - Responsibility: assigned to a newly created or existing office; establishes roles of officials and offices in the org.
  - Compliance: general compliance, e.g. specifying an oversight office; use of specific penalties and disciplinary actions
- A policy usually only creates the structure
Management Controls: Issue-specific Policy
- Applies to a specific issue such as Internet access, e-mail privacy, use of unofficial software
- Basic components
  - Issue statement: define the issue with any relevant terms, distinctions, conditions
  - Statement of the org.'s position on the issue
  - Applicability
  - Roles and responsibilities
  - Compliance
  - Points of contact and supplementary information
Management Controls: System-specific Policies
- Components
  - Security objectives: concrete, well defined
  - Operational security rules: rules for operating a system: who can do what to which specific classes and records of data, under what conditions
- Often accompanied by implementing procedures and guidelines
Management Controls: System-specific Policy Implementations
- Technology does not play the sole role in enforcing system-specific policies
  - Technology: limits printing of confidential information to a specific printer
  - Non-technology: access to the printer output is guarded
Management Controls: Computer Security Program Management
- OMB Circular A-130 establishes the requirement for federal agencies to establish computer security programs
- Federal agencies are complex: management occurs at different levels, at least
  - Centralized level
  - System level
Management Controls: Computer Security Program Management
Sources of (Some) Requirements for Federal Unclassified Computer Security Programs (figure)
A federal agency computer security program is created and operates in an environment rich in guidance and direction from other organizations. The figure illustrates some of the external sources of requirements and guidance directed toward agency management with regard to computer security. While a full discussion of each is outside the scope of this chapter, it is important to realize that a program does not operate in a vacuum; federal organizations are constrained (by both statute and regulation) in a number of ways.
Management Controls: Computer Security Program Management
- Example for placement of computer security program-level and system-level functions (figure)
Management Controls: Computer Security Risk Management
- Basic assumption: computers can never be fully secured
- Risk assessment: process of analyzing and interpreting risk
  - Three basic activities: determining assessment scope and methodology; collecting and analyzing data; interpreting risk analysis results
- Components of risk assessment: asset valuation, consequence assessment, threat identification, vulnerabilities, safeguards, likelihood
Management Controls: Assurance
- Assurance: degree of confidence that the security measures work as intended to protect system and information; not a measurement
- Accreditation: management official's formal acceptance of the adequacy of a system's security
- Components
  - Technical features: do they operate as intended?
  - Operational practices: is the system operated according to stated procedures?
  - Overall security: are there threats that are not addressed?
  - Remaining risks: acceptability?
Operational Controls: Personnel / User Issues
- Two principles: separation of duties; least privilege
- Staffing: job definition; sensitivity determination; filling the position (screening applicants, selecting the individual)
- Training and awareness creation
Operational Controls: Personnel / User Issues: User Administration
- User account management: identification, authentication, access verification
- Auditing: periodically verify the legitimacy of current accounts and access authorizations
- Modification / removal of access
- Contractor access management
- Public access considerations
Operational Controls: Contingency & Disaster Preparation
- Contingency planning in six steps
  1. Identification of mission-critical functions
  2. Identification of resources that support critical functions
  3. Anticipation of potential contingencies / disasters
  4. Selecting contingency planning strategies
  5. Implementing contingency strategies
  6. Testing and revisiting strategies
Operational Controls: Incident Response
- Incident response: actions taken to deal with an incident
- Incident response: containment & repair
- Countermeasures
- Detection
Operational Controls: Incident Response: Establishment of a Successful Incident Handling Capability
- Components: understanding of constituency; education of constituency; centralized communication; expertise in requisite technology; links to other groups assisting in incident handling, as needed
- Technical support: nationwide / worldwide reporting facility for incidents; rapid communications; secure communications for incidents involving national security
Operational Controls: Awareness, Training, & Education
- Basic premise: people are fallible
- Two main benefits
  - Improvement of employee behavior: buy-in; knowledge and skills
  - Increased ability to hold employees accountable: dissemination and enforcement of policies presupposes awareness
Operational Controls: Awareness, Training, & Education
- Awareness: "what"; information
- Training: "how"; knowledge
- Education: "why"; insight
Operational Controls: Security Considerations in Computer Support and Operations
- Computer support and operations: everything done to run a computer system
- User support (help desk): needs to recognize which problems are security related
  - Example: a failed login can result from a lockout caused by a hacker running a password-guessing attack
- Software support: control of the software used on a system; software can only be modified with proper authorization
Operational Controls: Security Considerations in Computer Support and Operations
- Configuration management: goal is to ensure that changes to the system do not unintentionally or unknowingly diminish security
- Backups: critical for contingency planning
- Media control: provide physical and environmental protection and accountability for removable media
- Documentation
- Maintenance
Operational Controls: Physical and Environmental Security
- Protect computer systems from
  - Interruptions in providing computer services
  - Physical damage
  - Unauthorized access to information (example: Tempest program)
  - Loss of control over the system
  - Physical theft
- Mobile and portable systems present a new range of issues
Technical Controls: Identification and Authentication
- Identification: means by which a user provides a claimed identity to the system
- Authentication: means of establishing the validity of the claim
- Identification and authentication based on
  - What you know: e.g. password, pass-phrase (secret key, private key)
  - What you have: physical key, smart card
  - What you are: biometrics
  - Where you are: e.g. trusted machine, access to room, …
Technical Controls: Logical Access Control
- Access: ability to do something with a computing resource
- Access control: means by which this ability is explicitly enabled or restricted
- Not to be confused with
  - Authorization: permission to use a computer resource
  - Authentication: proof of identity
Technical Controls: Logical Access Control
- Access criteria typically based on
  - Identity
  - Roles
  - Location
  - Time: e.g. personnel files only accessible during normal business hours
  - Transactions: e.g. a phone inquiry answered by computer: the computer authenticates the inquirer; if the inquiry is too complicated, a human clerk is required to answer; the computer grants the clerk permission to access the inquirer's record for the duration of the transaction
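The access criteria on this slide (identity, role, location, time, and the transaction-scoped grant to a clerk) combined into one decision function. This is an added example, not code from the lecture; the personnel-file rule, role names, business hours and ten-minute grant are assumptions.

```python
"""Access-control check combining the slide's criteria: identity, role,
location, time and a transaction-scoped grant. Policy and names are hypothetical."""
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Hypothetical system-specific rule: personnel files are readable by HR staff
# from the office LAN during normal business hours (Mon-Fri, 09:00-17:00).
BUSINESS_HOURS = (9, 17)

# Transaction grants: (clerk, record) -> expiry time of the borrowed permission
_grants: Dict[Tuple[str, str], datetime] = {}

def ts(year, month, day, hour, minute=0):
    """Small helper for building timestamps (also used by callers)."""
    return datetime(year, month, day, hour, minute)

def business_hours(when):
    """Time criterion: weekday and within the configured hours."""
    return when.weekday() < 5 and BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]

def grant_for_transaction(clerk, record, now, minutes=10):
    """The computer has authenticated the inquirer and lends the clerk a
    time-boxed permission to that one record rather than a standing right."""
    _grants[(clerk, record)] = now + timedelta(minutes=minutes)

def can_read_personnel_file(user, role, location, record, now):
    """True only if one of the slide's criteria is satisfied; deny by default."""
    # Role + location + time criteria
    if role == "hr" and location == "office-lan" and business_hours(now):
        return True
    # Identity criterion: an employee may read their own file (records keyed by username)
    if user == record:
        return True
    # Transaction criterion: an unexpired grant for exactly this clerk and record
    expiry = _grants.get((user, record))
    return expiry is not None and now < expiry
```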
Technical Controls: Audit Trails
- Audit trail: series of records of computer events
- Auditing: review and analysis of management, operational, and technical controls
- Establishing audit trails helps to establish
  - Individual accountability
  - Reconstruction of events
  - Intrusion detection
  - Problem analysis
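Two of the audit-trail uses listed here (reconstruction of one user's events, and intrusion detection) run over a few constructed records, which also illustrate the help-desk scenario from the Computer Support slide: a burst of failed logins from one source across several accounts is what a password-guessing attack leaves behind before a lockout. Added example, not from the lecture; the record format, usernames, addresses and thresholds are all constructed.

```python
"""Audit-trail analysis over constructed records (hypothetical format):
"timestamp|user|event|source"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail; addresses and names are invented.
AUDIT_LOG = """\
2007-10-01T09:00:10|alice|LOGIN_OK|10.0.0.5
2007-10-01T09:02:31|alice|READ|payroll.db
2007-10-01T09:03:02|alice|WRITE|payroll.db
2007-10-01T09:30:00|bob|LOGIN_FAIL|192.0.2.77
2007-10-01T09:30:04|bob|LOGIN_FAIL|192.0.2.77
2007-10-01T09:30:09|carol|LOGIN_FAIL|192.0.2.77
2007-10-01T09:30:12|carol|LOGIN_FAIL|192.0.2.77
2007-10-01T09:30:15|dave|LOGIN_FAIL|192.0.2.77
2007-10-01T09:30:20|dave|LOGIN_FAIL|192.0.2.77
2007-10-01T09:45:00|bob|LOGIN_FAIL|10.0.0.9
2007-10-01T10:00:00|alice|LOGOUT|10.0.0.5
"""

def parse(log):
    """Turn the text trail into (timestamp, user, event, source) tuples."""
    recs = []
    for line in log.splitlines():
        ts, user, event, src = line.split("|")
        recs.append((datetime.fromisoformat(ts), user, event, src))
    return recs

def reconstruct(recs, user):
    """Individual accountability / reconstruction: ordered events of one user."""
    return [(t.strftime("%H:%M:%S"), e, s) for t, u, e, s in sorted(recs) if u == user]

def guessing_sources(recs, window_seconds=300, threshold=5):
    """Intrusion detection: sources with >= threshold LOGIN_FAIL records inside a
    sliding window, counted across accounts so a scan over many users is not
    hidden by per-account lockout thresholds. Returns {source: fails in window}."""
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(list)
    for t, u, e, s in sorted(recs):
        if e == "LOGIN_FAIL":
            fails[s].append(t)
    flagged = {}
    for src, times in fails.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
    return flagged
```

The help desk in the slide's example would see only "bob cannot log in"; the trail shows the lockout is a side effect of 192.0.2.77 trying three accounts in twenty seconds, while bob's single failure from 10.0.0.9 is left alone.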