Information System Security Comprehensive Model NSTISSI 4011 COEN 250 Fall 2007 T. Schwarz, S.J.

Post on 21-Dec-2015


Information System Security: Comprehensive Model
NSTISSI 4011, COEN 250, Fall 2007, T. Schwarz, S.J.

Information System Security
- Main goals: CIA
  - Confidentiality
  - Integrity
  - Availability

Information System Security: Confidentiality
- Security policy: set of rules that determines whether a given subject can gain access to a specific object
- Confidentiality: assurance that access controls are enforced

Information System Security: Integrity
- Quality of information that identifies how closely the data represent reality

Information System Security: Availability
- Information is provided to authorized users when it is requested

Information System Security: Information States
- Transmission
- Storage
- Processing

Information System Security: Security Measures
- Technology
- Policy and practice
  - Policy: formulation of security posture
  - Practice: procedures followed to enhance security posture
- Education, training, awareness

Information System Security: Three axes of ISS
[Figure: cube with three axes. Security measures: Education, Training, Awareness; Procedures and Policies; Technology. Information states: Transmission, Storage, Processing. Security goals: Confidentiality, Integrity, Availability.]

NSTISSI 4011 Training Standards
- Awareness
  - Creates sensitivity to threats and vulnerabilities of national security information systems
  - Recognition of the need to protect data, information, and the means of processing
  - Building working knowledge of principles and practices of INFOSEC
- Performance level
  - Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices

Elements of Computer Security (NIST 800-12)
- Computer security should support the mission of the organization
- Computer security is an integral element of sound management
- Computer security should be cost effective
- Computer security responsibilities and accountability should be made explicit
- System owners have computer security responsibilities outside their own organizations
- Computer security requires a comprehensive and integrated approach
- Computer security should be periodically reassessed
- Computer security is constrained by societal factors

Common Threats
- Errors and omissions: users, entry clerks, system operators, software engineers
- Fraud and theft: insiders / outsiders; computer as tool / target
- Employee sabotage
- Loss of physical / infrastructure support
- Malicious hacking
- Espionage: industrial / foreign government
- Malicious code
- Privacy

Management Controls: Computer Security Policy
- Definition of term: "Documentation of computer security decisions." But the term encompasses a wide range of meanings.
- Three basic types
  - Program policy: creates an organization's computer security program
  - Issue-specific policies: address specific issues such as use of crypto, private use of equipment, software installation, etc.
  - System-specific policies: focus on a single system

Management Controls: Tools to Implement Policy
- Standards: specify uniform use of specific technologies, e.g. organization-wide identification badges
- Guidelines: assist users, systems personnel, etc. in effectively securing a system
- Procedures: normally assist in complying with applicable security policies, standards, and guidelines

Management Controls: Program Policy
- Head of organization issues program policy to establish the org.'s computer security program
- Basic components
  - Purpose
  - Scope
  - Responsibility: assigned to a newly created or existing office; establishes roles of officials and offices in the org.
  - Compliance: general compliance, e.g. specifying an oversight office; use of specific penalties and disciplinary actions
- A policy usually only creates the structure

Management Controls: Issue-specific Policy
- Applies to a specific issue such as Internet access, e-mail privacy, use of unofficial software
- Basic components
  - Issue statement: define the issue with any relevant terms, distinctions, conditions
  - Statement of org.'s position on the issue
  - Applicability
  - Roles and responsibilities
  - Compliance
  - Points of contact and supplementary information

Management Controls: System-specific Policies
- Components
  - Security objectives: concrete, well defined
  - Operational security rules: rules for operating a system: who can do what to which specific classes and records of data, under what conditions
- Often accompanied by implementing procedures and guidelines

Management Controls: System-specific Policy Implementations
- Technology is not the sole means of enforcing system-specific policies
  - Technology: limits printing of confidential information to a specific printer
  - Non-technology: access to printer output is guarded

Management Controls: Computer Security Program Management
- OMB Circular A-130 establishes the requirement for federal agencies to establish computer security programs
- Federal agencies are complex: management occurs at different levels, at least
  - Centralized level
  - System level

Management Controls: Computer Security Program Management
Sources of (Some) Requirements for Federal Unclassified Computer Security Programs
A federal agency computer security program is created and operates in an environment rich in guidance and direction from other organizations. The figure illustrates some of the external sources of requirements and guidance directed toward agency management with regard to computer security. While a full discussion of each is outside the scope of this chapter, it is important to realize that a program does not operate in a vacuum; federal organizations are constrained - by both statute and regulation - in a number of ways.

Management Controls: Computer Security Program Management
[Figure: example for placement of computer security program level and system level functions]

Management Controls: Computer Security Risk Management
- Basic assumption: computers can never be fully secured
- Risk assessment: process of analyzing and interpreting risk
- Three basic activities
  - Determining assessment scope and methodology
  - Collecting and analyzing data
  - Interpreting risk analysis results

Management Controls: Computer Security Risk Management
- Components of risk assessment
  - Asset valuation
  - Consequence assessment
  - Threat identification
  - Vulnerabilities
  - Safeguards
  - Likelihood

Management Controls: Assurance
- Assurance: degree of confidence that the security measures work as intended to protect system and information; not a measurement
- Accreditation: management official's formal acceptance of the adequacy of a system's security
- Components
  - Technical features: do they operate as intended?
  - Operational practices: is the system operated according to stated procedures?
  - Overall security: are there threats that are not addressed?
  - Remaining risks: acceptability?

Operational Controls: Personnel / User Issues
- Two principles
  - Separation of duties
  - Least privilege
- Staffing
  - Job definition
  - Sensitivity determination
  - Filling position: screening applicants, selecting individual
  - Training and awareness creation

Operational Controls: Personnel / User Issues
- User administration
  - User account management: identification, authentication, access verification
  - Auditing: periodically verify the legitimacy of current accounts and access authorizations
  - Modification / removal of access
- Contractor access management
- Public access considerations

Operational Controls: Contingency & Disaster Preparation
- Contingency planning in six steps
  1. Identification of mission-critical functions
  2. Identification of resources that support critical functions
  3. Anticipation of potential contingencies / disasters
  4. Selecting contingency planning strategies
  5. Implementing contingency strategies
  6. Testing and revisiting strategies

Operational Controls: Incident Response
- Incident response: actions taken to deal with an incident
- Incident response: containment & repair
- Countermeasures
- Detection

Operational Controls: Incident Response
- Establishment of a successful incident handling capability; components
  - Understanding of constituency
  - Education of constituency
  - Centralized communication
  - Expertise in requisite technology
  - Links to other groups assisting in incident handling, as needed
  - Technical support
  - Nationwide / worldwide reporting facility for incidents
  - Rapid communications
  - Secure communications for incidents involving national security

Operational Controls: Awareness, Training, & Education
- Basic premise: people are fallible
- Two main benefits
  - Improvement of employee behavior: buy-in; knowledge and skills
  - Increased ability to hold employees accountable: dissemination and enforcement of policies presupposes awareness

Operational Controls: Awareness, Training, & Education
- Awareness: "What" (information)
- Training: "How" (knowledge)
- Education: "Why" (insight)

Operational Controls: Security Considerations in Computer Support and Operations
- Computer support and operations: everything done to run a computer system
- User support (help desk): needs to recognize which problems are security related
  - Example: a failed login can result from a lockout caused by a hacker running a password guessing attack
- Software support
  - Control of software used on a system
  - Software can only be modified with proper authorization

Operational Controls: Security Considerations in Computer Support and Operations
- Configuration management: goal is to ensure that changes to the system do not unintentionally or unknowingly diminish security
- Backups: critical for contingency planning
- Media control: provide physical and environmental protection and accountability for removable media
- Documentation
- Maintenance

Operational Controls: Physical and Environmental Security
- Protect computer systems from
  - Interruptions in providing computer services
  - Physical damage
  - Unauthorized access to information (example: Tempest program)
  - Loss of control over system
  - Physical theft
- Mobile and portable systems present a new range of issues

Technical Controls: Identification and Authentication
- Identification: means by which a user provides a claimed identity to the system
- Authentication: means of establishing the validity of the claim
- Identification and authentication based on
  - What you know: e.g. password, pass-phrase, (secret key, private key)
  - What you have: physical key, smart card
  - What you are: biometrics
  - Where you are: e.g. trusted machine, access to room, …

Technical Controls: Logical Access Control
- Access: ability to do something with a computing resource
- Access control: means by which this ability is explicitly enabled or restricted
- Not to be confused with
  - Authorization: permission to use a computer resource
  - Authentication: proof of identity

Technical Controls: Logical Access Control
- Access criteria typically based on
  - Identity
  - Roles
  - Location
  - Time: e.g. personnel files only accessible during normal business hours
  - Transactions: e.g. a phone inquiry answered by computer; the computer authenticates the inquirer; if too complicated, a human clerk is required to answer; the computer grants the clerk permission to access the inquirer's record for the duration of the transaction
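The access criteria above (role, location, time, and a transaction-scoped grant to a clerk) as one default-deny decision function. This is an added example, not code from the slides; the subjects, objects, business hours and grant expiry are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
# Constructed sample types (not from the slides): a subject, a rule and a grant.
@dataclass
class Subject:
    user: str
    role: str
    location: str           # "office" or "remote"

@dataclass
class Rule:
    obj: str
    roles: set              # roles allowed to access the object
    locations: set          # locations the request may come from
    hours: tuple = None     # (start, end) time window, or None for any time

@dataclass
class TransactionGrant:
    user: str               # clerk who was handed the transaction
    obj: str                # the single record the grant covers
    expires: datetime       # grant is valid only for the transaction's duration

class AccessControl:
    """Default-deny decision using the slide's criteria: role, location, time, transaction."""
    def __init__(self, rules, grants=()):
        self.rules = {r.obj: r for r in rules}
        self.grants = list(grants)

    def check(self, subject, obj, now):
        # A transaction grant is bound to one identity and one object and expires with the call.
        for g in self.grants:
            if g.user == subject.user and g.obj == obj and now < g.expires:
                return True, "transaction grant"
        rule = self.rules.get(obj)
        if rule is None:
            return False, "no rule (default deny)"
        if subject.role not in rule.roles:
            return False, "role not permitted"
        if subject.location not in rule.locations:
            return False, "location not permitted"
        if rule.hours and not (rule.hours[0] <= now.time() < rule.hours[1]):
            return False, "outside business hours"
        return True, "rule matched"

# Constructed policy: personnel files only for HR, from the office, 09:00-17:00.
PERSONNEL = Rule("personnel_files", {"hr"}, {"office"}, (time(9, 0), time(17, 0)))
# The clerk gets the inquirer's record only until the phone transaction ends.
CLERK_GRANT = TransactionGrant("clerk1", "record:inquirer42", datetime(2007, 10, 1, 10, 15))
AC = AccessControl([PERSONNEL], [CLERK_GRANT])
```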

Technical Controls: Audit Trails
- Audit trail: series of records of computer events
- Auditing: review and analysis of management, operational, and technical controls
- Establishing audit trails helps to establish
  - Individual accountability
  - Reconstruction of events
  - Intrusion detection
  - Problem analysis
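Two of the uses above, intrusion detection and reconstruction of events for individual accountability, run over a small audit trail; this also covers the help-desk case earlier on the page, where a burst of failed logins points to password guessing. Added example, not from the slides; the log format, users and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not from the slides): one record per event.
AUDIT_TRAIL = """\
2007-10-01T08:59:10 user=alice event=login result=success src=10.0.0.5
2007-10-01T09:14:02 user=alice event=read object=payroll.db result=success src=10.0.0.5
2007-10-01T23:02:11 user=bob event=login result=failure src=198.51.100.7
2007-10-01T23:02:13 user=bob event=login result=failure src=198.51.100.7
2007-10-01T23:02:15 user=bob event=login result=failure src=198.51.100.7
2007-10-01T23:02:18 user=bob event=login result=failure src=198.51.100.7
2007-10-01T23:02:21 user=bob event=login result=failure src=198.51.100.7
2007-10-01T23:03:40 user=bob event=login result=success src=198.51.100.7
2007-10-01T23:04:05 user=bob event=read object=payroll.db result=success src=198.51.100.7
"""

def parse(trail):
    """Turn each line into a dict; the timestamp is kept as a datetime."""
    records = []
    for line in trail.splitlines():
        ts, rest = line.split(" ", 1)
        rec = dict(kv.split("=", 1) for kv in rest.split())
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def failed_login_bursts(records, threshold=5, window=timedelta(minutes=1)):
    """Intrusion detection: alert when one (user, src) fails login `threshold`
    times inside `window`. Returns a list of (user, src, time of alert)."""
    alerts, recent = [], defaultdict(list)
    for r in records:
        if r["event"] != "login" or r["result"] != "failure":
            continue
        q = recent[(r["user"], r["src"])]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:       # drop failures outside the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.append((r["user"], r["src"], r["ts"]))
            q.clear()                        # one alert per burst
    return alerts

def reconstruct(records, user):
    """Accountability / reconstruction: the ordered actions attributed to one user."""
    return [(r["ts"].isoformat(), r["event"], r.get("object", "-"), r["result"])
            for r in records if r["user"] == user]

def report(trail=AUDIT_TRAIL):
    recs = parse(trail)
    return {"alerts": failed_login_bursts(recs), "bob": reconstruct(recs, "bob")}
```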

Technical Controls: Cryptography
- Tool to establish C, I, & A
- Relies on technology and key management