
CSCE 548 Security Standards Awareness and Training



    1. CSCE 548 Security Standards Awareness and Training

    2. Cyber Attacks (CSCE 548 - Farkas 2)
    Take advantage of weaknesses in:
    - Physical environment
    - Computer system
    - Software bugs
    - Human practices
    Need to identify, remove, and tolerate vulnerabilities

    3. Secure Programs
    - How do we keep programs free from flaws?
    - How do we protect computing resources against programs that contain flaws?

    4. What is Secure?
    - Characteristics that contribute to security: who defines the characteristics?
    - Assessment of security: what is the basis for the assessment?
    - IEEE Standard for Software Verification and Validation, 2005: bug, error, fault, ...

    5. Proof of Program Correctness
    Correctness: a given program computes a particular result, computes it correctly, and does nothing beyond what it is supposed to do.
    Program verification:
    - Initial assertion about the inputs (precondition)
    - Checking that the desired output is generated (postcondition)
    Problems: correctness depends on how the program statements are translated into logical implications; the techniques are difficult to use and not intuitive; the discipline is less developed than code production
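The three parts of the correctness definition above (the right result, computed correctly, and nothing beyond it) can be made concrete as executable pre- and postconditions. The following is an added example, not code from the slides or from any standard: a bounded buffer copy modelled on Python lists, with an input assertion, an output check, and a frame condition for "does nothing beyond". The function and variable names (bounded_copy, verify_copy, and so on) and the deliberately wrong off-by-one variant are illustrative assumptions.

```python
"""Precondition/postcondition checking for a bounded buffer copy.

Added example (not from the slides): buffers are Python lists standing in
for fixed-size memory, so an out-of-bounds write either raises IndexError
or lands in the part of `dst` that the copy was not supposed to touch.
"""
from typing import Callable, List, Tuple

Buffer = List[int]


def bounded_copy(dst: Buffer, src: Buffer, n: int) -> None:
    """Copy the first n elements of src into dst, in place. (correct version)"""
    for i in range(n):
        dst[i] = src[i]


def bounded_copy_off_by_one(dst: Buffer, src: Buffer, n: int) -> None:
    """Deliberately wrong: copies n+1 elements, the classic `<=` loop bound."""
    for i in range(n + 1):
        dst[i] = src[i]


def pre(dst: Buffer, src: Buffer, n: int) -> bool:
    """Initial assertion about the inputs: n must fit inside both buffers."""
    return 0 <= n <= len(src) and n <= len(dst)


def post(dst_before: Buffer, dst_after: Buffer, src: Buffer, n: int) -> bool:
    """Desired output: first n elements copied, and nothing beyond changed."""
    copied = dst_after[:n] == src[:n]
    untouched = dst_after[n:] == dst_before[n:]   # frame condition
    return copied and untouched


def verify_copy(copy_fn: Callable[[Buffer, Buffer, int], None],
                dst: Buffer, src: Buffer, n: int) -> Tuple[bool, str]:
    """Check {pre} copy_fn(dst, src, n) {post} on one concrete input.

    Returns (ok, reason). This is a runtime check of one execution, not a
    proof: a proof would have to show the postcondition follows from the
    precondition for every input, by reasoning about the loop itself.
    """
    if not pre(dst, src, n):
        return False, "precondition violated"
    before = list(dst)   # snapshot so the frame condition can be checked
    work = list(dst)     # the copy operates on its own buffer
    try:
        copy_fn(work, src, n)
    except IndexError as exc:
        return False, f"crashed: {exc}"
    if work[:n] != src[:n]:
        return False, "wrong result"
    if work[n:] != before[n:]:
        return False, "modified memory beyond the copied region"
    return True, "verified"


if __name__ == "__main__":
    # Constructed sample buffers: an 8-slot zeroed destination and 1..8 source.
    src = list(range(1, 9))
    for fn in (bounded_copy, bounded_copy_off_by_one):
        for n in (4, 8, 9):
            print(fn.__name__, n, verify_copy(fn, [0] * 8, src, n))
```

With n = 4 the off-by-one variant produces the correct first four elements, so an output check alone would pass it; only the frame condition reports that it wrote one slot past the region it was asked to copy. With n = 8 the same bug reads past the end of src and the run is reported as a crash. The precondition rejects n = 9 before either function runs. The slide's caveat applies here: verify_copy checks one execution per input, whereas a proof must translate the loop into a logical implication that holds for all inputs satisfying pre.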

    6. Standards of Program Development
    Software development organizations: specified software development practices
    Administrative control over:
    - Design
    - Documentation, language, coding style
    - Programming
    - Testing
    - Configuration management

    7. Process Management
    - Human aspects: difficult to judge in advance
    - How do we assure that software is built in an orderly manner and that this leads to a correct and secure product?
    - Process models: examine how an organization does something


    9. National Training Standards
    Committee on National Security Systems (CNSS) and the National Security Agency (NSA) -> National Training Standards:
    - NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
    - CNSSI-4012, National Information Assurance Training Standard for Senior Systems Managers (SSM)
    - NSTISSI-4013, National Information Assurance Training Standard for System Administrators (SA)
    - NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
    - NSTISSI-4015, National Training Standard for Systems Certifiers (SC)
    - CNSSI-4016, National Information Assurance Training Standard for Risk Analysts (RA)

    10. National Standards and Certifications

    11. NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
    Provides the minimum course content for the training of information systems security (INFOSEC) professionals in the disciplines of telecommunications security and automated information systems (AIS) security.

    12. NSTISSI-4011
    - National Security Telecommunications and Information Systems Security Directive No. 501 establishes the requirement for federal departments and agencies to implement training programs for INFOSEC professionals.
    - INFOSEC professionals: responsible for the security oversight or management of national security systems during phases of the life cycle

    13. NSTISSI-4011 Training Standards: two levels
    "Awareness Level: Creates a sensitivity to the threats and vulnerabilities of national security information systems, and a recognition of the need to protect data, information and the means of processing them; and builds a working knowledge of principles and practices in INFOSEC."

    14. Awareness-level Instructional Content
    - Behavioral Outcomes
    - Topical Content

    15. Program of Instructions
    a. COMMUNICATIONS BASICS (Awareness Level)
    b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS (Awareness Level)
    c. SECURITY BASICS (Awareness Level)
    d. NSTISS BASICS (Awareness Level)
    e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)
    f. NSTISS PLANNING AND MANAGEMENT (Performance Level)
    g. NSTISS POLICIES AND PROCEDURES (Performance Level)

    16. Information Systems Security Model
    - Acknowledges information, not technology, as the basis for our security efforts
    - The actual medium is transparent
    - Eliminates unnecessary distinctions between Communications Security (COMSEC), Computer Security (COMPUSEC), Technical Security (TECHSEC), and other technology-defined security sciences
    - Can model the security-relevant processes of information throughout an entire information system

    17. Security Model (figure)

    18. Performance Level
    - Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices
    - Employees are able to apply security concepts while performing their tasks

    19. Meeting National Standards at USC
    Current certifications:
    - NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
    - NSTISSI-4013, National Information Assurance Training Standard for System Administrators (SA)
    - NSTISSI-4014, Information Assurance Training Standard for Information Systems Security Officers (ISSO)
    Courses to take: CSCE 522, CSCE 715, CSCE 727

    20. Government and Industry Certifications

    21. Computer Security Certifications
    International Information Systems Security Certification Consortium, (ISC)2:
    - CISSP: Certified Information Systems Security Professional
    - ISSAP: Information Systems Security Architecture Professional
    - ISSEP: Information Systems Security Engineering Professional
    Computing Technology Industry Association (CompTIA):
    - Security+ (2008): security topics, e.g., access control, cryptography, etc.
    Information Systems Audit and Control Association (ISACA):
    - CISA: Certified Information Systems Auditor
    - CISM: Certified Information Security Manager

    22. Certified Information Systems Security Professional (CISSP)
    - June 2004: the CISSP program earned ANSI accreditation under ISO/IEC Standard 17024:2003
    - Formally approved by DoD in the Information Assurance Technical (IAT) and Managerial (IAM) categories
    - Has been adopted as a baseline for the U.S. National Security Agency's ISSEP program

    23. CISSP - Common Body of Knowledge
    Based on the CIA triad. Ten areas of interest (domains):
    - Access Control
    - Application Security
    - Business Continuity and Disaster Recovery Planning
    - Cryptography
    - Information Security and Risk Management
    - Legal, Regulations, Compliance and Investigations
    - Operations Security
    - Physical (Environmental) Security
    - Security Architecture and Design
    - Telecommunications and Network Security

    24. Specialized Concentrations
    - Information Systems Security Architecture Professional (ISSAP): concentration in Architecture
    - Information Systems Security Engineering Professional (ISSEP): concentration in Engineering
    - Information Systems Security Management Professional (ISSMP): concentration in Management

    25. Other (ISC)2 Certifications
    - SSCP: Systems Security Certified Practitioner
    - CAP: Certification and Accreditation Professional
    - CSSLP: Certified Secure Software Lifecycle Professional

    26. Security Engineering

    27. Security Process Models
    - Capability Maturity Model (CMM): addresses organizations, not products
    - ISO 9001: similar to CMM
    - U.S. NSA: Systems Security Engineering CMM (SSE-CMM)

    28. SSE-CMM
    Aims to advance the security engineering discipline. Goals:
    - Enable the selection of qualified security engineering providers
    - Support informed investment in security engineering practices
    - Provide capability-based assurance

    29. Maturity Levels
    - Define an ordinal scale for measuring and evaluating process capability
    - Define incremental steps for improving process capability

    30. Capability Levels (the five maturity levels of the software CMM, with their key process areas)
    - Initial
    - Repeatable: requirements management, software project planning, software project tracking and oversight, software quality assurance, etc.
    - Defined: organization process focus, organization process definition, training program, integrated software management, software product engineering, etc.
    - Managed: quantitative process management, software quality management
    - Optimizing: defect prevention, technology change management, process change management

    31. Maturity Levels (the SSE-CMM capability levels)
    - Performed informally: base practices, ad-hoc process, success depends on individual effort
    - Planned and tracked: plan, track and verify performance; disciplined performance
    - Well defined: define and perform a standard process; coordinate practices
    - Quantitatively controlled: establish measurable quality goals; objectively manage performance
    - Continuously improving: improve organizational capability; improve process effectiveness

    32. Security Engineering Process Areas
    - Administer System Security Controls
    - Assess Operational Security Risk
    - Attack Security
    - Build Assurance Argument
    - Coordinate Security
    - Determine Security Vulnerabilities
    - Monitor System Security Posture
    - Provide Security Input
    - Specify Security Needs
    - Verify and Validate Security

    33. Evaluation
    Phases:
    - Planning phase: scope and plan
    - Preparation phase: prepare evaluation team and questionnaire, collect evidence, analyze results
    - On-site phase: interview, establish findings, rating, report
    - Post-evaluation phase: report findings and needs for improvement, manage results
    Use of evaluation: organizations selecting developers to hire

    34. Problems with SSE-CMM
    - Does not guarantee good results
    - Need to ensure uniform evaluation
    - Need a good understanding of the model and its use
    - Does not eliminate the need for testing and evaluation
    - No guarantee of assurance

    35. National Security

    36. National Security and IW
    U.S. agencies responsible for national security: large, complex information infrastructure
    Defense information infrastructure supports:
    - Critical war-fighting functions
    - Peacetime defense planning
    - Information for logistical support
    - Defense support organizations
    Need proper functioning of the information infrastructure: the "Digitized Battlefield"

    37. National Security and IW
    Increased reliance on information infrastructure:
    - Information dominance
    - Unmanned weapons
    - Communication infrastructure
    - Vital human services (e.g., transportation, law enforcement, emergency, etc.)
    Heavily connected to commercial infrastructure: 95% of DOD's unclassified communication goes via public networks
    No boundaries, cost effectiveness, ambiguity

    38. Strategic Warfare (SW)
    - Cold War: "single class of weapons delivered at a specific range" (Rattray), e.g., use of nuclear weapons with intercontinental range
    - Current: "variety of means ... can create 'strategic' effects, independent of considerations of distance and range."
    - Center of gravity: those characteristics, capabilities, or sources of power from which a military force derives its freedom of action, physical strength, or will to fight (DOD)

    39. Strategic Information Warfare (SIW)
    "...means for state and non-state actors to achieve objectives through digital attacks on an adversary's center of gravity." (Rattray)

    40. Strategic Warfare vs. SIW
    - Similar challenges
    - Historical observation: centers of gravity are difficult to damage because of resistance and adaptation

    41. Dimensions of Strategic Analysis
    Threads:
    - Need to relate means to ends
    - Interacting with an opponent capable of independent action
    Distinction between:
    - "Grand Strategy": achievement of the political object of the war (includes economic strength and manpower, financial pressure, etc.)
    - "Military Strategy": gaining the object of the war (via battles as means)

    42. Necessary Conditions for SW
    - Offensive freedom of action
    - Significant vulnerability to attack
    - Prospects for effective retaliation and escalation are minimized
    - Vulnerabilities can be identified and targeted, and damage can be assessed

    43. SIW
    Growing reliance -> new target of concern:
    - Commercial networks for crucial functions
    - Rapid change
    - Widely available tools
    Significant uncertainties:
    - Determining political consequences
    - Predicting damage, including cascading effects
