Mike [email protected]
Information Assurance (IA) What Every Manager Should Know
5 March 2008
Presented by the IA Technical Authority
SecureIT - 2008 conference
“EASY” button
Statement A: Approved for public release; distribution is unlimited (10 JANUARY 2008)
What’s Wrong With This Picture?
What level of security is provided here? I couldn’t get through the gate because it was completely locked. It was properly installed and configured. I could not get through it. But....
Summary (Preview)
“Gotchas”
• “Assuming” you don’t need IA (standalone, have a firewall, etc.)
• Not adding in IA cost, schedule and performance
Major resources
• https://infosec.navy.mil/
• http://iase.disa.mil/
• http://www.sse-cmm.org/lib/lib.asp
KEY success elements
• Build IA in up front (requirements, ISSE, SEP, ISP, IAS, TEMP, etc.)
• Start C&A early (C&A plan, CRR)
• Risk management, risk management, risk management
• CAC cards needed
You will be, or already are, penetrated – are you prepared?
What is Information Assurance (IA)?
“Measures that Protect and Defend Information and Information Systems by Ensuring Their Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by Incorporating Protection, Detection, and Reaction Capabilities.”
• Availability – Timely, Reliable Access to Data and Information Services for Authorized Users
• Integrity – Quality of Information System Reflecting Logical Correctness and Reliability of Operating System
• Authentication – Security Measure Designed to Establish Validity of Transmission, Message, or Originator
• Confidentiality – Assurance that Information is Not Disclosed to Unauthorized Entities or Processes
• Non-Repudiation – Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity
DATA is your most critical asset – is it adequately protected?
IA is a Critical National Issue
Presidential Decision Directive 63 (May 1998)
“… a national effort to ensure the security of the increasingly vulnerable and interconnected infrastructure of the United States, especially the cyber-based infrastructure.”
Many companies are part of CIP in some manner – are you ready?
Why is IA so Important?
The Threat is Real, Pervasive, and Increasing
• We all operate in a highly interactive environment: global networks, interconnected applications and services, powerful computing devices
• Components routinely interact with other services, governments, allied/coalition partners, agencies, commercial partners
• Incident trend increasing – NCDOC reported 1,540 confirmed incidents between Jun 06 and Jun 07
• CND activities: Cyber Asset Reduction and Security (CARS) – response to recent DoD-wide incidents
• Effective training (DoD 8570.01-M)
Secure Enough?
UNCLASSIFIED
Appearances of security can be deceiving, have hidden effects
Defense-in-Depth
But at what level - which methods, capabilities MUST we have?
IA is an Enabler for all IT/IS
We count on Information Superiority to improve combat effectiveness: Full Spectrum Dominance, Network Centric Warfare.
IA enables Information Superiority in a network-centric paradigm: a global secure, interoperable network with state-of-the-art protection for the information infrastructure.
[Figure: Information Assurance pillars – Trusted Applications, Secure Networks, Dynamic Operations, Trained Workforce]
[Figure: Naval Transformation (Power Projection, Precision Engagement, Focused Logistics, Assured Access) → Network Centric Warfare (Info Sharing, Virtual Collaboration, Streamlined Planning, Better Awareness) → Information Superiority (Decision Superiority, Knowledge Management, Uninterrupted Info Flow, Integrated C4ISR)]
IA must protect, but not encumber the user
Who’s Against Us?
• Espionage & Sabotage
• Disasters & Accidents
• Passive Intercept Attacks
• Malicious Outsider Attacks
• Insider Attacks
• Hardware/Software Distribution Attacks
EVERYONE – Especially criminals “for their profit / your loss”
Threat Vectors (review – note MOST are operational, not technical *)
Source: Insider (unintentional or intentional)
• Poorly trained administrator
• Accidents
• Lazy or untrained employee
• Fired employee
• Disgruntled employee
• Subverted employee
• Service providers
• Contractors
Source: Outsider (intentional)
• Foreign intelligence agents
• Terrorists
• Criminals
• Corporate raiders
• Crackers
Source: Natural
• Fires
• Floods
• Power failures
* Lack of adequate “CM” (including usable, reportable audits) is “THE” main IA control most often not met
Some Sources of Threat (we have met the enemy, and they are us… ;-(( )
[Chart: Top 10 Incident Source Countries – US, China, Japan, Canada, France, Italy, UK, Taiwan, South Korea, Germany]
[Chart: Threats Resulting from Crime or Loss – Natural and Physical, Unintentional, Intentional; shares shown as 55%, 25%, 20%. Source: Computer Security Institute]
Example: IAVA 2006-A-0012 – MS Office vulnerability. Impact: an attacker can use it to create new accounts with the rights of the logged-in user.
Your Risk Management Plan should address ALL of this
Attack Sophistication is on the Rise
• Increased speed and automation
• Increased sophistication
• Attacks are increasingly asymmetric
• Increased threats from infrastructure attacks
Asymmetrical cyber warfare – we fix many holes, they find one
Statutes
Clinger-Cohen Act (CCA), 1996 – Requires an Information Assurance strategy consistent with the Department’s Global Information Grid
Government Information Security Reform Act (GISRA), 2000 – Requires federal agencies to assess the security of their non-classified information systems and to provide risk assessment and report the security needs of all systems
Federal Information Security Management Act (FISMA), 2002 – Requires each agency to develop, document, and implement an agency-wide information security program
IT Security policy recently incorporated into FAR
OMB Circular A-130, 2000 – Establishes a minimum set of controls to be included in Federal automated information security programs
There are mandates, laws, acts, regulations we MUST follow
Directives and Instructions
DoDD 8500.1 – Information Assurance (IA), Oct 02
DoDI 8500.2 – IA Implementation, Feb 03
DoDI 8580.1 – IA in the Defense Acquisition System, July 04
DoDD 5000.1 – The Defense Acquisition System, May 03
DoDI 5000.2 – Operation of the Defense Acquisition System, May 03
DoDI 8510.01 – DoD Information Assurance Certification and Accreditation Process (DIACAP), Nov 07
DoDI 5200.40 – DITSCAP, Dec 97
Other references in backup – DIACAP is now the one!
Serious Recognition of CyberCrime
Federal Criminal Code Related to Computer Crime
• 18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices
• 18 U.S.C. § 1030. Fraud and Related Activity in Connection with Computers
• 18 U.S.C. § 1362. Communication Lines, Stations, or Systems
• 18 U.S.C. § 2511. Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited
• 18 U.S.C. § 2701. Unlawful Access to Stored Communications
• 18 U.S.C. § 2702. Disclosure of Contents
• 18 U.S.C. § 2703. Requirements for Governmental Access
Other related crimes
• Copyright Offenses – 17 U.S.C. 506, 18 U.S.C. 2319, 18 U.S.C. 2318
• Copyright Management Offenses – 17 U.S.C. 1201, 17 U.S.C. 1202, 17 U.S.C. 1203, 17 U.S.C. 1204, 17 U.S.C. 1205
• Bootlegging Offenses – 18 U.S.C. 2319A
• Trademark Offenses – 18 U.S.C. 2320
• Trade Secret Offenses – 18 U.S.C. 1831, 18 U.S.C. 1832, 18 U.S.C. 1833, 18 U.S.C. 1834, 18 U.S.C. 1835, 18 U.S.C. 1836, 18 U.S.C. 1837, 18 U.S.C. 1838, 18 U.S.C. 1839
• Offenses Relating to the Integrity of IP Systems – 17 U.S.C. 506(c-d), 17 U.S.C. 506(e), 18 U.S.C. 497, 35 U.S.C. 292
• Offenses Relating to the Misuse of Dissemination Systems – 18 U.S.C. 1341, 18 U.S.C. 1343, 18 U.S.C. 2512, 47 U.S.C. 553, 47 U.S.C. 605
LOTS of laws, many more crimes!
IA covers more than Networks
• Land-mobile radio cryptographic and key management systems (high and medium assurance)
• SONAR buoy and other disposable sensor clandestine communications
• Aircraft wireless intercom systems
• Software cryptography (medium & basic assurance)
• Software anti-tamper systems
• RF identification devices (RFID) security
• OPSEC/COMSEC monitoring systems (i.e., email monitoring software)
• Spectrum management inclusion of TRANSEC
• Emanations security (TEMPEST and other vulnerability assessments)
• VoIP integration with E-911 services
• Security markings standards & software
• Open Source software security (freeware and shareware)
• Secure CHAT (XMPP) systems
WE need an enterprise “protections” risk management approach
Complex needs, complex systems, complex security
GIG IA Protection Strategy Evolution
Static “Perimeter” Protection Model – Common level of Information Protection provided by System High Environment
• Manual Review to Release Information Classified at Less than Sys-high
• Manual Analysis and Procedures determine allowed interconnects
• Information “authority” determines required level of protection (QoP) for the most sensitive information in the sys-high environment – high water mark determines IT/IA/“Comms” Standards for all information
• Privilege gained by access to environment and rudimentary roles
• Common User Trust Level (Clearances) across sys-high environment
Transactional “Enterprise IA” Protection Model – Required level of Information Protection “Specified” for each Transaction
• Automated mechanisms allow information to be Shared (“Released”) when users/devices have proper privilege and Transaction can meet QoP requirements
• Information “authority” determines required level of end-to-end protection (QoP) required to access information – translates to a set of IT/IA/“Comms” Standards that must be met for the Transaction to occur
• Privilege assigned to user/device based on operational role and can be changed
• User Trust Level sufficient across Transaction/COI – varies for enterprise
We will be loosely connected, sharing information – and protected?
PMW 160
[Org chart: PMW 160 and its sub-programs]
• PMW 160.1: Afloat Networks – ISNS/PC, SCN Implementation, SCI Networks, SubLAN, CENTRIXS, PPL / SSIL
• PMW 160.2: CRYPTO & Key Management – CMPO, Crypto Products, EKMS and KMI, KG-3X APM, KG-40AR & MLCS, PKI, Secure Voice
• PMW 160.3: Messaging – DMS, DEBS / NREMS, Legacy Systems, Tactical Messaging / NAVMACS
• PMW 160.4: Network Security – CND, CDS JCDX, Radiant Mercury, CDS Boundary
• PMW 160.5: Future Enterprise Networking – CANES, ADNS and VIXS, CANES Core Services, COMPOSE, Network Management: PLM Tool / EMIO, Interior Communications
PEO C4I provides most IA/Security for the fleet
Program Management Warfare (PMW) 160 is the Navy IA Acquisition agent – the local US Navy IA/Security entity
Buying IA/Security products is “easy” – “CM” is really, really hard
Information Communities
• Unclassified Network (NIPRNET-like): voice (PSTN connection), audio/video, data streaming, data (as available), collaboration tools
• Classified Network (SIPRNET-like): voice (PSTN – STE/STU gateway), audio/video, data streaming, data (as available), collaboration tools
• Tactical Classified Network (SIPRNET-like): common sensor picture, tactical awareness/exchange, warfare profile/collaboration tools
• Intelligence Oriented Network (JWICS-like): INTEL picture/TACTICAL INTEL awareness, order of battle/warfare profile, collaboration tools
• Special Capabilities Network (SpecCap Net): weapons picture/control (SAP)
• TOP SECRET Exchange Area: all GENSER TS collaboration/messaging
• Coalition Nets, with SBU community-of-interest isolation
[Figure: information exchange between communities – “careful” info exchange with coalition nets and SBU, reliable & assured info exchange within the enterprise]
The Federal government has many levels of data classification and access control needs; so do you (public, admin, proprietary, business confidential, B2B, etc.)
What types and levels of data, hence security, do you NEED?
Systems Security Engineering Implementations
Computer Security (COMPUSEC) – Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware, and information being processed, stored, and communicated.
Communications Security (COMSEC) – Measures and controls taken to deny unauthorized individuals information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security (TRANSEC), emission security (EMSEC or TEMPEST), and physical security of COMSEC material.
Electronic Security (ELSEC) – Protection resulting from measures designed to deny unauthorized individuals information derived from the interception and analysis of non-communications electromagnetic radiations.
IA Across the Stack
[Figure: OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) mapped against security disciplines – COMSEC, ELSEC & EMSEC, COMPUSEC, SIGSEC/COMSEC Monitoring, Computer Network Sensors, Event Detect/Correlation, Event Response, Electronic Warfare, Computer Network Defense, Operations Security – grouped under Information Operations and Information Assurance]
** ISO/IEC 7498 – Open Systems Interconnection Reference Model
IA 10 Distinct Activities
• IA1 – Defend the Network & Infrastructure
• IA2 – Defend the Enclave Boundary
• IA3 – Defend the Computing Environment
• IA4 – Supporting Infrastructures
• IA5 – System Security Methodology
• IA6 – Security Management
• IA7 – Defensive Information Operations
• IA8 – Training and Awareness
• IA9 – Management and Operations
• IA10 – Tactical Environment
Defend the Network / Infrastructure
[Figure: Zone 2, Zone 3 and Zone 4 security – Workstation or Server → interconnect → Naval Communications & Networks (MAN, BAN, LAN) with Network Infrastructure Appliances → interconnect → Ship/Shore/Command Networks → interconnect → Network Operating Center → interconnect → Global Networks]
Network Defense Products/Services
• Crypto: High Assurance Type-1, Modular Crypto System, Imbedded Crypto, Unclassified Crypto (FIPS 140-2)
• Virtual Private Network
• High Assurance Guards
• Cross Domain Systems: Radiant Mercury
• Secure Voice Telephone and Tactical: STU, STE
• Secure Voice Gateways: Voice Over IP (VoIP)
• Wireless LAN
• Networks
Defend the Enclave Boundary
[Figure: layered enclave boundaries – Internet / DoD Defense Info Network → DISA Firewall and DISA Intrusion Detection → NIPRNET / DoD Global Information Grid → N/MCI Firewall and N/MCI Intrusion Detection → Navy Marine Corps Intranet → Ship/Shore Gateway Firewall, Router Block Filter and Fleet Enclave Intrusion Detection → Ship/Shore Enclave → Local Firewalls → USN User Enclaves (Group 1, Group 2, Group 3, Group N..) LAN]
Information Assurance Boundaries Extend Throughout the Enterprise – “Defense In Depth”
Computer Network Defense (CND) Shore and Afloat Infrastructure
• Extending the security boundaries beyond the NOC
• Comprehensive IA suite at all Fleet NOCs
• Defense in depth strategy at the afloat unit level
• Protection, detection, reaction capabilities end-to-end
[Figure: Computer Network Defense in Depth – DISN ↔ Trusted Navy Networks; Fleet NOC: Outer Security Screening Router, FW, Load Leveler, Packet Shaper, VPN, VSCAN, DNS, NIDS/IPS, Inner Security Screening Router, Fleet Router, NIF; afloat unit: Ship Router, Premise Router, Host with HIPS (HBSS), NIDS, IASM, Information Assurance Security Tools (SCCVI/SCRI), Host-Based Intrusion Protection Sensors, Network Intrusion Detection Sensor (Force Level Only); threats shown: External Attacks, Malevolent Insider]
Electronic Key Management System (EKMS): Architecture Overview
• EKMS provides: automated ordering, generation, distribution, and destruction of electronic KEY MATerial (KEYMAT); accounting for cryptographic items; and reduced risk of mishandling or compromising KEYMAT
HIDS: Host Based Intrusion Detection
Operational Strategy
• Provide the ISSM IDS Afloat
• RealSecure Host Based Intrusion Detection System (HIDS) on All ISNS Servers
• Address the Insider Threat
Implementation Strategy
• COTS With Central Management
• Hierarchical and Auditing
• Installed on All ISNS Servers and High Value Workstations
• Detects Attempted Attacks on the Targeted Platform
Accomplishments and Efforts
• IT-21 Interoperability Test and Evaluation Completed
• Request for Addition to the Preferred Products List Underway
[Figure: Ethernet LAN with existing servers and an ISNS IT21 workstation running the RealSecure Workgroup Manager]
• Install RealSecure Server Sensor on existing IT21 ISNS servers and other high value shipboard servers.
• Install RealSecure Workgroup Manager on the same LAN as the servers to be protected but do not join the Windows domain.
• The RealSecure Workgroup Manager would have the following capabilities installed: RealSecure Console, Asset Database, Event Collector, Enterprise Database.
Supporting Infrastructures
Defensive Information Operations (IO)
[Figure: Information Assurance Common Operating Picture / Common Intrusion Detection Framework – GCCS IA COP, DII INFOCON, Red Team; CINCs (EUCOM, SPACECOM, STRATCOM, TRANSCOM, SOCOM, SOUTHCOM, PACOM, ACOM, CENTCOM); Components (ARFOR, NAVFOR, AFFOR, MARFOR); DISA-GOSC, CYBERWATCH; Intel (INTELINK, NSIRC, MID, WATCHCON); NMCC]
IO = CNE + CNA + EW + OPSEC
Certification and Accreditation (C&A) Terminology
Certification: “Comprehensive evaluation of the technical and non-technical security features of an Automated Information System (AIS) and other safeguards, made in support of the accreditation process to establish the extent to which a particular design and implementation meets a set of specified security requirements.” **
Accreditation: “Formal declaration by a Designated Approving Authority (DAA) that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.” *
* CNSS No. 4009, National Information Systems Security (INFOSEC) Glossary
** DoDI 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 12/30/97
These terms often get interchanged, not well understood
USN Compliance Roadmap
• OPNAVINST 5239.1B – Navy Information Assurance (IA) Program, Nov 9, 1999
• SECNAVINST 5239.3A – Department of the Navy Information Systems Security (INFOSEC), Dec 20, 2004
• DODI 8500.2 – Information Assurance Implementation, Feb 6, 2003
• DODD 8500.1 – Information Assurance, Oct 24, 2002
• OMB Circular A-130, Management of Federal Information Resources – Appendix III, Security of Federal Automated Information Resources
• DCID 6/3 – Protecting Sensitive Compartmented Information Within Information Systems, June 5, 1999
Path is well established, yet programs have a hard time following, complying
DITSCAP / DIACAP Roles and Responsibilities
• Designated Approving Authority (DAA) – Formally assumes responsibility for operating a system at an acceptable level of risk (often said they have 51% of the vote)
• Program Manager (PM) (or System Manager – SM) – Responsible for the overall procurement, development, integration, modification, or operation and maintenance of the IT system
• Senior IA Official (SIAO) – Establish and enforce C&A process, act as or delegate CA oversight
• Certification Authority (CA) – Responsible for making a technical judgment of the system’s compliance with stated requirements, assessing the system’s security risk, and coordinating certification activities
• DoD IS User Representative (UR) – Represents the user community in defining operational requirements
• IA Managers (IAMs) – Support PM/SM, provide C&A status, direction to IAOs
DIACAP Process
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a dynamic, information assurance (IA) certification and accreditation (C&A) process that supports and complements the net-centric, Global Information Grid (GIG)-based environment.
The DIACAP establishes a standard process for:
• Identifying, implementing, and validating standardized IA Controls
• Authorizing the operation of DoD information systems
• Managing an IA posture across the DoD information system life cycle
The core activities of the DIACAP are consistent with DoDD 8500.1, DoDI 8500.2, DoDI 8580.1, the acquisition life cycle requirements of DoDD 5000.1 and DoDI 5000.2, FISMA security requirements, Appendix III of OMB A-130, industry best practices, and lessons learned.
(DoDI 8510.01 supersedes the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) (defined in DoDI 5200.40 and DoD 8510.1-M).)
DIACAP Process
“C&A” – Now more automated, IA controls based, but still a pain…
DoDD 8500.1
• IA requirements shall be included in all information system acquisitions or upgrades
• IA shall be “a visible element of all investment portfolios” including competitively-sourced IS
• All DoD IS shall be assigned an appropriate Mission Assurance Category
• Community risk shall be assessed and measures taken to mitigate that risk prior to interconnecting systems
• All DoD IS shall be certified and accredited IAW 5200.40
• All IA or IA-enabled IT must be validated in compliance with NSTISSP 11
• Systems enabling coalition operations shall be approved by the responsible Combatant Commander and DAAs
One of the government's major IA / C&A directives
NSTISSP 11
Mandates the use of Common Criteria evaluated products in national security systems for IA or IA-Enabled products/systems
• IA Products: Firewall, Virtual Private Network (VPN), Intrusion Detection Systems (IDS), Anti-Virus
• IA Enabled Products: Operating Systems (e.g., NT, XP, Linux), Database Management systems, Network Management systems, Web Browsers (e.g., Netscape or IE)
Another major technical reference to understand
QDR Identified IA Gaps
• Trusting the Edge – Distributed Trust Model (nodes and users); High assurance platforms
• Security Management Infrastructure – Automated and adaptable dynamic policy applications; Risk adaptive access control
• Secure mobility for future GIG warfighter networks – Wireless security architectures; Authenticated users/devices
• Assured Information Sharing – Cross Domain Solutions
• Situational Awareness and Response/Enterprise Health – Node-based situational assessment; Automated network reconfiguration, recovery, and reconstitution
What our senior leadership thinks is lacking (circa 2006)
Acquisition perspective on IA issues
• Lack of overall IA compliance
• Minimal C&A effectiveness (can’t inspect in security)
• IA / CND products need modernization / evolution
• IA designed in better – SETR process
• Need an Enterprise Risk Management approach
• Lack of an IA Master Plan / Strategy
• Poor IA/Security configuration management
• Need more enterprise IA/Security solutions
• IA training at all levels… lacking
• PEO / PMW IAM guidance
• Install process cumbersome, non-user-friendly
Sound familiar – you have them, are resolutions in work?
IA/Security Axioms to consider / accommodate / educate
Security and complexity are often inversely proportional.
Security and usability are often inversely proportional.
Good security now is better than perfect security never.
A false sense of security is worse than a true sense of insecurity.
Your security is only as strong as your weakest link.
It is best to concentrate on known, probable threats.
Security is an investment, not an expense.
IA / Security “Best Practices”
Best practices are not a panacea, complete or what YOU need to do
• Do you even know your business protection needs? Do you have a current asset inventory?
• Determine what is “good enough” or “minimally acceptable”
• Quantify your environment’s threats and vulnerabilities – your list should have 10 – 50 or so threats assessed
• Have a security policy that’s useful, complete, VIP endorsed – yes, that’s HAVE A POLICY, choose a model, then enforce it too!
• Run self-assessment on security measures (use accepted tests, STIGs, etc.) and compliance (HIPAA, PCI, CFR, SOX, etc.)
• Training and awareness programs – needed, but not a black hole
• TEST your continuity, recovery plans, backup – can you restore?
• Encrypt where you can (do you need it for: IM, chat, e-mail, file transfer, online meetings, storage, backup, etc.)
• Be familiar with the “NIST” IA/Security series – they are great!
• Always use capabilities off the preferred products lists (PPLs)
• A risk management plan should roll all these into one effort
You can somewhat control what you plan, but get what you enforce…
43
Overall IA/Security Approach
ALL IA/security environments should include the below top-ten elements to ensure a well-integrated, effective, and “best value” data protection approach.
1 - Comprehensive security policy - must have, and strictly enforce, a rule set and execution process that accommodates dynamic priorities, compliance, auditing, leadership changes and enforcement methods, while detailing policy at the required levels with specific ownership.
2 - Distribute clear governance - technical, administrative and operational “chains of command” must be delineated, including rules of engagement and communication paths between them and all stakeholders.
3 - Build in defense-in-depth - maintain multiple protection fronts - operations center, gateway, network access control (NAC), desktop, storage centers, remote access, etc.
4 - Develop, maintain and follow a strategy and master plan - use an enterprise architecture to capture and track all requirements and capabilities.
5 - Strict configuration management - automated tracking and reporting to enable enforcement. You must have inventory knowledge that covers all elements: hardware, software and “settings” - a mis-configured system causes a false sense of security.
6 - Develop an effective tool suite - stress automation where possible, and KISS (keep it simple), for SLAs, testing, metrics, etc.
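Item 5 is the element most often claimed and least often demonstrated. The following Python check, added here as an example rather than code from the briefing, compares a declared baseline (hardware, software and settings per asset) against what an automated scan reported and treats every gap as a finding: a setting the scan did not report, a host that was never registered, and a registered host that did not answer. All hostnames, models, versions and setting names are constructed for illustration.

```python
# Added example (not from the briefing): a configuration-drift check that
# treats hardware, software and settings as one inventory, and treats
# "unknown" as a finding. Hostnames, models, versions and setting names
# below are constructed for illustration.

# Constructed baseline: what change control says each asset should be.
BASELINE = {
    "ws-001": {
        "hardware": {"model": "laptop-7440", "tpm": True},
        "software": {"os": "10.0.19045", "av-engine": "4.2.1"},
        "settings": {"screen-lock-seconds": 900, "failed-logon-lockout": 3,
                     "host-firewall": "on", "usb-storage": "blocked"},
    },
    "srv-db-01": {
        "hardware": {"model": "rack-r740", "tpm": True},
        "software": {"os": "8.6", "db": "15.2"},
        "settings": {"screen-lock-seconds": 600, "failed-logon-lockout": 3,
                     "host-firewall": "on", "remote-root-login": "no"},
    },
}

# Constructed scan output: ws-001 matches; srv-db-01 has drifted (screen
# lock disabled, remote-root-login no longer reported); ws-099 was never
# registered, so nobody knows what is on it.
OBSERVED = {
    "ws-001": {
        "hardware": {"model": "laptop-7440", "tpm": True},
        "software": {"os": "10.0.19045", "av-engine": "4.2.1"},
        "settings": {"screen-lock-seconds": 900, "failed-logon-lockout": 3,
                     "host-firewall": "on", "usb-storage": "blocked"},
    },
    "srv-db-01": {
        "hardware": {"model": "rack-r740", "tpm": True},
        "software": {"os": "8.6", "db": "15.2"},
        "settings": {"screen-lock-seconds": 0, "failed-logon-lockout": 3,
                     "host-firewall": "on"},
    },
    "ws-099": {
        "hardware": {"model": "unknown"},
        "software": {"os": "10.0.17763"},
        "settings": {"host-firewall": "off"},
    },
}

MISSING = "<missing>"
UNREGISTERED = "<not in baseline>"


def diff_asset(expected, actual):
    """Findings for one asset as (category, key, expected, observed) tuples.

    A setting the scan did not report is a finding, not a pass: silence is
    how a mis-configured box produces a false sense of security.
    """
    findings = []
    for category, keys in expected.items():
        reported = actual.get(category, {})
        for key, want in keys.items():
            got = reported.get(key, MISSING)
            if got != want:
                findings.append((category, key, want, got))
    # Anything on the box that the baseline never described is drift too:
    # the inventory no longer tells you what you are running.
    for category, keys in actual.items():
        for key, got in keys.items():
            if key not in expected.get(category, {}):
                findings.append((category, key, UNREGISTERED, got))
    return findings


def check_inventory(baseline, observed):
    """Return {host: [findings]} for every host in either data set."""
    report = {}
    for host, expected in baseline.items():
        if host not in observed:
            report[host] = [("inventory", "host", "present", "<not observed>")]
        else:
            report[host] = diff_asset(expected, observed[host])
    for host in observed:
        if host not in baseline:
            report[host] = [("inventory", "host", UNREGISTERED, "present")]
    return report


def compliant_hosts(report):
    """Hosts with no findings: the only ones you can honestly call configured."""
    return sorted(host for host, findings in report.items() if not findings)


if __name__ == "__main__":
    for host, findings in check_inventory(BASELINE, OBSERVED).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for category, key, want, got in findings:
            print(f"    {category}/{key}: expected {want!r}, observed {got!r}")
```

Run it and both the drifted server and the unregistered workstation are flagged. The unregistered host is the more dangerous finding: nothing in the baseline describes it, so no STIG, patch level or setting can be asserted about it at all.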
IA/Security is more leadership, strategic direction, than technical!
44
Overall IA/Security Approach
7 - Guard against major hacker entry points - stealing passwords, trojan horses, software defaults, man-in-the-middle attacks, numerous wireless vulnerabilities, social engineering (general awareness and PII info), using vulnerability research against you (zero day, etc.), phased attacks (slow, multi-level, methodical, engineered), lack of user education/awareness and apathy, un-enforced time-outs and failed access tries, and multiple insider threats (gain access as an employee), etc…
8 - Actively guard malware entry points / methods:
a - Monitor all web traffic - assess trends - on forums, file-sharing, blogs, corporate drives, portals, etc.
b - Use content filters - assess / scan ALL file types - zip, word, etc. - including uploaded files and instant messenger (and don’t trust file extensions, as “txt” can be renamed to “exe”) - prevent downloading executables, shareware, etc…
c - Block rogue URLs/inappropriate web sites dynamically and use URL filtering on both inbound and outbound traffic
9 - Test critical elements - continuity and recovery plans, training programs, compliance levels, key vulnerabilities, etc…
10 - Develop and periodically update an enterprise “protections” risk assessment. Always understand your current threats, vulnerabilities and impacts to business and warfighter effectiveness… Establish what is “good enough” or minimally acceptable… Minimize what you don’t know you don’t know…
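For item 8b above, the following Python script, added here as an example rather than code from the briefing, decides on the bytes rather than the filename: it recognizes a PE or ELF executable by its magic number whatever the extension, opens zip-based containers (including Office documents, which are zips) to look for executables or a VBA macro project, and refuses to inflate oversized members. The filenames, headers and archive contents are constructed test data; the signature bytes are the documented magic numbers for those formats.

```python
# Added example (not from the briefing): classify an upload by what the
# bytes are, not by what the filename claims, and look inside archives.
# All sample files below are constructed minimal headers, not real programs.
import io
import zipfile

# Documented magic numbers for the formats checked here.
MAGIC = [
    (b"MZ", "pe-executable"),                      # Windows PE / DOS stub
    (b"\x7fELF", "elf-executable"),                # Unix ELF
    (b"PK\x03\x04", "zip-archive"),                # zip, also docx/xlsx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls
    (b"%PDF", "pdf"),
    (b"\x1f\x8b", "gzip"),
]
EXECUTABLE = {"pe-executable", "elf-executable"}
MAX_MEMBER = 50 * 1024 * 1024   # refuse to inflate anything bigger (zip bombs)


def sniff(data: bytes) -> str:
    """Content type from the leading bytes; the extension is never consulted."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    if data and all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "text"
    return "unknown"


def inspect_zip(data: bytes) -> list:
    """Reasons to block an archive: executables inside, a VBA macro project,
    an unreadable structure, or members too large to scan safely."""
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["archive claims zip but cannot be parsed"]
    with archive:
        for info in archive.infolist():
            if info.file_size > MAX_MEMBER:
                reasons.append(f"member {info.filename} too large to scan")
                continue
            inner = sniff(archive.read(info.filename))
            if inner in EXECUTABLE:
                reasons.append(f"member {info.filename} is {inner}")
            if info.filename.lower().endswith("vbaproject.bin"):
                reasons.append("contains a VBA macro project")
    return reasons


def classify(filename: str, data: bytes) -> dict:
    """Decide allow/block for one upload; the name is reported, not trusted."""
    kind = sniff(data)
    reasons = []
    if kind in EXECUTABLE:
        reasons.append(f"content is {kind}, whatever the name says")
    elif kind == "zip-archive":
        reasons.extend(inspect_zip(data))
    return {"name": filename, "type": kind, "block": bool(reasons),
            "reasons": reasons}


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a renamed executable, real text, an archive hiding
# an executable, a macro-enabled document, and a harmless archive.
SAMPLES = {
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "readme.txt": b"Release notes for build 42\n",
    "invoice.zip": make_zip({"invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60}),
    "report.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/vbaProject.bin":
                             b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"}),
    "photos.zip": make_zip({"a.txt": b"hello"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = classify(name, data)
        print(f"{name:12s} {verdict['type']:15s} "
              f"{'BLOCK' if verdict['block'] else 'allow'} {verdict['reasons']}")
```

The size cap matters as much as the signatures: a content filter that inflates every member of every archive is itself a denial-of-service target, so an oversized member is reported and skipped rather than expanded.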
IA/Security is more leadership, strategic direction, than technical!
45
Online Services - INFOSEC Web Site
https://infosec.navy.mil/ https://infosec.navy.smil/
[Diagram: services offered on the site]
Anti-Virus
NCDOC
Fleet Internet Security Handbook
Advisories
Training
IA Publications and Policies
IAVM
“Ask The Expert” IA Bulletin Board
Help with INFOSEC Products & Services (i.e., VPN, FORTEZZA, Firewalls, Intrusion Detection, Secure Voice, EKMS, TEMPEST)
Customer Service
INFOSEC Chat
46
DISA IA Web Resources
http://iase.disa.mil/policy.html#Acquisition
47
IA/security resources
Main sites:
https://infosec.navy.mil/docs/index.jsp
https://www.fleetforces.navy.mil/netwarcom/navycanda.
http://iase.disa.mil/ditscap/
Other IA/Security sites:
https://www.us.army.mil/suite/portal/index.jsp
http://csrc.nist.gov/
http://www.nsa.gov/ia/index.cfm
http://www.iatf.net/
Other IA/Security sites (cont):
http://www.cert.org/
http://www.sse-cmm.org/lib/lib.asp
http://www.commoncriteriaportal.org/
http://www.amc.army.mil/amc/ci/matrix/policy/policy_new.htm
https://www.sans.org/about/sans.php
http://iac.dtic.mil/iatac/
http://www.cerias.purdue.edu/
http://security.sdsc.edu/
http://iase.disa.mil/stigs/index.html
Slide callouts: Great ISSE / SSE site; This site has almost everything you need; Great sites too; PPL sites in backup
48
Summary(Review)
“Gotchas”: “Assuming” you don’t need IA (standalone, have a firewall, etc…); not adding in IA cost, schedule and performance
Major resources: https://infosec.navy.mil/ http://iase.disa.mil/ http://www.sse-cmm.org/lib/lib.asp
KEY success elements: Build IA in up front (Requirements, ISSE, TEMP, etc.); Start C&A early (C&A plan, CRR); Risk Management, Risk Management, Risk Management
CAC cards needed, BUT much is on the CD ROM provided
[email protected] “EASY”button
49
BACKUP
50
Why Should You Care About IA?In a net-centric world, a risk taken by one is a risk shared by all
Without adequate IA/Security – our organizations will fail
51
Program Protection Overview (one perspective (Anti-Tamper))
[Diagram: the Program Protection Plan (PPP) at the top, fed by Critical Program Information (CPI) and Threat / Vulnerability / Risk analysis; countermeasure disciplines shown as building blocks: OPSEC, SCG, INFOSEC, PERSEC, PHYSEC, COMSEC, INFO ASSURANCE, SECED, SSE/AT, FOREIGN DISCLOSURE, PUBLIC AFFAIRS, TA/CP]
Building Blocks
Program Protection Planning: the overarching security process for an acquisition program
Critical Program Information: what to protect, “program unique”
Threat, Vulnerability & Risk Analysis
Countermeasures
Documents: PPP, SCG, OPSEC Plans (as needed), Policy (DoD, AF, NISPOM), Local Operating Instructions, Security Manuals, etc.
However you parse it, “IA” threads/interfaces are pervasive
52
Preferred Product Lists (PPL)
Generally programs should strive to use PPL devices / processes in building their systems. Other than the Type-1 COMSEC devices, which require individual certification letters held by the companies, the list below is probably the 90% solution without going to industry groups such as ICSA Labs.
NIST FIPS 140 certifications: http://csrc.nist.gov/groups/STM/cmvp/index.html
NIST algorithm certifications: http://csrc.nist.gov/groups/STM/cavp/index.html
NIAP/Common Criteria: http://niap.bahialab.com/cc-scheme/
DISA IASE: http://iase.disa.mil/index2.html
NSA IAD: http://www.nsa.gov/ia/index.cfm
NOTE - A PPL can range from algorithms to specific equipment configurations. For example, one radio might have FIPS approval when ordered using model number 123 and an NSA Type-1 certification when ordered using model number 456. The same is true for a router, IPS, ... Yet even if a device has a CC EAL-4 certification, you still need to ensure that the protection profile used and the security target meet your specific application.
53
Information “Protections” Overview (or why “IA” is so complex / hard…)
[Diagram: IA at the center, surrounded by CMI/KMI, CND, Policy, Training, C&A, Enterprise Risk Mgmt., IA Services, CA Support, Requirements, CIO/FISMA, Operations/IAMs, PKI/CAC, ID Mgmt, and “IO” / CNO (Defend, Attack, Exploit). The “Typical Acquisition part” is only one slice of the picture. P = hard IA product, p = soft IA product; many of each are scattered across all areas.]
Multiple players, multiple PEs/lines, multiple threats, multiple PMW/S/As
IA/Security strategy AND governance critical to success
54
USN IA Issues/Challenges
Rapidly evolving Navy threats/vulnerabilities to critical assets
• Crypto Modernization • Data exfiltration • Web-based threats
Technology evolution challenges fielding efforts
• Provide IA engineering to translate ForceNet capabilities into Computer Network Defense solutions • Installation processes - SHIPMAIN/FRCB
Integration and coordination between programs
• Remediation of system assets to meet standard baseline builds • Integration of IAVA/B • SSAA / C&A coordination • Verification of site security compliance • Certification & Accreditation (C&A) of systems
Training (at all levels, especially maintenance)
You too will have these challenges at some level
55
Navy Specific IA Policy Guidance
SECNAVINST 5239.3, DON Info. Sys. Security Program, and SECNAV Manual M-5239: basic policy/guidelines for security of National Security Systems
OPNAVINST 5239.1B, Navy IA Program: establishes policies and procedures for proper management and protection of information and information systems
Navy IA Publications Series 5239:
5239-01 Introduction to Information Systems Security
5239-02 Terms, Abbreviations, and Acronyms
5239-04 Information Systems Security Manager
5239-07 Information Systems Security Officers
5239-08 Network Security Officers
5239-10 Assessed Products List
5239-13 Introduction to C&A
https://infosec.navy.mil/Documents/doc?type=ia&tab=navyn
56
DITSCAP to DIACAP
The recent release of DoD interim guidance for the Defense Information Assurance Certification and Accreditation Program (DIACAP - DoDI 8510.01) supersedes DoDI 5200.40 (DITSCAP Instruction) and DoD 8510.1-M (DoD DITSCAP Application Manual).
However, Service-specific guidance has not been released. Currently signed DITSCAP Phase I, II, or III packages remain in DITSCAP. Navy programs remain in DITSCAP until DON CIO issues its guidance.
Joint programs are transitioning based on guidance from the lead Service.
Navy-specific guidance/transition point not finalized yet; everyone in DoD must develop DIACAP transition plans.
More can be found on the DISA web site at http://iase.disa.mil/ditscap/index.html
Navy-specific guidance and updates at https://infosec.navy.mil/ under the documentation tab
57
DoD IA Controls Subject Areas (Technical and Non-Technical)
Security Design & Configuration
Identification & Authentication
Enclave & Computing Environment
Enclave Boundary Defense
Physical & Environmental
Personnel
Continuity
Vulnerability & Incident Management
58
Mission Assurance Categories
MAC I – vital to operational readiness or mission effectiveness of deployed or contingency forces. Loss of integrity or availability unacceptable. Requires most stringent protective measures.
MAC II – important to the support of deployed or contingency forces. Loss of integrity unacceptable, unavailability tolerable only for short time. Require additional safeguards beyond best practices.
MAC III – necessary to conduct of day-to-day business. Protection commensurate with commercial best practices.
Confidentiality Levels
Level    Definition
High     Classified Information
Medium   Sensitive Information, Not Cleared for Public Release
Basic    Information Cleared for Public Release
MAC II and High level = 110 controls
59
Statutory & Regulatory Compliance SSEE
Federal Information Security Management Act (FISMA)
Privacy Act
Health Insurance Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
Government Paperwork Elimination Act (GPEA)
Information Technology Management Reform Act (Clinger-Cohen)
Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley)
E-Government Act
Computer Security Act
National Information Infrastructure Protection Act
Electronic Signature in Global and National Commerce Act
Financial Modernization Act of 1999 (Gramm-Leach-Bliley)
National Institute of Standards and Technology Act (as applies to IA certifications and broad agency standards)
Presidential Directive 24, "Telecommunications Protection Policy"
National Security Directive 145, ...
Executive Orders 12958, 12333, ...
Federal Criminal Codes Related to Computer Crime
Federal information protection and ownership statutes
DoD 85xx series Information Assurance directives
DoDD C-5200.5, Communications Security (COMSEC)
CJCSI 6510.01C - Information Assurance and Computer Network Defense
SECNAVINST 5239.3A, Department of the Navy Information Assurance (IA) Policy
OPNAVINST 5239.1B, Navy Information Assurance (IA) Program
60
PEO ACT Documents
Program Protection Plan (PPP): a PPP is only required for programs that have Critical Program Information (CPI). Established to identify and protect classified and other sensitive information from foreign intelligence collection or unauthorized disclosure.
Clinger-Cohen Act (CCA): CCA applies to programs containing Mission Critical (MC) or Mission Essential (ME) IT systems, including NSS. For additional information go to http://www.doncio.navy.mil/(0ojbauzpozuvmwek3mi0x1ug)/FolderDetail.aspx?ID=82&Rank=1
System Security Authorization Agreement (SSAA)
61
IA Roadmap Correlation to DoD 5000 Lifecycle
Establish an IA organization
Identify IA requirements
Develop an acquisition IA strategy
Secure resources for IA
Initiate DITSCAP
Incorporate IA solutions
Test and evaluate IA solutions
Accredit the system (IATOs/ATO)
Maintain the system’s security posture throughout its life-cycle
Note: An IATO may be required to support demonstrations, test events, and/or initial fielding
62
IA Roadmap Steps (the nine steps listed above), from http://www.eitoolkit.com/tools/initiation/info_assurance/02_ia_guide.doc
63
Navy DITSCAP Relationships
[Diagram: DAA, CA, Cert. Agents, PM, User Rep., NETWARCOM, SPAWAR 05; annotated “Resourced by PM” and “Resource Sponsor: default for PORs”]
Approval flow:
Request from the PM to the DAA via the CA
Certification Authority to the DAA
DAA to NETWARCOM
64
System Security Authorization Agreement (SSAA)
The SSAA documents: all requirements for accreditation; all security criteria; the DITSCAP plan; the system architecture; the C&A level of effort; the agreement among Government entities
65
DoDI 8500.2
E3.3.4. Information assurance shall be traced as a programmatic entity in the Planning, Programming, and Budgeting System (PPBS) and visibility extended into budget execution. Strategic IA goals and annual IA objectives shall be established according to the DoD Information Management Strategic Plan (reference (ai)), and funding and progress toward those objectives shall be tracked, reported, and validated.
66
DoD IA Controls
Combination No   MAC      Confidentiality   DoDI 8500.2 Enclosure 4 Attachments   IA Control Count
1                MAC I    Classified        1 and 4                               110
2                MAC I    Sensitive         1 and 5                               104
3                MAC I    Public            1 and 6                               79
4                MAC II   Classified        2 and 4                               110
5                MAC II   Sensitive         2 and 5                               104
6                MAC II   Public            2 and 6                               79
7                MAC III  Classified        3 and 4                               107
8                MAC III  Sensitive         3 and 5                               98
9                MAC III  Public            3 and 6                               73
67
Common Criteria Version 2.1
International vs. U.S. standard: U.S., Canada, France, Germany, UK, Russia, et al.
ISO Standard 15408, “Evaluation Criteria for Information Technology Security” (June 1999)
Benefits:
Specification of security features and assurances based on an international standard
Provides common vocabulary for describing requirements and product features
Technical oversight provided by government experts
Reduced testing costs to sponsors of evaluations
Validated products listed: http://niap.nist.gov/cc-scheme/ValidatedProducts.html
68
DoD IM/IT Policy Framework
Realigns all DoD IM/IT related issuances to the 8000 Series:
8000 – Capstone IM/IT Policy & Procedures
8100 – Information Resources Management
8200 – Mission & Functional Processes
8300 – Information Infrastructure Design & Engineering
8400 – Information Technology
8500 – Information Assurance
69
IA Policy Framework
Realigns all IA related DoD issuances to the 8500 Series:
8500 - General
8510 - Certification and Accreditation
8520 - Security Management (SMI, PKI, KMI, EKMS)
8530 - Computer Network Defense / Vulnerability Mgmt
8540 - Interconnectivity / Multi-Level Security (SABI)
8550 - Network/Web (Access, Content, Privileges)
8560 - Assessments (Red Team, TEMPEST Testing & Monitoring)
8570 - Education, Training, Awareness
8580 - Other (Mobile Code, IA OT&E, IA in Acquisition)
70
Baseline IA Levels - The Process
Step 1: Determine the System Mission Assurance Category:
Category I: Vital to effectiveness/readiness of deployed forces. Any loss unacceptable: immediate/sustained loss of mission effectiveness. Most stringent protection measures required.
Category II: Important to support of deployed forces. Loss of integrity unacceptable; loss of availability difficult to manage. Loss/degradation only tolerable for the short term, and may seriously impact mission effectiveness/operational readiness. Additional safeguards beyond best practices required.
Category III: Needed for day-to-day business; does not affect support to deployed or contingency forces in the short term. Loss tolerated or overcome without significant impact on mission effectiveness or operational readiness. Protective measures commensurate with commercial best practices.
71
Baseline IA Levels - The Process
Step 2: Based on the Mission Category, Determine the Target Levels of Robustness for Integrity and Availability
Mission Category   Integrity Level   Availability Level
I                  High              High
II                 High              Medium
III                Basic             Basic
72
Baseline IA Levels - The Process
Step 3: Consult Enclosure 4 Appendix 1, 2 or 3 for Integrity and Availability Controls (Category I examples below)
IA Service: Integrity   Control Class: Security Architecture   Control Number: ARNR-1   Control Name: Non-repudiation
Implementation of specific non-repudiation capabilities such as digital signatures exists if mission accomplishment requires non-repudiation. NIST FIPS validated cryptography (e.g. DoD PKI Class 3 or 4 token) is used for encryption, key exchange, digital signature, and hash (AES, 3DES, SKIPJACK, SHA 1, New standards as available, DSA, KEA).
IA Service: Availability   Control Class: Personnel Security   Control Number: PSRB-1   Control Name: Security Rules of Behavior or Acceptable Use Policy
A set of rules that describe the IA operations of the enclave or DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. The rules include the consequences of inconsistent behavior or non-compliance. Signed acknowledgement of the rules is a condition of access.
73
Baseline IA Levels - The Process
Step 4: Determine the Target Level of Robustness for Confidentiality
Classification, Sensitivity, and Need-to-Know                 Confidentiality Level
Public                                                        Basic
Sensitive and Unclassified Not Cleared for Public Release     Medium
Classified                                                    High
74
Baseline IA Levels - The Process
Step 5: Consult Enclosure 4, Appendix 4, 5, or 6 for Confidentiality Controls (examples for Sensitive or Unclassified Information Not Cleared for Public Release below)
IA Service: Confidentiality   Control Class: Audit   Control Number: AURR-2   Control Name: Audit Record Retention
Audit records are retained for at least one (1) year.
IA Service: Confidentiality   Control Class: Enclave Boundary   Control Number: EBBD-2   Control Name: Boundary Defense
Boundary defense mechanisms to include firewalls and network IDS are deployed at the enclave boundary to the WAN, and at layered or internal enclave boundaries as required. All Internet access is proxied through internet access points under the management and control of the enclave manager.
IA Service: Confidentiality   Control Class: Enclave Boundary   Control Number: EBPW-1   Control Name: Public WAN Connection
Connections between DoD enclaves and public WANs require a DMZ.
75
IA Control Taxonomy
Each IA Control is comprised of 4 elements:
Control Class: Acquisition
Control Number: ACCS-2
Control Name: Configuration Specifications
Control Text: A Departmental reference document such as a Protection Profile or a Security Technical Implementation Guide (STIG) constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IT assets.
76
Control Classes
CLASS CODE CLASS NAME
AC ACQUISITION
AR SECURITY ARCHITECTURE
AU AUDIT
CC CHANGE CONTROL
CE COMPUTING ENVIRONMENT
CM CONFIGURATION MANAGEMENT
CO CONTINUITY OF OPERATIONS
CU CRITICAL UTILITIES AND SUPPLIES
EB ENCLAVE BOUNDARY
EF ENVIRONMENTAL AND FACILITIES
LA LOGICAL ACCESS
PA PHYSICAL ACCESS
PB PROGRAM & BUDGET
PS PERSONNEL SECURITY
SC SESSION CONTROLS
SD SECURITY DOCUMENTATION
ST SECURITY TESTING
77
Follow Best Commercial Standards
[Diagram: IETF Areas (Applications, General, Internet, Ops & Management, Routing, User Services, Transport, Security) and the Security Area Working Groups: OpenPGP, Authenticated Firewall Traversal (AFT), Common Authentication Technology (CAT), IPSec Policy, IPSec, IDS Exchange, One-Time Password Auth., PKIX (X.509), S/MIME, Secure Shell, Simple PKI, Transport Layer Security, Web Transaction, XML Signatures, IPSec Remote Access]
• Internet Engineering Task Force (IETF)
The IETF is the protocol engineering and development arm of the Internet. Though it existed informally for some time, the group was formally established by the IAB in 1986 with Phill Gross as the first Chair.
78
IA Engineering
Electronic Warfare
Computer Network Defense
Psychological Operations
Military Deception
Operations Security
COMSEC
ELSEC
COMPUSEC
SIGSEC/COMSEC Monitoring
Computer Network Sensors