sample security model. security model secure: identity management & authentication filtering and...
TRANSCRIPT
Sample Security Model
Security Model
Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s
Monitor: Intrusion Detection and Response Content-Based Detection and Response Employee monitoring
Audit: Security Posture Assessment Vulnerability Scanning Patch verification/Application audit
Manage: Secure Device Management Event / Data Analysis and Reporting Network Security Intelligence
POLICYM
anag
e Monitor
Audit
Secure
Information Warfare Definition
"Actions taken to achieve information superiority by affecting adversary information, information-based processes, information system, and computer-based networks while defending one's own information, information-based systems, information systems and computer-based systems."
Information Warfare Definition(s)
Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own.
Such actions are designed to achieve advantages over military or business adversaries.(Dr Ivan Goldman)
Skill vs Technology
Decreasing
Skill and Knowledge and resources
Increasing Tools, Power and
Sophistication
1940 2004
• Code cleanup
• License selection
• Development environment & portal
• Training
Implementation
• Objective
• Metrics
• Architecture
• Cost / Benefit Analysis
• Community Relevance
• Risk Mitigation
Business Case
• Launch Planning
• Community Awareness
• Competitive Participation
Marketing
• Measuring
• Ongoing Marketing
• Strategic Direction
Maintenance
Outbound Open Source
Levels of Concern (Low, Moderate, High)
Level of concern for confidentiality Based on the tolerance for unauthorized disclosure or compromise of
information on the system
Level of concern for integrity Based on the tolerance for unauthorized modification or destruction
of information on the system
Level of concern for availability Based on the tolerance for delay in the processing, transmission, or
storage of information on the system or the tolerance for the disruption or denial of a service provided by the system
Levels of Concern (Low, Moderate, High)
Level of concern for external exposure Based on the definitions in SP 800-37 (user access methods, backend
connections, number of users)
Level of concern for internal exposure Based on the definitions in SP 800-37 (security background
assurances/clearances, access approvals, need-to-know)
Level of concern for total system exposure Based on the values assigned to both external and internal exposure
factors as defined in SP 800-37
System Characterization
Levels of concern for confidentiality, integrity,availability and system exposure determine:
Security controls for the IT system Security certification level
Classes of Security Controls
Management Controls Controls that address the security management aspects of the IT system
and the management of risk for the system
Operational Controls Controls that address the security mechanisms primarily implemented
and executed by people (as opposed to systems)
Technical Controls Controls that address security mechanisms contained in and executed
by the computer system
A Comprehensive ApproachLinking Critical Assessment Activities
INFORMATION ASSURANCE (IA) Objectives of the IA Program
• Employ efficient and cost-effective security features to protect information system resources
• Adopt a risk-based life cycle management approach• Conduct an assessment of threats, identify and apply
appropriate safeguards
Security Risks =(Threats x Vulnerabilities) - Countermeasures Exposure
Objectives of the IA Program (Continued)
Protect the information with regard to:
Confidentiality
Integrity
Availability
Authentication
Non-repudiation
What is the threat?
• Internal– Intentional (Disgruntled Employee)
– Unintentional (Employee Error)
• External– Intentional (Terrorists, Hackers)
– Unintentional (Natural Disaster)
IA Program Personnel
• Designated Approving Authority (DAA)• Information Systems Security Manager (ISSM)• Network Security Officer (NSO)• Information Systems Coordinator (ISC)• Information Systems Security Coordinator (ISSC)• YOU
YOUR Responsibilities
• Computer & Network Security• Information Security• Software Security• Physical Security• Communications & Emanations
Security• Personnel / Administration Security
YOUR Responsibilities Computer & Network Security
• Log-On Information • Warning Banner• Use of Corporate Systems
YOUR ResponsibilitiesComputer & Network Security
P A
S
S
W
L O G O F F
R
D
YOUR ResponsibilitiesComputer & Network Security
• System Configuration Information• Virus Detection• Firewalls
YOUR Responsibilities Information Security
• Classification level of information
• Back-ups
• Off-Site Storage
• Media Protection
YOUR Responsibilities Software Security
• DO NOT install unapproved software
• Software Accountability / Inventory
• Software Copyright
YOUR Responsibilities Physical Security
• DRMO/Destruction
• Housekeeping
• Media Protection
• Ensure adequate physical controls
YOUR Responsibilities Communications & Emanations Security
• Sending Sensitive data over the Internet
• Encryption
• TEMPEST
YOUR Responsibilities Personnel & Administration Security
• Operating Procedures
• Training
• System Accreditation
• Incident Reporting
• Need-to-know
• Audit Trails
• Contingency Planning• Adequate Environmental Controls
SUMMARY
• We must incorporate a security mindset in our day-to-day operations
• You are the most important asset in the fight to provide adequate security of our Information Systems