A Comprehensive Framework for Information Assurance

Abe Usher, CISSP

Post on 12-Jan-2016

Page 1

A Comprehensive Framework for Information Assurance

Abe Usher, CISSP

Page 2

Agenda

Introduction

Information Assurance defined

What you need to know

A comprehensive (lightweight) framework

Demonstrations

IATAC resources

Questions

Page 3

Introduction: whoami

Deputy Director of the Information Assurance Technology Analysis Center (IATAC)

Certified Information Systems Security Professional (CISSP)

M.S. in Information Systems

Creator of the INFOSEC Zeitgeist

Former infantry officer

Geek

Page 4

Introduction: purpose

To provide an information briefing on a simple, yet comprehensive framework for thinking about Information Assurance (IA) issues

Page 5

IA defined: old perspective

Information Security:

“Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.[1]”

John McCumber, 1991

Page 6

IA defined: contemporary perspective

Information Assurance:

“Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.[2]”

Confidentiality: assurance that information is not disclosed to unauthorized individuals, processes, or devices.

Integrity: quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.

Availability: timely, reliable access to data and information services for authorized users.

NSTISSI No. 4009, "National IA Glossary," May 2003

Page 7

What you “need to know”

Technologist perspective:

– TCP/IP stack details

– Firewalls

– Intrusion detection

– Anti-virus

– INFOSEC Research Council hard problems list

Policy perspective:

– DoD 8500 series documents

– DoD 5200 series documents

– DoD 8100 series documents

– NIST 800 series documents

– National Strategy to Secure Cyberspace

– DoD IA Strategy

– DITSCAP / NIACAP

Operator perspective:

– IS Alliance: Common Sense Guide for Home and Individual Users

– IS Alliance: Common Sense Guide for Senior Managers

Page 8

Common criteria

Page 9

What you “need to know”

Do we lose the forest while looking at the trees?

Page 10

Thoughts on classification

“The beginning of all understanding is classification.”

Hayden White

Page 11

A comprehensive, yet “lightweight” framework

Page 12

Thoughts on classification

“Classification is, in fact, a general method used by us all for dealing with information… So by classification we can organize our knowledge of the [plant kingdom] into a system which stores and summarizes our information for us in a convenient manner…

Clearly, some system by which we can organize this knowledge, make generalizations and predictions, and simply reduce the sheer bulk of data with which we have to deal, is not only desirable but essential.”

Charles Jeffrey, An Introduction to Plant Taxonomy

Page 13

A comprehensive, yet lightweight framework

Page 14

A comprehensive, yet lightweight framework

Page 15

A comprehensive, yet lightweight framework

Page 16

A comprehensive, yet lightweight framework

Page 17

Case study: confidentiality of information in transmission

Alice views an information resource belonging to Bob using a plain text protocol

Information state: transmission

Security service: confidentiality

Security countermeasure: encryption [3], secure transmission medium, frequency hopping, obscure system interface, access controls

Page 18

Case study: confidentiality of information in transmission

Page 19

Interactive Web-based version

Page 20

Case study: availability of net-based resources

Bob wants to view a Web resource belonging to Alice

Information state: storage, transmission

Security service: availability

Security countermeasure: traffic filtering/blocking [4], rate limiting, functional redundancy, data redundancy, load balancing, acceptable use policy, business continuity of operations plan
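Two of the availability countermeasures listed above, traffic filtering by source address [4] and rate limiting, applied to a constructed request log for Alice's Web resource. This is an added example, not code from the briefing; the addresses, timestamps, deny-list and limits are assumptions.

```python
from collections import defaultdict

BLOCKED_SOURCES = {"203.0.113.7"}   # assumed deny-list (traffic filtering by IP address)
RATE_PER_SECOND = 2.0               # sustained requests allowed per source (assumed)
BURST = 4                           # token-bucket capacity per source (assumed)

class TokenBucket:
    """Per-source token bucket: refills at `rate` tokens/s up to `capacity`."""
    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), None

    def allow(self, now: float) -> bool:
        # Credit tokens for the time elapsed since the previous request, then spend one.
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def filter_requests(log_lines):
    """Split 'timestamp source path' records into (allowed, dropped-with-reason)."""
    buckets = defaultdict(lambda: TokenBucket(RATE_PER_SECOND, BURST))
    allowed, dropped = [], []
    for line in log_lines:
        ts, src, _path = line.split()
        if src in BLOCKED_SOURCES:
            dropped.append((line, "filtered"))      # countermeasure: traffic filtering
        elif buckets[src].allow(float(ts)):
            allowed.append(line)
        else:
            dropped.append((line, "rate-limited"))  # countermeasure: rate limiting
    return allowed, dropped

# Constructed log: Bob (198.51.100.4) browses normally, 192.0.2.10 floods the
# resource, and 203.0.113.7 is on the deny-list.
SAMPLE_LOG = [
    "0.0 198.51.100.4 /index.html",
    "0.1 192.0.2.10 /index.html", "0.1 192.0.2.10 /index.html",
    "0.2 192.0.2.10 /index.html", "0.2 192.0.2.10 /index.html",
    "0.3 192.0.2.10 /index.html", "0.3 192.0.2.10 /index.html",
    "0.5 203.0.113.7 /index.html",
    "1.0 198.51.100.4 /page2.html",
    "1.2 192.0.2.10 /index.html",
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_LOG)
    print(f"allowed {len(ok)}, dropped {len(bad)}")
    for line, reason in bad:
        print(f"  {reason:13s} {line}")
```

Bob's two requests pass untouched; the flooding source keeps its first burst and loses the requests that exceed the sustained rate, which is the point of protecting availability without blocking legitimate users.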

Page 21

Case study: availability of net-based resources

Page 22

A comprehensive, yet lightweight framework
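The framework's information-state and security-service dimensions encoded as a grid, with the countermeasures from the two case studies tagged by the cells they address, and a coverage report listing the cells still unaddressed. This is an added example, not code from the briefing; which cells each control covers, beyond the two case studies' own classifications, is an assumption made for illustration.

```python
from itertools import product

# Information states from the McCumber definition; security services from NSTISSI 4009.
STATES = ("storage", "processing", "transmission")
SERVICES = ("confidentiality", "integrity", "availability",
            "authentication", "non-repudiation")

# Countermeasure -> set of (state, service) cells it addresses. The two case
# studies give the transmission cells; the other cell assignments are assumptions.
CONTROLS = {
    "encryption (SSH)":           {("transmission", "confidentiality")},
    "secure transmission medium": {("transmission", "confidentiality")},
    "access controls":            {("transmission", "confidentiality"),
                                   ("storage", "confidentiality")},
    "traffic filtering/blocking": {("transmission", "availability")},
    "rate limiting":              {("transmission", "availability")},
    "data redundancy":            {("storage", "availability")},
    "load balancing":             {("processing", "availability"),
                                   ("transmission", "availability")},
}

def coverage(controls):
    """Map every (state, service) cell to the list of controls that address it."""
    grid = {cell: [] for cell in product(STATES, SERVICES)}
    for name, cells in controls.items():
        for cell in cells:
            if cell not in grid:
                raise ValueError(f"{name}: unknown cell {cell}")
            grid[cell].append(name)
    return grid

def gaps(controls):
    """For each security service, the information states with no countermeasure."""
    grid = coverage(controls)
    return {svc: [st for st in STATES if not grid[(st, svc)]] for svc in SERVICES}

def report(controls):
    """Human-readable coverage summary, one line per security service."""
    lines = []
    for svc, states in gaps(controls).items():
        status = "covered" if not states else "GAP in " + ", ".join(states)
        lines.append(f"{svc:16s} {status}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(CONTROLS))
```

Running it shows availability fully covered, confidentiality missing the processing state, and integrity, authentication and non-repudiation with no countermeasure at all, which is the kind of whole-forest view the tree-level checklists on the earlier slides do not give.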

Page 23

IATAC Resources

IAnewsletter

IA Digest

Technical inquiries

Technical repository

On the Web at:

– http://iac.dtic.mil/iatac

– https://iatac.dtic.smil.mil

Page 24

Questions

Page 25

Backup slides

Page 26

References

[1] McCumber, John. "Information Systems Security: A Comprehensive Model." Proceedings of the 14th National Computer Security Conference. National Institute of Standards and Technology, Baltimore, MD, October 1991.

[2] NSTISSI No. 4009, "National INFOSEC Glossary," January 1999.

[3] OpenSSH protocol. Designed through the OpenBSD project at http://www.openbsd.org/. Latest release September 2003.

[4] Linux Planet. "Traffic Filtering by IP Address." http://www.linuxplanet.com/linuxplanet/tutorials/1527/5/. February 2000.

[5] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A Model for Information Assurance: An Integrated Approach." Proceedings of the 2001 IEEE Workshop on Information Assurance and Security. U.S. Military Academy, West Point, NY, June 2001.

Page 27

Information Security Zeitgeist

Provides a graphical depiction of the emergence and disappearance of hot topics in information security over time

Inspired by the Google Zeitgeist report

On the Web:

http://www.sharp-ideas.net/research/infosec_zeitgeist.html

http://www.google.com/press/zeitgeist.html

Page 28

Information Security Zeitgeist

Page 29

Information Security Zeitgeist