INFORMATION SYSTEM SECURITY
For Security Professionals
Objectives
o Discuss the principles of Computer Security
o Identify required IS security documentation
o Identify the purpose of a System Security Plan (SSP)
Foundations of Computer Security
C - Confidentiality
I - Integrity
A - Availability
Paragraph 8-401 NISPOM
CONFIDENTIALITY
Protection of data in or processed by the computer system from disclosure.
INTEGRITY
Protection of data and software used or processed on classified systems from manipulation or deletion.
AVAILABILITY
Protecting the computer from malicious logic or natural disasters.
Protection Levels (NISPOM 8-402)
PL-1 Dedicated
PL-2 System High
PL-3 Compartmented
Protection Level (PL) 1 - Dedicated Security Mode
Clearance, N-T-K and, if applicable, all formal access approvals for all information.
[Slide diagram: TS, TS]
Protection Level (PL) 2 - System High Security Mode
Clearance and access approvals for all information, but with different N-T-K.
[Slide diagram: TS a, TS b]
Protection Level (PL) 3 - Compartmented Security Mode
Clearance for the most restrictive information, but different formal access approvals.
[Slide diagram: TOP SECRET, TS-NATO, SAP, CRYPTO, NATO, CNWDI]
Confidentiality Matrix
TABLE 5 - Protection Profile Table for Confidentiality

Requirements (Paragraph)                | PL 1           | PL 2             | PL 3
Audit Capability (8-602)                | Audit 1        | Audit 2, Audit 3 | Audit 4
Data Transmission (8-605)               | Trans 1, ISL62 | Trans 1          | Trans 1
Access Controls (8-606)                 | Access 1       | Access 2         | Access 3
Identification & Authentication (8-607) | I&A 1          | I&A 2, 3, 4      | I&A 2, 4, 5
Resource Control (8-608)                |                | ResrcCtrl 1      | ResrcCtrl 1
Session Controls (8-609)                | SessCtrl 1     | SessCtrl 2       | SessCtrl 2
Security Documentation (8-610)          | Doc 1          | Doc 1            | Doc 1
Separation of Functions (8-611)         |                |                  | Separation
System Recovery (8-612)                 | SR 1           | SR 1             | SR 1
System Assurance (8-613)                | SysAssur 1     | SysAssur 1       | SysAssur 2
Security Testing (8-614)                | Test 1         | Test 2           | Test 3
Levels of Concern (8-403) - Confidentiality

Level of Concern | Qualifiers
High             | TOP SECRET and SECRET Restricted Data (SIGMAs 1,2,14,15)
Medium           | SECRET; SECRET Restricted Data
Basic            | CONFIDENTIAL
Integrity Matrix
Must be contractually imposed.
Levels of Concern (8-403) - Integrity

Level of Concern | Qualifiers
High             | Absolute accuracy required for mission accomplishment; or loss of life might result from loss of integrity; or loss of integrity will have an adverse effect on national-level interests; or loss of integrity will have an adverse effect on confidentiality.
Medium           | High degree of accuracy required for mission accomplishment, but not absolute; or bodily injury might result from loss of integrity; or loss of integrity will have an adverse effect on organizational-level interests.
Basic            | Reasonable degree of accuracy required for mission accomplishment.

Must be contractually imposed.
Availability Matrix
Must be contractually imposed.
Levels of Concern (8-403) - Availability

Level of Concern | Qualifiers
High             | Information must always be available upon request, with no tolerance for delay; or loss of life might result from loss of availability; or loss of availability will have an adverse effect on national-level interests; or loss of availability will have an adverse effect on confidentiality.
Medium           | Information must be readily available with minimum tolerance for delay; or bodily injury might result from loss of availability; or loss of availability will have an adverse effect on organizational-level interests.
Basic            | Information must be available with flexible tolerance for delay.

Must be contractually imposed.
Cognizant Security Agency
Agencies of the Executive Branch authorized to establish an Industrial Security program. The agencies are: DoD, DoE, CIA, and NRC.
8-101a, NISPOM
Cognizant Security Office
The entity designated by the Head of a CSA to administer industrial security on behalf of the CSA.
8-101a, NISPOM
Performs oversight, program review, training, and certification and accreditation of ISs used by its contractors.
Contractor Role
o Publish and promulgate an IS Security Policy
o Appoint and train an Information Systems Security Manager (ISSM)
8-101b, NISPOM
IS Security Manager (ISSM)
o Not necessarily the Facility Security Officer (FSO)
o Designated by Management
o The CSA's point of contact for IS security
o Generally a very nice guy
IS Security Officer (ISSO)
o Appointed by ISSM in facilities with multiple accredited IS
o Assists in day-to-day IS security operations
o Has PCL, NTK, and formal access approvals for all information processed on accredited IS
o Not so nice
Security Documentation (8-610 NISPOM)
o System Security Plan
o Profile
o Configuration Plan
o Risk Acceptance Letter
o Memorandum of Understanding
o Protected Distribution System
Basis for Accreditation
o Safeguards
o Documentation (SSP)
o Policy
o Evaluation of security risks
System Security Plan (8-610)
o Defines Security Policy
o Includes Configuration Management Plan
o Covers the life-cycle of the system
o Target audience includes users, system administrative, government, and security staff
o Best single security tool
Self-Certification Master/Profile Concept
[Slide diagram: Master/Profile System Security Plan; an MSSP with several profiles (PP, PP, PP); an SSP with a single profile (PP)]
Self-Certification Concept - Profile Requirements
o Same classification
o Same PL level
o Same Level of Concern
o Same Environment
o Approved O/S
o Same system type
o Approved TD
o Approved Periods Processing
o Approved Mobile Systems
o Approved Test Equipment
Self-Certification Concept - Not Authorized
o SIPRNET
o WAN self-certs
o Systems requiring variances
o Audit variances
o Alternate TD procedures
o Legacy O/S
SSP INCLUDES (8-610a.(1)(a))
o System Identification
o Purpose
o Security personnel
o System description
o Mission or purpose
o Architecture
o Classification Level
o Formal Access Approvals
o System requirements
o Personnel Clearance Level of Users
o Need to Know of Users
o Protection Level
o Physical controls
o Marking requirements
SSP - Protection Measures
o Audit Capabilities
o Access Controls
o Resource Controls
o System Recovery
o Security Testing
o Data Transmission
o I & A
o Session Controls
o System Assurance
o Physical Security
o Trusted Downloading
o Software controls
o Media controls
o Maintenance
o Clearing and sanitization
o Self Inspections
SSP - Variances and RAL letters
o Description of approved variances from protection measures
  o Attach documentation
o Documentation of any unique threat or vulnerabilities to system
  o Document if none exists
SSP - May Also Include
o MOU for connections to separately accredited networks & systems
o Special purpose type systems
  o Embedded systems
o Other contractual issues
Audit Records
o Who fills out what?
  o ISSOs & Users
o What logs are required? - Manual
  o Maintenance
  o Hardware & Software
  o Upgrade/Downgrade
  o Sanitization
  o Weekly Audit Log
  o Seal Log (If Applicable)
  o Receipt/Dispatch (If Applicable)
Audit Records - cont'd
o What logs are required - Automated
  o If technically capable
o Successful and unsuccessful logons and logoffs
o Unsuccessful accesses to security-relevant objects and directories, including:
  o creation
  o open
  o modification and deletion
Audit Records - cont'd
o Changes in user authenticators, i.e., passwords
o Denial of system access resulting from an excessive number of unsuccessful logon attempts.
o If not technically capable, the Authorized Users list will be retained as an audit record
Re-Accreditation & Protection Measures
o Re-Accreditation
  o Every Three Years
  o Major Changes
  o If no changes
    o Updated SSP may not be required.
Passwords
o Minimum 8* Characters
o Classified to the highest level of the system
o Changed at least every 365* days
o Changed when compromised
o Automated generation when possible
DoD Warning Banner
o Required
o Positive User Action
o Prominently displayed

DoD Warning Banner
This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.
Login Attempts
o Maximum of 5* attempts
o Lockout for 15* minutes
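The Login Attempts, Passwords and automated Audit Records rules above, worked through in Python as an added example (not part of this deck or of NISPOM): a hypothetical LogonController enforces the 5-attempt / 15-minute lockout and the 8-character minimum, and writes the audit events the deck lists (logons, authenticator changes, and denials caused by excessive failed attempts). The user name, the SHA-256 credential store and the timestamps are constructed for the example.

```python
import hashlib, hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # deck: "Maximum of 5* attempts"
LOCKOUT = timedelta(minutes=15)  # deck: "Lockout for 15* minutes"
MIN_PASSWORD_LEN = 8             # deck: "Minimum 8* Characters"

@dataclass
class LogonController:
    # Hypothetical controller for the example; the store keeps SHA-256 digests, never passwords.
    digests: dict = field(default_factory=dict)       # user -> password digest
    audit: list = field(default_factory=list)         # automated audit record: (when, user, event, detail)
    failures: dict = field(default_factory=dict)      # user -> consecutive failed logons
    locked_until: dict = field(default_factory=dict)  # user -> lockout expiry

    def _log(self, when, user, event, detail=""):
        self.audit.append((when, user, event, detail))

    def change_password(self, user, new_password, when) -> bool:
        if len(new_password) < MIN_PASSWORD_LEN:
            return False
        self.digests[user] = hashlib.sha256(new_password.encode()).digest()
        self._log(when, user, "AUTH_CHANGE")  # a change of authenticator is an auditable event
        return True

    def logon(self, user, password, when) -> bool:
        until = self.locked_until.get(user)
        if until is not None and when < until:  # denial while locked is itself auditable
            self._log(when, user, "DENIED_LOCKED", f"locked until {until:%H:%M}")
            return False
        offered = hashlib.sha256(password.encode()).digest()
        if user in self.digests and hmac.compare_digest(self.digests[user], offered):
            self.failures[user] = 0
            self._log(when, user, "LOGON_SUCCESS")
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self._log(when, user, "LOGON_FAIL", f"attempt {self.failures[user]}")
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked_until[user] = when + LOCKOUT
            self.failures[user] = 0
            self._log(when, user, "LOCKOUT", f"{MAX_ATTEMPTS} consecutive failures")
        return False

def demo() -> list:
    # Constructed scenario: weak password rejected, five bad logons lock the account,
    # the right password is denied while locked, and works again after 15 minutes.
    ctl, t0 = LogonController(), datetime(2024, 1, 1, 9, 0)
    ctl.change_password("alice", "short", t0)                 # rejected: under 8 characters
    ctl.change_password("alice", "correct-horse-battery", t0)
    for i in range(MAX_ATTEMPTS):
        ctl.logon("alice", "wrong", t0 + timedelta(seconds=i))
    ctl.logon("alice", "correct-horse-battery", t0 + timedelta(minutes=1))
    ctl.logon("alice", "correct-horse-battery", t0 + LOCKOUT + timedelta(minutes=1))
    return [event for _, _, event, _ in ctl.audit]
```

The returned event sequence is the automated audit trail an ISSO would review weekly; the asterisked values are the deck's defaults and are the only numbers to change if the customer imposes stricter ones.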
Special Categories (Section 5, Chapter 8)
May not meet all NISPOM Requirements
o Single-user Stand-alones
  o Only one user accesses the system
o Pure Servers
  o No user code on the system
o Tactical, Embedded Special-Purpose Systems
  o Configured as directed by customer
Customer can require additional requirements above NISPOM
Clearing and Sanitization

Clearing
Removal of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., keyboard strokes).
DCID 6/3
Sanitization
The process of removing information from media or equipment such that data recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings.
DCID 6/3
Clearing and Sanitization Matrix (www.dss.mil)
o Hard drives
  o May be degaussed or destroyed at end of life cycle
o CPUs
  o Remove power for one minute
o Printers
  o Print one page (font test) then power down
Configuration Management Plan
o Formal change control procedures for security-relevant hardware and software
o Management of all documentation
o Implement, test and verify CM plan
CM Plan Documents (8-311):
o Procedures to identify and document type, model and brand of IS hardware
o Procedures to identify and document product names and version or release numbers and location of security relevant software
o System connectivity
Periods Processing
o Separate Sessions
o Different Classification Levels
o Different Need-To-Know
o Removable Media for each processing session
Summary
o Principles of Computing Security
o System Security Plan
  o Purpose
  o Contents
o NISPOM = What
o SSP = How