EE579S Computer Security


ECE579S Computer and Network Security 8: Certification & Accreditation; Red/Black Professor Richard A. Stanley, P.E.

Spring 2011 © 2000-2011, Richard A. Stanley ECE579S/8 #1

Last time… SSL/TLS Summary
• SSL/TLS provides a means for secure transport layer communications in TCP/IP networks
• SSL is a commonly used protocol, developed by Netscape, but ubiquitously used in browsers, etc.
• The key element of SSL is the handshake protocol


Formal Evaluation Summary

• Formal security evaluation techniques are academically interesting, but have until recently failed to provide significant practical improvement in fielded systems security
• Emphasis is shifting to new evaluation schemes and empirical, policy-based security evaluation for trusted systems
• Both approaches offer opportunities for exploitation by malefactors and for real improvement in systems security

IDS Summary
• IDSs can be useful in monitoring networks for intrusions and policy violations
• Up-to-date attack signatures and policy implementations are essential
• Many types of IDS available, at least one as freeware
• Serious potential legal implications
• Automated responses to be avoided


Cyber Threat: Real & Damaging…

• Undermining both our national security and our economic leadership in the world marketplace
– Threat started as nuisance activities by isolated bad actors
– Threat is now coming from nation states, commercial espionage, terrorist organizations, organized crime groups, and ‘for-hire’ cyber organizations—it’s a business—and often in concert
– Our intellectual property is the target
• F22
• Oil exploration
• Google
• The extent of the damage is only beginning to be publicly acknowledged; >$1T and years and years of technology leadership

Advanced Persistent Threats

Exploitation Life Cycle

• Step 1 - Reconnaissance
• Step 2 - Initial Intrusion into the Network
• Step 3 - Establish a Backdoor into the Network
• Step 4 - Obtain User Credentials
• Step 5 - Install Various Utilities
• Step 6 - Privilege Escalation / Lateral Movement / Data Exfiltration
• Step 7 - Maintain Persistence
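Added example, not part of the lecture slides: two small detectors for the credential-reuse (Step 4 feeding Step 6 lateral movement) and data exfiltration stages of the life cycle above, run over constructed authentication and flow log lines. The log format, the thresholds (three hosts in ten minutes, 100 MiB outbound) and the 10.0.0.0/8 "internal" range are assumptions made for the example.

```python
"""Added example (not from the lecture): detectors for two APT life-cycle
steps, run over constructed log records. Thresholds and log format are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample logs, not captured from any real system.
AUTH_LOG = [
    "2011-03-01T02:00:05 user=jsmith src=10.1.1.20 dst=10.1.2.11 result=success",
    "2011-03-01T02:01:40 user=jsmith src=10.1.1.20 dst=10.1.2.12 result=success",
    "2011-03-01T02:03:10 user=jsmith src=10.1.1.20 dst=10.1.2.13 result=failure",
    "2011-03-01T02:03:30 user=jsmith src=10.1.1.20 dst=10.1.2.13 result=success",
    "2011-03-01T02:05:55 user=jsmith src=10.1.1.20 dst=10.1.2.14 result=success",
    "2011-03-01T09:00:00 user=alice src=10.1.1.30 dst=10.1.2.50 result=success",
    "2011-03-01T14:00:00 user=alice src=10.1.1.30 dst=10.1.2.51 result=success",
]
FLOW_LOG = [
    "2011-03-01T02:10:00 src=10.1.2.11 dst=203.0.113.7 bytes_out=262144000",
    "2011-03-01T02:12:00 src=10.1.2.11 dst=203.0.113.7 bytes_out=262144000",
    "2011-03-01T02:15:00 src=10.1.2.11 dst=10.1.9.9 bytes_out=900000000",
    "2011-03-01T08:00:00 src=10.1.1.20 dst=198.51.100.3 bytes_out=20480",
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed enclave address space


def parse_kv(line):
    """Parse '<ISO timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_lateral_movement(lines, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts whose credentials log in successfully to at least
    `min_hosts` distinct hosts within any `window`: the credential-reuse
    pattern of Step 4 feeding Step 6. Returns {user: sorted host list}."""
    by_user = defaultdict(list)
    for rec in map(parse_kv, lines):
        if rec.get("result") == "success":   # failures are noise for this rule
            by_user[rec["user"]].append(rec)
    flagged = defaultdict(set)
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            # every successful login within `window` of this one
            hosts = {r["dst"] for r in events[i:] if r["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[user] |= hosts
    return {user: sorted(hosts) for user, hosts in flagged.items()}


def detect_exfiltration(lines, threshold_bytes=100 * 1024 * 1024):
    """Sum bytes_out per (src, dst) for flows leaving the internal range and
    return the pairs at or over the threshold as (src, dst, total_bytes)."""
    totals = defaultdict(int)
    for rec in map(parse_kv, lines):
        if ipaddress.ip_address(rec["dst"]) in INTERNAL:
            continue  # internal transfer; covered by the lateral-movement rule
        totals[(rec["src"], rec["dst"])] += int(rec["bytes_out"])
    return sorted((src, dst, total) for (src, dst), total in totals.items()
                  if total >= threshold_bytes)


if __name__ == "__main__":
    print("lateral movement:", detect_lateral_movement(AUTH_LOG))
    print("exfiltration:", detect_exfiltration(FLOW_LOG))
```

Both rules are deliberately simple threshold detectors; in practice the thresholds would be tuned per enclave, and an administrator account that legitimately touches many hosts would need an allow-list, which is exactly why the earlier IDS summary warns against automated responses.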


Vulnerability –External and Internal

Vulnerabilities at all layers
- Internet connections
- Email
- Software (malware, botnets)
- Hardware
- Firmware
- Web pages/banners/pop-ups
- Databases (SQL injection)
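Added example, not from the lecture: the "Databases (SQL injection)" item above shown as a string-built query beside its parameterized form, using Python's standard sqlite3 module against a constructed in-memory table. The table, its rows and the payload are made up for illustration.

```python
"""Added example (not from the lecture): a SQL-injectable lookup beside its
parameterized replacement, on a constructed sqlite3 in-memory table."""
import sqlite3


def make_db():
    """Constructed sample table: two accounts, one privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the caller-supplied name is spliced into the SQL text, so a
    quote character in it changes the structure of the statement."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


# Classic tautology payload: the first quote closes the string literal early,
# turning the WHERE clause into  name = 'x' OR '1'='1'
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # every row leaks
    print("safe:      ", lookup_safe(db, PAYLOAD))         # [] : no such user
```

The hardened form needs no escaping logic of its own; the driver sends the value separately from the statement, which is the property that makes parameterized queries the standard fix rather than input filtering.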


The future wave of access vulnerability

The internet of things… It won’t get any easier!

IT Security Roles

• Designated Approving Authority (DAA) – Accepts risk, issues ATO for IS
• Certifying Authority (CA) – Certifies IS
• Information Assurance (IA) Manager (IAM) – Responsible for the IA program for IS or organization
• IA Officer (IAO) – Implements IA program for IAM
• User Representative (UR) – Represents users in DIACAP
• Privileged User with IA responsibilities – System Administrator (for example)
• Authorized User – Any appropriately authorized individual

IT Security Situation


Terms and Definitions

• Cyber Security
– Protection of computer systems, computer networks, and electronically stored and transmitted information; network and Internet security
• Information Security
– Protection of information and information systems, providing confidentiality, integrity (including authentication and non-repudiation), and availability
– Includes cyber security plus non-computer issues
• physical security of buildings
• personnel security
• security of paper files

Terms and Definitions

• Information Assurance
– Superset of information security, emphasizes strategic risk management over tools and tactics
– Also includes:
• Privacy
• Compliance
• Audits
• Business continuity
• Disaster recovery

Cyber Security
Defense-in-Depth for computers, networks, and electronic information

Information Security
Cyber-Security plus protection for non-electronic information
Ensures:
• Confidentiality
• Integrity
• Availability

Information Assurance
Information Security plus:
• Strategic Risk Management
• Privacy, Compliance, Audits
• Business Continuity
• Disaster Recovery

Note: For SRA, Cyber Security = Information Assurance

Threats, Vulnerabilities, Assets

• THREAT - entity, circumstance, event producing intentional or accidental harm by:
– Unauthorized access, destruction, disclosure, modification of data
– Denial of Service (DoS) affecting mission performance
• VULNERABILITY – exploitable weakness in:
– Computing, telecommunications system, or network system security procedures
– Internal controls or implementation
• ASSET - personnel, hardware, software, or information that may possess vulnerabilities and are being protected against threats

Risk

• RISK - measure of the extent that an entity is threatened by a potential circumstance/event, a function of the likelihood of the circumstance/event occurring and the resulting adverse impacts
• RISK can be thought of as where threats, vulnerabilities and assets overlap

References

• DoDD 8500.01E - Information Assurance (IA)
– Establishes policy and assigns responsibilities to achieve Department of Defense (DoD) information assurance (IA)
• DoDI 8500.2 - Information Assurance (IA) Implementation
– Implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DoD information systems
• DoDI 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
– Establishes the DIACAP for authorizing the operation of DoD Information Systems
• DoD 8570.01-M - Information Assurance Workforce Improvement Program
– Provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance (IA) functions in assigned duty positions
• DoDI 8580.1 - Information Assurance (IA) in the Defense Acquisition System
– Implements policy, assigns responsibilities, and prescribes procedures to integrate IA into the Defense Acquisition System
• DoD 5220.22-M - National Industrial Security Program Operating Manual (NISPOM)
– Provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP

DoDD 8500.01E applies to…

• All DoD owned or controlled information systems
• Includes systems covered under the National Industrial Security Program (NISP)
• Does not apply to weapons systems with no platform IT interconnection

National Security System (NSS) Definition

• National security systems are information systems operated by the U.S. Government, its contractors or agents that contain classified information or that
– involve intelligence activities
– involve cryptographic activities related to national security
– involve command and control of military forces
– involve equipment that is an integral part of a weapon or weapons system
– are critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications)

Cyber Security Considerations

• What type of data?
– At rest
– Transmitted
– Processed
– Encrypted
• Systems that store, process, transmit government data
– What is the information flow?
• Upstream
• Downstream
– Interconnections
– Input/output
– Information sharing
– Mobile media

Mission Assurance Category/Confidentiality Level

• Mission Assurance Category (MAC 1, 2, 3)
– Importance of information and information systems
– Availability and integrity
• Confidentiality Levels
– Information classification level and need-to-know
• All DoD systems assigned MAC and Confidentiality Level
• Required security controls based on MAC and Confidentiality Level

MAC 1,2,3 Compared

• MAC 1
– Importance: vital to operational readiness
– Integrity loss: unacceptable
– Availability loss: unacceptable
– Possible impact: loss of mission effectiveness
– Protection measures: stringent
• MAC 2
– Importance: important to force support
– Integrity loss: unacceptable
– Availability loss: difficult – short term only
– Possible impact: seriously impact mission effectiveness
– Protection measures: beyond best practices
• MAC 3
– Importance: necessary day-to-day
– Integrity loss: tolerable
– Availability loss: tolerable
– Possible impact: degradation of routine activities
– Protection measures: best practices

Confidentiality Levels

• Classified - Official information that has been determined to require, in the interests of national security, protection against unauthorized disclosure
– Confidential
– Secret
– Top Secret
– Top Secret SCI, etc.
• Sensitive - Loss, misuse, unauthorized access, or modification could adversely affect:
– National interest
– Conduct of Federal programs
– Privacy of individuals
• Public - Official DoD information that has been reviewed and approved for public release by the information owner

Information System Categories
• Enclaves
• Automated information system (AIS) application
• Outsourced IT-based process
• Platform IT interconnection

System Boundary

• DoDI 8500.2 only mentions the enclave boundary; it does not define a system boundary
• From NIST SP 800-37 rev. 1, a set of information resources under:
– Same direct management control
– Same function or mission objective
– Same operating characteristics
– Same information security needs
– Same general operating environment (or if distributed, similar operating environments)
• In NIST this is the security authorization boundary
• DIACAP refers to it as the accreditation boundary
• Applies to production, test, and development

IA Control Subject Areas


IA Control Examples


DIACAP Overview

• DoDI 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP) – “Establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD ISs, including core enterprise services- and Web services-based software systems and applications”.


DIACAP Applicability

• DoD-owned/controlled Information Systems with DoD information
– receive
– process
– store
– display
– transmit
• Any classification or sensitivity
• Must meet the definition of a DoD Information System (enclave, AIS, outsourced IT-based process, or platform IT interconnection) from DoD Directive 8500.01E

DIACAP Team

• Designated Approving Authority – DAA
– Incorporates IA in information system life-cycle management processes
– Grants Authorization to Operate
• Certifying Authority – CA
– DoD Component Senior Information Assurance Officer (SIAO) (or designee)
– Makes certification determination

DIACAP Team

• IS Program or System Manager - ISPM/SM
– Implement DIACAP
– Develop, track, resolve, and maintain the DIACAP Implementation Plan (DIP)
– Ensure IT Security POA&M development, tracking, and resolution
– Ensure that the IS has an IA manager (IAM)

DIACAP Implementation

• All IT has some information assurance requirements
– DoDD 8500.01E requires C&A for all DoD information systems
– DoDI 8500.2 implements the requirements of DoDD 8500.01E and defines controls
– DoDI 8510.01 defines and implements the DIACAP process for C&A of DoD information systems
• DoD Information Systems are:
– Enclave
– Automated Information System (AIS) application
– Outsourced IT-based processes
– Platform IT with GIG interconnections

DIACAP Implementation

• Development and test systems
– Create full ATO package with IA Controls based on MAC and CL within development/testing environment
– Send ATO package to the field with the completed system
– The field organization
• Determines MAC and CL in their environment
• Reviews development/testing ATO package
• Determines which IA Controls are still valid and which must be newly implemented

DIACAP Packages

• Comprehensive package
– Includes all the information resulting from the DIACAP process
– Used for the CA recommendation
• Executive package
– Minimum information
– Used for an accreditation decision
– Provided to others in support of accreditation or other decisions, such as connection approval

DIACAP Packages


DIACAP Activities


FISMA

E- Government Act of 2002

• Recognized the importance of information security to the economic and national security interests of the United States

Title III of the E-Government Act: FISMA

• FISMA is the Federal Information Security Management Act
• Requires federal organizations to provide security for the information and information systems that support the agency

FISMA Requirements

• Applies to all federal agencies, DoD and civil
• Periodic assessments of the risk
• Policies and procedures based on risk assessment
• Component-level plans for providing IT security for networks, facilities, and systems or groups of IT systems
• IT security awareness training
• Testing and evaluation of IT security policies, procedures, and practices at least annually
• Process for planning, implementing, evaluating, and documenting remedial action
• Procedures for detecting, reporting, responding to security incidents
• Plans and procedures to ensure continuity of operations for IT systems supporting the operations and assets of the organization

Red/Black

• http://www.youtube.com/watch?v=do5ZVohtQxQ
• Well, OK, that isn’t really the Red/Black we are going to study, but do I have your attention now?

Red/Black

• Red
– Circuits carrying classified information that is not encrypted
– Often used to refer to classified information itself
• Black
– Circuits carrying information that is encrypted
– Often used to refer to unclassified information
• Nomenclature comes from the TEMPEST program
– A series of government-led approaches to minimize the effects of information leakage through covert channels as a result of signal coupling

Red/Black Separation

• Owing to the laws of physics, physical separation between Red circuits and Black circuits is required to ensure no (or, in practice, minimal possible) signal leakage.

• Requirements can be found in, inter alia,
– NSTISSAM TEMPEST 2-95, 12 December 1995, RED/BLACK INSTALLATION GUIDANCE
– MIL-HDBK-232A, 24 October 2000, RED/BLACK ENGINEERING - INSTALLATION GUIDELINES
– NSTISSI No. 7003, 13 December 1996, Protective Distribution Systems
• Red and Black circuits CANNOT be interconnected, as we do not know how to avoid covert channels in that circumstance

Summary

• If you are involved with information assurance on government systems, you will be involved with many differing regulations and requirements
• Engineering of information systems that carry classified information must comply with Red/Black standards

Student Research Presentations
