INFORMATION SYSTEMS SECURITY OFFICE (ISSO) SERVICES
Download
Report
Transcript INFORMATION SYSTEMS SECURITY OFFICE (ISSO) SERVICES
One Team, One Mission
Information Superiority for America
INFORMATION SYSTEMS
SECURITY OFFICE (ISSO)
SERVICES
MAJ Carmine Cicalese
CINC INFOSEC Support
INFORMATION SYSTEMS
SECURITY (INFOSEC)
The protection of information
systems against unauthorized
access to or modification of
information, whether in storage,
processing or transit, and
against the denial of service to
authorized users or the provision
of service to unauthorized users,
including those measures
necessary to detect, document,
and counter such threats
GROWING NEED FOR
INFOSEC
Nation has become highly dependent on
networking for military ops, government,
and commerce
Information infrastructure is at risk!
Data and systems are highly vulnerable
to unauthorized access
Information warfare could inflict massive
disruption on military readiness and the
economy
RACE AGAINST TIME:
INFOSEC VS. INFOWAR
Massive Use of Networking Makes U.S. the World’s
Most Vulnerable Target for Information Warfare
Intelligence Exploitation
Disruption of Network Infrastructure
U.S. Has Orders of Magnitude More to Lose to
Information Warfare Attacks Than Our
Adversaries
Reliance on Unprotected Networks Carries Risk of
Military Failure and Catastrophic Economic Loss
INFORMATION
WARFARE
“...the threat to our military and commercial
information systems poses a significant risk
to national security and must be addressed.”
William J. Clinton
President of the United States
1995 National Security Strategy
INFORMATION
WARFARE
“Information in all its forms, information protection,
and the increasingly prominent position of
information in the attack have become central
features in determining the outcome of modern and
future conflicts.”
General John M. Shalikashvili
Chairman of the Joint Chiefs of Staff
Memorandum, Information Warfare Status, 10 October 1995
SANCTUARY -- LOST
PAST
U.S.
U.S.
SOCIETY
MILITARY
PRESENT
ADVERSARY
U.S.
U.S.
SOCIETY
MILITARY
ADVERSARY
INFOSEC
CHALLENGES
Keeping pace with technology
National Information Infrastructure (NII)
Support to military operations
POTENTIAL ISSO
CUSTOMERS
HEALTH PROFESSION
PRIVATE INDUSTRY
JOHN Q. PUBLIC
FINANCIAL COMMUNITY
ACADEMIA
WHAT ARE WE DOING
ABOUT IT?
Key INFOSEC Goal:
Keep Pace with Network Technology and
Security Needs
Criteria for Success:
Solutions that are Secure, Affordable, and
Easy to Use, as Defined by Our Customers
GOALS
Enhance Network Security
Meet All Requirements for Unique, High
Assurance Solutions
Advance INFOSEC Technology
Champion Information Security for the Nation
Forge an Innovative Customer-Driven
Corporate Culture
ISSO MISSION
Provide leadership, products, and services
necessary to enable customers to protect
national security and sensitive information in
information systems pursuant to Federal law
and national policies; and...
Provide technical support to the government’s
efforts to incorporate information systems
security into the National Information
Infrastructure (NII)
SECURITY TERMS
DATA INTEGRITY -
Absolute verification data has not been
modified (Detection of a single bit change)
AUTHENTICATION - Verification of originator (Signature on
check)
NON-REPUDIATION - Undeniable proof-of-participation
(Sender/receiver in bank transaction)
CONFIDENTIALITY - Privacy with encryption (Scrambled text)
AVAILABILITY -
Assurance of service on demand
(Guaranteed dial tone)
INFOSEC BUSINESS
The business of information security comprises a cycle of critical
activities designed to meet constantly changing customer needs in the
emerging information age.
Assess Needs
Customer education, threat awareness, vulnerability assessment,
impact on business, leading national advocacy role.
Deliver Solutions
Product and systems evaluations, risk management, system
security engineering consultancy, new solutions, implementation
assistance, security management infrastructure, life cycle
support, policies and guidelines.
Create Advanced Technologies
Anticipate and enable emerging technologies, conduct and
coordinate research and development, rapid prototyping.
INFOSEC SOLUTIONS
PRODUCTS
INFOSEC
SOLUTIONS
SERVICES
TECHNOLOGIES
PRODUCTS
MISSI/Fortezza
STU-III
KG-84
KG-194
KG-95
CONDOR
Key Management
System (EKMS)
Embedded Modules
Chips
Algorithms
Secure Terminal
Equipment
DEFENSE INFORMATION
INFRASTRUCTURE SECURITY
DII
DISN
DMS
GCCS
EC/EDI
CINC
MLS
DFAS
NETWORK SECURITY MANAGEMENT
Electronic Key
Management System
Fortezza
DOD Directory Service
Fortezza +
Secure
Computing
Firewalls
****
Certification Authority
Workstation (CAW)
High
Assurance
Guards
In-Line
Network
Encryptors
MISSI BUILDING BLOCK PRODUCTS
SECURITY
Availability
Integrity
Confidentiality
Non - Repudiation
Identification & Authentication
SERVICES
MISSI
Mulitlevel Information Systems Security Initiaitive
Workstation Products
FORTEZZA
High Assurance Guards
Secure Network Server (SNS)
» Standard Mail Guard (SMG)
Secret
unclassified e-mail
In-Line Network Encryptors
Network Encryption System (NES) (current)
Tactical End-to-End Device (TEED) (emerging)
Fastlane (multimedia ATM) (emerging)
KG-189 (Synchronous Optical Network (SONET))
ISSO SERVICES
ISSO services is the intellectual
set of activities that assist
customers in protecting the
mission information
ISSO SERVICES
System Security Assessments
Information System Security Education,
Training and Awareness (ISSETA)
Security Engineering and Consulting
Product Evaluation
Clearinghouse for Security Technical
Information
Security Infrastructure
SYSTEM SECURITY
ASSESSMENTS
Threat Assessment
OPSEC Assessment
INFOSEC Assessment
Network Vulnerability Assessments
Technical Security And Facilities
Evaluation
SYSTEM SECURITY
ASSESSMENTS
COMSEC Monitoring
System Security Profiles
System Certification Assistance
System Accreditation Assistance
Risk Assessment
THREAT ASSESSMENT
All source intelligence via SIGINT,
HUMINT, and IMINT
Analytic interface to intel community
Assessments tailored to customer
requirements
Special studies, briefings, and video
Assist in resource and countermeasure
allocations
OPSEC ASSESSMENT
Identify vulnerabilities
Information on
Operations
Supporting operations
Competitors or adversaries
Basis for risk management decisions
INFOSEC ASSESSMENT
High level technical analysis of the security
posture of an organization’s communications
and automated information systems
Determine potential vulnerabilities and identify
countermeasures
Based on known and perceived threats
Present day snapshot of implemented security
Baseline of current security assets
NETWORK
VULNERABILITY ANALYSIS
TECHNICAL SECURITY AND
FACILITIES EVALUATION
COMSEC MONITORING
SYSTEM SECURITY
PROFILES
Support customer’s risk management
process by providing information needed to
make informed trade-offs between systems
security risk, cost, schedule, and mission
requirements
Provide timely mission and configuration
specific analysis
Support certification and accreditation
Document secure system design efforts
SYSTEM SECURITY
PROFILES
Provide future efforts design guidance
Inject security into early design phases
Lower costs
Minimal impact
Improve commercial secure products
Feed lessons learned to vendors
Provide feedback to profiling process
SYSTEM SECURITY
PROFILES
Focuses on developmental systems or those
being upgraded
A system profile:
Presents non-judgemental technical facts
Is not a NSA endorsement
Is a structured presentation of engineering
documentation
Delivers report to customer who controls it
Is time constrained vulnerability search
SYSTEM CERTIFICATION
ASSISTANCE
Make Recommendations Regarding the
Technical and Economic Feasibility of
Additional Countermeasures Which Should
Be Used (or Are Planned to Be Used) to
Further Minimize Risks to the System
SYSTEM ACCREDITATION
ASSISTANCE
The Cost-Effective Approach to Security
Requires DAAs to Lower Risks to
Acceptable Levels While Minimizing Costs
INFORMATION SYSTEMS SECURITY
EDUCATION, TRAINING, AND
AWARENESS (ISSETA)
Conferences
Training Classes
Standards Development
Policy Committees
Doctrine, Policy, and Procedures
Foreign Policy and Relations
Security Awareness
INFOSEC OUTREACH Program
Technology Transfer
CONFERENCES
National Information Systems Security
Conference
AFCEA
IEEE
TRAINING CLASSES
Train-The-Trainer
Teach, Train, and Assist (TTA)
STANDARDS
DEVELOPMENT
ISO
ANSII
POLICY COMMITTEES
NSTISSC
National policies, directives, guidance, etc.,
according to NSD-42
NII
DoD
Military Services
DOCTRINE, POLICY,
AND PROCEDURES
Over-the-air rekeying
Advanced concepts and modeling for
INFOSEC doctrine and risk management
Manages National COMSEC Insecurity
Reporting System
Trended analysis and reports
INFOSEC OUTREACH
PROGRAM
Certified Module Embedment (CME)
Program
SECURITY ENGINEERING
AND CONSULTING
Information Systems Security Engineering
(ISSE)
System Design Guidance
Security Architecture and Frameworks
System Acquisition
Life Cycle Consulting
INFORMATION SYSTEMS
SECURITY ENGINEERING
ISSE Handbook
System Security Engineering Model
(SSEM)
LIFE CYCLE
CONSULTING
Key Management
Privilege Management
Product Installation and Support Training
Design Methodology
Rainbow Series
PRODUCT
EVALUATION
Product Profiles
TEMPEST Endorsement Program (TEP)
Trusted Product Evaluation Program
(TPEP)
Evaluated INFOSEC (COMSEC) Product
Listing
EVALUATED INFOSEC
(COMSEC) PRODUCT LISTING
Commercial COMSEC Endorsement
Program (CCEP)
Authorized Vendor Program (AVP)
CLEARINGHOUSE FOR
INFORMATION
Commercial Product Data Base
Vulnerability Data Base
Information (DOCKMASTER,
TEMPEST Info Center)
Help Desk
INFORMATION
DOCKMASTER
TEMPEST Info Center
SECURITY
INFRASTRUCTURE
Key Management and Provisioning
Doctrine, Policy, and Standards
MISSI Network Security Management
Certification Authentication Workstation (CAW)
Directory System Agent (DSA)
Mail List Agent (MLA)
Rekey Manager (with EKMS)
Audit Manager
STRATEGY FOR PROVIDING
CUSTOMER SUPPORT
DISA
VENDORS
V11
ISSO
ARMY
AIR FORCE
NAVY/MARINES
WHO ARE YOU GOING
TO CALL
CONTRACTOR SUPPORT
(410) 859-4524 (STU-III)
CINCS, JOINT COMMANDS & DEFENSE
AGENCIES
(410) 859-4711 (STU-III)
MILITARY DEPARTMENTS
(410) 859-4391 (STU-III)
CIVIL AGENCIES
(410) 859-4790 (STU-III)
DSN Prefix: 644-0111, Ask Operator for Desired
FAX: (410) 859-6651
STU-III FAX: (410) 859-6665
TOLL FREE: 1-800-688-6115