Transcript INFORMATION SYSTEMS SECURITY OFFICE (ISSO) SERVICES

One Team, One Mission
Information Superiority for America
INFORMATION SYSTEMS
SECURITY OFFICE (ISSO)
SERVICES
MAJ Carmine Cicalese
CINC INFOSEC Support
INFORMATION SYSTEMS
SECURITY (INFOSEC)
The protection of information
systems against unauthorized
access to or modification of
information, whether in storage,
processing or transit, and
against the denial of service to
authorized users or the provision
of service to unauthorized users,
including those measures
necessary to detect, document,
and counter such threats
GROWING NEED FOR
INFOSEC
Nation has become highly dependent on
networking for military ops, government,
and commerce
 Information infrastructure is at risk!
Data and systems are highly vulnerable
to unauthorized access
 Information warfare could inflict massive
disruption on military readiness and the
economy

RACE AGAINST TIME:
INFOSEC VS. INFOWAR

Massive Use of Networking Makes U.S. the World’s
Most Vulnerable Target for Information Warfare
 Intelligence Exploitation
 Disruption of Network Infrastructure


U.S. Has Orders of Magnitude More to Lose to
Information Warfare Attacks Than Our
Adversaries
Reliance on Unprotected Networks Carries Risk of
Military Failure and Catastrophic Economic Loss
INFORMATION
WARFARE
“...the threat to our military and commercial
information systems poses a significant risk
to national security and must be addressed.”
William J. Clinton
President of the United States
1995 National Security Strategy
INFORMATION
WARFARE
“Information in all its forms, information protection,
and the increasingly prominent position of
information in the attack have become central
features in determining the outcome of modern and
future conflicts.”
General John M. Shalikashvili
Chairman of the Joint Chiefs of Staff
Memorandum, Information Warfare Status, 10 October 1995
SANCTUARY -- LOST
PAST
U.S.
U.S.
SOCIETY
MILITARY
PRESENT
ADVERSARY
U.S.
U.S.
SOCIETY
MILITARY
ADVERSARY
INFOSEC
CHALLENGES
Keeping pace with technology
 National Information Infrastructure (NII)
 Support to military operations

POTENTIAL ISSO
CUSTOMERS
HEALTH PROFESSION
PRIVATE INDUSTRY
JOHN Q. PUBLIC
FINANCIAL COMMUNITY
ACADEMIA
WHAT ARE WE DOING
ABOUT IT?
Key INFOSEC Goal:
Keep Pace with Network Technology and
Security Needs
Criteria for Success:
Solutions that are Secure, Affordable, and
Easy to Use, as Defined by Our Customers
GOALS





Enhance Network Security
Meet All Requirements for Unique, High
Assurance Solutions
Advance INFOSEC Technology
Champion Information Security for the Nation
Forge an Innovative Customer-Driven
Corporate Culture
ISSO MISSION
Provide leadership, products, and services
necessary to enable customers to protect
national security and sensitive information in
information systems pursuant to Federal law
and national policies; and...
 Provide technical support to the government’s
efforts to incorporate information systems
security into the National Information
Infrastructure (NII)

SECURITY TERMS
DATA INTEGRITY -
Absolute verification data has not been
modified (Detection of a single bit change)
AUTHENTICATION - Verification of originator (Signature on
check)
NON-REPUDIATION - Undeniable proof-of-participation
(Sender/receiver in bank transaction)
CONFIDENTIALITY - Privacy with encryption (Scrambled text)
AVAILABILITY -
Assurance of service on demand
(Guaranteed dial tone)
INFOSEC BUSINESS
The business of information security comprises a cycle of critical
activities designed to meet constantly changing customer needs in the
emerging information age.

Assess Needs
Customer education, threat awareness, vulnerability assessment,
impact on business, leading national advocacy role.

Deliver Solutions
Product and systems evaluations, risk management, system
security engineering consultancy, new solutions, implementation
assistance, security management infrastructure, life cycle
support, policies and guidelines.

Create Advanced Technologies
Anticipate and enable emerging technologies, conduct and
coordinate research and development, rapid prototyping.
INFOSEC SOLUTIONS
PRODUCTS
INFOSEC
SOLUTIONS
SERVICES
TECHNOLOGIES
PRODUCTS






MISSI/Fortezza
STU-III
KG-84
KG-194
KG-95
CONDOR





Key Management
System (EKMS)
Embedded Modules
Chips
Algorithms
Secure Terminal
Equipment
DEFENSE INFORMATION
INFRASTRUCTURE SECURITY
DII
DISN
DMS
GCCS
EC/EDI
CINC
MLS
DFAS
NETWORK SECURITY MANAGEMENT
Electronic Key
Management System
Fortezza
DOD Directory Service
Fortezza +
Secure
Computing
Firewalls
****
Certification Authority
Workstation (CAW)
High
Assurance
Guards
In-Line
Network
Encryptors
MISSI BUILDING BLOCK PRODUCTS
SECURITY
Availability
Integrity
Confidentiality
Non - Repudiation
Identification & Authentication
SERVICES
MISSI
Mulitlevel Information Systems Security Initiaitive
 Workstation Products
 FORTEZZA

High Assurance Guards
 Secure Network Server (SNS)
» Standard Mail Guard (SMG)


Secret
unclassified e-mail
In-Line Network Encryptors
 Network Encryption System (NES) (current)
 Tactical End-to-End Device (TEED) (emerging)
 Fastlane (multimedia ATM) (emerging)
 KG-189 (Synchronous Optical Network (SONET))
ISSO SERVICES
ISSO services is the intellectual
set of activities that assist
customers in protecting the
mission information
ISSO SERVICES

System Security Assessments

Information System Security Education,
Training and Awareness (ISSETA)

Security Engineering and Consulting

Product Evaluation

Clearinghouse for Security Technical
Information

Security Infrastructure
SYSTEM SECURITY
ASSESSMENTS

Threat Assessment

OPSEC Assessment

INFOSEC Assessment

Network Vulnerability Assessments

Technical Security And Facilities
Evaluation
SYSTEM SECURITY
ASSESSMENTS

COMSEC Monitoring

System Security Profiles

System Certification Assistance

System Accreditation Assistance

Risk Assessment
THREAT ASSESSMENT
All source intelligence via SIGINT,
HUMINT, and IMINT
 Analytic interface to intel community
 Assessments tailored to customer
requirements
 Special studies, briefings, and video
 Assist in resource and countermeasure
allocations

OPSEC ASSESSMENT
Identify vulnerabilities
 Information on

 Operations
 Supporting operations
 Competitors or adversaries

Basis for risk management decisions
INFOSEC ASSESSMENT

High level technical analysis of the security
posture of an organization’s communications
and automated information systems
 Determine potential vulnerabilities and identify
countermeasures
 Based on known and perceived threats
Present day snapshot of implemented security
 Baseline of current security assets

NETWORK
VULNERABILITY ANALYSIS
TECHNICAL SECURITY AND
FACILITIES EVALUATION
COMSEC MONITORING
SYSTEM SECURITY
PROFILES
Support customer’s risk management
process by providing information needed to
make informed trade-offs between systems
security risk, cost, schedule, and mission
requirements
 Provide timely mission and configuration
specific analysis
 Support certification and accreditation
 Document secure system design efforts

SYSTEM SECURITY
PROFILES

Provide future efforts design guidance

Inject security into early design phases
 Lower costs
 Minimal impact

Improve commercial secure products
 Feed lessons learned to vendors

Provide feedback to profiling process
SYSTEM SECURITY
PROFILES
Focuses on developmental systems or those
being upgraded
 A system profile:

 Presents non-judgemental technical facts
 Is not a NSA endorsement
 Is a structured presentation of engineering
documentation
 Delivers report to customer who controls it
 Is time constrained vulnerability search
SYSTEM CERTIFICATION
ASSISTANCE

Make Recommendations Regarding the
Technical and Economic Feasibility of
Additional Countermeasures Which Should
Be Used (or Are Planned to Be Used) to
Further Minimize Risks to the System
SYSTEM ACCREDITATION
ASSISTANCE

The Cost-Effective Approach to Security
Requires DAAs to Lower Risks to
Acceptable Levels While Minimizing Costs
INFORMATION SYSTEMS SECURITY
EDUCATION, TRAINING, AND
AWARENESS (ISSETA)
Conferences
 Training Classes
 Standards Development
 Policy Committees
 Doctrine, Policy, and Procedures
 Foreign Policy and Relations
 Security Awareness
 INFOSEC OUTREACH Program
 Technology Transfer

CONFERENCES
National Information Systems Security
Conference
 AFCEA
 IEEE

TRAINING CLASSES
Train-The-Trainer
 Teach, Train, and Assist (TTA)

STANDARDS
DEVELOPMENT
ISO
 ANSII

POLICY COMMITTEES

NSTISSC
 National policies, directives, guidance, etc.,
according to NSD-42
NII
 DoD
 Military Services

DOCTRINE, POLICY,
AND PROCEDURES
Over-the-air rekeying
 Advanced concepts and modeling for
INFOSEC doctrine and risk management
 Manages National COMSEC Insecurity
Reporting System

 Trended analysis and reports
INFOSEC OUTREACH
PROGRAM

Certified Module Embedment (CME)
Program
SECURITY ENGINEERING
AND CONSULTING
Information Systems Security Engineering
(ISSE)
 System Design Guidance
 Security Architecture and Frameworks
 System Acquisition
 Life Cycle Consulting

INFORMATION SYSTEMS
SECURITY ENGINEERING
ISSE Handbook
 System Security Engineering Model
(SSEM)

LIFE CYCLE
CONSULTING
Key Management
 Privilege Management
 Product Installation and Support Training
 Design Methodology
 Rainbow Series

PRODUCT
EVALUATION
Product Profiles
 TEMPEST Endorsement Program (TEP)
 Trusted Product Evaluation Program
(TPEP)
 Evaluated INFOSEC (COMSEC) Product
Listing

EVALUATED INFOSEC
(COMSEC) PRODUCT LISTING
Commercial COMSEC Endorsement
Program (CCEP)
 Authorized Vendor Program (AVP)

CLEARINGHOUSE FOR
INFORMATION
Commercial Product Data Base
 Vulnerability Data Base
 Information (DOCKMASTER,
TEMPEST Info Center)
 Help Desk

INFORMATION
DOCKMASTER
 TEMPEST Info Center

SECURITY
INFRASTRUCTURE
Key Management and Provisioning
 Doctrine, Policy, and Standards
 MISSI Network Security Management

 Certification Authentication Workstation (CAW)
 Directory System Agent (DSA)
 Mail List Agent (MLA)
 Rekey Manager (with EKMS)
 Audit Manager
STRATEGY FOR PROVIDING
CUSTOMER SUPPORT
DISA
VENDORS
V11
ISSO
ARMY
AIR FORCE
NAVY/MARINES
WHO ARE YOU GOING
TO CALL

CONTRACTOR SUPPORT
(410) 859-4524 (STU-III)

CINCS, JOINT COMMANDS & DEFENSE
AGENCIES
(410) 859-4711 (STU-III)

MILITARY DEPARTMENTS
(410) 859-4391 (STU-III)

CIVIL AGENCIES
(410) 859-4790 (STU-III)
DSN Prefix: 644-0111, Ask Operator for Desired
FAX: (410) 859-6651
STU-III FAX: (410) 859-6665
TOLL FREE: 1-800-688-6115