Nebraska University Consortium on Information Assurance - PowerPoint PPT Presentation

Description: Nebraska University Consortium on Information Assurance. Information Assurance: Where We've Been and Where We're Going. Prepared for INFRAGARD.

Slides: 38
Provided by: BlainB

Transcript and Presenter's Notes

1
Nebraska University Consortium on Information
Assurance
  • Information Assurance
  • Where We've Been and Where We're Going
  • Prepared for
  • INFRAGARD
  • Knoxville, Tenn.
  • 15 December 2005
  • Blaine W. Burnham, PhD
  • Executive Director,
  • Nebraska University Consortium for Information
    Assurance (NUCIA)
  • College of IST
  • Peter Kiewit Institute
  • University of Nebraska, Omaha

2
IA Been There, Done That
  • Outline
  • What is Information Assurance
  • Threat
  • What are the Parts, a Taxonomy
  • What have we Learned and When
  • Where are we Now
  • Where are we Going
  • To Be Informed
  • Management Challenges
  • Credentials

3
IA Been There, Done That
  • What is Information Assurance
  • A triple (Users, Information Objects, Policy)
  • An Environment
  • A Threat
  • Technologies, Practices, Procedures
  • The attenuation of the threat to an acceptable
    level of risk

4
IA Been There, Done That
  • Is Information Assurance a NEW idea?
  • Very Old Concept / Practice
  • People have Needs; Information has Value
  • Well developed solutions
  • Pre-literate: The Oral Tradition
  • Literate: India ink, multiple copies, notaries
  • People have long developed instincts
  • How do you know if your car is stolen?

5
IA Been There, Done That
  • Why is it so Difficult?
  • We need to understand that Security is a Global
    System property
  • Need to secure the whole system
  • A Non-Observable Property
  • Generally cannot tell if it is working correctly
  • And we need to understand what is happening: the
    physics of information has changed
  • Our way of thinking has not changed - enough

6
IA Been There, Done That
  • Why is there Information Assurance?
  • In the computing environment the needs and value
    persist, the Instincts Fail
  • How do you know if your data is stolen, changed?
  • The Environment is not an extension of what we
    are used to
  • The physics of information is different
  • Information Binding
  • What is it and how does it work?
  • Oral Tradition
  • Paper
  • Electronics
  • Something very different must happen to enable us
    as a culture / society to get to what we need!

7
IA Been There, Done That
  • Threat
  • The Wedge
  • Whatever Works
  • Technology
  • Simple to very Sophisticated
  • Social Engineering
  • Weak and Flawed Software (Viruses, Worms, BOF,
    other)
  • Access (War Driving)
  • Hardware Reverse Engineering
  • Software Reverse Engineering

8
IA Been There, Done That
  • Threat
  • Three Levels
  • Low End: Ankle Biters - Stop These
  • High End: State Sponsorship - Get Help
  • Mid Range: The Mercs - THE Problem
  • Wild Cards
  • Terrorists
  • Competition
  • Considerable Overlap
  • Tech transfer
  • Leverage
  • Motivation

9
IA Been There, Done That
  • What are the Parts
  • A Taxonomy
  • Policy
  • Membership
  • Boundary
  • Secure System Management
  • Damage detection and recovery
  • Connection and Separation
  • Assurance

10
IA Been There, Done That
  • An IA Taxonomy
  • Membership
  • Users
  • Software
  • Hardware
  • Policy
  • Well-defined / Consistent / Implementable
  • Clear / Unambiguous
  • Boundary
  • Who / What / Where

11
IA Been There, Done That
  • An IA Taxonomy (cont)
  • Damage Detection and Recovery
  • Will Happen
  • Prepare in Advance
  • Who do You Call
  • Incident Handling / Forensics / Disaster
    Recovery
  • Connection / Separation
  • Policy Level Negotiation
  • Consequence of Connectivity
  • A Risk Accepted by ONE is a Risk Shared by ALL
    (and ALL may not know it)
  • Not All Equals are Equal
  • How Do You Decide

12
IA Been There, Done That
  • An IA Taxonomy
  • Secure System Management
  • This is not "other duties as assigned"
  • Requires special attention
  • Outsourcing is popular / Let's talk about that
  • Assurance
  • The Really Hard Part
  • How do You decide "Good Enough"?
  • Lots of Parts
  • Deserves its own segue

13
IA Been There, Done That
  • About Assurance
  • What is it?
  • Circular Definitions
  • Confidence -> Assurance -> Confidence
  • Not a lot of help
  • Complicated Definitions
  • Trustworthy / Trust(ed) / Security Assurance /
    Information Assurance
  • Throw in "High Assurance" just to clarify Things
  • Parts
  • Policy Assurance, Design Assurance,
    Implementation Assurance, Operational or
    Administrative Assurance

14
IA Been There, Done That
  • More About Assurance
  • What is it?
  • None of these attempts is wrong.
  • Some not too useful / not too much insight.
  • How about?
  • Assurance is the basis for the belief that a
    system will behave as expected.
  • Assurance is about Behavior
  • Assurance is Operational
  • A side benefit is Assurance can be accumulative
    and have scope.

15
IA Been There, Done That
  • What is not Assurance
  • The Classical exceptions
  • Emphatic Assertion (aka "Rivers of Impassioned
    Rhetoric", Dan Edwards)
  • Security Through Obscurity
  • "I couldn't find any Flaws"
  • Challenges / Contests
  • Any of this sound familiar? (E-Voting machines?)
  • Somewhat at odds with the SR community
  • Not Probabilistic
  • Generally cannot build a High Assurance System
    out of Low Assurance Components
  • The Problem / Perception of Testing

16
IA Been There, Done That
  • Why Should Anyone Care?
  • Malicious Code is THE weapon of choice.
  • Schell: Science, Pseudoscience, Flying Pigs
  • Very Subtle
  • The Ken Thompson Paper
  • Understand the potential economic consequences
  • The Pipeline
  • The Problem with Western Code
  • Understand the Technical Consequences
  • Pete's Paper
  • We know and understand the feature set, we lack
    high assurance

17
IA Been There, Done That
  • The COTS Conundrum
  • DOD IT uses Commodity technology as much as
    possible
  • Alternatives are hugely expensive, slow to
    acquire, costly tails, don't tend to roll
    forward.
  • DOD captive of Commercial Assurance Needs
  • Commercial Assurance needs top out at EAL4
  • DOD assurance needs (the critical ones) start at
    EAL4 and UP
  • Can't get to High Assurance with COTS

18
IA Been There, Done That
  • Yet More About Assurance
  • An Aside
  • High Assurance and the Marketplace
  • Claim: Market Forces will eventually drive the
    Assurance Demands of the marketplace to levels
    commensurate with the needs of Government.
  • Active words: Eventually, Commensurate, Needs
  • Actors: Insurers, Underwriters
  • Do we need to Consider Risk Models?

19
IA Been There, Done That
  • Why High Assurance?
  • The Risk Model is Changing
  • We are putting more at Risk
  • All in favor of Tele-Medicine (HU)
  • All in favor of Internet Voting (HU)
  • The Threat Model is Changing
  • Progressively Less Control over the Computing
    Undercarriage.
  • More bad actors have greater Access
  • Very Strong Verification (High Assurance) is THE
    ONLY VIABLE OPTION
  • ALL Other approaches have been Compromised.

20
IA Been There, Done That
  • What have we learned and when?
  • Automation of Protected Information in the late
    1960s (USAF)
  • Was this a good idea?
  • Is the Information Adequately Protected?
  • Is the Information Equivalently Protected?
  • How would you decide?
  • Tiger teams
  • Not Good News

21
IA Been There, Done That
  • What have we learned and when?
  • Need to better understand the problem and begin
    codifying approaches to solutions
  • Rand Study (the Ware Report), 1970, gets it right.
  • http://www.rand.org/publications/R/R609.1/R609.1.html
  • Points out the problem and general direction to
    remedies with amazing insight
  • "Probably the most serious risk in system
    software is incomplete design, in the sense that
    inadvertent loopholes exist in the protective
    barriers and have not been foreseen by the
    designers."

22
IA Been There, Done That
23
IA Been There, Done That
  • What have we learned and when?
  • How to get it Done
  • The Anderson Report (72)
  • "An Advanced development and Engineering program
    to obtain an open-use, multilevel secure
    computing capability is described"
  • Gets it right
  • Introduces the concept of the reference monitor
  • The second of the two protection mechanisms we
    have
  • Recommends extensions of use for the other
    protection mechanism CRYPTOGRAPHY
  • Whoop!
  • Work done piecemeal over the next 15 years
  • Multics showed How (early 70s)
  • DEC came Close (early 80s) - See Morrie's book
  • http://nucia.unomaha.edu:8080/dspace/bitstream/123456789/61/1/gasserbook.pdf
  • Gemini got it right
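As an added example (not code from the presentation or from NUCIA), here is a minimal reference monitor of the kind the Anderson Report introduces, built over the (Users, Information Objects, Policy) triple from slide 3. The subjects, objects and clearance labels are constructed sample data, and the policy, a "no read up, no write down" multilevel rule, is an assumption chosen to fit the report's multilevel-secure setting rather than the report's own specification. The structural point is what matters: one small, isolated function is the only place a decision is made, every request passes through it, and anything outside the membership is denied rather than guessed at; that is what makes the mechanism something you can verify.

```c
/* Added example, not from the presentation: a minimal reference monitor in
 * the sense of the Anderson Report, over the (Users, Information Objects,
 * Policy) triple.  Subjects, objects and labels are constructed sample
 * data; the policy is an assumed multilevel rule (no read up, no write
 * down) used only as an illustration. */
#include <stdio.h>
#include <string.h>

enum level   { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };
enum access  { READ, WRITE };
enum verdict { DENY = 0, PERMIT = 1 };

struct subject { const char *name; enum level clearance; };
struct object  { const char *name; enum level classification; };

/* Membership: the users and information objects the policy covers
 * (constructed sample data).  Tables are const: the monitor's inputs are
 * not writable by the subjects it mediates. */
static const struct subject SUBJECTS[] = {
    { "alice", SECRET },
    { "bob",   UNCLASSIFIED },
};
static const struct object OBJECTS[] = {
    { "payroll.db",    SECRET },
    { "cafeteria.txt", UNCLASSIFIED },
};

/* The policy, kept small and isolated so it can be inspected and verified:
 * read permitted only if clearance dominates classification (no read up);
 * write permitted only if classification dominates clearance (no write down). */
static enum verdict policy(enum level clearance, enum level classification, enum access a)
{
    switch (a) {
    case READ:  return clearance >= classification ? PERMIT : DENY;
    case WRITE: return clearance <= classification ? PERMIT : DENY;
    }
    return DENY;   /* anything not explicitly permitted is denied */
}

static const struct subject *find_subject(const char *name)
{
    for (size_t i = 0; i < sizeof SUBJECTS / sizeof SUBJECTS[0]; i++)
        if (strcmp(SUBJECTS[i].name, name) == 0) return &SUBJECTS[i];
    return NULL;
}

static const struct object *find_object(const char *name)
{
    for (size_t i = 0; i < sizeof OBJECTS / sizeof OBJECTS[0]; i++)
        if (strcmp(OBJECTS[i].name, name) == 0) return &OBJECTS[i];
    return NULL;
}

/* The reference monitor: every access request passes through this one
 * function.  Unknown subjects or objects are outside the membership and
 * are denied rather than given a default. */
enum verdict mediate(const char *subject, enum access a, const char *object)
{
    const struct subject *s = find_subject(subject);
    const struct object  *o = find_object(object);
    if (s == NULL || o == NULL) return DENY;
    return policy(s->clearance, o->classification, a);
}

int main(void)
{
    printf("alice read  payroll.db    -> %s\n", mediate("alice", READ,  "payroll.db")    ? "permit" : "deny");
    printf("bob   read  payroll.db    -> %s\n", mediate("bob",   READ,  "payroll.db")    ? "permit" : "deny");
    printf("alice write cafeteria.txt -> %s\n", mediate("alice", WRITE, "cafeteria.txt") ? "permit" : "deny");
    printf("eve   read  cafeteria.txt -> %s\n", mediate("eve",   READ,  "cafeteria.txt") ? "permit" : "deny");
    return 0;
}
```

The three properties the reference-monitor concept asks for map directly onto the code: the membership tables and policy are `const` and `static` (tamperproof), `mediate()` is the only path to a decision (always invoked), and `policy()` is a handful of lines (small enough to analyse). Replacing the two-rule policy with something richer does not change that shape.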

24
IA Been There, Done That
  • What have we learned and when?
  • SS (74): Design Analysis and Understanding
  • "In the absence of methodical techniques,
    experience has provided some useful principles
    that can guide the design and contribute to an
    implementation without security flaws"
  • The DEFCON experience and the relation to the SS
    Principles
  • SS got it right
  • 100 References
  • http://www.cs.virginia.edu/~evans/cs551/saltzer/

25
IA Been There, Done That
  • What happened and why?
  • The Money went Away
  • And so did the people
  • No funding for academic research
  • No funding for graduate students
  • No continuity of people
  • No continuity of knowledge
  • For three generations of researchers
  • So it is not in the schools, yesterday and today
  • The knowledge is not with the vendors!!!

26
IA Been There, Done That
  • What happened and why?
  • Early 80s qualified that specified the core
    technology Trusted OS
  • The Orange Book and TPEP
  • Built very smart CS designers, researchers and
    evaluators in the Government and FFRDCs
  • The Vendors, more or less clueless, start to hire
    from Government
  • Clear opportunity for consultants, and several
    very good consulting firms appear (TIS, Sytek,
    SCC)
  • Consulting turns out to be a badly leveraged
    business model
  • Consulting firms turn to products to improve the
    business model
  • Consulting firms caught in the ambiguity of
    honesty and sales
  • Consulting firms melt down and become product
    firms and work for hire.
  • Good / Great advice gives way to product marketing
  • Which Products? The LHF: guards, firewalls,
    IDS
  • Careful design and thoughtful engineering give
    way to marketing snake oil
  • We have lots of stuff and in the main most of it
    is only marginally helpful
  • Heavily weighted toward reactive response
  • Symptomatic relief not systemic solutions
  • A Tremendous market position for the Vendors

27
IA Been There, Done That
  • Where are we now and why?
  • The Buffer Overflow accounts for 85% of attacks.
  • C Sucks. Yet it is the Language of Choice for O/S
    and Services
  • Huge bloated OSs that are internally completely
    fragile
  • More recent release with 65,000 known problems -
    Oh Well!!
  • We know better
  • Patch and Pray is the Mantra
  • We accept this behavior in NO other segment of
    our society
  • We know better
  • No Coherent view of Secure System Architecture
  • Societally Unacceptable
  • We know better
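As an added example (not from the presentation), this is the defect behind the buffer-overflow figure on this slide, in C, with the unchecked idiom beside a bounded version that reports a verdict instead of corrupting memory. `NAME_MAX`, the field name and the sample inputs are constructed for the example.

```c
/* Added example, not from the presentation: the buffer-overflow defect
 * shown as the unchecked idiom beside a bounded form.  NAME_MAX, the
 * field and the sample inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination: the root of the problem */

/* The classic defect: the destination has a fixed size, the source does
 * not, and nothing compares the two, so an input of NAME_MAX bytes or more
 * writes past the end of `name`.  Shown for contrast only; the self-test
 * below never feeds it a long input. */
int copy_name_unchecked(char name[NAME_MAX], const char *input)
{
    strcpy(name, input);   /* unbounded copy */
    return 0;
}

/* The bounded form: measure the source, refuse anything that will not fit
 * together with its terminator, and copy exactly that many bytes.  The
 * caller gets an explicit verdict instead of silent memory corruption. */
int copy_name_checked(char name[NAME_MAX], const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_MAX) {
        name[0] = '\0';    /* leave the destination in a defined state */
        return -1;
    }
    memcpy(name, input, len + 1);   /* includes the terminating NUL */
    return 0;
}

/* Self-test helpers: run the bounded copy on an input and report the
 * verdict, and the length of what actually ended up in the buffer. */
int checked_verdict(const char *input)
{
    char name[NAME_MAX];
    return copy_name_checked(name, input);
}

int checked_result_len(const char *input)
{
    char name[NAME_MAX];
    copy_name_checked(name, input);
    return (int)strlen(name);
}

int main(void)
{
    /* Constructed inputs: well under, exactly at, and over the limit. */
    const char *samples[] = { "ankle-biter", "123456789012345", "1234567890123456",
                              "this-name-is-far-too-long-for-the-buffer" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %s\n", samples[i],
               checked_verdict(samples[i]) == 0 ? "accepted" : "rejected (would have overflowed)");
    return 0;
}
```

The boundary case is the one that matters: a 15-byte name plus its terminator fills the buffer exactly and is accepted, a 16-byte name is refused. Returning `-1` rather than silently truncating forces the caller to decide what to do with oversized input, and clearing `name[0]` means a caller that ignores the verdict still reads a valid (empty) string rather than stale stack contents.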

28
IA Been There, Done That
  • Where are we now and why?
  • No prevalent Understanding of Foundations
  • Moving toward Phrenology and Rattles
  • We know better
  • Hostage to the 18-month wonder and the last
    Salesman
  • A plethora of products of dubious value, clouded
    pedigree, rarely interoperable
  • Seriously Muddy Thinking
  • A flood of books that leave a lot to be desired

29
IA Been There, Done That
  • Where are we now and why?
  • Muddy thinking (example)
  • The Books
  • New Book - just today
  • Computer Security Fundamentals / Easttom
  • "FYI: Old Encryption"
  • "PGP is more than ten years old. Some readers
    might wonder whether it is old and outdated.
    Cryptography is unlike other technological
    endeavors in this regard: older is better. It
    is usually unwise to use the latest thing in
    encryption for the simple reason that it is
    unproven. An older encryption method, provided
    it has not yet been broken, is usually a better
    choice because it has been subjected to years of
    examination by experts and to cracking attempts
    by both experts and less honorably motivated
    individuals. This is sometimes hard for computer
    professionals to understand since the newest
    technology is often preferred in the computer
    business."
  • There is so much wrong with this statement that
    it's hard to know where to start.

30
IA Been There, Done That
  • Where are we now and why?
  • Law: a Segue
  • Piecemeal at Best
  • Banking Secrecy Act
  • Cable TV Privacy act of 1984
  • Electronic Communications Privacy Act
  • Fair Credit Reporting Act
  • Family Educational Rights and Privacy Act
  • Privacy Act of 1974
  • Right to Financial Privacy Act of 1978
  • Video Privacy Protection Act of 1988
  • GLB
  • HIPAA
  • SOX
  • Online Personal Privacy Act 2002 ( not passed)

31
IA Been There, Done That
  • Where are we now and why?
  • The Law: a Segue
  • Piecemeal at Best
  • Anti Spyware Act
  • DMCA 1998
  • Computer Security Act of 1987
  • Paperwork Reduction Act of 1995
  • Information Technology Management Reform Act of
    1996
  • Federal Information Security Act of 2002
  • NSD 42
  • PDD63
  • Counterfeit Access Device and Computer Fraud and
    Abuse Act of 1984
  • USA PATRIOT Act
  • Homeland Security Act of 2002
  • This is nuts.

32
IA Been There, Done That
  • Where are we going from Here?
  • Much greater penetration of computers into
    societal fabric
  • Everything that costs over $100 will be IP
    addressable
  • Phones
  • Viruses and assorted hacks underway as we speak
  • The Fly-by-wire automobile
  • The unprotected consolidation of information
  • The Matrix
  • MATRIX Project: "a pilot effort to increase and
    enhance the exchange of sensitive terrorism and
    other criminal activity information between
    local, state, and federal law enforcement
    agencies." Looks a lot like TIA
  • And the losses from same
  • Personal data on 32,000 Americans is stolen from
    Seisint
  • ChoicePoint revealed that scam artists had gotten
    access to personal data on about 145,000 people

33
IA Been There, Done That
  • Where are we going from Here?
  • More gimmicks and gadgets
  • Information Security Products
  • Google: 30,700,000 results
  • More marginal advice
  • Information Security Consultants
  • Google: 4,900,000 results
  • Much greater risk
  • We are going to insist on computer enabling the
    foundational processes of the country
  • E-voting

34
IA Been There, Done That
  • Management Challenges
  • Strategies
  • You need to Lead
  • E.g. Defense in Depth
  • Multiple Layers
  • Good idea, expensive
  • The People Part of the Equation
  • You need to Lead
  • Don't Expect More Than YOU Are Willing to Give
  • Don't Be Afraid to Get Help
  • Becoming Harder in the Market Place
  • Too Much Snake Oil
  • IA is a 2-5 Billion Dollar Snake Oil Business

35
IA Been There, Done That
  • To Be Informed
  • Conferences
  • Good ones and not good ones and how to tell the
    Difference
  • Workshops
  • Hacker du Jour and Others
  • Training and Short Courses
  • NBDC and Others
  • Academic Programs
  • UNO and Others

36
IA Been There, Done That
  • Where are we going from Here?
  • People will have to exercise their political
    muscle to start to rectify the problem
  • Software Liability
  • Professional Standards
  • Demand Much Greater Accountability
  • It is a societal issue that needs to be treated
    as such

37
IA Been There, Done That
  • Credentials
  • CISSP
  • Certification
  • SANS
  • Microsoft
  • Cisco
  • Novell
  • Other?