CSCE 548 Security Standards Awareness and Training - PowerPoint PPT Presentation

Slides: 44
Provided by: far1
Learn more at: http://www.cse.sc.edu

Transcript and Presenter's Notes

1
CSCE 548 Security Standards Awareness and Training
2
Cyber Attacks
  • Take advantage of weaknesses in
    • Physical environment
    • Computer system
    • Software bugs
    • Human practices
  • Need to identify, remove, and tolerate
    vulnerabilities

3
Secure Programs
  • How do we keep programs free from flaws?
  • How do we protect computing resources against
    programs that contain flaws?

4
What is Secure?
  • Characteristics that contribute to security
  • Who defines the characteristics?
  • Assessment of security
  • What is the basis for the assessment?
  • IEEE Standard for Software Verification and
    Validation, 2005
  • Bug, error, fault,

5
Proof of Program Correctness
  • Correctness: a given program computes a
    particular result, computes it correctly, and
    does nothing beyond what it is supposed to do.
  • Program verification
    • Initial assertion about the inputs
    • Checking whether the desired output is generated
  • Problems: correctness depends on how the program
    statements are translated into logical
    implications; difficult to use and not intuitive;
    less developed than code production
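The slide's three-part definition of correctness worked through as an added Python example (not part of the lecture): a precondition on the inputs, a postcondition on the output, and a check that the program did nothing beyond its specification, applied to three candidate "maximum of a list" programs. The function and candidate names are our own.

```python
import copy

def pre_max(xs):
    """Initial assertion about the inputs: a non-empty list of ints."""
    return isinstance(xs, list) and len(xs) > 0 and all(isinstance(x, int) for x in xs)

def post_max(xs, r):
    """Desired output: r is an element of xs and no element exceeds it."""
    return r in xs and all(x <= r for x in xs)

def verify(program, pre, post, *args):
    """Check {pre} program {post} on one run. Verdicts: "precondition" (inputs
    violate pre), "side-effect" (arguments altered), "postcondition", or "ok"."""
    if not pre(*args):
        return "precondition"
    snapshot = copy.deepcopy(args)  # the inputs exactly as handed to the program
    result = program(*args)
    if args != snapshot:  # it did something beyond what it is supposed to do
        return "side-effect"
    if not post(*args, result):
        return "postcondition"
    return "ok"

def max_from_zero(xs):
    """Candidate 1: scan starting at 0; wrong when every element is negative."""
    best = 0
    for x in xs:
        best = x if x > best else best
    return best

def max_by_sorting(xs):
    """Candidate 2: right answer, but sorts the caller's list in place."""
    xs.sort()
    return xs[-1]

def max_scan(xs):
    """Candidate 3: scan from the first element; leaves xs untouched."""
    best = xs[0]
    for x in xs[1:]:
        best = x if x > best else best
    return best

def verify_on_cases(program, cases):
    """One passing run proves nothing: check several inputs, report first failure."""
    for xs in cases:
        verdict = verify(program, pre_max, post_max, list(xs))
        if verdict != "ok":
            return verdict
    return "ok"
```

Note that `max_from_zero` passes on the single input `[3, -1, 2]`, which is the slide's point: checking one run against the assertions is not a proof of correctness.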

6
Standards of Program Development
  • Software development organizations specify
    software development practices
  • Administrative control over
    • Design
    • Documentation, language, coding style
    • Programming
    • Testing
    • Configuration management

7
Process Management
  • Human aspects: difficult to judge in advance
  • How to assure that software is built in an
    orderly manner and that this leads to a correct and
    secure product?
  • Process models examine how an organization does
    something

8
Reading
  • Reading for this lecture
    • Carnegie Mellon, Software Engineering Institute
      (SEI) Capability Maturity Model Integration
      (CMMI), http://www.sei.cmu.edu/cmmi/
    • US National Security Agency System Security
      Engineering CMM (SSE CMM),
      http://www.sse-cmm.org/index.html
  • Recommended
    • DOD 8570.01-M, Information Assurance Workforce
      Improvement Program,
      http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
    • Certified Information Systems Security
      Professional (CISSP),
      http://www.isc2.org/cissp/default.aspx

9
National Training Standards
  • Committee on National Security Systems (CNSS) and
    the National Security Agency (NSA) → National
    Training Standards
  • NSTISSI-4011, National Training Standard for
    Information Systems Security (INFOSEC)
    Professionals
  • CNSSI-4012, National Information Assurance
    Training Standard for Senior Systems Managers
    (SSM)
  • NSTISSI-4013, National Information Assurance
    Training Standard For System Administrators (SA)
  • NSTISSI-4014, Information Assurance Training
    Standard for Information Systems Security
    Officers (ISSO)
  • NSTISSI-4015, National Training Standard for
    Systems Certifiers (SC)
  • CNSSI-4016, National Information Assurance
    Training Standard For Risk Analysts (RA)

10
National Standards and Certifications
11
NSTISSI-4011
  • National Training Standard for Information
    Systems Security (INFOSEC) Professionals
  • Provides the minimum course content for the
    training of information systems security
    (INFOSEC) professionals in the disciplines of
    telecommunications security and automated
    information systems (AIS) security.

12
NSTISSI-4011
  • National Security Telecommunications and
    Information Systems Security Directive No. 501
    establishes the requirement for federal
    departments and agencies to implement training
    programs for INFOSEC professionals.
  • INFOSEC professionals: those responsible for the
    security oversight or management of national
    security systems during phases of the life cycle

13
NSTISSI-4011
  • Training Standards: two levels
  • Awareness Level: creates a sensitivity to the
    threats and vulnerabilities of national security
    information systems and a recognition of the
    need to protect data, information and the means
    of processing them, and builds a working
    knowledge of principles and practices in
    INFOSEC.

14
Awareness-level
  • Instructional Content
  • Behavioral Outcomes
  • Topical Content

15
Program of Instructions
  • a. COMMUNICATIONS BASICS (Awareness Level)
  • b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS
    (Awareness Level)
  • c. SECURITY BASICS (Awareness Level)
  • d. NSTISS BASICS (Awareness Level)
  • e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)
  • f. NSTISS PLANNING AND MANAGEMENT (Performance
    Level)
  • g. NSTISS POLICIES AND PROCEDURES (Performance
    Level)

16
Information Systems Security Model
  • Acknowledges information, not technology, as the
    basis for our security efforts
  • The actual medium is transparent
  • Eliminates unnecessary distinctions between
    Communications Security (COMSEC), Computer
    Security (COMPUSEC), Technical Security
    (TECHSEC), and other technology-defined security
    sciences
  • Can model the security relevant processes of
    information throughout an entire information
    system

17
Security Model
  [Figure: three-dimensional security model (cube) with the following axes]
  • Characteristics: Confidentiality, Integrity,
    Availability
  • State: Transmission, Storage, Processing
  • Third Dimension: Education, training, awareness;
    Policy; Technology
18
Performance Level
  • Skill or ability to design, execute, or evaluate
    agency INFOSEC security procedures and practices
  • Employees are able to apply security concepts
    while performing their tasks

19
Meeting National Standards at USC
  • Current certifications
    • NSTISSI-4011, National Training Standard for
      Information Systems Security (INFOSEC)
      Professionals
    • NSTISSI-4013, National Information Assurance
      Training Standard For System Administrators (SA)
    • NSTISSI-4014, Information Assurance Training
      Standard for Information Systems Security
      Officers (ISSO)
  • Courses to take
    • CSCE 522, CSCE 715, CSCE 727

20
Government and industry certifications
21
Computer Security Certifications
  • International Information Systems Security
    Certification Consortium, (ISC)2
    • CISSP: Certified Information Systems Security
      Professional
    • ISSAP: Information Systems Security Architecture
      Professional
    • ISSEP: Information Systems Security Engineering
      Professional
  • Computing Technology Industry Association
    (CompTIA)
    • Security+ (2008): security topics, e.g., access
      control, cryptography, etc.
  • Information Systems Audit and Control Association
    (ISACA)
    • CISA: Certified Information Systems Auditor
    • CISM: Certified Information Security Manager

22
Certified Information Systems Security
Professional (CISSP)
  • June 2004: the CISSP program earned the ANSI
    ISO/IEC Standard 17024:2003 accreditation
  • Formally approved by DoD in the Information
    Assurance Technical (IAT) and Managerial (IAM)
    categories
  • Has been adopted as a baseline for the U.S.
    National Security Agency's ISSEP program

23
CISSP Common Body of Knowledge
  • Based on the CIA triad
  • Ten areas of interest (domains)
    • Access Control
    • Application Security
    • Business Continuity and Disaster Recovery
      Planning
    • Cryptography
    • Information Security and Risk Management
    • Legal, Regulations, Compliance and Investigations
    • Operations Security
    • Physical (Environmental) Security
    • Security Architecture and Design
    • Telecommunications and Network Security

24
Specialized Concentrations
  • Information Systems Security Architecture
    Professional (ISSAP), Concentration in
    Architecture
  • Information Systems Security Engineering
    Professional (ISSEP), Concentration in
    Engineering
  • Information Systems Security Management
    Professional (ISSMP), Concentration in Management

25
Other (ISC)2 Certifications
  • SSCP - Systems Security Certified Practitioner
  • CAP - Certification and Accreditation
    Professional
  • CSSLP - Certified Secure Software Lifecycle
    Professional

26
Security Engineering
27
Security Process Models
  • Capability Maturity Model (CMM): addresses
    organizations, not products
  • ISO 9001: similar to CMM
  • U.S. NSA System Security Engineering CMM
    (SSE-CMM)

28
SSE-CMM
  • Aims to advance the Security Engineering
    discipline
  • Goals
    • Enable the selection of qualified security
      engineering providers
    • Support informed investment in security
      engineering practices
    • Provide capability-based assurance

29
Maturity Levels
  • Define ordinal scale for measuring and evaluating
    process capability
  • Define incremental steps for improving process
    capability

30
Capability Levels
  • Initial
  • Repeatable: requirements management, software
    project planning, software project tracking and
    oversight, software quality assurance, etc.
  • Defined: organization process focus, organization
    process definition, training program, integrated
    software management, software product
    engineering, etc.
  • Managed: quantitative process management,
    software quality management
  • Optimizing: defect prevention, technology change
    management, process change management

31
Maturity Levels
  1. Informal: base practices, ad-hoc process; success
    depends on individual effort
  2. Planned and tracked: plan, track and verify
    performance; disciplined performance
  3. Well defined: define and perform a standard
    process; coordinate practices
  4. Quantitatively controlled: establish measurable
    quality goals; objectively manage performance
  5. Continuously improving: improve organizational
    capability; improve process effectiveness

32
Security Engineering Process Areas
  • Administer System Security Controls
  • Assess Operational Security Risk
  • Attack Security
  • Build Assurance Argument
  • Coordinate Security
  • Determine Security Vulnerabilities
  • Monitor System Security Posture
  • Provide Security Input
  • Specify Security Needs
  • Verify and Validate Security

33
Evaluation
  • Phases
    • Planning phase: scope and plan
    • Preparation phase: prepare evaluation team and
      questionnaire, collect evidence, analyze results
    • On-site phase: interview, establish findings,
      rating, report
    • Post-evaluation phase: report findings and needs for
      improvement, manage results
  • Use of evaluation
    • Organizations to hire developers

34
Problems with SSE-CMM
  • Does not guarantee good results
  • Need to ensure uniform evaluation
  • Need good understanding of model and its use
  • Does not eliminate the need for testing and
    evaluation
  • No guarantee of assurance

35
National Security
36
National Security and IW
  • U.S. agencies responsible for national security:
    large, complex information infrastructure
  • Defense information infrastructure supports
    • Critical war-fighting functions
    • Peacetime defense planning
    • Information for logistical support
    • Defense support organizations
  • Need proper functioning of the information
    infrastructure
  • Digitized Battlefield

37
National Security and IW
  • Increased reliance on information infrastructure
    • Information Dominance
    • Un-manned weapons
    • Communication infrastructure
    • Vital human services (e.g., transportation, law
      enforcement, emergency, etc.)
  • Heavily connected to commercial infrastructure
    • 95% of DOD's unclassified communication via
      public network
  • No boundaries, cost effectiveness, ambiguous

38
Strategic Warfare (SW)
  • Cold War: a single class of weapons delivered at a
    specific range (Rattray)
    • E.g., use of nuclear weapons with
      intercontinental range
  • Current: a variety of means can create
    strategic effects, independent of
    considerations of distance and range.
  • Center of gravity
    • Those characteristics, capabilities, or sources
      of power from which a military force derives its
      freedom of action, physical strength, or will to
      fight (DOD)

39
Strategic Information Warfare (SIW)
  • "means for state and non-state actors to
    achieve objectives through digital attacks on an
    adversary's center of gravity." (Rattray)

40
Strategic Warfare vs. SIW
  • Similar challenges
  • Historical observation: centers of gravity are
    difficult to damage because of
    • Resistance
    • Adaptation

41
Dimensions of Strategic Analysis
  • Threads
  • Need to relate means to ends
  • Interacting with an opponent capable of independent
    action
  • Distinction between
    • Grand Strategy: achievement of the political object
      of the war (includes economic strength and man
      power, financial pressure, etc.)
    • Military Strategy: gain the object of the war (via
      battles as means)

42
Necessary conditions for SW
  • Offensive freedom of action
  • Significant vulnerability to attack
  • Prospects for effective retaliation and
    escalation are minimized
  • Vulnerabilities can be identified, targeted, and
    damage can be assessed

43
SIW
  • Growing reliance → new target of concern
  • Commercial networks for crucial functions
  • Rapid change
  • Widely available tools
  • Significant uncertainties
    • Determining political consequences
    • Predicting damage, including cascading effects