Sample PowerPoint – Security Model

Sample Security Model
Security Model

The model (slide diagram) places POLICY at the centre of a cycle of four activities: Secure, Monitor, Audit and Manage.

Secure:
• Identity management & Authentication
• Filtering and Stateful Inspection
• Encryption and VPNs

Monitor:
• Intrusion Detection and Response
• Content-Based Detection and Response
• Employee monitoring

Audit:
• Security Posture Assessment
• Vulnerability Scanning
• Patch verification/Application audit

Manage:
• Secure Device Management
• Event / Data Analysis and Reporting
• Network Security Intelligence
Information Warfare Definition
"Actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while defending one's own information, information-based systems, information systems and computer-based systems."
Information Warfare Definition(s)
Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own.
Such actions are designed to achieve advantages over military or business adversaries. (Dr Ivan Goldman)
Skill vs Technology
(Chart, axis from 1940 to 2004: the skill, knowledge and resources required are decreasing while the tools' power and sophistication are increasing.)
Outbound Open Source
Column headings (slide layout): Business Case, Implementation, Marketing, Maintenance. Activities listed under them:
• Objective
• Code cleanup
• Launch Planning
• Measuring
• Metrics
• License selection
• Architecture
• Development environment & portal
• Community Awareness
• Ongoing Marketing
• Competitive Participation
• Strategic Direction
• Cost / Benefit Analysis
• Community Relevance
• Risk Mitigation
• Training
Levels of Concern (Low, Moderate, High)
• Level of concern for confidentiality
– Based on the tolerance for unauthorized disclosure or compromise of information on the system
• Level of concern for integrity
– Based on the tolerance for unauthorized modification or destruction of information on the system
• Level of concern for availability
– Based on the tolerance for delay in the processing, transmission, or storage of information on the system or the tolerance for the disruption or denial of a service provided by the system
Levels of Concern (Low, Moderate, High)
• Level of concern for external exposure
– Based on the definitions in SP 800-37 (user access methods, backend connections, number of users)
• Level of concern for internal exposure
– Based on the definitions in SP 800-37 (security background assurances/clearances, access approvals, need-to-know)
• Level of concern for total system exposure
– Based on the values assigned to both external and internal exposure factors as defined in SP 800-37
System Characterization
Levels of concern for confidentiality, integrity, availability and system exposure determine:
• Security controls for the IT system
• Security certification level
Classes of Security Controls
• Management Controls
– Controls that address the security management aspects of the IT system and the management of risk for the system
• Operational Controls
– Controls that address the security mechanisms primarily implemented and executed by people (as opposed to systems)
• Technical Controls
– Controls that address security mechanisms contained in and executed by the computer system
A Comprehensive Approach
Linking Critical Assessment Activities
INFORMATION ASSURANCE (IA)
Objectives of the IA Program
Security Risks = (Threats x Vulnerabilities) - Countermeasures
Exposure
• Employ efficient and cost-effective security features to protect information system resources
• Adopt a risk-based life cycle management approach
• Conduct an assessment of threats, identify and apply appropriate safeguards
Objectives of the IA Program (Continued)
Protect the information with regard to:
Confidentiality
Integrity
Availability
Authentication
Non-repudiation
What is the threat?
• Internal
– Intentional (Disgruntled Employee)
– Unintentional (Employee Error)
• External
– Intentional (Terrorists, Hackers)
– Unintentional (Natural Disaster)
IA Program Personnel
• Designated Approving Authority (DAA)
• Information Systems Security Manager (ISSM)
• Network Security Officer (NSO)
• Information Systems Coordinator (ISC)
• Information Systems Security Coordinator (ISSC)
• YOU
YOUR Responsibilities
• Computer & Network Security
• Information Security
• Software Security
• Physical Security
• Communications & Emanations Security
• Personnel / Administration Security
YOUR Responsibilities Computer & Network Security
• Log-On Information
• Warning Banner
• Use of Corporate Systems
YOUR Responsibilities
Computer & Network Security
(Graphic: the word PASSWORD written vertically, crossed by the word LOGOFF.)
YOUR Responsibilities
Computer & Network Security
• System Configuration Information
• Virus Detection
• Firewalls
YOUR Responsibilities Information Security
• Classification level of information
• Back-ups
• Off-Site Storage
• Media Protection
YOUR Responsibilities Software Security
• DO NOT install unapproved software
• Software Accountability / Inventory
• Software Copyright
YOUR Responsibilities Physical Security
• DRMO/Destruction
• Housekeeping
• Media Protection
• Ensure adequate physical controls
YOUR Responsibilities Communications & Emanations Security
• Sending Sensitive data over the Internet
• Encryption
• TEMPEST
YOUR Responsibilities Personnel & Administration Security
• Operating Procedures
• Training
• System Accreditation
• Incident Reporting
• Need-to-know
• Audit Trails
• Contingency Planning
• Adequate Environmental Controls
SUMMARY
• We must incorporate a security mindset in our day-to-day operations
• You are the most important asset in the fight to provide adequate security of our Information Systems