Informations System Security Comprehensive Model NSTISSI 4011 COEN 250 Fall 2007 T. Schwarz, S.J. Information System Security Main Goals: CIA Confidentiality Integrity Availability Information System Security Confidentiality Security Policy: Set of rules that determines whether a given subject can gain access to a specific object Confidentiality: Assurance that access controls are enforced Information System Security Integrity Quality of information that identifies how closely the data represent reality Information System Security Availability Information is provided to authorized users when it is requested Information System Security Information States Transmission Storage Processing Information System Security Security Measures Technology Policy and Practice Policy: Formulation of Security Posture Practice: Procedures followed to enhance security posture. Education, Training, Awareness Information System Security Education, Training, Awareness Procedures and Policies Technology Transmission, Storage, Processing Three axes of ISS NTISSI 4011 Training Standards Awareness Creates sensitivity to threats and vulnerabilities of national security information systems Recognition of the need to protect data, information, and the means of processing Building working knowledge of principles and practices of INFOSEC Performance Level Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices Elements of Computer Security Computer security should support the mission of the organization Computer security is an integral element of sound management Computer security should be cost effective Computer security responsibilities and accountability should be made explicit System owners have computer security responsibilities outside their own organizations Computer security requires a comprehensive and integrated approach Computer security should be periodically reassessed Computer security is constrained by societal factors. NIST 800-12 Common Threats Errors and Omissions Fraud and Theft Insiders / outsiders Computer as tools / targets Employee sabotage Loss of physical / infrastructure support Malicious hacking Espionage Users Entry clerks System operators Software engineers Industrial / foreign government Malicious codes Privacy Management Controls Computer Security Policy Definition of term “Documentation of computer security decisions.” But term encompasses wide range of meanings. Three basic types Program policy Issue specific policies creates an organization’s computer security program address specific issues such as use of crypto, private use of equipment, software installation, etc. System specific policies focuses on a single system Management Controls Tools to implement policy Standards specify uniform use of specific technologies e.g. organization-wide identification badges Guidelines assists users, systems personnel, etc in effectively securing a system Procedures normally assist in complying with applicable security policies, standards, and guidelines Management Controls Program Policy Head of organization issues program policy to establish the org.’s computer security program. Basic Components Purpose Scope Responsibility assigned to a newly created or existing office establishes roles of officials and offices in the org. Compliance General compliance, e.g. specifying an oversight office Use of specific penalties and disciplinary actions A policy usually only creates the structure Management Controls Issue-specific Policy Applies to a specific issue such as Internet Access E-mail Privacy Use of unofficial software Basic Components Issue statement Define issue with any relevant terms, distinctions, conditions Statement of org.’s position on issue Applicability Roles and responsibilities Compliance Points of contact and supplementary information Management Controls System Specific Policies Components Security objectives Operational security rules concrete well defined Rules for operating a system: Who can do what to which specific classes and records of data, under what conditions Often accompanied by implementing procedures and guidelines Management Controls System specific policy implementations Technology plays not the sole role in enforcing system-specific policies Technology: limits printing of confidential information to a specific printer Non-technology: access to printer output is guarded Management Controls Computer Security Program Management OMB Circular A-130 establishes requirement for federal agencies to establish computer security programs Federal agencies are complex: Management occurs at different levels, at least Centralized level System level Management Controls Computer Security Program Management Sources of (Some) Requirements for Federal Unclassified Computer Security Programs A federal agency computer security program is created and operates in an environment rich in guidance and direction from other organizations. The figure illustrates some of the external sources of requirements and guidance directed toward agency management with regard to computer security. While a full discussion of each is outside the scope of this chapter, it is important to realize that a program does not operate in a vacuum; federal organizations are constrained - by both statute and regulation - in a number of ways. Management Controls Computer Security Program Management Example for placement of computer security program level and system level functions Management Controls Computer Security Risk Management Basic assumption: Computers can never be fully secured Risk Assessment Process of analyzing and interpreting risk 3 basic activities Determining assessment scope and methodology Collecting and analyzing data Interpreting risk analysis results Management Controls Computer Security Risk Management Components of Risk Assessment Asset Valuation Consequence Assessment Threat Identification Vulnerabilities Safeguards Likelihood Management Controls Assurance Assurance Degree of confidence that the security measures work as intended to protect system and information Not a measurement Accreditation Management official’s formal acceptance of adequacy of a system’s security Components Technical features Operational practices Is the system operated according to stated procedures? Overall security Do they operate as intended? Are there threats that are not addressed? Remaining risks Acceptability? Operational Controls Personnel / User Issues Two principles Separation of duties Least privilege Staffing Job definition Sensitivity determination Filling position Screening applicants Selecting individual Training and Awareness Creation Operational Controls Personnel / User Issues User Administration User account management Identification Authentication Access Verification Auditing Verify periodically legitimacy of current accounts and access authorizations Modification / Removal of Access Contractor Access Management Public Access Considerations Operational Controls Contingency & Disaster Preparation Contingency planning in six steps Identification of mission-critical functions Identification of resources that support critical functions Anticipation of potential contingencies / disasters Selecting contingency planning strategies Implementing contingency strategies Testing and revisiting strategies Operational Controls Incident Response Incident Response: Actions taken to deal with an incident. Detection Countermeasures Incident Response: Containment & Repair Operational Controls Incident Response Establishment of Successful Incident Handling Capability Components Understanding of constituency Education of constituency Centralized communication Expertise in requisite technology Links to other groups assisting in incident handling, as needed Technical support Nationwide / worldwide reporting facility for incidents Rapid communications Secure communications for incidents involving national security Operational Controls Awareness, Training, & Education Basic premise: people are fallible Two main benefits Improvement Buy-in Knowledge and skills Increased of employment behavior ability to hold employees accountable Dissemination and enforcement of policies presupposes awareness Operational Controls Awareness, Training, & Education Awareness “What” Information Training “How” Knowledge Education “Why” Insight Operational Controls Security Considerations in Computer Support and Operations Computer Support and Operations Everything done to run a computer system User support – Help desk Needs to recognize which problems are security related Example: Failed login can result from logout caused by hacker running a password guessing attack Software support Control of software used on a system Software can only be modified with proper authorization Operational Controls Security Considerations in Computer Support and Operations Configuration Management Goal: to ensure that changes to the system do not unintentionally or unknowingly diminish security Backups critical for contingency planning Media control Provide physical and environmental protection and accountability for removable media Documentation Maintenance Operational Controls Physical and Environmental Security Protect computer systems from Interruptions in providing computer services Physical damage Unauthorized access of information Example: Tempest program Loss of control over system Physical theft Mobile and portable systems present new range of issues Technical Controls Identification and Authentication Identification: Authentication Means by which a user provides a claimed identity to the system Means of establishing the validity of the claim Identification and Authentication based on What you know. What you have. Physical key, smart card. What you are. E.g. password, pass-phrase, (secret key, private key). Biometrics. Where you are. E.g. trusted machine, access to room, … Technical Controls Logical Access Control Access Ability to do something with a computing resource Access control Means by which this ability is explicitly enabled or restricted Not to be confused with Authorization Permission to use computer resource Authentication Proof of identity Technical Controls Logical Access Control Access Criteria typically based on Identity Roles Location Time Personnel files only accessible during normal business hours Transactions Phone inquiry answered by computer Computer authenticates inquirer If too complicated, requires human clerk to answer Computer grants clerk permission to access inquirer’s record for the duration of the transaction Technical Controls Audit Trails Audit Trail Series of records of computer events Auditing Review and analysis of management, operational, and technical controls Establishing audit trails helps to establish Individual accountability Reconstruction of events Intrusion detection Problem analysis Technical Controls Cryptography Tool to establish C, I, & A Relies on technology and key management