Informations System
Security
Comprehensive Model
NSTISSI 4011
COEN 250
Fall 2007
T. Schwarz, S.J.
Information System Security

Main Goals: CIA
 Confidentiality
 Integrity
 Availability
Information System Security

Confidentiality
 Security
Policy: Set of rules that determines
whether a given subject can gain access to a
specific object
 Confidentiality: Assurance that access
controls are enforced
Information System Security

Integrity
 Quality
of information that identifies how
closely the data represent reality
Information System Security

Availability
 Information
is provided to authorized users
when it is requested
Information System Security

Information States
 Transmission
 Storage
 Processing
Information System Security

Security Measures
 Technology
 Policy
and Practice
Policy: Formulation of Security Posture
 Practice: Procedures followed to enhance security
posture.

 Education,
Training, Awareness
Information System Security
Education,
Training,
Awareness
Procedures and
Policies
Technology
Transmission, Storage, Processing
Three axes of ISS
NTISSI 4011 Training Standards

Awareness
 Creates
sensitivity to threats and vulnerabilities of
national security information systems
 Recognition of the need to protect data, information,
and the means of processing
 Building working knowledge of principles and
practices of INFOSEC

Performance Level
 Skill
or ability to design, execute, or evaluate agency
INFOSEC security procedures and practices
Elements of Computer Security








Computer security should support the mission of the
organization
Computer security is an integral element of sound
management
Computer security should be cost effective
Computer security responsibilities and accountability
should be made explicit
System owners have computer security responsibilities
outside their own organizations
Computer security requires a comprehensive and
integrated approach
Computer security should be periodically reassessed
Computer security is constrained by societal factors.
NIST 800-12
Common Threats

Errors and Omissions





Fraud and Theft







Insiders / outsiders
Computer as tools / targets
Employee sabotage
Loss of physical / infrastructure support
Malicious hacking
Espionage


Users
Entry clerks
System operators
Software engineers
Industrial / foreign government
Malicious codes
Privacy
Management Controls

Computer Security Policy
 Definition of term
 “Documentation of computer security decisions.”
 But term encompasses wide range of meanings.
 Three basic types
 Program policy


Issue specific policies


creates an organization’s computer security program
address specific issues such as use of crypto, private use of
equipment, software installation, etc.
System specific policies

focuses on a single system
Management Controls

Tools to implement policy
 Standards

specify uniform use of specific technologies

e.g. organization-wide identification badges
 Guidelines

assists users, systems personnel, etc in effectively securing
a system
 Procedures

normally assist in complying with applicable security policies,
standards, and guidelines
Management Controls

Program Policy


Head of organization issues program policy to establish the
org.’s computer security program.
Basic Components



Purpose
Scope
Responsibility



assigned to a newly created or existing office
establishes roles of officials and offices in the org.
Compliance


General compliance, e.g. specifying an oversight office
Use of specific penalties and disciplinary actions
 A policy usually only creates the structure
Management Controls

Issue-specific Policy

Applies to a specific issue such as




Internet Access
E-mail Privacy
Use of unofficial software
Basic Components

Issue statement






Define issue with any relevant terms, distinctions, conditions
Statement of org.’s position on issue
Applicability
Roles and responsibilities
Compliance
Points of contact and supplementary information
Management Controls

System Specific Policies
 Components

Security objectives



Operational security rules


concrete
well defined
Rules for operating a system: Who can do what to which
specific classes and records of data, under what conditions
Often accompanied by implementing procedures and
guidelines
Management Controls

System specific policy implementations
 Technology
plays not the sole role in
enforcing system-specific policies
Technology: limits printing of confidential
information to a specific printer
 Non-technology: access to printer output is
guarded

Management Controls
Computer Security Program Management

OMB Circular A-130
establishes requirement for
federal agencies to
establish computer security
programs

Federal agencies
are complex:
 Management
occurs
at different levels, at
least


Centralized level
System level
Management Controls
Computer Security Program Management
Sources of (Some) Requirements for
Federal Unclassified Computer Security Programs
A federal agency computer security program is created and operates in an environment rich in guidance and direction from other
organizations. The figure illustrates some of the external sources of requirements and guidance directed toward agency
management with regard to computer security. While a full discussion of each is outside the scope of this chapter, it is important to
realize that a program does not operate in a vacuum; federal organizations are constrained - by both statute and regulation - in a
number of ways.
Management Controls
Computer Security Program Management
Example for placement of computer security program level and system level
functions
Management Controls
Computer Security Risk Management
Basic assumption: Computers can never
be fully secured
 Risk Assessment

 Process
of analyzing and interpreting risk
 3 basic activities
Determining assessment scope and methodology
 Collecting and analyzing data
 Interpreting risk analysis results

Management Controls
Computer Security Risk Management

Components of Risk
Assessment
 Asset
Valuation
 Consequence Assessment
 Threat Identification
 Vulnerabilities
 Safeguards
 Likelihood
Management Controls
Assurance

Assurance

Degree of confidence that the security measures work as intended to
protect system and information
 Not a measurement

Accreditation
Management official’s formal acceptance of adequacy of a system’s
security
 Components


Technical features


Operational practices


Is the system operated according to stated procedures?
Overall security


Do they operate as intended?
Are there threats that are not addressed?
Remaining risks

Acceptability?
Operational Controls
Personnel / User Issues

Two principles
 Separation of duties
 Least privilege

Staffing
 Job definition
 Sensitivity determination
 Filling position
 Screening applicants
 Selecting individual
 Training and Awareness Creation
Operational Controls
Personnel / User Issues

User Administration
 User account management
 Identification
 Authentication
 Access Verification
 Auditing
 Verify periodically legitimacy of current accounts and access
authorizations
 Modification / Removal of Access


Contractor Access Management
Public Access Considerations
Operational Controls
Contingency & Disaster Preparation

Contingency planning in six steps
 Identification
of mission-critical functions
 Identification of resources that support critical
functions
 Anticipation of potential contingencies / disasters
 Selecting contingency planning strategies
 Implementing contingency strategies
 Testing and revisiting strategies
Operational Controls
Incident Response

Incident Response: Actions taken to
deal with an incident.
Detection
Countermeasures
Incident Response:
Containment & Repair
Operational Controls
Incident Response

Establishment of Successful Incident Handling Capability

Components






Understanding of constituency
Education of constituency
Centralized communication
Expertise in requisite technology
Links to other groups assisting in incident handling, as needed
Technical support



Nationwide / worldwide reporting facility for incidents
Rapid communications
Secure communications for incidents involving national security
Operational Controls
Awareness, Training, & Education


Basic premise: people are fallible
Two main benefits
 Improvement


Buy-in
Knowledge and skills
 Increased

of employment behavior
ability to hold employees accountable
Dissemination and enforcement of policies presupposes
awareness
Operational Controls
Awareness, Training, & Education

Awareness
 “What”
 Information

Training
 “How”
 Knowledge

Education
 “Why”
 Insight
Operational Controls
Security Considerations in Computer Support and
Operations

Computer Support and Operations
 Everything

done to run a computer system
User support – Help desk
 Needs
to recognize which problems are security
related


Example: Failed login can result from logout caused by
hacker running a password guessing attack
Software support
 Control
of software used on a system
 Software can only be modified with proper
authorization
Operational Controls
Security Considerations in Computer Support and
Operations

Configuration Management
 Goal:
to ensure that changes to the system do not
unintentionally or unknowingly diminish security

Backups
 critical

for contingency planning
Media control
 Provide
physical and environmental protection and
accountability for removable media


Documentation
Maintenance
Operational Controls
Physical and Environmental Security

Protect computer systems from
 Interruptions
in providing computer services
 Physical damage
 Unauthorized access of information

Example: Tempest program
 Loss
of control over system
 Physical theft

Mobile and portable systems present new range
of issues
Technical Controls
Identification and Authentication

Identification:


Authentication


Means by which a user provides a claimed identity to the system
Means of establishing the validity of the claim
Identification and Authentication based on

What you know.


What you have.


Physical key, smart card.
What you are.


E.g. password, pass-phrase, (secret key, private key).
Biometrics.
Where you are.

E.g. trusted machine, access to room, …
Technical Controls
Logical Access Control

Access
 Ability

to do something with a computing resource
Access control
 Means
by which this ability is explicitly enabled or
restricted

Not to be confused with
 Authorization
 Permission to use computer resource
 Authentication
 Proof of identity
Technical Controls
Logical Access Control

Access Criteria typically based on




Identity
Roles
Location
Time


Personnel files only accessible during normal business hours
Transactions




Phone inquiry answered by computer
Computer authenticates inquirer
If too complicated, requires human clerk to answer
Computer grants clerk permission to access inquirer’s record for the
duration of the transaction
Technical Controls
Audit Trails

Audit Trail
 Series

of records of computer events
Auditing
 Review
and analysis of management, operational,
and technical controls

Establishing audit trails helps to establish
 Individual accountability
 Reconstruction of events
 Intrusion detection
 Problem
analysis
Technical Controls
Cryptography
Tool to establish C, I, & A
 Relies on technology and key
management
