IS3513 Information Assurance and Security - PowerPoint PPT Presentation

1 / 47
About This Presentation
Title:

IS3513 Information Assurance and Security

Description:

IS3513 Information Assurance and Security 5:30-6:45 PM Robert J. Kaufman Background Syllabus and Class Schedule Student Background Information Email robert.kaufman_at_ ... – PowerPoint PPT presentation

Number of Views:1575
Avg rating:3.0/5.0
Slides: 48
Provided by: utsa
Category:

less

Transcript and Presenter's Notes

Title: IS3513 Information Assurance and Security


1
IS3513 Information Assurance and Security
  • 530-645 PM
  • Robert J. Kaufman
  • Background
  • Syllabus and Class Schedule
  • Student Background Information
  • Email robert.kaufman_at_utsa.edu

2
Student Background Information(email to me)
  • Name
  • Reliable email address
  • IS/CS background
  • Security background if any
  • Why you are taking this course
  • What do you expect out of this course

3
Syllabus
  • Assumed Background
  • It is assumed that students in this class have a
    basic understanding of Operating Systems and
    Networks and that they have access to the
    Internet and a UNIX- or Windows- based PC.
  • Textbook
  • Principles of Computer Security, Conklin, White,
    Cothren, Williams, and Davis, McGraw Hill, 2004.
    ISBN0-07-225509-9
  • Good Reference
  • Hackers Beware, Eric Cole, New Riders
    Publishing, 2001, ISBN0-7357-1009-0.

4
Syllabus -- grading
  • Graded Assignments
  • The grades for this course will be based on a
    standard 70 C, 80 B, 90A grading scheme.
    The final grades will be based on the following
    graded assignments
  • Paper 1 100 points
  • Lab 1 100 points
  • Exam 1 100 points
  • Exam 2 100 points
  • Lab 2 100 points
  • Lab 3 100 Points
  • Lab 4 150 Points
  • Final Exam 250 points
  • TOTAL 1000 points

5
Who relies on computers?
  • Transportation Systems
  • Personal and corporate financial records and
    systems
  • Banking and financial institutions
  • Hospitals and the medical community
  • The public telephone network
  • Air Traffic Control
  • Power systems and other utilities
  • The government and the military
  • Just about everybody

6
NSAs First Major Policy Address Focused On The
Need For More Cyber-Security
  • "The very technology that makes our economy so
    dynamic and our military forces so dominating
    also makes us more vulnerable."
  • Computer reliance is the soft underbelly of
    American national security
  • US high technology firms need to join with the US
    government to fight cyber terrorism

National Security Advisor Condoleeza Rice
We are talking about a collaborative partnership
between the public and private sectors that is
unprecedented in our history
7
Solar Sunrise
January 1998 tensions between the U.S., the UN,
and Iraq are on the rise. Hussein has expelled
the UN inspectors. UN discussing renewing
military action.
February 4 AFCERT detects additional intrusions
8
Solar Sunrise
- Turned out to be 2 teenagers in California and
their mentor in Israel - Involved systems owned
by the Air Force, Navy, NASA, DOE, MIT and
several others - At least 47 FBI agents were
involved in this case as well as individuals
from the OSI and members of the Israeli Ministry
of Justice - Exploited a known bug in Solaris,
sniffed passwords - 500 systems involved,
thousands of passwords compromised.
9
Citibank
  • Probably the largest and most famous publicly
    acknowledged theft
  • Occurred in 1994
  • Vladimir Levin, a 30-year old Russian hacker
    stole more than 10M
  • All but a few hundred thousand dollars recovered
  • The actual dollar figure lost was minimal to an
    organization as large as Citibank, what was more
    important is how this affected peoples
    impression of the bank. How many accounts were
    lost as a result of this public incident?

10
Worcester Airport
  • Occurred in early 1997
  • 14 year old hacker broke into a NYNEX digital
    loop carrier system through a dial-in port
  • The individual, who called himself jester,
    disrupted telephone service for over 600
    residents of Rutland, Mass as well as
    communications at Worcester Airport
  • Communication to the tower and emergency services
    was disrupted as well as the main radio
    transmitter and an electronic system which
    enables aircraft to send a signal to activate the
    runway lights

11
Omega Engineering
  • Timothy Lloyd was convicted in May 2000 of
    causing an estimated 12 million in damages to
    his former employer.
  • Back in 1996, Lloyd discovered he was about to be
    fired
  • He planted a logic bomb that systematically
    erased all of Omegas contracts and the
    proprietary software used by the companys
    manufacturing tools.
  • Lloyds act of insider cyberterrorism cost Omega
    its competitive position in the electronics
    manufacturing market. At Lloyds trial, plant
    manager Jim Ferguson said, We will never
    recover.

12
And probably the most widely known security
problem
  • In March 1999, David Smith, a New Jersey
    resident, released the Melissa virus. The
    estimated damage it caused 80 million.
  • In May 2000, 23-year old Philippine college
    student, Onel de Guzman, released the Love Bug
    virus which proceeded to cause an estimated 8
    Billion in damages worldwide.

13
Information Intrusion Threat
CNN, 8,9,10 Feb 00
Cyber-attacks batter Web heavyweights
CERT/CC, Carnegie Mellon, Apr 01
Reported Incidences
30000
25000
buy.com
20000
15000
5 May 00
FBI investigates 'ILOVEYOU' virus millions of
computers affected
10000
5000
0
1988
1990
1992
1994
1996
1998
2000
Love Bug caused an estimated 8 billion in
damage. WP, 11 May 00
War in Kosovo cost the United States 6.7
billion. UPI, 2 Feb 00
14
Some Attack Statistics
  • In January, Riptech announced it had culled more
    than 128,000 attempted attacks on 300 Riptech
    customers over six months. And in March,
    Predictive Systems amassed more than 12 million
    malicious-looking events from 54 sensors around
    the world in just three months. (That's about 90
    attempted attacks per second)
  • The Riptech study found 30 percent of all attacks
    came from computers in the U.S. next was South
    Korea, at 9 percent. In fact, five of the top 10
    sources of attacks were computers in Pacific Rim
    countries. In terms of intensity (attacks per
    Internet user), Israel far outdid any other
    nation.
  • From Missed Opportunity By Scott Berinato,
    www.cio.com, Apr 2002

15
Hack Attack New Global Way Of War
Washington TimesApril 23, 2001, Front
Page China Warns Of Hack Attack
To date, Chinese hackers already have unlawfully
defaced a number of U.S. web sites, replacing
existing content with pro-Chinese or anti-U.S.
rhetoric. In addition, an Internet worm named
"Lion" is infecting computers and installing
distributed denial of service (DDOS) tools on
various systems.
Collateral Damage May Soon Have A New Definition
16
You have to have security, or else
  • 1999 CSI/FBI Computer Crime Security Survey
  • 521 security practitioners in the U.S.
  • 30 reported system penetrations from outsiders,
    an increase for the third year in a row
  • 55 reported unauthorized access from insiders,
    also an increase for the third year in a row
  • Losses due to computer security breaches totaled
    (for the 163 respondents reporting a loss)
    123,779,000
  • Average loss 759,380

17
You have to have security, or else
  • 2000 CSI/FBI Computer Crime and Security Survey
  • 643 security practitioners in the U.S.
  • 90 reported computer security breaches within
    the previous 12 months
  • 70 reported unauthorized use
  • 74 suffered financial losses due to breaches
  • Losses due to computer security breaches totaled
    (for the 273 respondents reporting a loss)
    265,589,940
  • Average loss 972,857

18
You have to have security, or else
  • 2001 CSI/FBI Computer Crime and Security Survey
  • 538 security practitioners in the U.S.
  • 91 reported computer security breaches within
    the previous 12 months
  • 70 reported their Internet connection as a
    frequent point of attack (up from 59 in 2000)
  • 64 suffered financial losses due to breaches,
    35 could quantify this loss.
  • Losses due to computer security breaches totaled
    (for the 186 respondents reporting a loss)
    377,828,700
  • Average loss 2,031,337
  • Source Computer Security Institute
    http//www.gocsi.com

19
And the hits just keep coming
  • 2002 CSI/FBI Computer Crime Security Survey
  • 503 security practitioners in the U.S.
  • 90 detected computer security breaches
  • 40 detected penetrations from the outside
  • 80 acknowledged financial losses due to breaches
  • 455,848,000 in losses due to computer security
    breaches totaled (for the 223 respondents
    reporting a loss)
  • 26 reported theft of proprietary info
    (170,827,000)
  • 25 reported financial fraud (115,753,000)
  • 34 reported intrusions to law enforcement
  • 78 detected employee abuse of internet access
    privileges, i.e. pornography and inappropriate
    email use
  • Source Computer Security Institute
    http//www.gocsi.com

20
And coming
  • A 2003 FBI/CSI Computer Crime and Security Survey
    revealed the following
  • 60 had a security breach in the last year.
  • 78 detected employee abuse of internet
    privileges.
  • 85 admitted to being infected by a computer
    virus.
  • Average loss from insider access was 300,000
  • Average loss due to virus attack 283,000
  • Average loss from Telecom eavesdropping is
    1,205,000
  • Average loss from outsider penetration was
    226,000
  • The average reported loss from net abuse was
    536,000
  • Source Computer Security Institute
    http//www.gocsi.com

21
A sampling of activity from a security perspective
  • March 1999 - EBay gets hacked
  • March 1999 - Melissa virus hits Internet
  • April 1999 - Chernobyl Virus hits
  • May 1999 - Hackers shut down web sites of FBI,
    Senate, and DOE
  • June 1999 - Worm.Explore.Zip virus hits
  • July 1999 - Cult of the Dead Cow (CDC) releases
    Back Orifice
  • Sept 1999 - Hacker pleads guilty to attacking
    NATO and Gore web sites
  • Oct 1999 - teenage hacker admits to breaking into
    AOL
  • Nov 1999 - BubbleBoy virus hits
  • Dec 1999 - Babylonia virus spreads
  • Feb 2000 - several sites experience DOS attacks
  • Feb 2000 - Alaska Airlines site hacked
  • May 2000 - Love Bug virus ravages net
  • July 2001 Code Red Worm
  • Sept 2001 Nimda Worm
  • Jan 2003 Slammer Worm

22
Attacks on the DoD
  • In 1999, a total of 22,144 "attacks" were
    detected on Defense Department networks, up from
    5,844 in 1998, Air Force Maj. Gen. John Campbell,
    then vice director of the Defense Information
    Systems Agency (DISA), told Congress in March
    2000.
  • In 2000 through August 4, a total of 13,998 such
    "events" were reported, according to Betsy Flood,
    a spokeswoman for Arlington, Virginia-based DISA,
    which provides worldwide communication, network
    and software support to the Defense Department.

23
DISA VAAP Results
P R O TECTION
D E T E C T I O N
REACTION
24
Government Focus
  • NSA Executive Agent for Information Assurance
  • Committee on National Security Systems
  • National Information Assurance Acquisition Policy
  • National Security Telecommunications and
    Information Systems Security Policy (NSTISSP) No.
    11

Reference http//www.cnss.gov/policies.html
25
Statutes and Policy
  • Clinger-Cohen Act (CCA), 1996
  • Federal Information Security Management Act
    (FISMA), 2002
  • OMB Circular A-130
  • DoDD 8500.1 Information Assurance
  • DoDI 8580.2 IA Implementation
  • DoDI 5200,40 DoD Information Technology Security
    Certification and Accreditation Process
    (DITSCAP), 1997

26
FISMA
  • The Federal Information Security Management Act
    of 2002 (FISMA) is contained within the
    E-Government Act of 2002 (Public Law 107-347),
    replacing the government Information Security
    Reform Act (GISRA).
  • FISMA, effective throughout the federal
    government, places requirements on government
    agencies and components, with the goal of
    improving the security of federal information and
    information systems.

27
FISMA Purpose
  • Provide a framework for enhancing the
    effectiveness of information security in the
    federal government. This means protecting
    information and information systems from
    unauthorized access, use, disclosure, disruption,
    modification or destruction to ensure integrity,
    confidentiality and availability.
  • Provide effective government-wide management of
    risks to information security.
  • Provide for the development and maintenance of
    minimum controls required or protecting federal
    information and information systems.
  • Provide a mechanism for effective oversight of
    federal agency information security programs.

28
DoD IA Policy
  • All IA or IA-enabled IT must be compliant with
    NSTISSP 11
  • DoD Info Systems must be DITSCAP certified
  • DoD Info Systems must be assigned a mission
    assurance category
  • IA shall be a visible investment in all
    portfolios
  • IA requirements included in all info system
    acquisitions or
  • upgrades

29
Certification
A comprehensive evaluation of the technical and
non-technical security features of an AIS and
other safeguards, made in support of the
accreditation process, to establish the extent to
which a particular design and implementation
meets a set of specified security
requirements. NSTISSI 4009
30
Accreditation
A formal declaration by a designated approving
authority (DAA) that an AIS is approved to
operate in a particular security mode using a
prescribed set of safeguards. NSTISSI 4009
31
DOD Information Technology Security Certification
and Accreditation Process DODI 5200.40 (1997)
  • DITSCAP
  • Life cycle approach to Certification and
    Accreditation (CA)
  • Establish a DoD standard infrastructure-centric
    approach
  • Protects and secures the entities compromising
    the Defense
  • Information Infrastructure



32
DITSCAP Phases
  • Phase I Definition
  • System Security Authorization Agreement (SSAA)
  • Phase II Verification
  • SSAA Compliance Verification
  • Phase III Validation
  • Realistic Evaluation of Integrated System
  • Phase IV Post Accreditation
  • Operational Monitoring

33
Common Criteria
34
Policy
  • NSTISSP 11
  • National Policy Governing the Acquisition of
    Information Assurance (IA)
  • and IA Enabled Information Technology Products
    that protect Information
  • Technology Products that protect national
    security information
  • Effective 1 July 2002, all COTS IA and IAEnabled
    products must be
  • evaluated by
  • - International Common Criteria Mutual
    Recognition Arrangement
  • - NIAP Evaluation and Validation Program
    (CCEVS)
  • - NIST FIPS validation program
  • Does not specify any particular evaluation level
    (EAL) for a product
  • for a product
  • Does not require a Protection Profile to be used



31
35
Policy
  • DOD Directive 8500.1, 24 OCT 2002
  • All IA or IA-enabled products incorporated into
    DoD information
  • systems must comply with NSTISSP 11
  • Products must be satisfactorily evaluated and
    validate either
  • -- Prior to purchase or
  • -- As a condition of purchase the vendors
    products will be satisfactorily
  • evaluated and validated
  • Purchase contracts shall specify that product
    validation will be
  • maintained for subsequent releases

-
36
Common Criteria Version 2.1
  • International vs. U.S. standard
  • U.S. Canada, France, Germany, U.K. Russia.
  • ISO Standard 15408, Evaluation Criteria
    forInformation Technology Security (June 1999)
  • Provides common vocabulary for describing
    requirements and product features
  • Validated products listed
  • http//niap.bahialab.com/cc-scheme/

-
33
37
CC Benefits
  • Specification of security features and
    assurances based
  • on an international standard
  • Evaluation methodology based on an international
  • standard leading to comparability of test
    results
  • Security testing laboratory expertise assessed
    by
  • recognized national bodies quality technical
    oversight
  • provided by government experts
  • Testing results recognized by many nations
  • Reduced testing costs to sponsors of evaluations

38
CC Terminology
  • Target of Evaluation (TOE) - An IT product or
    system and its associated administrator and user
    guidance documentation that is the subject of an
    evaluation
  • Protection Profile (PP) - An implementation
    independent set of security requirements for a
    category of TOEs that meet specific consumer
    needs
  • Security Target (ST) - A set of security
    requirements and specifications to be used as the
    basis for evaluation of an identified TOE.

36
39
Evaluation Assurance Levels (EAL)
  • EAL NAME TCSEC
  • EAL 1 Functionally tested
  • EAL 2 Structurally Tested C1
  • EAL 3 Methodically Tested and Checked C2
  • EAL 4 Methodically Designed, Tested and
    Reviewed B1
  • EAL 5 Semi-formally Designed and Tested
    B2
  • EAL 6 Semi-formally Verified Designed and
    Tested B3
  • EAL 7 Formally Verified Designed and Tested
    A1

TCSEC Trusted Computer Security
EvaluationOrange Book
40
CA Summary
Processes Requirements Categories
DITSCAP
DoD 8500.2
MAC I, II, III
DIACAP
NIACAP
DoDIIS
DNI CA
DCID 6/3
PL 1,2,3,4,5
NISCAP
NIST SP800-37
NIST SP800-37
NIST SP800-37
ISO 17799
ISO 17799
41
What are our goals in Security?
  • The CIA of security
  • Confidentiality
  • Integrity
  • Availability
  • (authentication)
  • (nonrepudiation)

42
The root of the problem
  • Most security problems can be grouped into one of
    the following categories
  • Network and host misconfigurations
  • Lack of qualified people in the field
  • Operating system and application flaws
  • Deficiencies in vendor quality assurance efforts
  • Lack of qualified people in the field
  • Lack of understanding of/concern for security

43
Computer Security Operational Model
Protection Prevention
(Detection Response)
44
Proactive vs- Reactive Models
  • Most organizations only react to security
    threats, and, often times, those reactions come
    after the damage has already been done.
  • The key to a successful information security
    program resides in taking a pro-active stance
    towards security threats, and attempting to
    eliminate vulnerability points before they can be
    used against you.

45
Types of Vulnerabilities

5
46
Vulnerability Sources

fired employee

foreign intelligence agents

disgruntled employee

terrorists

subverted employee

criminals

service providers

corporate raiders

contractors

crackers
6
47
Summary
  • Administrevia
  • Course Introduction
  • Basic IA principles
Write a Comment
User Comments (0)
About PowerShow.com