
Page 1: Cybersecurity and Information Assurance - ITEA · Definition: Information Assurance Assurance - Measure of confidence that the security features, practices, procedures, and architecture

Cybersecurity and Information Assurance

An Introduction to the ITEA Short Course, to be held 11-12 June 2013

2 May 2013
Instructor: John Jorgensen, [email protected], 571.205.0896

ITEA Professional Development Center
4400 Fair Lakes Court (Suite 104)
Fairfax, VA 22033


Purpose of This Webinar

Discuss Cybersecurity and Information Assurance in the Professional Tester’s Context

Provide an Overview of the Short Course by this Name, Offered by ITEA

Give Participants Another View of Cybersecurity to Inform T&E Activities

Cybersecurity and Information Assurance 2


Objectives of The Course

This two-day course has been designed for the system engineer, program manager, and IA manager. This course is positioned as a mid-level introduction to cybersecurity and information assurance, and it covers a variety of topics in these areas.

High-risk and labor-intensive processes such as security test & evaluation, and certification and accreditation procedures are covered in detail.

IA risk management is covered across the spectrum of system, C&A, program protection and platform risks, illustrating a useful method of aggregation for comprehensive understanding of IA risk.

The course concludes with a detailed exposition of secure network design and construction principles and techniques that can be applied immediately to existing and new networks and systems.


Today's Agenda

0. Introduction and Definitions
1. The Need for System Security
2. Risk
3. System Development and the DoD Acquisition Process
4. Controls and Compliance
5. System Test Process
6. Conclusion


Defining Terms

Definition of Cybersecurity
From NIST IR 7298 rev 1, Glossary of Key Information Security Terms

Cybersecurity – The ability to protect or defend the use of cyberspace from cyber attacks.

Cyberspace – A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

SOURCE: CNSSI-4009


Definition: Information Assurance

Assurance - Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.

Information Assurance (IA) - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

SOURCE: CNSSI-4009


Core Documents – The Universe

Source: http://iac.dtic.mil/iatac/download/ia_policychart.pdf


Intersection: IA and Cybersecurity

Access Control Systems and Methodology

Telecommunications and Network Security

Business Continuity Planning and Disaster Recovery Planning

Security Management Practices

Security Architecture and Models

Law, Investigation, and Ethics

Application and Systems Development Security

Cryptography

Computer Operations Security

Physical Security


Cybersecurity: ability to protect and defend the use of cyberspace from cyber attacks.

Information Assurance: measures that protect and defend information and IS by ensuring Confidentiality-Integrity-Availability-Authentication-NonRepudiation, including restoration of info systems.


Activities Can Be Catalogued as Common Processes

Example US Government Processes (SOURCE: FEMA 2009 Cybersecurity Guidance)

• Cyber Security Policy
• Access Control
• Personnel Security
• Physical and Environmental Security
• Cyber Security Awareness and Training
• Monitoring and Incident Response
• Disaster Recovery and Business Continuity
• System Development and Acquisition
• Configuration Management
• Risk and Vulnerability Management

Example International Standard Processes (SOURCE: ISO 27002: 2005)

• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical Security
• Communications and Ops Management
• Access Control
• Information Systems Acquisition, Development, Maintenance
• Information Security Incident Management
• Business Continuity
• Compliance


1 – The Need for Cybersecurity


Cybersecurity Topics in the News

• IT Consumerization and BYOD
• Supply Chain Security
• Intelligent Threat Management
• Application Security Threats
• Cloud Security
• Big Data & Protecting Your Assets
• Building Meaningful Talent Pipelines
• Effective Privacy Programs
• Social Media and Other Tools for Security Intelligence

BUT… they’re waiting for you out there…


Recent News & Events

AP’s Twitter Account Used in Hoax – Affected Stock Market

Dutch Man Held, Charged with DDoS Attack

LivingSocial Hack Exposed 50M Customer Accounts

Lebanese Witness List in ex-Premier’s Death Posted by Hackers

US Chamber of Commerce Warns Against Data Thefts Against US Firms in China


The Latest Revelation

• APT Found at Qinetiq USA

• Intrusions may have begun in 2007

• Lack of follow-up and poor inter-incident communications could be contributing factors


Source: http://www.theregister.co.uk/2013/05/02/china_us_hacking_qinetiq_apt/


A Catalog of (Recent) Common Attack Methods

• Denial of Service (DoS) / Distributed Denial of Service (DDoS) Attack
  • Attacker sends more data to target machine than it can handle, thereby limiting its ability to operate properly

• SQL Injection Attack
  • Attack a badly designed website with specially-formatted SQL statements to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer

• Mobile code (Java/JavaScript/ActiveX)
  • Programming languages that let web developers write code that is executed by your web browser. Although the code is generally useful, it can be used by intruders to gather information (such as which web sites you visit) or to run malicious code on your computer.

• Cross-site scripting
  • A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.

• Spear phishing
  • Pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to penetrate that company or organization.
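The SQL injection and cross-site scripting items above both come down to the same defect: untrusted input is spliced into text that the system then interprets as a language (SQL, HTML). The following Python is an added example, not code from the webinar or the ITEA course; the users table, the inputs and the function names are constructed for illustration. It places the vulnerable construction beside the fix that removes the problem (parameter binding for SQL, output encoding for HTML), which is also what a security test case for each item should assert on.

```python
import sqlite3
import html


def make_db():
    """Constructed in-memory sample table (hypothetical data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'badly designed website' case: the statement is built by string
    concatenation, so the caller's input becomes part of the SQL grammar."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value is bound through a placeholder. The driver hands it to
    the engine separately from the statement text, so it is only ever compared
    as data and cannot change the shape of the query."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """The cross-site scripting case: user input is reflected straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """The fix: encode the input for an HTML text context before reflecting it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: one ordinary username, one 'specially-formatted' value
    # that a concatenated query reads as extra SQL.
    normal = "bob"
    crafted = "x' OR '1'='1"
    print("vulnerable, normal input:  ", lookup_vulnerable(db, normal))
    print("vulnerable, crafted input: ", lookup_vulnerable(db, crafted))
    print("parameterized, crafted:    ", lookup_parameterized(db, crafted))
    print("vulnerable HTML: ", render_greeting_vulnerable("<script>alert(1)</script>"))
    print("encoded HTML:    ", render_greeting_safe("<script>alert(1)</script>"))
```

The useful test assertion is the contrast: the same crafted input returns every row through the concatenated query and no rows through the bound one, and the same script tag survives untouched in the first renderer but arrives as inert text in the second.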


Verizon Report Findings


Source: Verizon Report 2013


2 – Risk


RMF: A Structured Approach to Risk

NIST SP 800-30/37/39 series provides a structured, yet flexible approach for managing risk that is supported by other NIST security standards and guidelines. This publication discusses the basic concepts of risk management as four components:

• How organizations frame risk, and the context in which risk-based decisions are made;
• How organizations assess risk within that context;
• How organizations respond to risk after assessment is made; and
• How organizations monitor risk over time.

Source: NIST 800-30 Rev1


Tiered Risk Approach

NIST SP800-30 introduces a three-tiered risk management approach that allows organizations to establish an enterprise-wide risk management strategy as part of a mature governance structure, involving senior leaders and executives, and including a risk executive (function). The three-tiered approach addresses risk at:

• The organization level;
• The mission/business process level; and
• The information system level.

Source: NIST 800-30 Rev1


Risk Management Process

Frame the risk – Establish context within which to make risk-based decisions; generates the risk management strategy.

Address the risk – Assessing the risk, Responding to the risk, Monitoring the risk.

Source: NIST 800-30 Rev1


3 – System Development and the DoD Acquisition Process

Requirements Development

• When developing system requirements, have user define operational context of system
• Include security as part of the system functional and non-functional requirements
• Consider how user processes will interact with system, and how system will change user processes – and iterate
• Map user processes to use cases AND test cases
• Consider user modes, define constraints
• Consider security needs, define restraints
• Match system functions to user needs for mission


Figure Source: OpenGroup.org


System Development Process

Source: DoDI 5000.02


The Acquisition Process

DoD acquisition, governed by the DoDD 5000.01 process, and by DoDI 5000.02 requirements.


4 – Controls and Compliance

Governing US Government Guidance: NIST Special Publication 800-53 rev 4

“The selection and implementation of security controls for information systems and organizations are important tasks that can have major implications on the operations and assets of organizations as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements.”


New Document Paths

• SP800-18r1 (2/06) Guide for Developing Security Plans for Federal IS
• SP800-23 (08/00) Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
• SP800-34r1 (05/10) Contingency Planning Guide for Federal IS
• SP800-35 (10/03) Guide to IT Security Services
• SP800-36 (10/03) Guide to Selecting IT Security Products
• SP800-40r3 (09/012) Guide to Enterprise Patch and Vulnerability Mgmt Technologies
• SP800-41r1 (09/09) Guidelines on Firewalls and Firewall Policy
• SP800-44r2 (09/07) Guidelines on Securing Public Web Servers
• SP800-45r2 (02/07) Guidelines on Electronic Mail Security
• SP800-48r1 (07/08) Guide to Securing Legacy IEEE 802.11 Wireless Networks
• SP800-50 (10/03) Building an IT Security Awareness and Training Program
• SP800-55r1 (07/08) Performance Measurement Guide for InfoSec
• SP800-61r2 (08/12) Computer Security Incident Handling Guide
• SP800-64r2 (10/08) Security Considerations in the SDLC
• SP800-65r1 (07/09) Integrating IT Security in CPIC Process
• SP800-82 (06/11) Guide to ICS Security
• SP800-83r1 (07/12) Guide to Malware Incident Prevention and Handling
• SP800-92 (09/06) Guide to Computer Security Log Mgmt
• SP800-94 (07/12) Guide to Intrusion Detection and Prevention Systems (IDPS)
• SP800-123 (07/08) Guide to General Server Security
• SP800-128 (08/11) Guide for Security-Focused Conf Mgmt of IS
• SP800-137 (09/11) ISCM for Federal IS and Organizations
• SP800-144 (12/11) Guidelines on Security and Privacy in Public Cloud Computing
• SP800-145 (09/11) NIST Definition of Cloud Computing

(Figure: relationships among the governing documents, grouped as “DoD side”, “Federal side” and “Common”. Documents shown:)

• DoDI 8500.01 (cybersecurity)
• DoDI 8510.01 (Risk Mgmt Framework)
• CNSSI 1253 (categorization)
• FIPS 199 (categorization)
• FIPS 200 (min rqmts)
• NIST SP800-53r4 (catalog)
• NIST SP800-53A (measurements)
• NIST SP800-39 (IS Risk)
• NIST SP800-37r1 (applying RMF)
• NIST SP800-30 (risk assessments)
• DoDI 5200.40 (TSN)
• NIST SP800-137 (Continuous Monitoring)
• CNSSP 22 (NSS Policy)


5 – System Test Process


• IA Cannot Be Tested – But System Quality Can Be Tested

• IA-Related Testing Must Occur With Functional Test
  • System security considerations (status quo)
  • System maintenance and upkeep requirements that periodically verify security status
  • Networked environment depends on all segments

• If a system is incapable of supporting and maintaining its secure status in the network milieu, it cannot be considered as making a positive mission impact

• Not all systems deserve to be networked


An Ideal View of Activity Relationships


Controls Relationships
Activities to Controls to Critical Control Sets


Controls Relationships
Activities to Controls to Critical Control Sets to Attacks


Testing Across the Acquisition Life Cycle

Source: JTEM PM’s Handbook for Testing in a Joint Environment, Apr 2009


Protect

• Are information systems and their information protected against attacks through the application of security services distributed among multiple locations and address multiple defensive areas, including networks and infrastructures, enclave boundaries and local computing environments?

• Attack vectors
• Weakness categories exploited
• Numbers of attempts (tried / allowed)
• Numbers of targets
• Time of attack injection / penetration
• Attack results
• System impacts
• “Crown Jewels” (opposition objectives and targets)
• Classification of network / component
• Network areas targeted
• Class of attack
• Adversary skill level required for attacks
• Exploitation methods

Source: DOT&E Core Metrics Manual, 2009


Detect

• Is continuous monitoring of connected networks and users effective in detecting attacks, and does monitoring include both passive (audit logs of access, patches and configuration changes) and active (device scanning) mechanisms to accurately determine the status of assets?

• Nodes and components monitored
• Monitoring mechanisms employed
• Personnel available for monitoring
• Baseline configurations and assumptions

Source: DOT&E Core Metrics Manual, 2009


React

• Is accurate analysis conducted to determine if unauthorized activity is occurring or imminent, how widespread it is or likely to be, and what the potential impact is if defensive response actions are not executed?

• Incidents and reportable events
• Observed impacts of events
• Coordination during events
• Reporting procedures

Source: DOT&E Core Metrics Manual, 2009


Restore

• Can systems be effectively restored, which includes the coordination and direction necessary to implement courses of action, including the development, implementation and monitoring of solutions and their effectiveness?

• Eradication and recovery operations
• Data restoration
• Final reporting

Source: DOT&E Core Metrics Manual, 2009
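The Protect, Detect and React slides above list metrics (numbers of attempts tried / allowed, numbers of targets, time of attack injection, incidents and reportable events) but do not show how test-event data becomes those numbers. The following Python is an added example, not code from the webinar or the DOT&E Core Metrics Manual; the event records, field names and function names are constructed for illustration. It aggregates a set of injected test attempts into the per-vector tried/allowed counts and targets reached (Protect), the share of successful intrusions that monitoring caught and the mean time to detect (Detect), and the fraction of detected intrusions that entered the reporting process (React).

```python
from datetime import datetime

# Constructed test-event records (hypothetical, not from the slides or the manual):
# one row per injected attack attempt, recording the vector, the target, whether the
# protection layer let it through, when it was injected, when monitoring first
# detected it (None = never), and whether it was reported as an incident.
ATTEMPTS = [
    dict(vector="phishing", target="ws-01", allowed=True,
         injected="2013-05-02T09:00:00", detected="2013-05-02T09:45:00", reported=True),
    dict(vector="phishing", target="ws-02", allowed=True,
         injected="2013-05-02T09:05:00", detected=None, reported=False),
    dict(vector="sql_injection", target="web-01", allowed=False,
         injected="2013-05-02T10:00:00", detected="2013-05-02T10:00:30", reported=True),
    dict(vector="sql_injection", target="web-01", allowed=False,
         injected="2013-05-02T10:02:00", detected=None, reported=False),
    dict(vector="ddos", target="web-01", allowed=True,
         injected="2013-05-02T11:00:00", detected="2013-05-02T11:15:00", reported=True),
    dict(vector="ddos", target="web-02", allowed=True,
         injected="2013-05-02T11:00:00", detected="2013-05-02T11:30:00", reported=False),
]


def _ts(value):
    """Parse the ISO-style timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S") if value else None


def protect_metrics(attempts):
    """Protect: per attack vector, attempts tried, attempts allowed through, and
    the number of distinct targets those successful attempts reached."""
    per_vector = {}
    for a in attempts:
        m = per_vector.setdefault(a["vector"], {"tried": 0, "allowed": 0, "targets": set()})
        m["tried"] += 1
        if a["allowed"]:
            m["allowed"] += 1
            m["targets"].add(a["target"])
    return {
        v: {"tried": m["tried"], "allowed": m["allowed"], "targets_reached": len(m["targets"])}
        for v, m in per_vector.items()
    }


def detect_metrics(attempts):
    """Detect: of the attempts that got past protection, how many monitoring
    detected, how many it missed, and the mean minutes from injection to detection."""
    allowed = [a for a in attempts if a["allowed"]]
    detected = [a for a in allowed if a["detected"]]
    latencies = [
        (_ts(a["detected"]) - _ts(a["injected"])).total_seconds() / 60.0
        for a in detected
    ]
    return {
        "allowed": len(allowed),
        "detected": len(detected),
        "missed": len(allowed) - len(detected),
        "mean_minutes_to_detect": sum(latencies) / len(latencies) if latencies else None,
    }


def react_metrics(attempts):
    """React: of the detected intrusions, how many were reported as incidents."""
    detected = [a for a in attempts if a["allowed"] and a["detected"]]
    reported = [a for a in detected if a["reported"]]
    return {"detected": len(detected), "reported": len(reported)}


if __name__ == "__main__":
    print("protect:", protect_metrics(ATTEMPTS))
    print("detect: ", detect_metrics(ATTEMPTS))
    print("react:  ", react_metrics(ATTEMPTS))
```

Blocked attempts count under Protect but are excluded from the Detect and React figures on purpose: the question those slides ask is whether monitoring and reporting work for intrusions that the protection layer did not stop, so mixing in the blocked ones would inflate the detection rate.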


6 – Conclusions

An hour for this topic is just enough to whet the appetite for more.

Risk assessment, management and control must flow from planning, through design, into implementation, for measurement in test processes.

Any system that connects to other systems – by any means – is vulnerable, and that’s why we use risk and vulnerability assessment methods.

Testing CAN and MUST make the final difference in a system’s life cycle.


Questions?

Instructor: John Jorgensen, [email protected], 571.205.0896

James Gaidry
Director, ITEA
4400 Fair Lakes Court, Suite 104
Fairfax, VA 22033
[email protected]
