Is3513 information assurance and security
This presentation is the property of its rightful owner.
Sponsored Links
1 / 49

IS3513 Information Assurance and Security PowerPoint PPT Presentation


  • 56 Views
  • Uploaded on
  • Presentation posted in: General

IS3513 Information Assurance and Security. 6:00-7:15 PM Robert J. Kaufman Background Syllabus and Class Schedule Student Background Information Email robert.kaufman @utsa.edu. Student Background Information (email to me). Name Reliable email address IS/CS background

Download Presentation

IS3513 Information Assurance and Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Is3513 information assurance and security

IS3513 Information Assurance and Security

  • 6:00-7:15 PM

  • Robert J. Kaufman

    • Background

    • Syllabus and Class Schedule

  • Student Background Information

    • Email [email protected]


Student background information email to me

Student Background Information(email to me)

  • Name

  • Reliable email address

  • IS/CS background

  • Security background if any

  • Why you are taking this course

  • What do you expect out of this course


Syllabus

Syllabus

  • Assumed Background

    • It is assumed that students in this class have a basic understanding of Operating Systems and Networks and that they have access to the Internet and a UNIX- or Windows- based PC.

  • Textbook

    • Principles of Computer Security, Conklin, White, Cothren, Williams, and Davis, McGraw Hill, 2004. ISBN:0-07-225509-9

  • Good Reference

    • Hacker’s Beware, Eric Cole, New Riders Publishing, 2001, ISBN:0-7357-1009-0.


Syllabus grading

Syllabus -- grading

  • Graded Assignments

    • The grades for this course will be based on a standard 70% = C, 80% = B, 90%=A grading scheme. The final grades will be based on the following graded assignments:

      • Paper 1 100 points

      • Lab 1 100 points

      • Exam 1 100 points

      • Exam 2 100 points

      • Lab 2 100 points

      • Lab 3 100 Points

      • Lab 4 150 Points

      • Final Exam 250 points

      • TOTAL1000 points


Who relies on computers

Who relies on computers?

  • Transportation Systems

  • Personal and corporate financial records and systems

  • Banking and financial institutions

  • Hospitals and the medical community

  • The public telephone network

  • Air Traffic Control

  • Power systems and other utilities

  • The government and the military

  • Just about everybody


Nsa s first major policy address focused on the need for more cyber security

NSA’s First Major Policy Address Focused On The Need For More Cyber-Security

  • "The very technology that makes our economy so dynamic and our military forces so dominating also makes us more vulnerable."

  • Computer reliance is the “soft underbelly” of American national security

  • US high technology firms need to join with the US government to fight cyber terrorism

National Security Advisor

Condoleeza Rice

“We are talking about a collaborative partnership between the public and private sectors that is unprecedented in our history”


Solar sunrise

Kirtland AFB

Columbus AFB, MS

Lackland AFB

February 3: ASIMS detects intrusion at Andrews AFB

Solar Sunrise

January 1998: tensions between the U.S., the UN, and Iraq are on the rise. Hussein has expelled the UN inspectors. UN discussing renewing military action.

February 4: AFCERT detects additional intrusions:


Solar sunrise1

Solar Sunrise

- Turned out to be 2 teenagers in California and their mentor in Israel

- Involved systems owned by the Air Force, Navy, NASA, DOE,

MIT and several others

- At least 47 FBI agents were involved in this case as well as

individuals from the OSI and members of the Israeli Ministry

of Justice

- Exploited a known bug in Solaris, sniffed passwords

- 500 systems involved, thousands of passwords compromised.


Citibank

Citibank

  • Probably the largest and most famous publicly acknowledged theft

  • Occurred in 1994

  • Vladimir Levin, a 30-year old Russian hacker stole more than $10M

  • All but a few hundred thousand dollars recovered

  • The actual dollar figure lost was minimal to an organization as large as Citibank, what was more important is how this affected people’s impression of the bank. How many accounts were lost as a result of this public incident?


Worcester airport

Worcester Airport

  • Occurred in early 1997

  • 14 year old hacker broke into a NYNEX digital loop carrier system through a dial-in port

  • The individual, who called himself “jester”, disrupted telephone service for over 600 residents of Rutland, Mass as well as communications at Worcester Airport

  • Communication to the tower and emergency services was disrupted as well as the main radio transmitter and an electronic system which enables aircraft to send a signal to activate the runway lights


Omega engineering

Omega Engineering

  • Timothy Lloyd was convicted in May 2000 of causing an estimated $12 million in damages to his former employer.

  • Back in 1996, Lloyd discovered he was about to be fired

  • He planted a logic bomb that systematically erased all of Omega’s contracts and the proprietary software used by the company’s manufacturing tools.

  • Lloyd’s act of insider cyberterrorism cost Omega its competitive position in the electronics manufacturing market. At Lloyd’s trial, plant manager Jim Ferguson said, “We will never recover.”


And probably the most widely known security problem

And probably the most widely known security problem…

  • In March 1999, David Smith, a New Jersey resident, released the Melissa virus. The estimated damage it caused: $80 million.

  • In May 2000, 23-year old Philippine college student, Onel de Guzman, released the “Love Bug” virus which proceeded to cause an estimated $8 Billion in damages worldwide.


Information intrusion threat

Information Intrusion Threat

CNN, 8,9,10 Feb 00

“Cyber-attacks batter Web heavyweights”

CERT/CC,

Carnegie Mellon, Apr 01

“Reported Incidences”

30000

25000

buy.com

20000

15000

5 May 00

10000

“FBI investigates 'ILOVEYOU' virus; millions of computers affected”

5000

0

1988

1990

1992

1994

1996

1998

2000

“Love Bug caused an estimated $8 billion in damage.” WP, 11 May 00

“War inKosovo cost the United States $6.7 billion.” UPI, 2 Feb 00


Some attack statistics

Some Attack Statistics

  • In January, Riptech announced it had culled more than 128,000 attempted attacks on 300 Riptech customers over six months. And in March, Predictive Systems amassed more than 12 million malicious-looking events from 54 sensors around the world in just three months. (That's about 90 attempted attacks per second)

  • The Riptech study found 30 percent of all attacks came from computers in the U.S.; next was South Korea, at 9 percent. In fact, five of the top 10 sources of attacks were computers in Pacific Rim countries. In terms of intensity (attacks per Internet user), Israel far outdid any other nation.

    • From Missed Opportunity By Scott Berinato, www.cio.com, Apr 2002


Is3513 information assurance and security

ADVISORY 01- 009

Issued 04/26/2001

101001000110010010100100010010001000100101001

101001000110010010100100010010001000100101001

Hack Attack: New Global Way Of War

Washington TimesApril 23, 2001, Front Page

“China Warns Of Hack Attack”

To date, Chinese hackers already have unlawfully defaced

a number of U.S. web sites, replacing existing

content with pro-Chinese or anti-U.S. rhetoric.

In addition, an Internet worm named "Lion"

is infecting computers and installing distributed

denial of service (DDOS) tools on various systems.

Collateral Damage May Soon Have A New Definition


You have to have security or else

You have to have security, or else…

  • 1999 CSI/FBI Computer Crime & Security Survey

    • 521 security “practitioners” in the U.S.

      • 30% reported system penetrations from outsiders, an increase for the third year in a row

      • 55% reported unauthorized access from insiders, also an increase for the third year in a row

      • Losses due to computer security breaches totaled (for the 163 respondents reporting a loss) $123,779,000

      • Average loss $759,380


You have to have security or else1

You have to have security, or else…

  • 2000 CSI/FBI Computer Crime and Security Survey

    • 643 security “practitioners” in the U.S.

      • 90% reported computer security breaches within the previous 12 months

      • 70% reported unauthorized use

      • 74% suffered financial losses due to breaches

      • Losses due to computer security breaches totaled (for the 273 respondents reporting a loss) $265,589,940

      • Average loss $972,857


You have to have security or else2

You have to have security, or else…

  • 2001 CSI/FBI Computer Crime and Security Survey

    • 538 security “practitioners” in the U.S.

      • 91% reported computer security breaches within the previous 12 months

      • 70% reported their Internet connection as a frequent point of attack (up from 59% in 2000)

      • 64% suffered financial losses due to breaches, 35% could quantify this loss.

      • Losses due to computer security breaches totaled (for the 186 respondents reporting a loss) $377,828,700

      • Average loss $2,031,337

    • Source: Computer Security Institute http://www.gocsi.com


And the hits just keep coming

And the hits just keep coming…

  • 2002 CSI/FBI Computer Crime & Security Survey

    • 503 security “practitioners” in the U.S.

      • 90% detected computer security breaches

      • 40% detected penetrations from the outside

      • 80% acknowledged financial losses due to breaches

      • $455,848,000 in losses due to computer security breaches totaled (for the 223 respondents reporting a loss)

      • 26 reported theft of proprietary info ($170,827,000)

      • 25 reported financial fraud ($115,753,000)

      • 34% reported intrusions to law enforcement

      • 78% detected employee abuse of internet access privileges, i.e. pornography and inappropriate email use

    • Source: Computer Security Institute http://www.gocsi.com


And coming

And coming

  • A 2003 FBI/CSI Computer Crime and Security Survey revealed the following:

    • 60% had a security breach in the last year.

    • 78% detected employee abuse of internet privileges.

    • 85% admitted to being infected by a computer virus.

    • Average loss from insider access was $300,000

    • Average loss due to virus attack $283,000

    • Average loss from Telecom eavesdropping is $1,205,000

    • Average loss from outsider penetration was $226,000

    • The average reported loss from net abuse was $536,000

    • Source: Computer Security Institute http://www.gocsi.com


A sampling of malicious activity

A Sampling of Malicious Activity

  • March 1999 - EBay gets hacked

  • March 1999 - Melissa virus hits Internet

  • April 1999 - Chernobyl Virus hits

  • May 1999 - Hackers shut down web sites of FBI, Senate, and DOE

  • June 1999 - Worm.Explore.Zip virus hits

  • July 1999 - Cult of the Dead Cow (CDC) releases Back Orifice

  • Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites

  • Oct 1999 - Teenage hacker admits to breaking into AOL


A sampling of malicious activity1

A Sampling of Malicious Activity

  • Nov 1999 - BubbleBoy virus hits

  • Dec 1999 - Babylonia virus spreads

  • Feb 2000 - Several sites experience DOS attacks

  • Feb 2000 - Alaska Airlines site hacked

  • May 2000 - Love Bug virus ravages net

  • July 2001 – Code Red Runs Rampant

  • Sept 2001 – Nimda Explodes


A sampling of malicious activity2

A Sampling of Malicious Activity

  • Jan 2003 – Sapphire/Slammer Worm

  • Aug 2003 – Blaster (LoveSan) Worm

  • Jan 2004 – MyDoom

  • Mar 2004 – Witty Worm

  • May 2004 – Sasser Worm

  • Dec 2006 – TJX Credit/Debit Card Theft

  • Jan 2007 – Storm Worm

  • Mar 2009 - Conficker

  • June 2010 - Stuxnet

http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms


Attacks on the dod

Attacks on the DoD

  • In 1999, a total of 22,144 "attacks" were detected on Defense Department networks, up from 5,844 in 1998, Air Force Maj. Gen. John Campbell, then vice director of the Defense Information Systems Agency (DISA), told Congress in March 2000.

  • In 2000 through August 4, a total of 13,998 such "events" were reported, according to Betsy Flood, a spokeswoman for Arlington, Virginia-based DISA, which provides worldwide communication, network and software support to the Defense Department.


Disa vaap results

988

Detected

267

Reported

24,700

Succeed

38,000

Attacks

721 Not

Reported

23,712

Undetected

13,300

Blocked

DISA VAAP Results

P

R

O

TECTION

D

E

T

E

C

T

I

O

N

REACTION


Government focus

Government Focus

NSA – Executive Agent for Information Assurance

  • Committee on National Security Systems

    • National Information Assurance Acquisition Policy

    • National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11

Reference: http://www.cnss.gov/policies.html


Statutes and policy

Statutes and Policy

  • Clinger-Cohen Act (CCA), 1996

  • Federal Information Security Management Act (FISMA), 2002

  • OMB Circular A-130

  • DoDD 8500.1 Information Assurance

  • DoDI 8580.2 IA Implementation

  • DoDI 5200,40 DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 1997


Fisma

FISMA

  • The Federal Information Security Management Act of 2002 (FISMA) is contained within the E-Government Act of 2002 (Public Law 107-347), replacing the government Information Security Reform Act (GISRA).

  • FISMA, effective throughout the federal government, places requirements on government agencies and components, with the goal of improving the security of federal information and information systems.


Fisma purpose

FISMA Purpose

  • Provide a framework for enhancing the effectiveness of information security in the federal government. This means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction to ensure integrity, confidentiality and availability.

  • Provide effective government-wide management of risks to information security.

  • Provide for the development and maintenance of minimum controls required or protecting federal information and information systems.

  • Provide a mechanism for effective oversight of federal agency information security programs.


Dod ia policy

DoD IA Policy

  • All IA or IA-enabled IT must be compliant with NSTISSP 11

  • DoD Info Systems must be DITSCAP certified

  • DoD Info Systems must be assigned a mission assurance category

  • IA shall be a visible investment in all portfolios

  • IA requirements included in all info system acquisitions or

  • upgrades


Certification

Certification

A comprehensive evaluation of the technical and non-technical security features of an AIS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

NSTISSI 4009


Accreditation

Accreditation

A formal declaration by a designated approving authority (DAA) that an AIS is approved to operate in a particular security mode using a prescribed set ofsafeguards.

NSTISSI 4009


Dod information technology security certification and accreditation process dodi 5200 40 1997

DOD Information Technology Security Certification and Accreditation Process DODI 5200.40 (1997)

  • DITSCAP

  • Life cycle approach to Certification and Accreditation (C&A)

  • Establish a DoD standard infrastructure-centric approach

  • Protects and secures the entities compromising the Defense

  • Information Infrastructure


Ditscap phases

DITSCAP Phases

  • Phase I – Definition

  • System Security Authorization Agreement (SSAA)

  • Phase II – Verification

  • SSAA Compliance Verification

  • Phase III – Validation

  • Realistic Evaluation of Integrated System

  • Phase IV – Post Accreditation

  • Operational Monitoring


Common criteria

Common Criteria


Policy

Policy

  • NSTISSP 11

  • National Policy Governing the Acquisition of Information Assurance (IA)

  • and IA Enabled Information Technology Products that protect Information

  • Technology Products that protect national security information

  • Effective 1 July 2002, all COTS IA and IAEnabled products must be

  • evaluated by

  • - International Common Criteria Mutual Recognition Arrangement

  • - NIAP Evaluation and Validation Program (CCEVS)

  • -NIST FIPS validation program

  • Does not specify any particular evaluation level(EAL) for a product

  • for a product

  • Does not require a Protection Profile to be used

31


Policy1

Policy

  • DOD Directive 8500.1, 24 OCT 2002

  • All IA or IA-enabled products incorporated into DoD information

  • systems must comply with NSTISSP 11

  • Products must be satisfactorily evaluated and validate either

  • -- Prior to purchase or

  • -- As a condition of purchase the vendors products will be satisfactorily

  • evaluated and validated

  • Purchase contracts shall specify that product validation will be

  • maintained for subsequent releases

-


Common criteria version 2 1

Common Criteria Version 2.1

  • International vs. U.S. standard

    • U.S. Canada, France, Germany, U.K. Russia….

  • ISO Standard 15408, “Evaluation Criteria forInformation Technology Security” (June 1999)

  • Provides common vocabulary for describing requirements and product features

  • Validated products listed:

    http://niap.bahialab.com/cc-scheme/

-

33


Cc benefits

CC Benefits

  • Specification of security features and assurances based

  • on an international standard

  • Evaluation methodology based on an international

  • standard leading to comparability of test results

  • Security testing laboratory expertise assessed by

  • recognized national bodies; quality technical oversight

  • provided by government experts

  • Testing results recognized by many nations

  • Reduced testing costs to sponsors of evaluations


Cc terminology

CC Terminology

  • Target of Evaluation (TOE) - An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation

  • Protection Profile (PP) - An implementation independent set of security requirements for a category of TOEs that meet specific consumer needs

  • Security Target (ST) - A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

36


Evaluation assurance levels eal

Evaluation Assurance Levels (EAL)

EALNAMETCSEC

  • EAL 1 – Functionally tested

  • EAL 2 – Structurally Tested C1

  • EAL 3 – Methodically Tested and Checked C2

  • EAL 4 – Methodically Designed, Tested and Reviewed B1

  • EAL 5 – Semi-formally Designed and Tested B2

  • EAL 6 – Semi-formally Verified Designed and Tested B3

  • EAL 7 – Formally Verified Designed and Tested A1

TCSEC: “Trusted Computer Security Evaluation—Orange Book”


C a summary

C&A Summary

ProcessesRequirementsCategories

DITSCAP

DoD 8500.2

MAC I, II, III

DIACAP

NIACAP

DoDIIS

DNI C&A

DCID 6/3

PL 1,2,3,4,5

NISCAP

NIST SP800-37

NIST SP800-37

NIST SP800-37

ISO 17799

ISO 17799


What are our goals in security

What are our goals in Security?

  • The “CIA” of security

    • Confidentiality

    • Integrity

    • Availability

    • (authentication)

    • (nonrepudiation)


The root of the problem

The “root” of the problem

  • Most security problems can be grouped into one of the following categories:

    • Network and host misconfigurations

      • Lack of qualified people in the field

    • Operating system and application flaws

      • Deficiencies in vendor quality assurance efforts

      • Lack of qualified people in the field

      • Lack of understanding of/concern for security


Computer security operational model

Access Controls

Encryption

Firewalls

Intrusion Detection

Incident Handling

Computer Security Operational Model

Protection = Prevention

+ (Detection + Response)


Proactive vs reactive models

Proactive –vs- Reactive Models

  • “Most organizations only react to security threats, and, often times, those reactions come after the damage has already been done.”

  • “The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you.”


Types of vulnerabilities

Natural

Physical

HW & SW

Communications

Media

Human

Emanation

Types of Vulnerabilities

5


Vulnerability sources

Source

Intentional

Natural

Unintentional

poorly trained administrator

fires

accidents

floods

lazy or untrained employee

power failures

Outsider

Insider

Vulnerability Sources

fired employee

foreign intelligence agents

disgruntled employee

terrorists

subverted employee

criminals

service providers

corporate raiders

contractors

crackers

6


Summary

Summary

  • Administrivia

  • Course Introduction

  • Basic IA principles


  • Login