National INFOSEC Education and Training Program - PowerPoint PPT Presentation

Educational Solutions. National INFOSEC Education and Training Program for a Safer World. http://www.nsa.gov:8080/isso/programs/nietp/index.htm. Introduction to Information Assurance (IA). 07 July 1999. The Course Objective is -.

Presentation Transcript
slide1

Educational Solutions

National INFOSEC Education and Training Program for a Safer World

http://www.nsa.gov:8080/isso/programs/nietp/index.htm

slide2

Introduction to Information Assurance (IA)

07 July 1999

slide3

The Course Objective is -

  • To introduce the student to Information Assurance,
  • Present the macro problem facing the global information network infrastructure and,
  • Define Information Assurance and what is being done to protect infrastructures.

slide4

What is Information Assurance and . . . why should I care?

slide5

Information Assurance is . . .

  • Information Operations (IO) that protect and defend information and information systems by ensuring their
      • confidentiality,
      • authentication,
      • integrity,
      • availability, and
      • non-repudiation.
  • This includes providing for restoration of information systems by incorporating
      • protection,
      • detection, and
      • reaction capabilities.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

slide6

National Infrastructures At Risk

In the cyber era, our traditional lines of defense no longer provide a wall between citizens and those who would do harm.

  • Landscape is changing
  • PCCIP/PDD 63
slide7

[Diagram: Interlocking Communities Served by Interlocking Information Infrastructures]

Communities: International; Private Citizen; Business Sector; State, Local Govt; Critical Public Safety; Federal Govt; National Security Intel/DoD

Infrastructures: GII, FII, DII, NII

Services: Electronic Commerce, Electronic Mail, Electronic Data Interchange, Electronic Funds Transfer, File Transfer, Information Search/Retrieval

Basic Information Security Services:
  * Transaction Non-Repudiation
  * System Availability
  * Data Integrity
  * Data Confidentiality
  * User Identification & Authentication

Through trained system users, maintainers, & developers, Validated Certificates and Assured Services, leading to INFORMATION ASSURANCE

Requiring: PROTECT, DETECT, RESPOND, RECONSTITUTE

slide8

You Are Here!

The number of internet users will quadruple from 36.0 million in 1997 to 142.0 million by the year 2002: Avg. annual growth rate = 53%

slide9

HISTORY

Evolution of Information Assurance in the 20th Century

slide10

In the Beginning . . . There was COMSEC (Communications Security)

“Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes: cryptosecurity, transmission security, emissions security, & physical security of COMSEC material.”

slide11

Confidentiality -

  • Assurance that information is not disclosed to unauthorized persons, processes, or devices. *
  • In condensed form . . .
    • Protection from unauthorized disclosure
    • or
    • No one but you and the sender knows

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

slide12

Authentication -

  • Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information. *
  • In condensed form . . .
    • Verification of originator
    • or
    • Knowing for sure who sent the message

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

slide13

The Threat/Concern Was . . .

[Diagram: Sender, Receiver]

. . . listening in on private communications

slide14

Then there was . . . COMPUSEC (Computer Security) (80/90’s)

“Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.”

slide15

Integrity -

  • Quality of an Information System (IS) reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.*
  • In condensed form . . .
    • Protection from unauthorized change
    • or
    • Person hearing/receiving exactly what you said/sent

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

slide16

Availability -

  • Timely, reliable access to data and information services for authorized users.*
  • In condensed form . . .
    • Assured access by authorized users
    • or
    • Having a dial tone when you want one

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

slide17

This COMPUSEC Threat/Concern expanded to . . .

[Diagram: User, Private communications, Hacker, Malicious Logic, Access, Security Breach (password)]

slide19

This COMSEC/COMPUSEC merger formed . . . INFOSEC (Information Systems Security) (90’s)

“Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of services to authorized users, including those measures necessary to detect, document, and counter such threats.”

slide20

Non-Repudiation -

  • Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.*
  • In condensed form . . .
    • Undeniable proof of participation
    • or
    • Like receipt-requested mail - each knows the other got it

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)
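The line between authentication and integrity (slides 12 and 15) on one side and non-repudiation (slide 20) on the other is easiest to see in code. The following is an added example and is not part of the NIETP slides. It shows that an HMAC under a shared key proves a message came from someone holding the key and was not altered, but because the receiver holds the same key it could have minted the tag itself, so the sender can still deny it; a digital signature, made with a private key only the signer holds and checked with a public key, removes that deniability. The signature used is a Lamport one-time signature over SHA-256, chosen only because it needs nothing beyond the Python standard library; every function name (mac_tag, lamport_keygen, demo, etc.) and the sample messages are this example's own, not anything from the slides.

```python
"""Shared-key MAC vs. digital signature: integrity and authentication
vs. non-repudiation.  Added example, not from the NIETP slides.
Uses only the Python standard library."""
import hashlib
import hmac
import secrets

# ---------- integrity + authentication with a shared key (HMAC) ----------

def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so timing does not leak the tag
    return hmac.compare_digest(mac_tag(key, message), tag)

# ---------- non-repudiation with a Lamport one-time signature -----------

def lamport_keygen():
    """Private key: 256 pairs of 32-byte random secrets.
    Public key: the SHA-256 hash of every secret, same layout.
    The private key must sign ONE message only; signing a second
    message reveals more preimages and lets anyone forge."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _message_bits(message: bytes):
    # the 256 bits of H(message), most significant bit of each byte first
    digest = hashlib.sha256(message).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]

def lamport_sign(sk, message: bytes):
    # for each bit of H(message), reveal the secret from that half of the pair
    return [sk[i][bit] for i, bit in enumerate(_message_bits(message))]

def lamport_verify(pk, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _message_bits(message))))

# ---------- the comparison the definitions hinge on ---------------------

def receiver_forges_mac(shared_key: bytes, claimed: bytes) -> bool:
    """The receiver knows the shared key, so it can mint a tag for any
    message it likes and present it as 'what the sender sent'.  A third
    party holding the key cannot tell this from a genuine tag."""
    return mac_verify(shared_key, claimed, mac_tag(shared_key, claimed))

def receiver_forges_signature(pk, genuine_sig, claimed: bytes) -> bool:
    """The receiver has only the public key and one genuine signature.
    Reusing that signature on a different message fails verification,
    so it cannot attribute to the signer a statement that was never signed."""
    return lamport_verify(pk, claimed, genuine_sig)

def demo() -> dict:
    # constructed sample data, not from any real exchange
    shared_key = secrets.token_bytes(32)
    sent = b"transfer 100 to account 42"
    forged = b"transfer 100000 to account 42"

    tag = mac_tag(shared_key, sent)
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, sent)

    return {
        "mac_verifies": mac_verify(shared_key, sent, tag),
        "mac_detects_tamper": not mac_verify(shared_key, forged, tag),
        "mac_receiver_can_forge": receiver_forges_mac(shared_key, forged),
        "sig_verifies": lamport_verify(pk, sent, sig),
        "sig_detects_tamper": not lamport_verify(pk, forged, sig),
        "sig_receiver_can_forge": receiver_forges_signature(pk, sig, forged),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both mechanisms detect tampering and both tell the receiver the message came from a key holder; only the signature denies the receiver the ability to fabricate evidence, which is what "neither can later deny" requires. In production the Lamport scheme would be replaced by Ed25519 or RSA-PSS from a vetted library; the one-time restriction noted in lamport_keygen is the reason.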

slide21

Today . . . we speak “Information Assurance” (Now/Future)

“Information Operations that protect and defend information and information systems by ensuring their confidentiality, authentication, integrity, availability, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.”

slide22

The Concern NOW is . . . Protect, Defend . . .

  • Integrity
  • Authentication
  • Confidentiality
  • Non-Repudiation
  • Availability

. . . & Restoration of Info

slide23

New Direction, New Challenges

Information Assurance (IA) Leadership for the Nation

Provide - - solutions, products and services, and conduct defensive information operations, to achieve - - IA for U.S. Critical Information Infrastructures operating in a global network environment

slide24

Get Engaged . . .

Move from INFOSEC . . . to . . . Information Assurance

[Diagram: IA cycle - Protect, Detect, React, Restore]

Our ability to protect

  • Between 1996 & 2006 the U.S. will require more than 1.3 million new highly skilled IT workers: (90% growth rate)
    • 137,800/yr. to fill new jobs
    • 244,000/yr. to replace workers leaving IT fields

The Digital Work Force. U.S. Dept. of Commerce, Office of Technology Policy, June 1999

Current Capacity to Produce

In 1994 only 24,553 U.S. students earned bachelor’s degrees in computer and information sciences

You do the math:

    95,000 IT workers needed/yr.
  - 24,553 IT degrees earned/yr.
  --------
    70,447 Deficit / Yr.

ALL requiring IA education and training

slide29

President’s Commission

  • (October 1997)
    • President’s Commission on Critical Infrastructure Protection (PCCIP)
    • http://www.pccip.gov/
  • National Goal
    • Achieve & maintain ability to protect critical infrastructure . . .
slide30

Critical Infrastructures

      • Telecommunications
      • Electric Power
      • Banking & Finance
      • Oil & Gas Delivery & Storage
      • Water
      • Emergency Services
      • Government Services
slide31

What’s being done?

Presidential Decision Directive 63

(1998)

“It has long been the Policy of the United States to assure the continuity and viability of critical infrastructures. I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.”

www.ciao.gov

slide32

PARTNERING

ACADEMIA - INDUSTRY - GOVERNMENT

slide33

Partners - Provide IA through Cyber Defense by moving from the . . .

  • Protect mode of securing
    • Networks
    • Servers
    • Workstations, . . . to the . . .
  • Detect & Report modes
    • Improve attack sensing & warning
    • Data fusion & analysis
    • Determine source, intent, impact, then report it, and . . . finally to the . . .
  • Respond mode
    • Restore - damage, recover, and verify operations
    • Pursue - contact appropriate legal authorities
slide34

The Bottom Line

Be aware of the complexity of and the threats to business and government infrastructures and understand the security procedures designed to protect networks from information attacks

slide35

For more information on IA . . .

  • PDD-63 and the Presidential Commission Report on Critical Infrastructure Protection: http://www.pccip.gov/info.html
  • Defense Information Systems Agency (DISA) Awareness and Training Facility: http://www.disa.mil/ciss/cissitf.html
  • National Security Telecommunications and Information Systems Security Training Standards: http://www.nstissc.gov
  • National INFOSEC Education Colloquium: http://www.infosec.jmu.edu/ncisse
  • National Institute of Standards and Technology (NIST) Computer Security Clearing House: http://csrc.nist.gov/welcome.html
  • National Security Agency INFOSEC Page - National INFOSEC Education and Training Program: http://www.nsa.gov:8080/isso/programs/nietp/index.htm