
An American view of Information Warfare

Lecture 6. An American view of Information Warfare. Mohamed Sharif. Review. What is the Internet? What do we need to protect? Threat Motivation Attack Types Security Objectives Security mechanisms. United States.


Presentation Transcript


  1. Lecture 6 • An American view of Information Warfare • Mohamed Sharif

  2. Review • What is the Internet? • What do we need to protect? • Threat Motivation • Attack Types • Security Objectives • Security mechanisms

  3. United States • The United States is the remaining superpower in the world and is a target for attacks by anyone, anywhere in the world • The United States is an information-dependent and information-driven nation-state • Relies heavily on high technology to meet the defense and offense needs of the military

  4. United States (Cont.) • The United States is the leader in terms of information warfare strategies and tactics, and weapons systems, as well as vulnerabilities. • Many of the world’s nation-states have taken information warfare developments in the United States and adopted them to meet their own information warfare needs. • COTS

  5. US view of IW • US methodology of IW is as follows: • Offense • Disrupt, exploit, corrupt adversary information and information systems • Defense • Protect US information and information systems

  6. US View of IW Offense • Target • Counter, disrupt adversary’s C3 • Disrupt, exploit, corrupt the adversary’s information systems • Both military and civilian • Techniques of attack • Jamming • Hacking into information systems • Breaking Cryptography • Physical Destruction • Deception • Psychological Operations

  7. US IW Agencies • National Security Council • US Congress • CIA • DoD • JCS, NSA, DIA, DISA, DoAF, DoN, DoA, DARPA • DoHS • FBI, NIPC, CG • Department of Commerce • NIST • CERT

  8. US View of IW Defense • Protect Environment • Threat Knowledge • Identities and intentions of possible attackers • Techniques and methods of possible attack • Potential targets • Indication and Warning • Detection, Tracking, Identification, and Analysis of attacks • Restoration • Response Aimed at Attack • Cooperation between government and private sector

  9. Sources of IT Policy • Public Law • Presidential Directives • Office of Management and Budget • OMB's predominant mission is to assist the President in overseeing the preparation of the Federal budget and to supervise its administration in Executive Branch agencies. OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities.

  10. Sources of IT Policy (Cont.) • General Accounting Office • GAO advises Congress and the heads of executive agencies about ways to make government more effective and responsive. GAO evaluates federal programs, audits federal expenditures, and issues legal opinions. • National Institute of Standards and Technology • Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

  11. Major Legislation • Computer Security Act of 1987 • This statute set the stage for protecting systems by codifying the requirement for Government-wide IT security planning and training. • http://csrc.nist.gov/secplcy/csa_87.txt • Paperwork Reduction Act of 1995. • The PRA established a comprehensive information resources management framework including security and subsumed the security responsibilities of the Computer Security Act of 1987. • http://www.rdc.noaa.gov/~pra/pralaw.htm • Clinger-Cohen Act of 1996. • This Act linked security to agency capital planning and budget processes, established agency Chief Information Officers, and re-codified the Computer Security Act of 1987. • http://www.cio.gov/docs/s1124_en.htm

  12. Major Legislation • Defense Authorization Act (P.L. 106-398) • including Title X, Subtitle G, “Government Information Security Reform” (GISRA). • Primarily addresses the program management and evaluation aspects of security • http://csrc.nist.gov/policies/Subtitle-G2.pdf • HIPAA - The Health Insurance Portability & Accountability Act of 1996 • Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act. • Requires improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards. • http://www.hcfa.gov/hipaa/hipaahm.htm

  13. Presidential Directives • Presidential Decision Directive 63, "Protecting America's Critical Infrastructures." • This directive specifies agency responsibilities for protecting the nation's infrastructure; assessing vulnerabilities of public and private sectors; and eliminating vulnerabilities. • http://www.cybercrime.gov/white_pr.htm • Presidential Decision Directive 67, "Enduring Constitutional Government and Continuity of Government." • Relates to ensuring constitutional government, continuity of operations (COOP) planning, and continuity of government (COG) operations. • http://www.fas.org/irp/offdocs/pdd/fpc-65.htm

  14. OMB Policies • Office of Management and Budget Circular A-130, "Management of Federal Information Resources", Appendix III, "Security of Federal Automated Information Resources." • Establishes a minimum set of controls to be included in Federal IT security programs • http://www.whitehouse.gov/omb/circulars/a130/a130.html • OMB Memorandum 01-24, "Reporting Instructions for the Government Information Security Reform Act." • This memorandum provides instructions to agencies on how to comply with the GISRA. • http://www.whitehouse.gov/omb/memoranda/m01-24.pdf

  15. OMB Policies (Cont.) • OMB Memorandum 99-18, "Privacy Policies on Federal Web Sites." • This memorandum directs Departments and Agencies to post clear privacy policies on World Wide Web sites, and provides guidance for doing so. • http://www.whitehouse.gov/omb/memoranda/m99-18.html • OMB Memorandum 00-13, "Privacy Policies and Data Collection on Federal Web Sites." • The purpose of this memorandum is a reminder that each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies. • http://www.whitehouse.gov/omb/memoranda/m00-13.html

  16. GAO Guidance • General Accounting Office "Federal Information System Control Audit Manual" (FISCAM). • The FISCAM methodology provides guidance to auditors in evaluating internal controls over the confidentiality, integrity, and availability of data maintained in computer-based information systems. • http://www.gao.gov/special.pubs/ai12.19.6.pdf • Best Practices • Executive Guide: Information Security Management: Learning From Leading Organizations. GAO/AIMD-98-68. May, 1998. • http://www.gao.gov/special.pubs/ai9868.pdf

  17. GAO Guidance (Cont.) • Information Security Risk Assessment: Practices of Leading Organizations. GAO/AIMD-00-33. November, 1999. • http://www.gao.gov/special.pubs/ai00033.pdf

  18. NIST Standards and Guidance • NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems", September 1996. • This publication guides organizations on the types of controls, objectives, and procedures that comprise an effective security program. • http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf • NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems", December 1988. • This publication details the specific controls that should be documented in a security plan. • http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF

  19. NIST Standards and Guidance (Cont.) • NIST Special Publication 800-27, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", June 2001. • This publication presents a list of system-level security principles to be considered in the design, development, and operation of an information system. • http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf • Federal Information Processing Standards. • These documents contain legislative and executive mandates for improving the utilization and management of computers and IT systems in the Federal Government. • http://csrc.nist.gov/publications/fips/index.html

  20. Export Licensing • During the Clinton administration, encryption was transferred to control by the Commerce Dept. It had previously been controlled by Dept of State as ammunition. This made it easier for global corporations to implement ecommerce applications (funds transfer, online credit card info, etc.) • US Dept. of Commerce • Exporting Basics • Bureau of Industry and Security • Export of Property belonging to Terrorists • Technology Transfer Commercialization Act of 2000

  21. Law, Privacy, and the rights of citizens in a free society • "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." US Constitution – Bill of Rights, Fourth Amendment

  22. What are the dangers to a free society of unrestrained access to information by government agencies? • "For several decades political arrests were distinguished in our country precisely by the fact that the people were arrested who were guilty of nothing and were therefore unprepared to put up any resistance whatsoever…. A submissive sheep is a find for a wolf." - A. Solzhenitsyn, The Gulag Archipelago

  23. USA Patriot Act (USAPA) • Broadens wiretapping capabilities by intelligence agencies. • Branch libraries in Santa Cruz (CA) County have posted signs warning patrons that "although the Santa Cruz Library makes every effort to protect your privacy, under the federal USA PATRIOT ACT (Public Law 107-56), records of the books and other materials you borrow from this library may be obtained by federal agents." • The Defense Advanced Research Projects Agency (DARPA) has started developing a system known as "Total Information Awareness" (TIA), which would mine and collect vast amounts of information about individual Americans and create a massive domestic surveillance system. • http://www.eff.org/

  24. USAPA (Cont.) • The Transportation Security Administration has proposed the Computer Assisted Passenger Prescreening System II, or CAPPS II. The system would use public and private databases to rate passengers by color codes, which could be used by airlines to determine whether a passenger is allowed to board a flight or be subjected to additional questioning. • EFF assisted Reef Seekers Dive Co. in resisting a federal grand jury subpoena demanding that the dive shop identify everyone who had taken, but not finished, its recreational dive classes over the last three years. The subpoena appears to have been based on fears that a terrorist attack using underwater explosives could be carried out by partially-trained, recreational divers. After a call from the EFF, U.S. Attorneys withdrew the subpoena, and it has not been reissued. • www.eff.org

  25. USAPA (Cont.) • On the other, privacy experts are concerned about how this information could be abused since the movements of innocent persons could be tracked. • Does this violate the 4th Amendment? How is this different from a security camera in a convenience store?

  26. NSA • NSA collects, analyzes and interprets information for DoD and the US government in general. NSA SIGINT Directive for data collection on US Citizens

  27. Database, Profiling, and Data Mining • Data gathering and retrieval is essential for intelligence. • Oracle Corporation was founded with the assistance of some CIA contracts (Berkowitz, The New Face of War. 2003: 205.) • Profiling refers to comparison of known characteristics against a profile to try to identify targets for investigation. • Data mining refers to the application of Artificial Intelligence to databases to find trends and patterns and to do sophisticated searches.

  28. Legality • It is a violation of federal law to intercept electronic communications without the knowledge of the parties involved. • It is also against the law to produce devices for the purposes of eavesdropping. • Some interesting sites: • Spooktech • Spybusters.com

  29. Privacy References • http://www.eff.org/issues/usapa/ • http://eff.org/Privacy/TIA/20030523_tia_report_review.php • http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=13099&c=206 • http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=13077&c=207&Type=s&insearch=capp • CIA Privacy Statement • Privacy Notice for Amazon.com • Electronic Privacy Information Center USAPA page • American Civil Liberties Union USAPA page • FindLaw's Writ - Patriot II: The Sequel Why It's Even Scarier than the First Patriot Act
