US view of IW - PowerPoint PPT Presentation



Lecture 6

An American view of Information Warfare

Mohamed Sharif



Review

  • What is Internet?

  • What do we need to protect?

  • Threat Motivation

  • Attack Types

  • Security Objectives

  • Security mechanisms



United States

  • The United States is the remaining superpower in the world and is a target for attacks by anyone, anywhere in the world

  • The United States is an information-dependent and information-driven nation-state

    • Relies heavily on high technology to meet the defense and offense needs of the military



United States (Cont.)

  • The United States is the leader in terms of information warfare strategies, tactics, and weapons systems, as well as vulnerabilities.

    • Many of the world's nation-states have taken information warfare developments in the United States and adopted them to meet their own information warfare needs.

    • COTS


US view of IW

  • US methodology of IW is as follows:

    • Offense

      • Disrupt, exploit, corrupt adversary information and information systems

    • Defense

      • Protect US information and information systems


US View of IW Offense

  • Target

    • Counter, disrupt adversary’s C3

    • Disrupt, exploit, corrupt the adversary’s information systems

    • Both military and civilian

  • Techniques of attack

    • Jamming

    • Hacking into information systems

  • Breaking Cryptography

  • Physical Destruction

  • Deception

  • Psychological Operations



US IW Agencies

  • National Security Council

  • US Congress

  • CIA

  • DoD

    • JCS, NSA, DIA, DISA, DoAF, DoN, DoA, DARPA

  • DoHS

    • FBI, NIPC, CG

  • Department of Commerce

    • NIST

  • CERT



US View of IW Defense

  • Protect Environment

  • Threat Knowledge

    • Identities and intentions of possible attackers

    • Techniques and methods of possible attack

    • Potential targets

  • Indication and Warning

  • Detection, Tracking, Identification, and Analysis of attacks

  • Restoration

  • Response Aimed at Attack

  • Cooperation between government and private sector


Sources of IT Policy

  • Public Law

  • Presidential Directives

  • Office of Management and Budget

    • OMB's predominant mission is to assist the President in overseeing the preparation of the Federal budget and to supervise its administration in Executive Branch agencies. OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities.



Sources of IT Policy (Cont.)

  • General Accounting Office

    • GAO advises Congress and the heads of executive agencies about ways to make government more effective and responsive. GAO evaluates federal programs, audits federal expenditures, and issues legal opinions.

  • National Institute of Standards and Technology

    • Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.


Major Legislation

  • Computer Security Act of 1987

    • This statute set the stage for protecting systems by codifying the requirement for Government-wide IT security planning and training.

    • http://csrc.nist.gov/secplcy/csa_87.txt

  • Paperwork Reduction Act of 1995.

    • The PRA established a comprehensive information resources management framework including security and subsumed the security responsibilities of the Computer Security Act of 1987.

    • http://www.rdc.noaa.gov/~pra/pralaw.htm

  • Clinger-Cohen Act of 1996.

    • This Act linked security to agency capital planning and budget processes, established agency Chief Information Officers, and re-codified the Computer Security Act of 1987.

    • http://www.cio.gov/docs/s1124_en.htm


Major Legislation

  • Defense Authorization Act (P.L. 106-398)

    • including Title X, Subtitle G, “Government Information Security Reform” (GISRA).

    • Primarily addresses the program management and evaluation aspects of security

    • http://csrc.nist.gov/policies/Subtitle-G2.pdf

  • HIPAA - The Health Insurance Portability & Accountability Act of 1996

    • Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.

    • Requires improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards.

    • http://www.hcfa.gov/hipaa/hipaahm.htm


Presidential Directives

  • Presidential Decision Directive 63, "Protecting America's Critical Infrastructures."

    • This directive specifies agency responsibilities for protecting the nation's infrastructure; assessing vulnerabilities of public and private sectors; and eliminating vulnerabilities.

    • http://www.cybercrime.gov/white_pr.htm

  • Presidential Decision Directive 67, "Enduring Constitutional Government and Continuity of Government."

    • Relates to ensuring constitutional government, continuity of operations (COOP) planning, and continuity of government (COG) operations.

    • http://www.fas.org/irp/offdocs/pdd/fpc-65.htm


OMB Policies

  • Office of Management and Budget Circular A-130, "Management of Federal Information Resources", Appendix III, "Security of Federal Automated Information Resources."

    • Establishes a minimum set of controls to be included in Federal IT security programs

    • http://www.whitehouse.gov/omb/circulars/a130/a130.html

  • OMB Memorandum 01-24, “Reporting Instructions for the Government Information Security Reform Act."

    • This memorandum provides instructions to agencies on how to comply with the GISRA.

    • http://www.whitehouse.gov/omb/memoranda/m01-24.pdf



OMB Policies (Cont.)

  • OMB Memorandum 99-18, "Privacy Policies on Federal Web Sites."

    • This memorandum directs Departments and Agencies to post clear privacy policies on World Wide Web sites, and provides guidance for doing so.

    • http://www.whitehouse.gov/omb/memoranda/m99-18.html

  • OMB Memorandum 00-13, "Privacy Policies and Data Collection on Federal Web Sites."

    • The purpose of this memorandum is a reminder that each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies.

    • http://www.whitehouse.gov/omb/memoranda/m00-13.html


GAO Guidance

  • General Accounting Office "Federal Information System Control Audit Manual" (FISCAM).

    • The FISCAM methodology provides guidance to auditors in evaluating internal controls over the confidentiality, integrity, and availability of data maintained in computer-based information systems.

    • http://www.gao.gov/special.pubs/ai12.19.6.pdf

  • Best Practices

    • Executive Guide: Information Security Management: Learning From Leading Organizations. GAO/AIMD-98-68. May, 1998.

    • http://www.gao.gov/special.pubs/ai9868.pdf


GAO Guidance (Cont.)

  • Information Security Risk Assessment: Practices of Leading Organizations. GAO/AIMD-00-33 November, 1999

    • http://www.gao.gov/special.pubs/ai00033.pdf


NIST Standards and Guidance

  • NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems", September 1996.

    • This publication guides organizations on the types of controls, objectives, and procedures that comprise an effective security program.

    • http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

  • NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems", December 1988.

    • This publication details the specific controls that should be documented in a security plan.

    • http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF



NIST Standards and Guidance (Cont.)

  • NIST Special Publication 800-27, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", June 2001.

    • This publication presents a list of system level security principles to be considered in the design, development, and operation of an information system.

    • http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf

  • Federal Information Processing Standards.

    • These documents contain legislative and executive mandates for improving the utilization and management of computers and IT systems in the Federal Government.

    • http://csrc.nist.gov/publications/fips/index.html


Export Licensing

  • During the Clinton administration, encryption was transferred to control by the Commerce Dept. It had previously been controlled by the Dept. of State as ammunition. This made it easier for global corporations to implement e-commerce applications (funds transfer, online credit card info, etc.).

  • US Dept. of Commerce

    • Exporting Basics

    • Bureau of Industry and Security

    • Export of Property belonging to Terrorists

    • Technology Transfer Commercialization Act of 2000


Law, Privacy, and the rights of citizens in a free society

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

US Constitution – Bill of Rights

Fourth Amendment


What are the dangers to a free society of unrestrained access to information by government agencies?

For several decades political arrests were distinguished in our country precisely by the fact that the people were arrested who were guilty of nothing and were therefore unprepared to put up any resistance whatsoever…. A submissive sheep is a find for a wolf.

-A. Solzhenitsyn, The Gulag Archipelago


USA Patriot Act (USAPA)

  • Broadens wiretapping capabilities by intelligence agencies.

  • Branch libraries in Santa Cruz (CA) County have posted signs warning patrons that "although the Santa Cruz Library makes every effort to protect your privacy, under the federal USA PATRIOT ACT (Public Law 107-56), records of the books and other materials you borrow from this library may be obtained by federal agents."

  • The Defense Advanced Research Projects Agency (DARPA) has started developing a system known as "Total Information Awareness" (TIA), which would mine and collect vast amounts of information about individual Americans and create a massive domestic surveillance system.

    • http://www.eff.org/


USAPA (Cont.)

  • The Transportation Security Administration has proposed the Computer Assisted Passenger Prescreening System II, or CAPPS II. The system would use public and private databases to rate passengers by color codes, which could be used by airlines to determine whether a passenger is allowed to board a flight or be subjected to additional questioning.

  • EFF assisted Reef Seekers Dive Co. in resisting a federal grand jury subpoena demanding that the dive shop identify everyone who had taken, but not finished, its recreational dive classes over the last three years. The subpoena appears to have been based on fears that a terrorist attack using underwater explosives could be carried out by partially-trained, recreational divers. After a call from the EFF, U.S. Attorneys withdrew the subpoena, and it has not been reissued.

    • www.eff.org


USAPA (Cont.)

  • On the other, privacy experts are concerned about how this information could be abused since the movements of innocent persons could be tracked.

  • Does this violate the 4th Amendment? How is this different from a security camera in a convenience store?


NSA

  • NSA collects, analyzes, and interprets information for the DoD and the US government in general.

    • NSA SIGINT Directive for data collection on US Citizens


Database, Profiling, and Data Mining

  • Data gathering and retrieval is essential for intelligence.

  • Oracle Corporation was founded with the assistance of some CIA contracts (Berkowitz, The New Face of War. 2003: 205.)

  • Profiling refers to comparison of known characteristics against a profile to try to identify targets for investigation.

  • Data mining refers to the application of artificial intelligence to databases to find trends and patterns and to perform sophisticated searches.


Legality

  • It is a violation of federal law to intercept electronic communications without the knowledge of the parties involved.

  • It is also against the law to produce devices for the purposes of eavesdropping.

  • Some interesting sites:

    • Spooktech

    • Spybusters.com


Privacy References

  • http://www.eff.org/issues/usapa/

  • http://eff.org/Privacy/TIA/20030523_tia_report_review.php

  • http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=13099&c=206

  • http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=13077&c=207&Type=s&insearch=capp

  • CIA Privacy Statement

  • Privacy Notice for Amazon.com

  • Electronic Privacy Information Center USAPA page

  • American Civil Liberties Union USAPA page

  • FindLaw's Writ - Patriot II: The Sequel Why It's Even Scarier than the First Patriot Act

