National INFOSEC Education and Training Program - PowerPoint PPT Presentation


Presentation Transcript
National INFOSEC Education and Training Program

Educational Solutions

National INFOSEC Education and Training Program for a Safer World

http://www.nsa.gov:8080/isso/programs/nietp/index.htm


Introduction to Information Assurance (IA)

07 July 1999



The Course Objective is -

  • To introduce the student to Information Assurance,
  • Present the macro problem facing the global information network infrastructure, and
  • Define Information Assurance and what is being done to protect infrastructures.



What is Information Assurance and . . . why should I care?



  • Information Assurance is . . .

    Information Operations (IO) that protect and defend information and information systems by ensuring their
      • confidentiality,
      • authentication,
      • integrity,
      • availability, and
      • non-repudiation.

    This includes providing for restoration of information systems by incorporating
      • protection,
      • detection, and
      • reaction capabilities.

    (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)


National Infrastructures At Risk

    In the cyber era, our traditional lines of defense no longer provide a wall between citizens and those who would do harm.

    • Landscape is changing
    • PCCIP/PDD 63


    [Slide diagram: Interlocking Communities (International; Private Citizen; Business Sector; State, Local Govt; Critical Public Safety; Federal Govt; National Security Intel/DoD) served by Interlocking Information Infrastructures (GII, FII, DII, NII) carrying Electronic Commerce, Electronic Mail, Electronic Data Interchange, Electronic Funds Transfer, File Transfer, and Information Search/Retrieval.]

    INFORMATION ASSURANCE = Assured Services, through Validated Certificates and the Basic Information Security Services:
      * Transaction Non-Repudiation
      * System Availability
      * Data Integrity
      * Data Confidentiality
      * User Identification & Authentication
    delivered through trained system users, maintainers, & developers.

    Requiring: PROTECT, DETECT, RESPOND, RECONSTITUTE


    You Are Here!

    [Chart: Internet user growth] The number of internet users will quadruple from 36.0 million in 1997 to 142.0 million by the year 2002: Avg. annual growth rate = 53%


    Evolution of Information Assurance in the 20th Century


    In the Beginning . . . There was COMSEC (Communications Security)

    “Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes: cryptosecurity, transmission security, emissions security, & physical security of COMSEC material.”


    • Confidentiality -
      • Assurance that information is not disclosed to unauthorized persons, processes, or devices. *
    • In condensed form . . .
  • Protection from unauthorized disclosure
  • or
  • No one but you and the sender knows
  • *(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)


    • Authentication -
      • Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information. *
    • In condensed form . . .
  • Verification of originator
  • or
  • Knowing for sure who sent the message
  • *(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)


    The Threat/Concern Was . . .

    [Diagram: Sender → Receiver]

    . . . listening in on private communications


    Then there was . . . COMPUSEC (Computer Security) (80/90’s)

    “Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.”


    • Integrity -
      • Quality of an Information System (IS) reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. *
    • In condensed form . . .
  • Protection from unauthorized change
  • or
  • Person hearing/receiving exactly what you said/sent
  • *(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)


    • Availability -
      • Timely, reliable access to data and information services for authorized users. *
    • In condensed form . . .
  • Assured access by authorized users
  • or
  • Having a dial tone when you want one
  • *(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)


    This COMPUSEC Threat/Concern expanded to . . .

    [Diagram: Malicious Logic; Access; Hacker; Private communications; User; Security Breach (password)]


    The Concern later increased to include both . . .
    • COMSEC . . . and . . .
    • COMPUSEC


    This COMSEC/COMPUSEC merger formed . . . INFOSEC (Information Systems Security) (90’s)

    “Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of services to authorized users, including those measures necessary to detect, document, and counter such threats.”


    • Non-Repudiation -
      • Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data. *
    • In condensed form . . .
    • Undeniable proof of participation
    • or
    • Like receipt-requested mail - each knows the other got it
    • *(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)


    Today . . . we speak “Information Assurance” (Now/Future)

    “Information Operations that protect and defend information and information systems by ensuring their confidentiality, authentication, integrity, availability, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.”


    The Concern NOW is . . .

    Protect, Defend . . . Integrity, Authentication, Confidentiality, Non-Repudiation, Availability . . . & Restoration of Info


    New Direction, New Challenges

    Information Assurance (IA) Leadership for the Nation

    Provide - - solutions, products and services, and conduct defensive information operations, to achieve - - IA for U.S. Critical Information Infrastructures operating in a global network environment


    Get Engaged . . . Move from INFOSEC . . . to . . . Information Assurance

    [Diagram: IA = Protect, Detect, React, Restore]



    OUR CONCERN IS . . . Our ability to NETWORK . . . has exceeded . . .

    [Chart: Growth Rate = 79%]

    . . . Our ability to protect

    • Between 1996 & 2006 the U.S. will require more than 1.3 million new highly skilled IT workers: (90% growth rate)
      • 137,800/yr. to fill new jobs
      • 244,000/yr. to replace workers leaving IT fields

    The Digital Work Force. U.S. Dept. of Commerce, Office of Technology Policy, June 1999


    Current Capacity to Produce

    In 1994 only 24,553 U.S. students earned bachelor’s degrees in computer and information sciences

    You do the math:
        95,000 IT workers needed/yr.
      - 24,553 IT degrees earned/yr.
      = 70,447 Deficit / Yr.

    ALL requiring IA education and training


    • President’s Commission (October 1997)
      • President’s Commission on Critical Infrastructure Protection (PCCIP)
      • http://www.pccip.gov/
    • National Goal
      • Achieve & maintain ability to protect critical infrastructure . . .



    • Critical Infrastructures

      • Telecommunications

      • Electric Power

      • Banking & Finance

      • Oil & Gas Delivery & Storage

      • Water

      • Emergency Services

      • Government Services



    What’s being done?

    Presidential Decision Directive 63

    (1998)

    “It has long been the Policy of the United States to assure the continuity and viability of critical infrastructures. I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.”

    www.ciao.gov


    PARTNERING: ACADEMIA, INDUSTRY, GOVERNMENT


    • Partners - Provide IA through Cyber Defense by moving from the . . .
    • Protect mode of securing
      • Networks
      • Servers
      • Workstations, . . . to the . . .
    • Detect & Report modes
      • Improve attack sensing & warning
      • Data fusion & analysis
      • Determine source, intent, impact, then report it, and . . . finally to the . . .
    • Respond mode
      • Restore - damage, recover, and verify operations
      • Pursue - contact appropriate legal authorities


    The Bottom Line

    Be aware of the complexity of and the threats to business and government infrastructures, and understand the security procedures designed to protect networks from information attacks


    • For more information on IA . . .
      • PDD-63 and the Presidential Commission Report on Critical Infrastructure Protection: http://www.pccip.gov/info.html
      • Defense Information Systems Agency (DISA) Awareness and Training Facility: http://www.disa.mil/ciss/cissitf.html
      • National Security Telecommunications and Information Systems Security Training Standards: http://www.nstissc.gov
      • National INFOSEC Education Colloquium: http://www.infosec.jmu.edu/ncisse
      • National Institute of Standards and Technology (NIST) Computer Security Resource Clearinghouse: http://csrc.nist.gov/welcome.html
      • National Security Agency INFOSEC Page - National INFOSEC Education and Training Program: http://www.nsa.gov:8080/isso/programs/nietp/index.htm