EIDWS 107 Information Assurance



  1. Information Assurance
     • Enlisted Information Dominance Warfare Specialist
  2. References
     • Joint DODIIS/Cryptologic SCI Information Systems Security Practices
     • Director of Central Intelligence Directive 6/3
     • SECNAVINST M-5239.1
     • CJCSM 6510.01
     • SECNAVINST 5720.47B DON Policy for Content of Publicly Accessible WWW Sites
     • CNSSI 4009
  3. What is IA?
     • Information operations that protect and defend data and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
     • This includes providing restoration of IS by incorporating protection, detection, and reaction capabilities.
  4. The Role of Operations Security
     • Balance ease of use against required mechanisms needed for system controls.
         • Value of data (monetary value)
         • Ongoing operational need for the data
         • Reduced vulnerabilities and threats to ongoing operations
  5. 5 Attributes of IA
     • Confidentiality - Render the information unintelligible except by authorized entities.
     • Integrity - Data has not been altered in an unauthorized manner since it was created, transmitted, or stored.
     • Availability - Timely, reliable access to data and information services for authorized users.
     • Non-repudiation - Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.
     • Authentication - Establishes the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.
  6. The CIA Triad
     [Diagram: triad of Confidentiality, Availability, Integrity]
  7. The CIA Triad
     • Confidentiality: Ensures that information is not compromised or shared amongst unauthorized participants:
         • While data is on the source device
         • While data is in transit on the network
         • Upon data reaching its intended target
  8. The CIA Triad
     • Integrity: Ensures that data is not damaged or modified while either in transit or storage.
         • Protects against both malicious intentional damage and accidental damage by authorized users.
         • Ensures data is consistent and is a true reflection of real information.
  9. The CIA Triad
     • Confidentiality: Ensures that information is not compromised or shared amongst unauthorized participants:
         • While data is on the source device
         • While data is in transit on the network
         • Upon data reaching its intended target
  10. The CIA Triad
     • Availability: Ensures that information is always available at the time authorized users need it.
  11. IA Terminology
     • Certification
     • Accreditation
     • Designated Approving Authority (DAA)
     • System Security Plan
     • System Security Authorization Agreement (SSAA)
     • Authority To Operate (ATO)
     • Interim Authority To Operate (IATO)
     • Configuration Management
  12. IA Terminology
     • Certification
         • A comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made as part of and in support of the accreditation process, to establish the extent to which a particular design and implementation meet a set of specified security requirements.
  13. IA Terminology
     • Accreditation
         • The official management decision to permit operation of an IS in a specified environment at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. This authorization is granted by the Designated Approving Authority (DAA). Decision based on the DAA’s review of the SSAA.
  14. IA Terminology
     • Designated Approving Authority (DAA)
         • The official with the authority to formally assume responsibility for operating a system (or network) at an acceptable level of risk.
  15. IA Terminology
     • System Security Authorization Agreement (SSAA)
         • A formal document that fully describes the planned security tasks required to meet system or network security requirements. The package must contain all information necessary to allow the DAA Rep/SCO to make an official management determination for authorization for a system, network, or site to operate in a particular security mode of operation, with a prescribed set of safeguards, against a defined threat with stated vulnerabilities and countermeasures; in a given operational environment, under a stated operational concept; with stated interconnection to external systems; and acceptable levels of risk.
  16. IA Terminology
     • Authority to Operate (ATO)
         • Authorization granted by a DAA for a DoD IS to process, store, or transmit information. An ATO indicates a DoD IS has adequately implemented all assigned IA controls to the point where residual risk is acceptable to the DAA. ATOs may be issued for up to 3 years.
     • Interim Authority to Operate (IATO)
         • A temporary authorization to operate a DoD IS under the conditions or constraints enumerated in the accreditation decision.
  17. IA Terminology
     • Configuration Management
         • The procedures used to carry out changes that affect the network, individual systems, or software.
         • Identifying, controlling, accounting for, and auditing changes made to the baseline trusted computing base (TCB), which includes changes to hardware, software, and firmware.
         • A system that controls changes and tests documentation through the operational life cycle of a system.
     • Who makes changes?
     • Why are changes made?
     • When are changes made?
     • What changes are made?
  18. Risk Management
     • The discipline of identifying and measuring security risks associated with an IS, and controlling and reducing those risks to an acceptable level.
  19. 9 Categories of Computer Incidents

     | Precedence | Category | Description                            |
     |------------|----------|----------------------------------------|
     | 1          | 1        | Root Level Intrusion (Incident)        |
     | 2          | 2        | User Level Intrusion (Incident)        |
     | 3          | 4        | Denial of Service (Incident)           |
     | 4          | 7        | Malicious Logic (Incident)             |
     | 5          | 3        | Unsuccessful Activity Attempt (Event)  |
     | 6          | 5        | Non-Compliance Activity (Event)        |
     | 7          | 6        | Reconnaissance (Event)                 |
     | 8          | 8        | Investigating (Event)                  |
     | 9          | 9        | Explained Anomaly (Event)              |

  20. SECNAVINST 5720.47B DoN World Wide Web Policy
     • Comprehensive web site management instruction for publicly accessible web content
  21. Vulnerability Management
     • IAVA - Information Assurance Vulnerability Alert
         • Addresses severe network vulnerabilities resulting in immediate and potentially severe threats to DoD systems and information. Corrective action is of the highest priority due to the severity of the vulnerability risk.
     • IAVB - Information Assurance Vulnerability Bulletin
         • Addresses new vulnerabilities that do not pose an immediate risk to DoD systems, but are significant enough that noncompliance with the corrective action could escalate the risk.
     • IAVT - Information Assurance Vulnerability Technical Advisory
         • Addresses new vulnerabilities that are generally categorized as low risk to DoD systems.
     • CTO - Communications Tasking Order
         • Addresses vulnerabilities extremely critical to the overall security of the GIG. They supersede or change current DoN network policy, and provide implementation direction for new IA initiatives.
  22. Security Definitions
     • Vulnerability - A software, hardware, or procedural weakness that may provide an attacker the open door needed to gain access to a computer or network.
     • Threat - Any potential danger to information or systems.
  23. Security Relationships
     [Diagram: Threat Agent → gives rise to → Threat → exploits → Vulnerability → leads to → Risk → can damage → Asset → and causes → Exposure → can be counter-measured by a → Safeguard → directly affects → Threat Agent]
  24. Information Assurance Manager (IAM)
     • Functions as the focal point and principal advisor for IA matters on behalf of the IA Program Manager and the CO.
  25. Q & A