SECURITY AWARENESS TRAINING
8/16/05
Mar 26, 2015
INFORMATION SYSTEM SECURITY (INFOSEC)
Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.
INFOSEC PROPERTIES
Confidentiality
Confidentiality ensures that information is not disclosed to unauthorized persons, processes, or devices.
Integrity
Integrity is the protection against unauthorized modification or destruction of information.
Availability
Availability is the timely, reliable access to data and information services for authorized users.
INFOSEC PROPERTIES (CONT.)
Authenticity
Authenticity is the service that ensures that system events are initiated by and traceable to authorized entities. It is composed of authentication and non-repudiation.
Non-Repudiation
Non-repudiation is the assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of sender’s identity, so neither can later deny having processed the data.
P.L. 100-235
• Computer Security Act of 1987
  – Develop standards and guidelines to assure
    • Cost-effective security and
    • Privacy of sensitive information
  – Provides for promulgation of standards and guidelines
  – Requires security plans
  – Requires mandatory periodic training
OMB A-130
• Management of Federal Information Resources
  – Establishes policy
  – Requires:
    • Information security plans
    • Computer security in FMFIA reports
    • Awareness and training
    • Agencies improve contingency planning
    • Formal emergency response capabilities
DoD Directive 8500.1
• Information Assurance (IA)
  – Defense in Depth approach
  – Integration of the capabilities of personnel, operations and technology
  – Supports the evolution to Network Centric Warfare
MINIMUM REQUIREMENTS OF DoD 8500.1
• ACCOUNTABILITY
• ACCESS CONTROL POLICY
• SECURITY TRAINING AND AWARENESS PROGRAM
• PHYSICAL CONTROLS
• MARKING
• LEAST PRIVILEGE
MINIMUM REQUIREMENTS OF DoD 8500.1 (CONT.)
• DATA CONTINUITY
• DATA INTEGRITY
• CONTINGENCY PLAN
• ACCREDITATION
• RISK MANAGEMENT PROGRAM
• OTHERS AS IDENTIFIED BY RISK ASSESSMENT
ROLES AND RESPONSIBILITIES
Only personnel in authorized security management or administrative functions will be granted access to security management functions.
An Information Assurance Manager (IAM) will be assigned to support the Designated Approving Authority (DAA).
An Information Assurance Officer (IAO) will be assigned with the overall responsibility for implementing the security policies and practices for the portion of the system that is within the IAO’s area of responsibility.
The appropriate DAA shall accredit the system (the MEF IAS) before operation.
ROLES AND RESPONSIBILITIES
DAA:
Review and approve security safeguards and issue the accreditation
Ensure that all the safeguards are implemented and maintained.
Identify security deficiencies and, where the deficiencies are serious enough to preclude accreditation, take action (e.g., allocate additional resources) to achieve an acceptable security level.
Ensure that data ownership is established for the MEF IAS, to include accountability, access rights, and special handling requirements.
ROLES AND RESPONSIBILITIES
DAA continued:
Be aware that connection to a network may involve additional risks because of the potential exposure of their own data to the larger community of connected networks. A RISK FOR ONE IS A RISK FOR ALL!
Be aware that the security of individual networks connected to the system remains the responsibility of their respective DAAs.
Be responsible for the overall system security and has the authority to disconnect any entity that does not adhere to the security requirements of the system.
ROLES AND RESPONSIBILITIES
IAM: Interpret and tailor DoD, DoN, USMC and MEF security policy
Ensure that system security requirements are met
Ensure that all INFOSEC tasks and functions are adequately performed or conducted
Ensure Risk Management is accomplished
Ensure activities required to accredit and re-accredit the system are completed
ROLES AND RESPONSIBILITIES
IAM continued:
Provide guidance to IAOs and NSOs
Develop training for INFOSEC personnel and users
Coordinate physical access, facility access, and environmental controls
Coordinate to ensure TEMPEST requirements are met
Ensure that system transactions are audited and that audit trails are regularly reviewed
Approve all incident reporting mechanisms
ROLES AND RESPONSIBILITIES
IAM continued:
Provide input to system configuration management to ensure implemented changes do not compromise security
Ensure the development and testing of contingency plans
Perform those duties normally performed by IAOs, in the event that no IAOs are appointed
Has authority to enforce security policies and safeguards on all personnel having system access for which the IAO has cognizance.
ROLES AND RESPONSIBILITIES
IAM continued:
When no IAM is appointed, the IAO shall perform the duties of the IAM.
Report the system security status, as required by the DAA.
Review and forward to the DAA for approval local security procedures and policies, ensure system safeguards are maintained as required, and evaluate known vulnerabilities to ascertain if additional safeguards are needed.
Begin protective or corrective measures if a security problem exists.
ROLES AND RESPONSIBILITIES
Operators:
Use Government software for official business only
Protect sensitive/classified information
Access MEF IAS only when formally authorized
Only for authorized purposes
Protect personal authenticators
Report suspected compromise to IAO
ROLES AND RESPONSIBILITIES
Operators continued:
• Notify IAM or IAO when access:
  – Is no longer required
  – Has changed
• Participate in INFOSEC awareness programs
• Non-compliance may result in disciplinary action
THREAT CATEGORIES
• UNINTENTIONAL
• INTENTIONAL
• NATURAL
UNINTENTIONAL THREATS
• ACCIDENTS
• CARELESSNESS
• UNINFORMED ACTIONS
• BAD HABITS
INTENTIONAL THREATS
INSIDER THREATS
Persons who are granted some form of access to the equipment, data and/or facilities pose insider threats. Opportunities exist for authorized users to intentionally (or sometimes unintentionally) harm the system or compromise its data by performing the following actions:
Provide unauthorized individuals with sensitive information (e.g., location and type of vessels, encryption key material)
Modify hardware and/or software (introduces malicious software and/or alters track data)
Provide unauthorized individuals with a back door and/or access to privileged accounts on the system
INTENTIONAL THREATS (CONT.)
Downgrade data to allow higher classification data such as SCI to be accessible at the Collateral level
Disclose and/or modify sensitive data, or cause denial of service, through curiosity and/or poor training practices, for example:
Set incorrect access permissions and privileges on the data
Keep user access privileges after the user has been reassigned or terminated
Leave workstations (W/Ss) unattended while still logged in
Load personal software (e.g., games, personal use programs)
INTENTIONAL THREATS (CONT.)
Execute commands by pressing keys to see what happens
Accidentally execute an incorrect command and/or action resulting in destruction, modification, or disclosure of the data
Allow untrained personnel to service equipment
Incorrectly set router configuration tables
Intentional actions by disgruntled employees to disclose, destroy, and modify the information and/or equipment, and introduce viruses, worms, time bombs or back doors
Theft of the equipment and sensitive/classified information
INTENTIONAL THREATS (CONT.)
OUTSIDER THREATS
Outsider threats consist of intentional (and sometimes unintentional) actions performed by unauthorized users. These actions include the following:
Intercept sensitive information during transmission
Gain access by using a remote terminal or by hacking from the local or wide area network; introduce malicious software, steal, modify or destroy sensitive data and programs, or modify the system configuration
Jam communications channels and/or flood them with false signaling, reducing the system’s normal capability
Inflict damage on the equipment and installations (e.g., ships, buildings, and aircraft) through accidental impact, terrorist attacks, acts of war, or civil disturbances
Introduce bogus information to lead the user or tactical commander into making an incorrect decision or action
NATURAL THREATS
ACTS OF NATURE
• Floods
• Fire
• Lightning
• Earthquakes
• Tornadoes/Hurricanes
• Volcanoes
MALICIOUS LOGIC
Hardware, software, or firmware intentionally included in an IS for an unauthorized purpose.
What Do You Look For?
• Note abnormal or unexpected activity
  – Displays, music, or other sounds
  – Slowdown in processing speed
  – Disk activity
  – Error messages
  – Changes in file sizes
  – Loss of programs or data
TROJAN HORSES (NSTISSI 4009)
Computer program containing an apparent or actual useful function that contains additional (hidden) functions that allow unauthorized collection, falsification, or destruction of data
BOMBS
• A “program”, generally malicious in nature, hidden within or emulating another program, that is designed to execute at a specific future time or event
  – Logic bombs
  – Time bombs
WORMS (NSTISSI 4009)
Independent program that replicates from machine to machine across network connections often clogging networks and computer systems as it spreads
VIRUSES (NSTISSI 4009)
Self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence.
MALICIOUS LOGIC PROTECTION
• Protection:
  – Use media from trusted sources
  – Check all files and media with multiple programs
  – Make backup copies of known clean media
  – Do not boot from diskette if possible
  – Use up-to-date virus scan-ware
MALICIOUS LOGIC PROTECTION (CONT.)
• Detection:
  – Install automatic scanner
  – Install integrity checker
• Recovery:
  – Ensure up-to-date backups are available
  – Notify your IAO/IAM
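The “changes in file sizes” indicator on the What Do You Look For? slide and the “install integrity checker” control above both come down to one mechanism: record a known-clean baseline of the system and compare against it later. The Python below is an added example written for this page, not code from the training deck or from any product it names. It hashes every regular file under a directory, records size and SHA-256, and reports what was added, removed or altered. The directory tree and the tampering performed in demo() are constructed for illustration; note that two of the modifications keep the file length unchanged, which is exactly the case a size-only check (and a virus that “leaves no external signs of its presence”) would slip past.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to (size, sha256).
    Symlinks are skipped so a planted link cannot make the checker read elsewhere."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_of(p))
    return baseline


def compare(baseline, current):
    """Return files added, removed and modified since the baseline.
    A file counts as modified when its hash differs, even if its size is unchanged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for name in sorted(set(baseline) & set(current)):
        old_size, old_hash = baseline[name]
        new_size, new_hash = current[name]
        if old_hash != new_hash:
            modified.append({"file": name, "old_size": old_size, "new_size": new_size})
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it the way malicious
    logic would, and return what the checker reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 98)  # constructed stand-in binary
        (root / "config.ini").write_text("debug=0\n")
        (root / "notes.txt").write_text("meeting at 0900\n")
        baseline = build_baseline(root)

        # 1. Patch the executable in place without changing its length (a size check misses this)
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x90" * 98)
        # 2. Flip a setting, again keeping the length identical
        (root / "config.ini").write_text("debug=1\n")
        # 3. Drop a new script and delete a data file
        (root / "dropper.vbs").write_text("' constructed sample\n")
        (root / "notes.txt").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The baseline is only as trustworthy as where it is kept: an intruder who can rewrite app.exe can also rewrite a baseline file stored next to it, so store it on read-only or off-host media (or sign it), and build it from the known-clean media the previous slide tells you to keep. Unlike a signature scanner, this catches malicious logic nobody has a signature for yet, but it cannot tell you whether a change was legitimate; that is what the configuration-management input from the IAM is for.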
PASSWORD SECURITY PRACTICES
• Minimum of 8 characters, combination of alpha and numeric with at least one special character
• No dictionary words
• No personal relationships (e.g., birth-dates, names)
• Don’t write them down
• Don’t share them with anyone
• Don’t say them out loud while typing
• Don’t allow someone to look over your shoulder
PASSWORD SECURITY PRACTICES (CONT.)
• Choose something easy to remember
  – Example: “Twinkle Twinkle Little Star How I Wonder Where” becomes Ttl*hI1w
• Change it regularly (at least every 90 days)
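The composition rules on the two password slides can be checked mechanically, and the mnemonic technique can be automated. The Python below is an added example written for this page, not part of the original training material. The word list, the character-substitution table and the name/date tokens are constructed for illustration (a real check uses a full dictionary and a breached-password list), and the whole-word substitutions star to “*” and wonder to “1” are my guess at how the deck’s Ttl*hI1w was formed; the deck also mixes letter case by hand, which the function does not. One caveat for readers applying this today: the 90-day rotation and composition rules reflect 2005 practice, and NIST SP 800-63B (2017) instead recommends screening candidates against known-compromised passwords and not forcing periodic changes.

```python
import string

# Constructed miniature word list; production checks use a full dictionary and leaked-password lists
DICTIONARY = {"password", "twinkle", "little", "star", "wonder", "marine",
              "secret", "welcome", "summer", "letmein"}

# Common substitutions that do not make a dictionary word any stronger ("p@ssw0rd")
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "$": "s", "7": "t", "!": "i"})


def check_password(pw, personal_info=()):
    """Return the list of slide rules that pw breaks; an empty list means it passes.

    personal_info: strings the user must not embed (family names, birth dates, ...)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")

    lowered = pw.lower()
    forms = {lowered, lowered.translate(_LEET)}  # test both the literal and the de-leeted text
    for word in sorted(DICTIONARY):
        if any(word in f for f in forms):
            problems.append(f"contains dictionary word '{word}'")
    for item in personal_info:
        token = "".join(ch for ch in item.lower() if ch.isalnum())  # "03-15-1980" -> "03151980"
        if len(token) >= 3 and any(token in f for f in forms):
            problems.append(f"contains personal information '{item}'")
    return problems


def mnemonic(phrase, substitutions=None):
    """Build a password from the first letter of each word of a memorable phrase,
    replacing whole words listed in substitutions (e.g. {"star": "*"})."""
    substitutions = substitutions or {}
    out = []
    for word in phrase.split():
        key = word.lower().strip(string.punctuation)
        out.append(substitutions.get(key, word[0]))
    return "".join(out)


if __name__ == "__main__":
    phrase = "Twinkle Twinkle Little Star How I Wonder Where"
    candidate = mnemonic(phrase, {"star": "*", "wonder": "1"})  # assumed mapping, see lead-in
    print(candidate, check_password(candidate))
    print("P@ssw0rd1!", check_password("P@ssw0rd1!"))
    print("Smith1980!", check_password("Smith1980!", personal_info=["Smith", "03-15-1980", "1980"]))
```

The two things worth noticing are the de-leeting step, without which “P@ssw0rd1!” satisfies every composition rule while still being a dictionary word, and the fact that the mnemonic output passes the same checker the slides imply, which is the point of the technique: a phrase you can recite produces a string that is not in any word list.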
AREA PROTECTION
• Comply with physical security requirements
  – System Security Plan
• Other area protection responsibilities
  – Ensure secure work habits
  – Don’t try to bypass security
  – Only allow access to properly cleared personnel
PRACTICES DANGEROUS TO SECURITY
• Posting passwords on the computer
• Creating easy to guess passwords
• Mixing classified and unclassified media
• Leaving terminal logged on and unattended
• Discussing classified information in an unsecured area
• Leaving the phone off the hook
• Propping open doors to secure areas unguarded
MATERIAL HANDLING AND STORAGE
DoD 5200.1-R
Outlines the proper handling and storage of classified materials.
• Safeguarding
• Storage
• Transfer
• Destruction