SECURITY AWARENESS TRAINING (8/16/05)

38 pages. Posted Mar 26, 2015 by Adrian Dillon.

Transcript
Page 1:

8/16/05 1

SECURITY AWARENESS TRAINING

Page 2:

INFORMATION SYSTEM SECURITY (INFOSEC)

Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

Page 3:

INFOSEC PROPERTIES

Confidentiality

Confidentiality ensures that information is not disclosed to unauthorized persons, processes, or devices.

Integrity

Integrity is the protection against unauthorized modification or destruction of information.

Availability

Availability is the timely, reliable access to data and information services for authorized users.

Page 4:

INFOSEC PROPERTIES

Authenticity

Authenticity is the service that ensures that system events are initiated by and traceable to authorized entities. It is composed of authentication and non-repudiation.

Non-Repudiation

Non-repudiation is the assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of sender’s identity, so neither can later deny having processed the data.

Page 5:

P.L. 100-235

• Computer Security Act of 1987
  – Develop standards and guidelines to assure
    • Cost-effective security and
    • Privacy of sensitive information
  – Provides for promulgation of standards and guidelines
  – Requires security plans
  – Requires mandatory periodic training

Page 6:

OMB A-130

• Management of Federal Information Resources
  – Establishes policy
  – Requires:
    • Information security plans
    • Computer security in FMFIA reports
    • Awareness and training
    • Agencies improve contingency planning
    • Formal emergency response capabilities

Page 7:

DoD Directive 8500.1

• Information Assurance (IA)
  – Defense in Depth approach
  – Integration of
    • Capabilities of personnel
    • Operations and Technology
  – Supports the evolution to Network Centric Warfare

Page 8:

MINIMUM REQUIREMENTS OF DoD 8500.1

• ACCOUNTABILITY

• ACCESS CONTROL POLICY

• SECURITY TRAINING AND AWARENESS PROGRAM

• PHYSICAL CONTROLS

• MARKING

• LEAST PRIVILEGE

Page 9:

MINIMUM REQUIREMENTS OF DoD 8500.1 (CONT.)

• DATA CONTINUITY

• DATA INTEGRITY

• CONTINGENCY PLAN

• ACCREDITATION

• RISK MANAGEMENT PROGRAM

• OTHERS AS IDENTIFIED BY RISK ASSESSMENT

Page 10:

ROLES AND RESPONSIBILITIES

Only personnel in authorized security management or administrative functions will be granted access to security management functions.

An Information Assurance Manager (IAM) will be assigned to support the DAA.

An Information Assurance Officer (IAO) will be assigned with the overall responsibility for implementing the security policies and practices for the portion of the system that is within the IAO’s area of responsibility.

The appropriate Designated Approving Authority shall accredit the system IAS before operation.

Page 11:

ROLES AND RESPONSIBILITIES

DAA:

Review and approve security safeguards and issue the accreditation

Ensure that all the safeguards are implemented and maintained.

Identify security deficiencies and, where the deficiencies are serious enough to preclude accreditation, take action (e.g., allocate additional resource) to achieve an acceptable security level.

Ensure that data ownership is established for the MEF IAS, to include accountability, access rights, and special handling requirements.

Page 12:

ROLES AND RESPONSIBILITIES

DAA continued:

Be aware that connection to a network may involve additional risks because of the potential exposure of their own data to the larger community of connected networks. A RISK FOR ONE IS A RISK FOR ALL!

Be aware that the security of individual networks connected to the system remains the responsibility of their respective DAAs.

Be responsible for the overall system security and has the authority to disconnect any entity that does not adhere to the security requirements of the system.

Page 13:

ROLES AND RESPONSIBILITIES

IAM:

Interpret and tailor DoD, DoN, USMC and MEF security policy

Ensure that system security requirements are met

Ensure that all INFOSEC tasks and functions are adequately performed or conducted

Ensure Risk Management is accomplished

Ensure activities required to accredit and re-accredit the system are completed

Page 14:

ROLES AND RESPONSIBILITIES

IAM continued:

Provide guidance to IAOs and NSOs

Develop training for INFOSEC personnel and users

Coordinate physical access, facility access, and environmental controls

Coordinate to ensure TEMPEST requirements are met

Ensure that system transactions are audited and that audit trails are regularly reviewed

Approve all incident reporting mechanisms

Page 15:

ROLES AND RESPONSIBILITIES

IAM continued:

Provide input to system configuration management to ensure implemented changes do not compromise security

Ensure the development and testing of contingency plans

Perform those duties normally performed by IAOs, in the event that no IAOs are appointed

Has authority to enforce security policies and safeguards on all personnel having system access for which the IAO has cognizance.

Page 16:

ROLES AND RESPONSIBILITIES

IAM continued:

When no IAM is appointed, the IAO shall perform the duties of the IAM.

Report the system security status, as required by the DAA.

Review and forward to the DAA for approval local security procedures and policies, ensure system safeguards are maintained as required, and evaluate known vulnerabilities to ascertain if additional safeguards are needed.

Begin protective or corrective measures if a security problem exists.

Page 17:

ROLES AND RESPONSIBILITIES

Operators:

Use Government software for official business only

Protect sensitive/classified information

Access MEF IAS only when formally authorized

Only for authorized purposes

Protect personal authenticators

Report suspected compromise to IAO

Page 18:

ROLES AND RESPONSIBILITIES

Operators continued:

• Notify IAM or IAO when access:
  – No longer required
  – Has changed

• Participate in INFOSEC awareness programs

• Non-compliance may result in disciplinary action

Page 19:

THREAT CATEGORIES

• UNINTENTIONAL

• INTENTIONAL

• NATURAL

Page 20:

UNINTENTIONAL THREATS

• ACCIDENTS

• CARELESSNESS

• UNINFORMED ACTIONS

• BAD HABITS

Page 21:

INTENTIONAL THREATS

INSIDER THREATS

Persons who are granted some form of access to the equipment, data and/or facilities pose insider threats. Opportunities exist for authorized users to intentionally or (sometimes unintentionally) harm the system or compromise its data by performing the following actions:

Provide unauthorized individuals with sensitive information (e.g., location and type of vessels, encryption key material)

Modify hardware and/or software (introduces malicious software and/or alters track data)

Provide unauthorized individuals with a back door and/or access to privileged accounts on the system

Page 22:

INTENTIONAL THREATS

Downgrade data to allow higher classification data such as SCI to be accessible at the Collateral level

Disclose and/or modify sensitive data or cause denial of service attributed to curiosity and/or poor training practices as follows:

Set incorrect access permission and privileges to the data

Keep user access privileges after the user has been reassigned or terminated

Leave workstations (W/Ss) unattended while still logged in

Load personal software (e.g., games, personal use programs)

Page 23:

INTENTIONAL THREATS

Execute commands by pressing keys to see what happens

Accidentally execute an incorrect command and/or action resulting in destruction, modification, or disclosure of the data

Allow untrained personnel to service equipment

Incorrectly set router configuration tables

Intentional actions by disgruntled employees to disclose, destroy, and modify the information and/or equipment, and introduce viruses, worms, time bombs or back doors

Theft of the equipment and sensitive/classified information

Page 24:

INTENTIONAL THREATS

OUTSIDER THREATS

Outsider threats consist of intentional (and sometimes unintentional) actions performed by unauthorized users. These actions include the following:

Intercept sensitive information during transmission

Gain access by using a remote terminal or by hacking from the local or wide area network; introduce malicious software, steal, modify or destroy sensitive data and programs, or modify the system configuration

Jam communications channels and/or flood with false signaling, reducing the system’s normal capability

Inflict damage to the equipment and installations (e.g., ships, buildings, and aircraft) from accidental impact, terrorist attacks, acts of war, or civil disturbances

Introduction of bogus information to lead the user or tactical commander into making an incorrect decision or action

Page 25:

NATURAL THREATS

ACTS OF NATURE

• Floods

• Fire

• Lightning

• Earthquakes

• Tornadoes/Hurricanes

• Volcanoes

Page 26:

MALICIOUS LOGIC

Hardware, software, or firmware intentionally included in an IS for an unauthorized purpose.

Page 27:

What Do You Look For?

• Note abnormal or unexpected activity
  – Displays, music, or other sounds
  – Slowdown in processing speed
  – Disk activity
  – Error messages
  – Changes in file sizes
  – Loss of programs or data

Page 28:

TROJAN HORSES (NSTISSI 4009)

Computer program containing an apparent or actual useful function that contains additional (hidden) functions that allow unauthorized collection, falsification, or destruction of data

Page 29:

BOMBS

• A “program”, generally malicious in nature, hidden within or emulating another program, that is designed to execute at a specific future time or event
  – Logic bombs
  – Time bombs

Page 30:

WORMS (NSTISSI 4009)

Independent program that replicates from machine to machine across network connections often clogging networks and computer systems as it spreads

Page 31:

VIRUSES (NSTISSI 4009)

Self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence.

Page 32:

MALICIOUS LOGIC PROTECTION

• Protection:
  – Use media from trusted sources
  – Check all files and media with multiple programs
  – Make backup copies of known clean media
  – Do not boot from diskette if possible
  – Use up-to-date virus scan-ware

Page 33:

MALICIOUS LOGIC PROTECTION (CONT.)

• Detection:
  – Install automatic scanner
  – Install integrity checker

• Recovery:
  – Ensure up-to-date backups are available
  – Notify your IAO/IAM
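The "integrity checker" named under Detection, and the "changes in file sizes" and "loss of programs or data" signs listed on page 27, are illustrated by this added example (not part of the training deck): a baseline snapshot of file sizes and SHA-256 digests is compared against a later one, on a constructed temporary directory tree.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, tuple[int, str]]:
    """Record size and SHA-256 digest of every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Classify differences between two snapshots as modified, missing or added."""
    report = {"modified": [], "missing": [], "added": []}
    for rel, entry in baseline.items():
        if rel not in current:
            report["missing"].append(rel)      # loss of programs or data
        elif current[rel] != entry:
            report["modified"].append(rel)     # size or content changed
    report["added"] = [rel for rel in current if rel not in baseline]
    return {kind: sorted(files) for kind, files in report.items()}


def demo() -> dict[str, list[str]]:
    """Constructed sample tree: take a baseline, then apply changes of the kinds the slides list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original program")
        (root / "config.ini").write_text("level=1\n")
        (root / "notes.txt").write_text("clean baseline\n")
        before = snapshot(root)
        # Simulated changes: the program grows (a size change), the config is
        # edited in place (same size, so only the digest reveals it), one file
        # is lost, and one unexpected file appears.
        (root / "bin" / "app.exe").write_bytes(b"MZ original program" + b"\x00" * 64)
        (root / "config.ini").write_text("level=9\n")
        (root / "notes.txt").unlink()
        (root / "bin" / "extra.dll").write_bytes(b"unexpected")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Comparing digests rather than sizes alone is what catches the in-place config edit; a size-only check would miss it.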

Page 34:

PASSWORD SECURITY PRACTICES

• PASSWORD SECURITY

• Minimum of 8 characters, combination of alpha and numeric with at least one special character

• No dictionary words

• No personal relationships (e.g., birth-dates, names)

• Don’t write them down

• Don’t share them with anyone

• Don’t say them out loud while typing

• Don’t allow someone to look over your shoulder

Page 35:

PASSWORD SECURITY PRACTICES

• Choose something easy to remember

• Example:
  – Twinkle Twinkle Little Star How I Wonder Where
  – Ttl*hI1w

• Change it regularly (minimum every 90 days)
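The rules on these two slides, as an added example that is not part of the training deck: a checker that applies the length, character-class, dictionary-word and personal-detail rules and the 90-day change limit. The word list and the personal details are constructed stand-ins; a real deployment would load a full dictionary and the user's own records.

```python
from datetime import date
import string

# Rules from the slides: at least 8 characters, letters and digits with at
# least one special character, no dictionary words, nothing tied to the user,
# and a change at least every 90 days.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90

# Constructed stand-in for a real word list (assumption, not from the deck).
DICTIONARY = {"password", "twinkle", "little", "star", "wonder", "marine"}


def check_password(pw: str, personal=(), dictionary=DICTIONARY) -> list[str]:
    """Return the rule violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    low = pw.lower()
    # Dictionary words embedded in the password count too (only words of four
    # or more letters, so that fragments like "hi" do not cause false hits).
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in low)
    if hits:
        problems.append(f"contains dictionary word '{hits[0]}'")
    hits = sorted(p for p in personal if p and p.lower() in low)
    if hits:
        problems.append(f"contains personal detail '{hits[0]}'")
    return problems


def needs_rotation(last_changed: date, today: date) -> bool:
    """True when the password is older than the 90-day limit on the slide."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # The slide's mnemonic "Ttl*hI1w" satisfies every rule; a password built
    # from the phrase's plain words fails on the dictionary check.
    for candidate in ("Ttl*hI1w", "Twinkle1!", "Ab1!", "Jones1975!"):
        print(candidate, check_password(candidate, personal=("Jones", "1975")) or "OK")
    print(needs_rotation(date(2005, 5, 1), date(2005, 8, 16)))
```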

Page 36:

AREA PROTECTION

• Comply with physical security requirements
  – System Security Plan

• Other area protection responsibilities
  – Ensure secure work habits
  – Don’t try to bypass security
  – Only allow access to properly cleared personnel

Page 37:

PRACTICES DANGEROUS TO SECURITY

• Posting passwords to computer

• Creating easy to guess passwords

• Mixing classified and unclassified media

• Leaving terminal logged on and unattended

• Discussing classified information in an unsecured area

• Leaving the phone off the hook

• Propping open doors to secure areas unguarded

Page 38:

MATERIAL HANDLING AND STORAGE

DoD 5200-1R

Outlines the proper handling and storage of classified materials.

• Safeguarding

• Storage

• Transfer

• Destruction