Mini-Seminar Shorts - ISSA-COS · 2018-02-24 · Mini-Seminar Shorts Al Green CISSP, Security+ CE Categorizing Software (Public Domain, OSS, GOTS, COTS, & Freeware) IA, IA-enabled

Dec 30, 2019

Page 1: Mini-Seminar Shorts - ISSA-COS · 2018-02-24 · Mini-Seminar Shorts Al Green CISSP, Security+ CE Categorizing Software (Public Domain, OSS, GOTS, COTS, & Freeware) IA, IA-enabled

Mini-Seminar Shorts

Al Green, CISSP, Security+ CE

Categorizing Software (Public Domain, OSS, GOTS, COTS, & Freeware)

IA, IA-enabled Products

Teaching Tomorrow's Cybersecurity Professionals Begins at Home

Page 2

• Which of the following ‘Economic’ systems fails without sales?
  • Communism
  • Socialism
  • Capitalism
  • All of the above
  • None of the above

• United States Code (Code of Laws of the United States of America)
  • Defines two of the software categorizations

• Federal Acquisition Regulations (FAR) and Defense Federal Acquisition Regulations Supplement (DFARS)
  • Defines, by another name, one of the software categorizations

Categorizing Software (Public Domain, GOTS, COTS, OSS & Freeware)


Page 3

• Like politics and religion, it can be a hot topic of debate
  • Public Domain and Commercial Off-The-Shelf (COTS) are defined in the United States Code (USC)
  • Government Off-The-Shelf (GOTS) [noncommercial software] is defined in FAR and DFARS
  • Open Source Software (OSS), also referred to as Free OSS (FOSS) or Free Libre OSS (FLOSS). (An open-source community accepted definition is on the Free Software Foundation (FSF) website)
  • Freeware, to include shareware and trialware (proprietary/closed source software)

• Tends to be confusing
  • Public Domain (works produced by the government (employees))
    • No ‘copyright’ on the work produced, though there may be restrictions on its distribution
  • OSS is COTS?!
    • Yes, if maintenance support and/or a subscription service is offered with its use
  • Freeware, Shareware, and Trialware are not one and the same


Page 4

Flowchart (as text):

Software being considered → Is the software copyrighted?
  • No → Software is Public Domain (1)
  • Yes → Is the software sold exclusively to the government?
    • Yes → Software is Government Off-The-Shelf (GOTS) (2)
    • No → Is the software offered for purchase in the commercial marketplace?
      • Yes → Software is a Commercial Item (CI) (3) (capital & consumer goods); continued on the next slide
      • No → continued on the next slide

Note:
1 Public Domain. USC Title 17 – Copyrights §105, Subject matter of copyright: United States Government works
2 GOTS. (1) Federal Acquisition Regulation (FAR) 52.227-14, Rights in Data–General, and (2) Defense Federal Acquisition Regulations Supplement (DFARS) 252.227-7014, “Noncommercial computer software”
3 CI. USC Title 41 – Public Contracts §104, Commercial Item

© 2017 Alfred Green

Page 5

Flowchart (as text), continued from the previous slide:

Commercial Item (CI) → Is the software offered for purchase to the Gov’t without modification?
  • Yes → Software is Commercial Off-The-Shelf (COTS) (4)
  • No → Software remains a Commercial Item (CI), not COTS
Not offered in the commercial marketplace → Is the software offered to the community, to include source code?
  • Yes → Software is Open Source Software (OSS) (5) (includes FOSS and FLOSS)
  • No → Software is Freeware/Shareware (6)/Trialware (7) (closed source software)

Note:
4 COTS. USC Title 41 – Public Contracts §104, Commercially available off-the-shelf item
5 OSS. Free Open Source Software (FOSS), https://www.fsf.org/ and Free Libre Open Source Software (FLOSS)
6 Shareware. Voluntarily pay a set registration fee or make a donation to the program's creator. http://www.pcmag.com/encyclopedia/term/51251/shareware
7 Trialware. Software that can be run for a limited period of time before it expires. http://www.pcmag.com/encyclopedia/term/56152/trialware
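As an added example, not from the slides, the flowchart on slides 4 and 5 written as a decision procedure in Python, with the slide 3 caveat that OSS offered with maintenance support or a subscription service counts as COTS folded in. The inventory and its answers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftwareFacts:
    """Answers to the flowchart questions on slides 4 and 5 for one piece of software."""
    copyrighted: bool
    sold_only_to_government: bool = False    # slide 4: sold exclusively to the government?
    in_commercial_marketplace: bool = False  # slide 4: offered for purchase in the commercial marketplace?
    offered_to_gov_unmodified: bool = False  # slide 5: offered to the Gov't without modification?
    source_code_offered: bool = False        # slide 5: offered to the community with source code?
    support_or_subscription: bool = False    # slide 3: OSS counts as COTS when this is offered


def categorize(f):
    """Walk the slide's decision tree; numbers in comments are the slide footnotes."""
    if not f.copyrighted:
        return "Public Domain"                # (1) USC Title 17 §105
    if f.sold_only_to_government:
        return "GOTS"                         # (2) FAR 52.227-14 / DFARS 252.227-7014
    if f.in_commercial_marketplace:
        if f.offered_to_gov_unmodified:
            return "COTS"                     # (4) USC Title 41 §104
        return "Commercial Item (CI)"         # (3) USC Title 41 §104
    if f.source_code_offered:
        # Slide 3: OSS is COTS if maintenance support and/or a subscription service is offered
        return "COTS (OSS)" if f.support_or_subscription else "OSS"
    return "Freeware/Shareware/Trialware"     # (6)(7) closed source


# Constructed inventory for illustration; not from the slides.
INVENTORY = {
    "tool written by agency employees": SoftwareFacts(copyrighted=False),
    "contractor tool delivered only to DoD": SoftwareFacts(True, sold_only_to_government=True),
    "office suite sold at retail": SoftwareFacts(True, in_commercial_marketplace=True,
                                                 offered_to_gov_unmodified=True),
    "ERP sold only with gov-specific changes": SoftwareFacts(True, in_commercial_marketplace=True),
    "community web server": SoftwareFacts(True, source_code_offered=True),
    "community web server + vendor support": SoftwareFacts(True, source_code_offered=True,
                                                           support_or_subscription=True),
    "free closed-source PDF reader": SoftwareFacts(True),
}


def categorize_inventory(inventory):
    """Map each inventory entry to its category so a reviewer can spot unapproved classes."""
    return {name: categorize(facts) for name, facts in inventory.items()}
```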


Page 6

Links to more information: Categorizing Software (Public Domain, GOTS, COTS, OSS & Freeware)

• Public Domain
  • https://en.wikipedia.org/wiki/Public-domain_software
  • https://en.wikipedia.org/wiki/Category:Public_domain
  • http://uscode.house.gov/download/download.shtml (see Title 17)
• Government Off-the-Shelf (GOTS)
  • https://en.wikipedia.org/wiki/Government_off-the-shelf
  • https://www.acquisition.gov/sites/default/files/current/far/html/52_227.html#wp1139363
  • http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html
  • http://dodcio.defense.gov/Open-Source-Software-FAQ/#Q:_How_do_GOTS.2C_Proprietary_COTS.2C_and_OSS_COTS_compare.3F


Page 7

Links to more information: Categorizing Software (Public Domain, GOTS, COTS, OSS & Freeware)

• Commercial Off-the-Shelf (COTS)
  • https://en.wikipedia.org/wiki/Commercial_off-the-shelf
  • http://uscode.house.gov/download/releasepoints/us/pl/115/40/[email protected]
• Open Source Software (OSS)
  • https://en.wikipedia.org/wiki/Open-source_software
  • https://en.wikipedia.org/wiki/Open_Source_Initiative
  • https://en.wikipedia.org/wiki/Free_software_movement
  • http://dodcio.defense.gov/Open-Source-Software-FAQ/


Page 8

Links to more information: Categorizing Software (Public Domain, OSS, GOTS, COTS, & Freeware)

• Freeware, Shareware, Trialware
  • https://en.wikipedia.org/wiki/Freeware
  • https://en.wikipedia.org/wiki/Shareware
  • https://en.wikipedia.org/wiki/Shareware#Trialware


Page 9

Thank You!

Questions & Answers


[email protected]

Page 10

• What is an IA product?
  • CNSSI 4009, Committee on National Security Systems (CNSS) Glossary
    • Product whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control, non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of nonauthorized or malicious penetrations of information systems or networks
• What are examples of an IA product?
  • NIAP »» Evolution »» FAQs »» NSTISSP #11 FAQs
    • Data/network encryptors, firewalls and intrusion detection devices.

IA, IA-enabled Products


Page 11

• What is an IA-enabled product?
  • CNSSI 4009, Committee on National Security Systems (CNSS) Glossary
    • IA-enabled information technology product. Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities.
    • IA-enabled product. Product whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities.
• What are examples of IA, IA-enabled products?
  • CNSSI 4009, Committee on National Security Systems (CNSS) Glossary
    • Security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems

Note: The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. ISO/IEC 15408 is available for purchase.


Page 12

IA, IA-enabled Products

…and many more

• Who publishes approved IA, IA-enabled products lists?
  • National Information Assurance Partnership (NIAP)
    • A United States government initiative to meet the security testing needs of both information technology consumers and producers that is operated by the National Security Agency (NSA), and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). https://en.wikipedia.org/wiki/National_Information_Assurance_Partnership
  • Common Criteria Recognition Arrangement (CCRA)
    • A 28-member-nation arrangement (organization), 17 of which are certificate producers, in which NIAP serves as the U.S. representative. Its purpose is to ensure IT products evaluated according to the terms of the CCRA are mutually recognized by all member nations, allowing industry to evaluate products once and sell to many nations. https://www.niap-ccevs.org/Ref/CCRA.Partners.cfm


Page 13

• Where are approved IA, IA-enabled products lists published?
  • NIAP Product Compliant List (https://www.niap-ccevs.org/Product/PCL.cfm)
    • Products comply with the requirements of the Federal Information Processing Standard (FIPS) Cryptographic validation program(s). Products on the PCL are evaluated and accredited at licensed/approved evaluation facilities for conformance to the Common Criteria for IT Security Evaluation (ISO Standard 15408). U.S. customers (designated approving authorities, authorizing officials, integrators, etc.) may treat these mutually-recognized evaluation results as complying with the Committee on National Security Systems Policy (CNSSP) 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products, dated June 2013 (https://www.cnss.gov/CNSS/issuances/Policies.cfm).
  • CCRA Certified Products (http://www.commoncriteriaportal.org/products/)
    • The purpose of the Common Criteria Recognition Arrangement is to advance those objectives by bringing about a situation in which IT products and protection profiles which earn a Common Criteria certificate can be procured or used without the need for further evaluation. It seeks to provide grounds for confidence in the reliability of the judgements on which the original certificate was based by requiring that a Certification/Validation Body (CB) issuing Common Criteria certificates should meet high and consistent standards.


Page 14

• What environments require the use of approved IA, IA-enabled Products?
  • Environments that satisfy requirements identified in National Institute of Standards and Technology (NIST) Special Publication 800-59, Guideline for Identifying an Information System as a National Security System [NSS], Appendix A: National Security System Identification Checklist
    • Intelligence Activities
    • Cryptologic Activities
    • Command and Control of Military Forces
    • Weapons and Weapons Systems
    • Systems Critical to the Direct Fulfillment of Military or Intelligence Missions
    • Classified Systems


Page 15

• What environments necessitate the use of approved IA, IA-enabled Products?
  • Environments that satisfy requirements identified in National Institute of Standards and Technology (NIST) Special Publication 800-59, Guideline for Identifying an Information System as a National Security System [NSS], Appendix A: National Security System Identification Checklist (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-59.pdf)
    • Intelligence Activities
    • Cryptologic Activities
    • Command and Control of Military Forces
    • Weapons and Weapons Systems
    • Systems Critical to the Direct Fulfillment of Military or Intelligence Missions
    • Classified Systems

Note: For non-federal environments, ISO 27000 Information security management system (ISMS) series of publications may apply. https://en.wikipedia.org/wiki/ISO/IEC_27000-series


Page 16

• Committee on National Security Systems Instruction 4009 Glossary
  • https://www.cnss.gov/CNSS/issuances/Instructions.cfm
• NIST Special Publication 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
  • http://csrc.nist.gov/publications/nistpubs/800-23/sp800-23.pdf
  • See para ‘Policy’, sub-paras (6) and (7)
• National Information Assurance Partnership NSTISSP #11 FAQs
  • https://www.niap-ccevs.org/NIAP_Evolution/faqs/nstissp-11/
• National Security Agency | Central Security Service (NSA|CSS) Commercial Solutions for Classified Program (CSfC)
  • https://www.nsa.gov/resources/everyone/csfc/components-list/
  • https://www.nsa.gov/resources/everyone/csfc/assets/files/faqs-non-technical.pdf
  • https://www.nsa.gov/resources/everyone/csfc/assets/files/faqs-technical.pdf

Links to additional information: IA, IA-enabled Products


Page 17

Thank You!

Questions & Answers


[email protected]

Page 18

• Consider the following ‘Best Practices’, that is… mitigating risk
  • Setting a BIOS (firmware) ‘access’ password
  • Establishing individual login credentials, not shared login account(s)
  • Use of ‘least’ privilege credentials
  • Encrypting the hard drive, an encrypted container (folder), etc.
  • Seeking approval for installation of new software
  • Patching the OS, endpoint security programs, hardware drivers, etc.
  • Other
    • Warning Banner (no trespassing notice)
    • Using the local ‘hosts’ file to block unwanted activity/sites
      • https://github.com/StevenBlack/hosts
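As an added example, not from the slides or the StevenBlack repository, a small Python audit of a hosts-style blocklist: it parses the file, answers whether a name would be blackholed, and flags any entry that points a name at a routable address instead of 0.0.0.0, which is what a reviewer of a downloaded hosts file should look for before installing it. The excerpt and its domains are constructed; the helper names are this example's own.

```python
import ipaddress

# Constructed excerpt in the layout of a unified hosts blocklist (example domains only).
# One line deliberately maps a name to a routable address so the audit has something to flag.
SAMPLE_HOSTS = """\
# Title: unified hosts (constructed excerpt for this page)
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0

# Start of blocklist
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 a.example.com b.example.com
203.0.113.10 login.example-bank.com
not-an-ip garbage.example
"""

# Names a hosts file legitimately maps to loopback/unspecified; not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost", "0.0.0.0"}


def parse_hosts(text):
    """Return ({hostname: address}, [lines that do not start with a valid IP])."""
    table, bad = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            bad.append(raw)
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), str(addr))  # keep the first mapping seen
    return table, bad


def is_blackhole(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback


def blocked_names(table):
    return {n for n, a in table.items() if is_blackhole(a) and n not in LOCAL_NAMES}


def is_blocked(hostname, table):
    return hostname.lower().rstrip(".") in blocked_names(table)


def hijack_candidates(table):
    """Names mapped to a routable address: a file meant only to block should have none."""
    return {n: a for n, a in table.items() if not is_blackhole(a)}
```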


Teaching Tomorrow's Cybersecurity Professionals Begins at Home

Page 19

• Other, cont’d
  • Implementation of hardening guides
    • Center for Internet Security (CIS) Best Practices
      • https://www.cisecurity.org/cybersecurity-best-practices/
    • CIS Benchmarks
      • https://www.cisecurity.org/cis-benchmarks/
    • Defense Information Systems Agency (DISA)
      • STIG Viewing Guidance
        • http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx
      • DISA Security Technical Implementation Guides
        • http://iase.disa.mil/stigs/Pages/a-z.aspx
    • National Vulnerability Database (NVD) National Checklist Program (NCP) Repository
      • https://nvd.nist.gov/ncp/repository


Page 20

• Other, cont’d
  • Uninstall unneeded software and operating system features
    • Reduces the footprint of the OS, software apps, etc., and in turn the vulnerabilities that pose a risk to the confidentiality, integrity, and availability of personal and private information
    • Lessens the time required to complete patch updates, virus scans, etc.
  • Contributory Negligence (https://en.wikipedia.org/wiki/Contributory_negligence)
    • When one’s own negligence contributes to one’s own harm
    • Don’t be a victim once, twice, thrice, or even more over


Page 21

Warning Banner Example


Page 22

Steven Black Hosts Files GitHub Repository


https://github.com/StevenBlack/hosts

Page 23

Thank You!

Questions & Answers


[email protected]