Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFORMATION SYSTEMS SECURITY OFFICE (ISSO) SERVICES MAJ Carmine Cicalese CINC INFOSEC Support One Team, One Mission Information Superiority for America.

Similar presentations


Presentation on theme: "INFORMATION SYSTEMS SECURITY OFFICE (ISSO) SERVICES MAJ Carmine Cicalese CINC INFOSEC Support One Team, One Mission Information Superiority for America."— Presentation transcript:

1 INFORMATION SYSTEMS SECURITY OFFICE (ISSO) SERVICES MAJ Carmine Cicalese CINC INFOSEC Support One Team, One Mission Information Superiority for America

2 INFORMATION SYSTEMS SECURITY (INFOSEC) The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats

3 GROWING NEED FOR INFOSEC l Nation has become highly dependent on networking for military ops, government, and commerce l Information infrastructure is at risk! Data and systems are highly vulnerable to unauthorized access l Information warfare could inflict massive disruption on military readiness and the economy l Nation has become highly dependent on networking for military ops, government, and commerce l Information infrastructure is at risk! Data and systems are highly vulnerable to unauthorized access l Information warfare could inflict massive disruption on military readiness and the economy

4 RACE AGAINST TIME: INFOSEC VS. INFOWAR l Massive Use of Networking Makes U.S. the Worlds Most Vulnerable Target for Information Warfare uIntelligence Exploitation uDisruption of Network Infrastructure l U.S. Has Orders of Magnitude More to Lose to Information Warfare Attacks Than Our Adversaries l Reliance on Unprotected Networks Carries Risk of Military Failure and Catastrophic Economic Loss l Massive Use of Networking Makes U.S. the Worlds Most Vulnerable Target for Information Warfare uIntelligence Exploitation uDisruption of Network Infrastructure l U.S. Has Orders of Magnitude More to Lose to Information Warfare Attacks Than Our Adversaries l Reliance on Unprotected Networks Carries Risk of Military Failure and Catastrophic Economic Loss

5 INFORMATION WARFARE...the threat to our military and commercial information systems poses a significant risk to national security and must be addressed. William J. Clinton President of the United States 1995 National Security Strategy

6 INFORMATION WARFARE Information in all its forms, information protection, and the increasingly prominent position of information in the attack have become central features in determining the outcome of modern and future conflicts. General John M. Shalikashvili Chairman of the Joint Chiefs of Staff Memorandum, Information Warfare Status, 10 October 1995

7 SANCTUARY -- LOST U.S.SOCIETY ADVERSARY U.S.MILITARY U.S.SOCIETY ADVERSARY U.S.MILITARY PAST PRESENT

8 INFOSEC CHALLENGES l Keeping pace with technology l National Information Infrastructure (NII) l Support to military operations l Keeping pace with technology l National Information Infrastructure (NII) l Support to military operations

9 POTENTIAL ISSO CUSTOMERS ? ? PRIVATE INDUSTRY JOHN Q. PUBLIC FINANCIAL COMMUNITY ACADEMIA HEALTH PROFESSION

10 WHAT ARE WE DOING ABOUT IT? Key INFOSEC Goal: Keep Pace with Network Technology and Security Needs Criteria for Success: Solutions that are Secure, Affordable, and Easy to Use, as Defined by Our Customers Key INFOSEC Goal: Keep Pace with Network Technology and Security Needs Criteria for Success: Solutions that are Secure, Affordable, and Easy to Use, as Defined by Our Customers

11 GOALS l Enhance Network Security l Meet All Requirements for Unique, High Assurance Solutions l Advance INFOSEC Technology l Champion Information Security for the Nation l Forge an Innovative Customer-Driven Corporate Culture l Enhance Network Security l Meet All Requirements for Unique, High Assurance Solutions l Advance INFOSEC Technology l Champion Information Security for the Nation l Forge an Innovative Customer-Driven Corporate Culture

12 ISSO MISSION l Provide leadership, products, and services necessary to enable customers to protect national security and sensitive information in information systems pursuant to Federal law and national policies; and... l Provide technical support to the governments efforts to incorporate information systems security into the National Information Infrastructure (NII) l Provide leadership, products, and services necessary to enable customers to protect national security and sensitive information in information systems pursuant to Federal law and national policies; and... l Provide technical support to the governments efforts to incorporate information systems security into the National Information Infrastructure (NII)

13 SECURITY TERMS DATA INTEGRITY - AUTHENTICATION - NON-REPUDIATION - CONFIDENTIALITY - AVAILABILITY - DATA INTEGRITY - AUTHENTICATION - NON-REPUDIATION - CONFIDENTIALITY - AVAILABILITY - Absolute verification data has not been modified (Detection of a single bit change) Verification of originator (Signature on check) Undeniable proof-of-participation (Sender/receiver in bank transaction) Privacy with encryption (Scrambled text) Assurance of service on demand (Guaranteed dial tone) Absolute verification data has not been modified (Detection of a single bit change) Verification of originator (Signature on check) Undeniable proof-of-participation (Sender/receiver in bank transaction) Privacy with encryption (Scrambled text) Assurance of service on demand (Guaranteed dial tone)

14 INFOSEC BUSINESS The business of information security comprises a cycle of critical activities designed to meet constantly changing customer needs in the emerging information age. l Assess Needs Customer education, threat awareness, vulnerability assessment, impact on business, leading national advocacy role. l Deliver Solutions Product and systems evaluations, risk management, system security engineering consultancy, new solutions, implementation assistance, security management infrastructure, life cycle support, policies and guidelines. l Create Advanced Technologies Anticipate and enable emerging technologies, conduct and coordinate research and development, rapid prototyping.

15 INFOSEC SOLUTIONS INFOSEC SOLUTIONS INFOSEC SOLUTIONS PRODUCTS TECHNOLOGIES SERVICES

16 PRODUCTS l MISSI/Fortezza l STU-III l KG-84 l KG-194 l KG-95 l CONDOR l MISSI/Fortezza l STU-III l KG-84 l KG-194 l KG-95 l CONDOR l Key Management System (EKMS) l Embedded Modules l Chips l Algorithms l Secure Terminal Equipment

17 DISN DMS GCCS EC/EDI CINC MLS CINC MLS DFAS NETWORK SECURITY MANAGEMENT Electronic Key Management System Certification Authority Workstation (CAW) DOD Directory Service DII Non - Repudiation Confidentiality Integrity Availability Identification & Authentication MISSI BUILDING BLOCK PRODUCTS SECURITY SERVICES Secure Computing High Assurance Guards Firewalls In-Line Network Encryptors **** Fortezza +Fortezza DEFENSE INFORMATION INFRASTRUCTURE SECURITY

18 l Workstation Products uFORTEZZA l High Assurance Guards uSecure Network Server (SNS) »Standard Mail Guard (SMG) n Secret unclassified l In-Line Network Encryptors uNetwork Encryption System (NES) (current) uTactical End-to-End Device (TEED) (emerging) uFastlane (multimedia ATM) (emerging) uKG-189 (Synchronous Optical Network (SONET)) l Workstation Products uFORTEZZA l High Assurance Guards uSecure Network Server (SNS) »Standard Mail Guard (SMG) n Secret unclassified l In-Line Network Encryptors uNetwork Encryption System (NES) (current) uTactical End-to-End Device (TEED) (emerging) uFastlane (multimedia ATM) (emerging) uKG-189 (Synchronous Optical Network (SONET)) MISSI Mulitlevel Information Systems Security Initiaitive

19 ISSO SERVICES ISSO services is the intellectual set of activities that assist customers in protecting the mission information

20 ISSO SERVICES l System Security Assessments l Information System Security Education, Training and Awareness (ISSETA) l Security Engineering and Consulting l Product Evaluation l Clearinghouse for Security Technical Information l Security Infrastructure l System Security Assessments l Information System Security Education, Training and Awareness (ISSETA) l Security Engineering and Consulting l Product Evaluation l Clearinghouse for Security Technical Information l Security Infrastructure

21 SYSTEM SECURITY ASSESSMENTS l Threat Assessment l OPSEC Assessment l INFOSEC Assessment l Network Vulnerability Assessments l Technical Security And Facilities Evaluation l Threat Assessment l OPSEC Assessment l INFOSEC Assessment l Network Vulnerability Assessments l Technical Security And Facilities Evaluation

22 l COMSEC Monitoring l System Security Profiles l System Certification Assistance l System Accreditation Assistance l Risk Assessment l COMSEC Monitoring l System Security Profiles l System Certification Assistance l System Accreditation Assistance l Risk Assessment SYSTEM SECURITY ASSESSMENTS

23 THREAT ASSESSMENT l All source intelligence via SIGINT, HUMINT, and IMINT l Analytic interface to intel community l Assessments tailored to customer requirements l Special studies, briefings, and video l Assist in resource and countermeasure allocations l All source intelligence via SIGINT, HUMINT, and IMINT l Analytic interface to intel community l Assessments tailored to customer requirements l Special studies, briefings, and video l Assist in resource and countermeasure allocations

24 OPSEC ASSESSMENT l Identify vulnerabilities l Information on uOperations uSupporting operations uCompetitors or adversaries l Basis for risk management decisions l Identify vulnerabilities l Information on uOperations uSupporting operations uCompetitors or adversaries l Basis for risk management decisions

25 INFOSEC ASSESSMENT l High level technical analysis of the security posture of an organizations communications and automated information systems uDetermine potential vulnerabilities and identify countermeasures uBased on known and perceived threats l Present day snapshot of implemented security l Baseline of current security assets l High level technical analysis of the security posture of an organizations communications and automated information systems uDetermine potential vulnerabilities and identify countermeasures uBased on known and perceived threats l Present day snapshot of implemented security l Baseline of current security assets

26 NETWORK VULNERABILITY ANALYSIS

27 TECHNICAL SECURITY AND FACILITIES EVALUATION

28 COMSEC MONITORING

29 l Support customers risk management process by providing information needed to make informed trade-offs between systems security risk, cost, schedule, and mission requirements l Provide timely mission and configuration specific analysis l Support certification and accreditation l Document secure system design efforts l Support customers risk management process by providing information needed to make informed trade-offs between systems security risk, cost, schedule, and mission requirements l Provide timely mission and configuration specific analysis l Support certification and accreditation l Document secure system design efforts SYSTEM SECURITY PROFILES

30 l Provide future efforts design guidance l Inject security into early design phases uLower costs uMinimal impact l Improve commercial secure products uFeed lessons learned to vendors l Provide feedback to profiling process l Provide future efforts design guidance l Inject security into early design phases uLower costs uMinimal impact l Improve commercial secure products uFeed lessons learned to vendors l Provide feedback to profiling process SYSTEM SECURITY PROFILES

31 l Focuses on developmental systems or those being upgraded l A system profile: uPresents non-judgemental technical facts uIs not a NSA endorsement uIs a structured presentation of engineering documentation uDelivers report to customer who controls it uIs time constrained vulnerability search l Focuses on developmental systems or those being upgraded l A system profile: uPresents non-judgemental technical facts uIs not a NSA endorsement uIs a structured presentation of engineering documentation uDelivers report to customer who controls it uIs time constrained vulnerability search

32 SYSTEM CERTIFICATION ASSISTANCE l Make Recommendations Regarding the Technical and Economic Feasibility of Additional Countermeasures Which Should Be Used (or Are Planned to Be Used) to Further Minimize Risks to the System

33 SYSTEM ACCREDITATION ASSISTANCE l The Cost-Effective Approach to Security Requires DAAs to Lower Risks to Acceptable Levels While Minimizing Costs

34 l Conferences l Training Classes l Standards Development l Policy Committees l Doctrine, Policy, and Procedures l Foreign Policy and Relations l Security Awareness l INFOSEC OUTREACH Program l Technology Transfer l Conferences l Training Classes l Standards Development l Policy Committees l Doctrine, Policy, and Procedures l Foreign Policy and Relations l Security Awareness l INFOSEC OUTREACH Program l Technology Transfer INFORMATION SYSTEMS SECURITY EDUCATION, TRAINING, AND AWARENESS (ISSETA)

35 CONFERENCES l National Information Systems Security Conference l AFCEA l IEEE l National Information Systems Security Conference l AFCEA l IEEE

36 TRAINING CLASSES l Train-The-Trainer l Teach, Train, and Assist (TTA) l Train-The-Trainer l Teach, Train, and Assist (TTA)

37 STANDARDS DEVELOPMENT l ISO l ANSII l ISO l ANSII

38 POLICY COMMITTEES l NSTISSC uNational policies, directives, guidance, etc., according to NSD-42 l NII l DoD l Military Services l NSTISSC uNational policies, directives, guidance, etc., according to NSD-42 l NII l DoD l Military Services

39 DOCTRINE, POLICY, AND PROCEDURES l Over-the-air rekeying l Advanced concepts and modeling for INFOSEC doctrine and risk management l Manages National COMSEC Insecurity Reporting System uTrended analysis and reports l Over-the-air rekeying l Advanced concepts and modeling for INFOSEC doctrine and risk management l Manages National COMSEC Insecurity Reporting System uTrended analysis and reports

40 INFOSEC OUTREACH PROGRAM l Certified Module Embedment (CME) Program

41 SECURITY ENGINEERING AND CONSULTING l Information Systems Security Engineering (ISSE) l System Design Guidance l Security Architecture and Frameworks l System Acquisition l Life Cycle Consulting l Information Systems Security Engineering (ISSE) l System Design Guidance l Security Architecture and Frameworks l System Acquisition l Life Cycle Consulting

42 INFORMATION SYSTEMS SECURITY ENGINEERING l ISSE Handbook l System Security Engineering Model (SSEM) l ISSE Handbook l System Security Engineering Model (SSEM)

43 LIFE CYCLE CONSULTING l Key Management l Privilege Management l Product Installation and Support Training l Design Methodology l Rainbow Series l Key Management l Privilege Management l Product Installation and Support Training l Design Methodology l Rainbow Series

44 PRODUCT EVALUATION l Product Profiles l TEMPEST Endorsement Program (TEP) l Trusted Product Evaluation Program (TPEP) l Evaluated INFOSEC (COMSEC) Product Listing l Product Profiles l TEMPEST Endorsement Program (TEP) l Trusted Product Evaluation Program (TPEP) l Evaluated INFOSEC (COMSEC) Product Listing

45 EVALUATED INFOSEC (COMSEC) PRODUCT LISTING l Commercial COMSEC Endorsement Program (CCEP) l Authorized Vendor Program (AVP) l Commercial COMSEC Endorsement Program (CCEP) l Authorized Vendor Program (AVP)

46 CLEARINGHOUSE FOR INFORMATION l Commercial Product Data Base l Vulnerability Data Base l Information (DOCKMASTER, TEMPEST Info Center) l Help Desk l Commercial Product Data Base l Vulnerability Data Base l Information (DOCKMASTER, TEMPEST Info Center) l Help Desk

47 INFORMATION l DOCKMASTER l TEMPEST Info Center l DOCKMASTER l TEMPEST Info Center

48 SECURITY INFRASTRUCTURE l Key Management and Provisioning l Doctrine, Policy, and Standards l MISSI Network Security Management uCertification Authentication Workstation (CAW) uDirectory System Agent (DSA) uMail List Agent (MLA) uRekey Manager (with EKMS) uAudit Manager l Key Management and Provisioning l Doctrine, Policy, and Standards l MISSI Network Security Management uCertification Authentication Workstation (CAW) uDirectory System Agent (DSA) uMail List Agent (MLA) uRekey Manager (with EKMS) uAudit Manager

49 STRATEGY FOR PROVIDING CUSTOMER SUPPORT V11 DISADISA VENDORSVENDORS ISSOISSO ARMYARMY NAVY/MARINESNAVY/MARINES AIR FORCE

50 WHO ARE YOU GOING TO CALL l CONTRACTOR SUPPORT (410) (STU-III) l CINCS, JOINT COMMANDS & DEFENSE AGENCIES (410) (STU-III) l MILITARY DEPARTMENTS (410) (STU-III) l CIVIL AGENCIES (410) (STU-III) DSN Prefix: , Ask Operator for Desired FAX: (410) STU-III FAX: (410) TOLL FREE: l CONTRACTOR SUPPORT (410) (STU-III) l CINCS, JOINT COMMANDS & DEFENSE AGENCIES (410) (STU-III) l MILITARY DEPARTMENTS (410) (STU-III) l CIVIL AGENCIES (410) (STU-III) DSN Prefix: , Ask Operator for Desired FAX: (410) STU-III FAX: (410) TOLL FREE:


Download ppt "INFORMATION SYSTEMS SECURITY OFFICE (ISSO) SERVICES MAJ Carmine Cicalese CINC INFOSEC Support One Team, One Mission Information Superiority for America."

Similar presentations


Ads by Google