8/16/052 INFORMATION SYSTEM SECURITY (INFOSEC) Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.
8/16/053 INFOSEC PROPERTIES Confidentiality Confidentiality ensures that information is not disclosed to unauthorized persons, processes, or devices. Integrity Integrity is the protection against unauthorized modification or destruction of information. Availability Availability is the timely, reliable access to data and information services for authorized users.
8/16/054 INFOSEC PROPERTIES Authenticity Authenticity is the service that ensures that system events are initiated by and traceable to authorized entities. It is composed of authentication and non-repudiation. Non-Repudiation Non-repudiation is the assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of senders identity, so neither can later deny having processed the data.
8/16/055 P.L. 100-235 Computer Security Act of 1987 –Develop standards and guidelines to assure Cost-effective security and Privacy of sensitive information –Provides for promulgation of standards and guidelines –Requires security plans –Requires mandatory periodic training
8/16/056 OMB A-130 Management of Federal Information Resources –Establishes policy –Requires: Information security plans Computer security in FMFIA reports Awareness and training Agencies improve contingency planning Formal emergency response capabilities
8/16/057 DoD Directive 8500.1 Information Assurance (IA) –Defense in Depth Approach –Integration of Capabilities of personnel Operations and Technology and Supports the Evolution to Network Centric Warfare.
8/16/058 ACCOUNTABILITY ACCESS CONTROL POLICY SECURITY TRAINING AND AWARENESS PROGRAM PHYSICAL CONTROLS MARKING LEAST PRIVILEGE MINIMUM REQUIREMENTS OF DoD 8500.1
8/16/059 MINIMUM REQUIREMENTS OF DoD 8500.1 (CONT.) DATA CONTINUITY DATA INTEGRITY CONTINGENCY PLAN ACCREDITATION RISK MANAGEMENT PROGRAM OTHERS AS IDENTIFIED BY RISK ASSESSMENT
8/16/0510 ROLES AND RESPONSIBILITIES Only personnel in authorized security management or administrative functions will be granted access to security management functions. An Information Assurance Manager (IAM) will be assigned to support the DAA. An Information Assurance Officer (IAO) will be assigned with the overall responsibility for implementing the security polices and practices for the portion of the system that is within the IAOs area of responsibility. The appropriate Designated Approving Authority shall accredit the system IAS before operation.
8/16/0511 ROLES AND RESPONSIBILITIES DAA: Review and approve security safeguards and issue the accreditation Ensure that all the safeguards are implemented and maintained. Identify security deficiencies and, where the deficiencies are serious enough to preclude accreditation, take action (e.g., allocate additional resource) to achieve an acceptable security level. Ensure that data ownership is established for the MEF IAS, to include accountability, access rights, and special handling requirements.
8/16/0512 ROLES AND RESPONSIBILITIES DAA continued: Be aware that connection to a network may involve additional risks because of the potential exposure of their own data to the larger community of connected networks. A RISK FOR ONE IS A RISK FOR ALL! Be aware that the security of individual networks connected to the system remains the responsibility of their respective DAAs. Be responsible for the overall system security and has the authority to disconnect any entity that does not adhere to the security requirements of the system.
8/16/0513 ROLES AND RESPONSIBILITIES IAM: Interpret and tailor DoD, DoN, USMC and MEF security policy Ensure that system security requirements are met Ensure that all INFOSEC tasks and functions are adequately performed or conducted Ensure Risk Management is accomplished Ensure activities required to accredit and re-accredit the system are completed
8/16/0514 ROLES AND RESPONSIBILITIES IAM continued: Provide guidance to IAOs and NSOs Develop training for INFOSEC personnel and users Coordinate physical access, facility access, and environmental controls Coordinate to ensure TEMPEST requirements are met Ensure that system transactions are audited and that audit trails are regularly reviewed Approve all incident reporting mechanisms
8/16/0515 ROLES AND RESPONSIBILITIES IAM continued: Provide input to system configuration management to ensure implemented changes do not compromise security Ensure the development and testing of contingency plans Perform those duties normally performed by IAOs, in the event that no IAOs are appointed Has authority to enforce security policies and safeguards on all personnel having system access for which the IAO has cognizance.
8/16/0516 ROLES AND RESPONSIBILITIES IAM continued: When no IAM is appointed, the IAO shall perform the duties of the IAM. Report the system security status, as required by the DAA. Review and forward to the DAA for approval local security procedures and policies, ensure system safeguards are maintained as required, and evaluate known vulnerabilities to ascertain if additional safeguards are needed. Begin protective or corrective measures if a security problem exists.
8/16/0517 ROLES AND RESPONSIBILITIES Operators: Use Government software for official business only Protect sensitive/classified information Access MEF IAS only when formally authorized Only for authorized purposes Protect personal authenticators Report suspected compromise to IAO
8/16/0518 ROLES AND RESPONSIBILITIES Operators continued: Notify IAM or IAO when access: –No longer required –Has changed Participate in INFOSEC awareness programs Non-compliance may result in disciplinary action
8/16/0520 UNINTENTIONAL THREATS ACCIDENTS CARELESSNESS UNINFORMED ACTIONS BAD HABITS
8/16/0521 INTENTIONAL INTENTIONAL THREATS INSIDER THREATS Persons who are granted some form of access to the equipment, data and/or facilities pose insider threats. Opportunities exist for authorized users to intentionally or (sometimes unintentionally) harm the system or compromise its data by performing the following actions: Provide unauthorized individuals with sensitive information (e.g., location and type of vessels, encryption key material) Modify hardware and/or software (introduces malicious software and/or alters track data) Provide unauthorized individuals with a back door and/or access to privileged accounts on the system
8/16/0522 INTENTIONAL INTENTIONAL THREATS Downgrade data to allow higher classification data such as SCI to be accessible at the Collateral level Disclose and/or modify sensitive data or cause denial of service attributed to curiosity and/or poor training practices as follows: Set incorrect access permission and privileges to the data Keep user access privileges after the user has been reassigned or terminated Leave W/Ss unattended while still logged in Load personal software (e.g., games, personal use programs)
8/16/0523 INTENTIONAL INTENTIONAL THREATS Execute commands by pressing keys to see what happens Accidentally execute an incorrect command and/or action resulting in destruction, modification, or disclosure of the data Allow untrained personnel to service equipment Incorrectly set router configuration tables Intentional actions by disgruntled employees to disclose, destroy, and modify the information and/or equipment, and introduce viruses, worms, time bombs or back doors Theft of the equipment and sensitive/classified information
8/16/0524 INTENTIONAL INTENTIONAL THREATS OUTSIDER THREATS Outsider threats consist of intentional (and sometimes unintentional) actions performed by unauthorized users. These actions include the following: Intercept sensitive information during transmission Gain access by using a remote terminal or by hacking from the local or wide area network; introduce malicious software, steal, modify or destroy sensitive data and programs, or modify the system configuration Jam communications channels and/or flood with false signaling, reducing the systems normal capability Inflict damage to the equipment and installations (e.g., ships, buildings, and aircraft) from accidental impact, terrorist attacks, acts of war, or civil disturbances Introduction of bogus information to lead the user or tactical commander into making an incorrect decision or action
8/16/0525 NATURAL THREATS ACTS OF NATURE Floods Fire Lightning Earthquakes Tornadoes/Hurricanes Volcanoes
8/16/0526 MALICIOUS LOGIC Hardware, software, or firmware intentionally included in an IS for an unauthorized purpose.
8/16/0527 What Do You Look For? Note abnormal or unexpected activity –Displays, music, or other sounds –Slowdown in processing speed –Disk activity –Error messages –Changes in file sizes –Loss of programs or data
8/16/0528 TROJAN HORSES NSTISSI 4009 Computer program containing an apparent or actual useful function that contains additional (hidden) functions that allows unauthorized collection, falsification, or destruction of data
8/16/0529 BOMBS A program, generally malicious in nature, hidden within or emulating another program, that is designed to execute at a specific future time or event –Logic bombs –Time bombs
8/16/0530 WORMS NSTISSI 4009 Independent program that replicates from machine to machine across network connections often clogging networks and computer systems as it spreads
8/16/0531 VIRUSES NSTISSI 4009 Self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence.
8/16/0532 MALICIOUS LOGIC PROTECTION Protection: –Use media from trusted sources –Check all files and media with multiple programs –Make backup copies of known clean media –Do not boot from diskette if possible –Use up-to-date virus scan-ware
8/16/0533 MALICIOUS LOGIC PROTECTION (CONT.) Detection: –Install automatic scanner –Install integrity checker Recovery: –Ensure up-to-date backups are available –Notify your IAO/IAM
8/16/0534 PASSWORD SECURITY PRACTICES PASSWORD SECURITY Minimum of 8 characters, combination of alpha and numeric with at least one special character No dictionary words No personal relationships (e.g., birth-dates, names) Dont write them down Dont share them with anyone Dont say them out loud while typing Dont allow someone to look over you shoulder
8/16/0535 PASSWORD SECURITY PRACTICES Choose something easy to remember Example: Twinkle Twinkle Little Star How I Wonder Where Ttl*hI1w Change it regularly (minimum every 90 days)
8/16/0536 AREA PROTECTION Comply with physical security requirements –System Security Plan Other area protection responsibilities –Ensure secure work habits –Dont try to bypass security –Only allow access to properly cleared personnel
8/16/0537 PRACTICES DANGEROUS TO SECURITY Posting passwords to computer Creating easy to guess passwords Mixing classified and unclassified media Leaving terminal logged on and unattended Discussing classified in an un-secure area Leaving the phone off the hook Propping open doors to secure areas unguarded
8/16/0538 MATERIAL HANDLING AND STORAGE DoD 5200-1R Outlines the proper handling and storage of classified materials. Safeguarding Storage Transfer Destruction