National INFOSEC Education and Training Program
Educational Solutions for a Safer World
http://www.nsa.gov:8080/isso/programs/nietp/index.htm

Transcript of the slide deck (35 pages).

Page 1: Title slide - National INFOSEC Education and Training Program, Educational Solutions for a Safer World, http://www.nsa.gov:8080/isso/programs/nietp/index.htm

Page 2: Introduction to Information Assurance (IA)

07 July 1999

Page 3: The Course Objective is -

• To introduce the student to Information Assurance,
• Present the macro problem facing the global information network infrastructure, and
• Define Information Assurance and what is being done to protect infrastructures.

Page 4: What is Information Assurance and . . . why should I care?

Page 5: Information Assurance is . . .

Information Operations (IO) that protect and defend information and information systems by ensuring their confidentiality, authentication, integrity, availability, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

Page 6: National Infrastructures At Risk

In the cyber era, our traditional lines of defense no longer provide a wall between citizens and those who would do harm.

The landscape is changing: PCCIP / PDD 63

Page 7: INFORMATION ASSURANCE

[Diagram: interlocking communities served by interlocking information infrastructures]

Interlocking Communities: Private Citizen; Business Sector; Critical Public Safety; State, Local Govt; Federal Govt; National Security; Intel/DoD; International

Served by Interlocking Information Infrastructures: FII, DII, NII, GII

Carrying: Electronic Commerce, Electronic Mail, Electronic Data Interchange, Electronic Funds Transfer, File Transfer, Information Search/Retrieval

Requiring Basic Information Security Services:
• Data Integrity
• Data Confidentiality
• User Identification & Authentication
• Transaction Non-Repudiation
• System Availability

Through trained system users, maintainers, & developers

Validated Certificates, Assured Services: PROTECT, DETECT, RESPOND, RECONSTITUTE

Page 8: [Chart of internet user growth, with a "You Are Here!" marker]

The number of internet users will quadruple from 36.0 million in 1997 to 142.0 million by the year 2002: Avg. annual growth rate = 53%

Page 9: HISTORY - Evolution of Information Assurance in the 20th Century

Page 10: In the Beginning . . .

There was COMSEC (Communications Security)

“Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes: cryptosecurity, transmission security, emissions security, & physical security of COMSEC material.”

Page 11: Confidentiality -

Assurance that information is not disclosed to unauthorized persons, processes, or devices.*

In condensed form . . . Protection from unauthorized disclosure, or: No one but you and the sender knows

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

Page 12: Authentication -

Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.*

In condensed form . . . Verification of originator, or: Knowing for sure who sent the message

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

Page 13: The Threat/Concern Was . . .

. . . listening in on private communications

[Diagram: Sender → Receiver, with an eavesdropper on the link]

Page 14: Then there was . . .

COMPUSEC (Computer Security) (80/90’s)

“Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.”

Page 15: Integrity -

Quality of an Information System (IS) reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.*

In condensed form . . . Protection from unauthorized change, or: Person hearing/receiving exactly what you said/sent

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

Page 16: Availability -

Timely, reliable access to data and information services for authorized users.*

In condensed form . . . Assured access by authorized users, or: Having a dial tone when you want one

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

Page 17: This COMPUSEC Threat/Concern expanded to . . .

[Diagram: Access; Malicious Logic; Hacker; User; Private communications; Security Breach (password)]

Page 18: The Concern later increased to include both . . .

• COMSEC . . . and . . .
• COMPUSEC

Page 19: This COMSEC/COMPUSEC merger formed . . .

INFOSEC (Information Systems Security) (90’s)

“Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of services to authorized users, including those measures necessary to detect, document, and counter such threats.”

Page 20: Non-Repudiation -

Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.*

In condensed form . . . Undeniable proof of participation, or: Like receipt-requested mail - each knows the other got it

*(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)
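Added example (not from the NIETP deck): a short Python demonstration of why a shared-key message authentication code delivers the authentication and integrity services defined on the preceding slides but not the non-repudiation defined here. The key and messages are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key shared by sender and receiver (not a real secret).
SHARED_KEY = b"constructed-demo-key"


def tag(key: bytes, message: bytes) -> bytes:
    """Authentication + integrity: HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    """Accept only if the tag matches; compare_digest avoids timing leaks."""
    return hmac.compare_digest(tag(key, message), mac)


def tampered_in_transit(key: bytes, message: bytes) -> bool:
    """Integrity check: flip one bit of the message after it was tagged and
    see whether the receiver still accepts it. Returns True if the change
    is caught (unauthorized change detected)."""
    mac = tag(key, message)
    altered = bytes([message[0] ^ 0x01]) + message[1:]
    return not verify(key, altered, mac)


def receiver_can_forge(key: bytes) -> bool:
    """Non-repudiation test: the receiver holds the same key, so it can
    produce a tag that verifies exactly like the sender's. The sender can
    therefore deny ever having sent the message; a MAC alone does not give
    the 'undeniable proof of participation' the slide describes. That needs
    a key only the sender holds, i.e. a digital signature."""
    forged = b"constructed: transfer 1000 to receiver"
    forged_mac = tag(key, forged)  # computed by the receiver, not the sender
    return verify(key, forged, forged_mac)
```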

Page 21: Today . . . we speak “Information Assurance” (Now/Future)

“Information Operations that protect and defend information and information systems by ensuring their confidentiality, authentication, integrity, availability, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.”

Page 22: The Concern NOW is . . .

Protect, Defend . . . Integrity, Confidentiality, Authentication, Non-Repudiation, Availability . . . & Restoration of Info

Page 23: New Direction - New Challenges

Information Assurance (IA) Leadership for the Nation

Provide - - solutions, products and services, and conduct defensive information operations, to achieve - - IA for U.S. Critical Information Infrastructures operating in a global network environment

Page 24: Get Engaged . . .

Move from INFOSEC . . . to . . . Information Assurance

[Diagram: IA cycle - Protect, Detect, React, Restore]

Page 25: Why is Information Assurance important?

Page 26: OUR CONCERN IS . . . Our ability to NETWORK . . . has exceeded . . .

[Chart: Growth Rate = 79%]

Page 27: . . . our ability to protect

Between 1996 & 2006 the U.S. will require more than 1.3 million new highly skilled IT workers (90% growth rate):

• 137,800/yr. to fill new jobs
• 244,000/yr. to replace workers leaving IT fields

The Digital Work Force. U.S. Dept. of Commerce, Office of Technology Policy, June 1999

Page 28: Current Capacity to Produce

In 1994 only 24,553 U.S. students earned bachelor’s degrees in computer and information sciences

You do the math:
95,000 IT workers needed/yr.
- 24,553 IT degrees earned/yr.
= 70,447 deficit/yr.

ALL requiring IA education and training

Page 29: President’s Commission (October 1997)

President’s Commission on Critical Infrastructure Protection (PCCIP)
http://www.pccip.gov/

National Goal: Achieve & maintain ability to protect critical infrastructure . . .

Page 30: Critical Infrastructures

• Telecommunications
• Electric Power
• Banking & Finance
• Oil & Gas Delivery & Storage
• Water
• Emergency Services
• Government Services

Page 31: What’s being done?

Presidential Decision Directive 63 (1998)

“It has long been the Policy of the United States to assure the continuity and viability of critical infrastructures. I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.”

www.ciao.gov

Page 32: PARTNERING

[Diagram: ACADEMIA, INDUSTRY, GOVERNMENT]

Page 33: Partners - Provide IA through Cyber Defense by moving from the . . .

Protect mode of securing:
• Networks
• Servers
• Workstations

. . . to the . . . Detect & Report modes:
• Improve attack sensing & warning
• Data fusion & analysis
• Determine source, intent, impact, then report it

. . . and finally to the . . . Respond mode:
• Restore - damage, recover, and verify operations
• Pursue - contact appropriate legal authorities

Page 34: The Bottom Line

Be aware of the complexity of, and the threats to, business and government infrastructures, and understand the security procedures designed to protect networks from information attacks.

Page 35: For more information on IA . . .

• PDD-63 and the Presidential Commission Report on Critical Infrastructure Protection: http://www.pccip.gov/info.html
• Defense Information Systems Agency (DISA) Awareness and Training Facility: http://www.disa.mil/ciss/cissitf.html
• National Security Telecommunications and Information Systems Security Training Standards: http://www.nstissc.gov
• National INFOSEC Education Colloquium: http://www.infosec.jmu.edu/ncisse
• National Institute for Standards and Technology (NIST) Computer Security Clearing House: http://csrc.nist.gov/welcome.html
• National Security Agency INFOSEC Page - National INFOSEC Education and Training Program: http://www.nsa.gov:8080/isso/programs/nietp/index.htm