National INFOSEC Education & Training Program

1
Educational Solutions
National INFOSEC Education
and Training Program
for a Safer World
http//www.nsa.gov8080/isso/programs/nietp/index.h
tm
2

• Introduction
• to
• Information Assurance (IA)

07 July 1999
3
The Course Objective is -

• To introduce the student to Information
  Assurance,
• Present the macro problem facing the global
• information network infrastructure and,
• Define Information Assurance and what is
• being done to protect infrastructures.

4
What is Information Assurance and . . .
why should I care?
5

• Information Assurance is . . .
• Information Operations (IO) that protect and
  defend
• information and information systems by
  ensuring their
• confidentiality,
• authentication,
• integrity,
• availability, and
• non-repudiation.
• This includes providing for restoration of
  information
• systems by incorporating
• protection,
• detection, and
• reaction capabilities.
• (Definition from National Information Systems
  Security
• (INFOSEC) Glossary, NSTISSI No. 4009, Aug
  1997)

6
National Infrastructures At Risk

• Landscape is changing
• PCCIP/PDD 63

7
INFORMATION ASSURANCE
Interlocking Communities
Served by Interlocking Information Infrastructures
Electronic Commerce Electronic Mail Electronic
Data Interchange Electronic Funds Transfer File
Transfer Information Search/Retrieval
GII


FII
DII
NII
Requiring
PROTECT
DETECT
RESPOND
RECONSTITUTE
8
You Are Here!
You Are Here!
The number of internet users will quadruple from
36.0 million in 1997 to 142.0 million by the
year 2002 Avg. annual growth rate 53
9
H I S T O R Y
Evolution of
Information Assurance
In the 20th Century
10
In the Beginning . . . There was COMSEC

(Communications Security ) Measurement and
controls taken to deny unauthorized persons
information derived from telecommunications and
to ensure the authenticity of such
telecommunications. COMSEC includes
cryptosecurity, trans- mission security,
emissions security, physical security of
COMSEC material.
11

• Confidentiality -
• Assurance that information is not disclosed to
• unauthorized persons, processes, or
  devices.

• In condensed form . . .
• Protection from unauthorized disclosure
• or
• No one but you and the sender knows

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No.
4009, Aug 1997)
12

• Authentication -
• Security measure designed to establish the
  validity of a
• transmission, message, or originator, or a
  means of verifying
• an individuals authorization to receive
  specific categories of
• information.

• In condensed form . . .
• Verification of originator
• or
• Knowing for sure who sent the message

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No.
4009, Aug 1997)
13

The Threat/Concern Was . . .
Sender
Receiver
. . . listening in on private
communications
14
Then there was . . . COMPUSEC (80/90s)
Measures and controls that ensure
confidentiality, integrity, and availability of
information system assets including hardware,
software, firmware, and information being
processed, stored, and communicated.
(Computer Security)
15

• Integrity -
• Quality of an Information System (IS)
  reflecting the local correctness
• and reliability of the operating system
  the logical completeness of the
• hardware and software implementing the
  protection mechanisms and
• the consistency of the data structures and
  occurrence of the stored data.

• In condensed form . . .
• Protection from unauthorized change
• or
• Person hearing/receiving exactly what you
  said/sent

• (Definition from National Information Systems
  Security
• (INFOSEC) Glossary, NSTISSI No. 4009, Aug
  1997)

16

• Availability -
• Timely, reliable access to data and information
• services for authorized users.

• In condensed form . . .
• Assured access by authorized users
• or
• Having a dial tone when you want one

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI
No. 4009, Aug 1997)
17
This COMPUSEC Threat/Concern expanded to . . .
Malicious Logic
Access
Hacker
Private communications
User
Security Breach (password)
18
The Concern later increased to include both . . .

• COMSEC . . . and . . .
• COMPUSEC

19
This COMSEC/COMPUSEC merger formed . . .
INFOSEC
(90s) Protection of
information systems against unauthorized access
to or modification of information, whether in
storage, processing, or transit, and against the
denial of services to authorized users, including
those measures necessary to detect, document, and
counter such threats.
(Information Systems Security)
20

• Non-Repudiation -
• Assurance the sender of data is provided with
  proof of delivery
• and the recipient is provided with proof of
  the senders identity,
• so neither can later deny having processed
  the data.

• In condensed form . . .
• Undeniable proof of participation
• or
• Like receipt-requested mail - each knows the
  other got it

• (Definition from National Information Systems
  Security
• (INFOSEC) Glossary, NSTISSI No. 4009, Aug 1997)

21
Today . . . we speak Information
Assurance (Now/Future) Information Operations
that protect and defend information and
information systems by ensuring their
confidentiality, authentication, integrity,
availability, and non-repudiation. This includes
providing for restoration of information systems
by incorporating protection, detection and
reaction capabilities.
22
The Concern NOW is . . .
Protect, Defend . . .
Integrity
Authentication
Confidentiality
Non-Repudiation
Availability
. . . Restoration of Info
23
New Direction
New Challenges
Information Assurance (IA) Leadership for the
Nation
Provide - - solutions, products and services,
and conduct defensive information operations,
to achieve - - IA for U.S. Critical
Information Infrastructures operating in a global
network environment
24
Get Engaged . . . Move from INFOSEC . . . to .
. . Information Assurance
Protect
Detect
IA
Restore
React
25
Why is Information Assurance important?
26
OUR CONCERN IS . . .Our ability to NETWORK . . .
has exceeded ..
Growth Rate 79
27
Our ability to protect

• Between 1996 2006 the U.S. will require more
  than 1.3 million new highly skilled IT workers
  (90 growth rate)
• 137,800/yr. to fill new jobs
• 244.000/yr. to replace workers leaving IT fields

The Digital Work Force. U.S. Dept. of Commerce,
Office of Technology Policy, June 1999
28
Current Capacity to Produce
In 1994 only 24,553 U.S. students earned
bachelors degrees in computer and information
sciences
You do the math 95,000 IT workers
needed/yr.
-24,553 IT degrees earned/yr.
70,447
Deficit / Yr.
ALL requiring I A education and training
ALL requiring I A education and training
29

• Presidents Commission
• (October 1997)
• Presidents Commission on Critical Information
  Infrastructure Protection (PCCIIP)
• http//www.pccip.gov/
• National Goal
• Achieve maintain ability to protect critical
  infrastructure . . .

30

• Critical Infrastructures
• Telecommunications
• Electric Power
• Banking Finance
• Oil Gas Delivery Storage
• Water
• Emergency Services
• Government Services

31
Whats being done? Presidential Decision
Directive 63 (1998) It has long been the Policy
of the United States to assure the continuity and
viability of critical infrastructures. I intend
that the United States will take all necessary
measures to swiftly eliminate any significant
vulnerability to both physical and cyber attacks
on our critical infrastructures, including
especially our cyber systems. www.ciao.gov
32
P A R T N E R I N G
ACADEMIA
INDUSTRY
GOVERNMENT
33

• Partners - Provide IA through Cyber Defense by
  moving from the . . .
• Protect mode of securing
• Networks
• Servers
• Workstations, . . . to the . . .
• Detect Report modes
• Improve attack sensing warning
• Data fusion analysis
• Determine source, intent, impact, then report
  it, and . . .finally to the . . .
• Respond mode
• Restore - damage, recover, and verify
  operations
• Pursue - contact appropriate legal authorities

34
The Bottom Line Be aware of the complexity of
and the threats to business and government
infrastructures and understand the
security procedures designed to protect networks
from information attacks
35

• For more information on IA . . .
• PDD-63 and the Presidential Commission Report
  on Critical Infrastructure
• Protection http//www.pccip.gov/info.html
• Defense Information Systems Agency (DISA)
  Awareness and Training
• Facility http//www.disa.mil/ciss/cissitf.htm
  l
• National Security Telecommunications and
  Information Systems Security Training
• Standards http//www..nstissc.gov
• National INFOSEC Education Colloquium
  http//www.infosec.jmu.edu/ncisse
• National Institute for Standards and Technology
  (NIST) Computer Security Clearing
• House http//csrc.nist.gov/welcome.html
• National Security Agency INFOSEC Page -
  National INFOSEC Education and Training
• Program http//www.nsa.gov8080/isso/program
  s/nietp/index.htm