1
A Comprehensive Framework for Information Assurance
Abe Usher, CISSP
2
Agenda
Introduction
Information Assurance defined
What you need to know
A comprehensive (lightweight) framework
Demonstrations
IATAC resources
Questions
3
Introduction: whoami
Deputy Director of the Information Assurance Technology Analysis Center (IATAC)
Certified Information Systems Security Professional (CISSP)
M.S. in Information Systems
Creator of the INFOSEC Zeitgeist
Former infantry officer
Geek
4
Introduction: purpose
To provide an information briefing on a simple, yet comprehensive framework for thinking about Information Assurance (IA) issues
5
IA defined: old perspective
Information Security:
“Protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.[1]”
John McCumber, 1991
6
IA defined: contemporary perspective
Information Assurance:
“Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.[2]”
Confidentiality: assurance that information is not disclosed to unauthorized individuals, processes, or devices.
Integrity: quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
Availability: timely, reliable access to data and information services for authorized users.
NSTISSI No. 4009, "National IA Glossary," May 2003
7
What you “need to know”
Technologist perspective:
– TCP/IP stack details
– Firewalls
– Intrusion detection
– Anti-virus
– INFOSEC Research Council hard problems list
Policy perspective:
– DoD 8500 series documents
– DoD 5200 series documents
– DoD 8100 series documents
– NIST 800 series documents
– National Strategy to Secure Cyberspace
– DoD IA Strategy
– DITSCAP / NIACAP
Operator perspective:
– IS Alliance: Common Sense Guide for Home and Individual Users
– IS Alliance: Common Sense Guide for Senior Managers
8
Common criteria
9
What you “need to know”
Do we lose the forest while looking at the trees?
10
Thoughts on classification
“The beginning of all understanding is classification.”
Hayden White
11
A comprehensive, yet “lightweight” framework
12
Thoughts on classification
“Classification is, in fact, a general method used by us all for dealing with information… So by classification we can organize our knowledge of the [plant kingdom] into a system which stores and summarizes our information for us in a convenient manner…
Clearly, some systems by which we can organize this knowledge, make generalizations and predictions, and simply reduce the sheer bulk of data with which we have to deal, is not only desirable but essential.”
Charles Jefferies, An Introduction to Plant Taxonomy
13
A comprehensive, yet lightweight framework
17
Case study: confidentiality of information in transmission
Alice views an information resource belonging to Bob using a plain-text protocol
Information state: transmission
Security service: confidentiality
Security countermeasure: encryption [3], secure transmission medium, frequency hopping, obscure system interface, access controls
19
Interactive Web-based version
20
Case study: availability of net-based resources
Bob wants to view a Web resource belonging to Alice
Information state: storage, transmission
Security service: availability
Security countermeasure: traffic filtering/blocking [4], rate limiting, functional redundancy, data redundancy, load balancing, acceptable use policy, business continuity of operations plan
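As an added example that is not part of the presentation, the two case studies above modelled as cells of the information-state × security-service grid, with a coverage check that reports which cells of a scenario no deployed countermeasure addresses. The countermeasure names come from the slides, but which cells each one covers, and the `coverage`/`gaps` functions, are my own assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

STATES = ("storage", "processing", "transmission")            # information states
SERVICES = ("confidentiality", "integrity", "availability")   # security services
Cell = Tuple[str, str]                                        # (state, service)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cells: FrozenSet[Cell]  # cells of the framework this control addresses


@dataclass(frozen=True)
class Scenario:
    description: str
    states: Tuple[str, ...]  # one scenario may span several states (case study 2)
    service: str

    def __post_init__(self) -> None:
        if self.service not in SERVICES or any(s not in STATES for s in self.states):
            raise ValueError(f"unknown state or service in {self.description!r}")

    def cells(self) -> List[Cell]:
        return [(state, self.service) for state in self.states]


def cm(name: str, *cells: Cell) -> Countermeasure:
    return Countermeasure(name, frozenset(cells))


# Countermeasures named on the slides; which cells each covers is assumed here.
CATALOG = {c.name: c for c in (
    cm("encryption", ("transmission", "confidentiality"), ("storage", "confidentiality")),
    cm("access controls", ("storage", "confidentiality"), ("processing", "confidentiality")),
    cm("traffic filtering", ("transmission", "availability")),
    cm("rate limiting", ("transmission", "availability"), ("processing", "availability")),
    cm("data redundancy", ("storage", "availability"), ("storage", "integrity")),
    cm("load balancing", ("processing", "availability"), ("transmission", "availability")),
)}


def coverage(scenario: Scenario, deployed: List[Countermeasure]) -> Dict[Cell, List[str]]:
    """Map each cell the scenario touches to the deployed controls that address it."""
    return {cell: sorted(c.name for c in deployed if cell in c.cells) for cell in scenario.cells()}


def gaps(scenario: Scenario, deployed: List[Countermeasure]) -> List[Cell]:
    """Cells of the scenario that no deployed countermeasure addresses."""
    return [cell for cell, names in coverage(scenario, deployed).items() if not names]


CASE_1 = Scenario("Alice views Bob's resource over a plain-text protocol", ("transmission",), "confidentiality")
CASE_2 = Scenario("Bob views a Web resource belonging to Alice", ("storage", "transmission"), "availability")
```

With only rate limiting deployed, `gaps(CASE_2, [CATALOG["rate limiting"]])` still reports the storage/availability cell open, which is the kind of blind spot the classification is meant to surface.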
23
IATAC Resources
IAnewsletter
IA Digest
Technical inquiries
Technical repository
On the Web at:
– http://iac.dtic.mil/iatac
– https://iatac.dtic.smil.mil
24
Questions
25
Backup slides
26
References
[1] McCumber, John. "Information Systems Security: A Comprehensive Model". Proceedings of the 14th National Computer Security Conference. National Institute of Standards and Technology. Baltimore, MD. October 1991.
[2] NSTISSI No. 4009, "National INFOSEC Glossary," January 1999.
[3] OpenSSH protocol. Designed through the OpenBSD project at http://www.openbsd.org/. Latest release September 2003.
[4] Linux Planet. Traffic filtering by IP Address. http://www.linuxplanet.com/linuxplanet/tutorials/1527/5/. February 2000.
[5] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A Model for Information Assurance: An Integrated Approach". Proceedings of the 2001 IEEE Workshop on Information Assurance and Security. U.S. Military Academy. West Point, NY. June 2001.
27
Information Security Zeitgeist
Provides a graphical depiction of the emergence and disappearance of hot topics in information security over time
Inspired by the Google Zeitgeist report
On the Web:
http://www.sharp-ideas.net/research/infosec_zeitgeist.html
http://www.google.com/press/zeitgeist.html