
Nebraska University Consortium on Information Assurance

Nebraska University Consortium on Information Assurance. Information Assurance: Where We’ve Been and Where We’re Going Prepared for INFRAGARD Knoxville, Tenn. 15 December 2005 Blaine W. Burnham, PhD Executive Director, Nebraska University Consortium for Information Assurance,(NUCIA)





Presentation Transcript


  1. Nebraska University Consortium on Information Assurance Information Assurance: Where We’ve Been and Where We’re Going Prepared for INFRAGARD Knoxville, Tenn. 15 December 2005 Blaine W. Burnham, PhD Executive Director, Nebraska University Consortium for Information Assurance,(NUCIA) College of IS&T Peter Kiewit Institute University of Nebraska, Omaha Blaine Burnham Ph.D

  2. IA: Been There, Done That • Outline • What is Information Assurance • Threat • What are the Parts, a Taxonomy • What have we Learned and When • Where are we Now • Where are we Going • To Be Informed • Management Challenges • Credentials

  3. IA: Been There, Done That • What is Information Assurance • A triple (Users, Information Objects, Policy) • An Environment • A Threat • Technologies, Practices, Procedures • The attenuation of the threat to an acceptable level of risk

  4. IA: Been There, Done That • Is Information Assurance a “NEW” idea? • Very Old Concept / Practice • People have Needs: Information has Value • Well-developed solutions • Pre-literate: The Oral Tradition • Literate: India ink, multiple copies, notaries • People have long-developed instincts • How do you know if your car is stolen?

  5. IA: Been There, Done That • Why is it so Difficult? • We need to understand that Security is a Global System property • Need to secure the whole system • A Non-Observable Property • Generally cannot tell if it is working correctly • And we need to understand what is happening – the physics of information has changed • Our way of thinking has not changed - enough

  6. IA: Been There, Done That • Why is there Information Assurance? • In the computing environment the needs and value persist, the Instincts Fail • How do you know if your data is stolen or changed? • The Environment is not an extension of what we are used to • The physics of information is different • Information Binding • What is it and how does it work • Oral Tradition • Paper • Electronics • Something very different must happen to enable us as a culture / society to get to what we need!

  7. IA: Been There, Done That • Threat • The Wedge • Whatever Works • Technology • Simple to very Sophisticated • Social Engineering • Weak and Flawed Software (Viruses, Worms, BOF, other) • Access (War Driving) • Hardware Reverse Engineering • Software Reverse Engineering

  8. IA: Been There, Done That • Threat • Three Levels • Low End – Ankle Biters - Stop These • High End – State Sponsorship - Get Help • Mid Range - The Mercs – THE Problem • Wild Cards • Terrorists • Competition • Considerable Overlap • Tech transfer • Leverage • Motivation

  9. IA: Been There, Done That • What are the Parts • A Taxonomy • Policy • Membership • Boundary • Damage detection and recovery • Secure System Management • Connection and Separation • Assurance

  10. IA: Been There, Done That • An IA Taxonomy • Membership • Users • Software • Hardware • Policy • Well-defined / Consistent / Implementable • Clear / Unambiguous • Boundary • Who / What / Where

  11. IA: Been There, Done That • An IA Taxonomy (cont) • Damage Detection and Recovery • Will Happen • Prepare in Advance • Who do You Call • Incident Handling / Forensics / Disaster Recovery • Connection / Separation • Policy Level Negotiation • Consequence of Connectivity • A Risk Accepted by ONE is a Risk Shared by ALL (and ALL may not know it) • Not All Equals are Equal • How Do You Decide

  12. IA: Been There, Done That • An IA Taxonomy • Secure System Management • This is not other duties as assigned • Requires special attention • Outsourcing is popular / Let’s talk about that • Assurance • The Really Hard Part • How do You decide “Good Enough” • Lots of Parts • Deserves its own segue

  13. IA: Been There, Done That • About Assurance • What is it? • Circular Definitions • Confidence ~~ Assurance ~~ Confidence • Not a lot of help • Complicated Definitions • Trustworthy ~~ Trust(ed) ~~ Security Assurance ~~ Information Assurance • Throw in High Assurance just to clarify Things • Parts • Policy Assurance, Design Assurance, Implementation Assurance, Operational or Administrative Assurance

  14. IA: Been There, Done That • More About Assurance • What is it? • None of these attempts is “wrong”. • Some not too useful / not too much insight. • How about? • Assurance is the basis for the belief that a system will behave as expected. • Assurance is about Behavior • Assurance is Operational • A side benefit is Assurance can be cumulative and have scope.

  15. IA: Been There, Done That • What is not Assurance • The Classical exceptions • Emphatic Assertion (aka Rivers of Impassioned Rhetoric (Dan Edwards)) • Security Through Obscurity • I couldn’t find any Flaws • Challenges / Contests • Any of this sound familiar (E-Voting machines?) • Somewhat at odds with the S&R community • Not Probabilistic • Generally cannot build a High Assurance System out of Low Assurance Components • The Problem / Perception of Testing

  16. IA: Been There, Done That • Why Should Anyone Care? • Malicious Code is THE weapon of choice. • Schell: “Science, Pseudoscience, Flying Pigs” • Very Subtle • The Ken Thompson Paper • Understand the potential economic consequences • The Pipeline • The “Problem” with Western Code • Understand the Technical Consequences • Pete’s Paper • We know and understand the feature set, we lack high assurance

  17. IA: Been There, Done That • The COTS Conundrum • DOD IT uses Commodity technology as much as possible • Alternatives are hugely expensive, slow to acquire, costly tails, don’t tend to roll forward. • DOD captive of Commercial Assurance Needs • Commercial Assurance needs top out at EAL4 • DOD assurance needs (the critical ones start at EAL4 and UP) • Can’t get to High Assurance with COTS

  18. IA: Been There, Done That • Yet More About Assurance • An Aside • High Assurance and the Marketplace • Claim: Market Forces will eventually drive the Assurance Demands of the marketplace to levels commensurate with the needs of Government. • Active words: Eventually, Commensurate, Needs • Actors: Insurers, Underwriters • Do we need to Consider Risk Models

  19. IA: Been There, Done That • Why High Assurance? • The Risk Model is Changing • We are putting more at Risk • All in favor of Tele-Medicine (HU) • All in favor of Internet Voting (HU) • The Threat Model is Changing • Progressively Less Control over the Computing “Undercarriage”. • More “bad actors” have greater Access • Very Strong Verification (High Assurance) is THE ONLY VIABLE OPTION • ALL Other approaches have been Compromised.

  20. IA: Been There, Done That • What have we learned and when? • Automation of Protected Information in the late 1960s (USAF) • Was this a good idea? • Is the Information Adequately Protected? • Is the Information Equivalently Protected? • How would you decide? • Tiger teams • Not Good News

  21. IA: Been There, Done That • What have we learned and when? • Need to better understand the problem and begin codifying approaches to solutions • Rand Study (the Ware Report) 1970 gets it right. • http://www.rand.org/publications/R/R609.1/R609.1.html • Points out the problem and general direction to remedies with amazing insight • “Probably the most serious risk in system software is incomplete design, in the sense that inadvertent loopholes exist in the protective barriers and have not been foreseen by the designers.”

  22. IA: Been There, Done That

  23. IA: Been There, Done That • What have we learned and when? • How to get it Done • The Anderson Report (72) • “An Advanced development and Engineering program to obtain an open-use, multilevel secure computing capability is described” • Gets it right • Introduces the concept of the reference monitor • The second of the two protection mechanisms we have • Recommends extensions of use for the other protection mechanism – CRYPTOGRAPHY • Whoop! • Work done piecemeal over the next 15 years • Multics showed How (early 70’s) • DEC came Close (early 80’s) See Morrie’s book • http://nucia.unomaha.edu:8080/dspace/bitstream/123456789/61/1/gasserbook.pdf • Gemini got it right

  24. IA: Been There, Done That • What have we learned and when? • S&S (74) Design Analysis and Understanding • In the absence of methodical techniques, experience has provided some useful principles that can guide the design and contribute to an implementation without security flaws • The DEFCON experience and the relation to the S&S Principles • S&S got it right • 100 References • http://www.cs.virginia.edu/~evans/cs551/saltzer/
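As an added illustration (not from the slides), a minimal reference monitor over the (Users, Information Objects, Policy) triple of slide 3, built to the S&S principles named on slides 23 and 24: complete mediation, fail-safe defaults, a tamperproof policy, and an audit trail for damage detection. The users, objects and policy are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample policy: the (Users, Information Objects, Policy) triple as an
# explicit allow relation of (user, object, mode); frozenset keeps it tamperproof.
POLICY = frozenset({
    ("alice", "payroll.db", "read"),
    ("alice", "payroll.db", "write"),
    ("bob", "payroll.db", "read"),
    ("bob", "public.txt", "read"),
})

@dataclass
class ReferenceMonitor:
    policy: frozenset
    audit: list = field(default_factory=list)

    def check(self, user, obj, mode):
        # Fail-safe default: anything not explicitly allowed, including an
        # unknown user or object, is denied; every decision is recorded.
        allowed = (user, obj, mode) in self.policy
        self.audit.append((user, obj, mode, "ALLOW" if allowed else "DENY"))
        return allowed

class ObjectStore:
    """Objects are reachable only through the monitor (complete mediation)."""
    def __init__(self, monitor, contents):
        self._monitor, self._data = monitor, dict(contents)

    def access(self, user, obj, mode, value=None):
        if not self._monitor.check(user, obj, mode):
            raise PermissionError(f"{user} may not {mode} {obj}")
        if mode == "write":
            self._data[obj] = value
        return self._data[obj]

def demo():
    """Constructed requests: an allowed read, a denied write, an unknown user."""
    monitor = ReferenceMonitor(POLICY)
    store = ObjectStore(monitor, {"payroll.db": "salaries", "public.txt": "hi"})
    outcome = {"bob_read": store.access("bob", "payroll.db", "read")}
    for user, obj, mode in [("bob", "payroll.db", "write"),
                            ("mallory", "public.txt", "read")]:
        try:
            store.access(user, obj, mode, "tampered")
            outcome[f"{user}_{mode}"] = "allowed"
        except PermissionError:
            outcome[f"{user}_{mode}"] = "denied"
    outcome["denials"] = [a for a in monitor.audit if a[3] == "DENY"]
    return outcome
```

The audit list is what an incident handler would review: every denied request, including those from users the policy has never heard of, is on record.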

  25. IA: Been There, Done That • What happened and why? • The Money went Away • And so did the people • No funding for academic research • No funding for graduate students • No continuity of people • No continuity of knowledge • For three generations of researchers • So it is not in the schools yesterday and today • The knowledge is not with the vendors!!!

  26. IA: Been There, Done That • What happened and why? • Early 80’s: specification of the core technology – Trusted OS • The Orange Book and TPEP • Build very smart CS designers, researchers and evaluators – in the Government and FFRDCs • The Vendors, more or less clueless, start to hire from Government • Clear opportunity for consultants and several very good consulting firms appear (TIS, Sytek, SCC) • Consulting turns out to be a badly leveraged business model • Consulting firms turn to products to improve business model • Consulting firms caught in the ambiguity of honesty and sales • Consulting firms melt down and become product firms and work for hire. • Good / Great advice gives way to product marketing • Which Products – the LHF – guards, firewalls, IDS • Careful design and thoughtful engineering give way to marketing snakeoil • We have lots of stuff and in the main most of it is only marginally helpful • Heavily weighted toward reactive response • Symptomatic relief not systemic solutions • A Tremendous market position for the Vendors

  27. IA: Been There, Done That • Where are we now and why? • The Buffer Overflow accounts for 85% of attacks. • C – Sucks. Yet Language of Choice for O/S and Services • Huge bloated OS’s that are internally completely fragile • More recent releases with 65000 known problems – Oh Well!! • We know better • Patch and Pray is the Mantra • We accept this behavior in NO other segment of our society • We know better • No Coherent view of Secure System Architecture • Societally Unacceptable • We know better

  28. IA: Been There, Done That • Where are we now and why? • No prevalent Understanding of Foundations • Moving toward Phrenology and Rattles • We know better • Hostage to the 18 month wonder and the last Salesman • A plethora of products of dubious value, clouded pedigree, rarely interoperable • Seriously Muddy Thinking • A flood of books that leave a lot to be desired

  29. IA: Been There, Done That • Where are we now and why? • Muddy thinking (example) • The Books • New Book - just today • “Computer Security Fundamentals” / Easttom • “FYI: “Old” Encryption • PGP is more than ten years old. Some readers might wonder whether it is old and outdated. Cryptography is unlike other technological endeavors in this regard – older is better. It is usually unwise to use the “latest thing” in encryption for the simple reason that it is unproven. An older encryption method, provided it has not yet been broken, is usually a better choice because it has been subjected to years of examination by experts and to cracking attempts by both experts and less honorably motivated individuals. This is sometimes hard for computer professionals to understand since the newest technology is often preferred in the computer business.” • There is so much wrong with this statement that it is hard to know where to start.

  30. IA: Been There, Done That • Where are we now and why? • Law – a Segue • Piecemeal at Best • Bank Secrecy Act • Cable TV Privacy Act of 1984 • Electronic Communications Privacy Act • Fair Credit Reporting Act • Family Educational Rights and Privacy Act • Privacy Act of 1974 • Right to Financial Privacy Act of 1978 • Video Privacy Protection Act of 1988 • GLB • HIPAA • SOX • Online Personal Privacy Act 2002 (not passed)

  31. IA: Been There, Done That • Where are we now and why? • The Law – a Segue • Piecemeal at Best • Anti-Spyware Act • DMCA 1998 • Computer Security Act of 1987 • Paperwork Reduction Act of 1995 • Information Technology Management Reform Act of 1996 • Federal Information Security Management Act of 2002 • NSD 42 • PDD63 • Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 • USA PATRIOT Act • Homeland Security Act of 2002 • This is nuts.

  32. IA: Been There, Done That • Where are we going from Here? • Much greater penetration of computers into societal fabric • Everything that costs over $100 will be IP addressable • Phones • Viruses and assorted hacks underway as we speak • The Fly-by-wire automobile • The unprotected consolidation of information • The Matrix • MATRIX Project — a pilot effort to increase and enhance the exchange of sensitive terrorism and other criminal activity information between local, state, and federal law enforcement agencies. Looks a lot like TIA • And the losses from same • Personal data on 32,000 Americans is stolen from Seisint • ChoicePoint revealed that scam artists had gotten access to personal data on about 145,000 people

  33. IA: Been There, Done That • Where are we going from Here? • More gimmicks and gadgets • Information Security Products • Google: 30,700,000 hits • More marginal advice • Information Security Consultants • Google: 4,900,000 hits • Much greater risk • We are going to insist on computer enabling the foundational processes of the country • E-voting

  34. IA: Been There, Done That • Management Challenges • Strategies • You need to Lead • E.g. Defense in Depth • Multiple Layers • Good idea – expensive • The People Part of the Equation • You need to Lead • Don’t Expect More Than YOU Are Willing to Give • Don’t Be Afraid to Get Help • Becoming Harder in the Market Place • Too Much Snake oil • IA is a 2-5 Billion Dollar Snakeoil Business

  35. IA: Been There, Done That • To Be Informed • Conferences • Good ones and not good ones and how to tell the Difference • Workshops • Hacker du Jour and Others • Training and Short Courses • NBDC and Others • Academic Programs • UNO and Others

  36. IA: Been There, Done That • Where are we going from Here? • People will have to exercise their political muscle to start to rectify the problem • Software Liability • Professional Standards • Demand Much Greater Accountability • It is a societal issue that needs to be treated as such

  37. IA: Been There, Done That • Credentials • CISSP • Certification • SANS • Microsoft • Cisco • Novell • Other?
