IT Security

... conflict with A. After accessing dataset B, the Chinese Wall will be modified to include all datasets in conflict with B. This policy differs greatly from traditional computer security policies that are based on the military classification model. In the military security model a user is given a clearance that designates a level of information up to which the user has complete access (more restrictive models are possible, but will not be discussed further in this paper). All information in the military system is then classified at a particular security level. It is this level that is compared with the user's clearance to determine if access is permitted. No past access history is evaluated and thus the information that the user can potentially access will not change.

Fundamental Concern of Computer Security

One of the major flaws in computer security is people being unaware of how to effectively exploit information security to the benefit of the company. Security-unaware users have specific needs and requirements but usually do not possess any security expertise. This flaw is clearly visible in current strategies of security evaluation. Security evaluation allows the user to check whether or not a product will deliver a promised security service. For the product to be successful, the function of the security system has to be accurately stated; however, one of the fundamental flaws in security is that users need assurance that the security controls will be effective and withstand penetration attempts. To fully exploit information security, the user must be able to effectively evaluate the security service.

The Orange Book was one of the first guidelines established for the evaluation of security products (operating systems). Under these guidelines functionality and assurance are tied together into predefined classes. A major flaw in these guidelines is that users can only choose from this set menu.
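The contrast drawn in the opening passage, between a Chinese Wall that grows with each access and a military check that compares a level with a fixed clearance, can be seen by running both decisions side by side. This is an added example, not code from the original paper; the dataset names, conflict-of-interest classes and level names are constructed assumptions.

```python
"""Added illustration: history-based (Chinese Wall) vs. level-based (military) access checks."""
from dataclasses import dataclass, field

# Constructed sample data (not from the page): each dataset is assigned to one
# conflict-of-interest class; datasets in the same class are "in conflict".
CONFLICT_CLASS = {
    "Bank-A": "banking",
    "Bank-B": "banking",
    "Oil-A": "petroleum",
    "Oil-B": "petroleum",
}


@dataclass
class ChineseWallSubject:
    """A user whose permitted accesses depend on what they have already read."""
    name: str
    # conflict class -> the one dataset of that class this user has accessed
    history: dict = field(default_factory=dict)

    def wall(self):
        """Datasets behind the wall: everything in conflict with a past access."""
        return sorted(
            ds for ds, cls in CONFLICT_CLASS.items()
            if cls in self.history and self.history[cls] != ds
        )

    def may_read(self, dataset):
        """Permit a dataset unless a conflicting one was accessed earlier."""
        if dataset not in CONFLICT_CLASS:
            raise ValueError(f"unknown dataset: {dataset!r}")
        held = self.history.get(CONFLICT_CLASS[dataset])
        return held is None or held == dataset

    def read(self, dataset):
        """Attempt an access; a grant extends the wall, a denial changes nothing."""
        if not self.may_read(dataset):
            return False
        self.history[CONFLICT_CLASS[dataset]] = dataset
        return True


# Military classification model: ordered levels (assumed names), a fixed
# clearance per user, and no access history.
LEVELS = ("unclassified", "confidential", "secret", "top secret")


def military_may_read(clearance, classification):
    """Access is permitted when the object's level does not exceed the clearance."""
    return LEVELS.index(classification) <= LEVELS.index(clearance)


def demo():
    """Replay one sequence of requests; return (request, decision, wall) tuples."""
    user = ChineseWallSubject("analyst")
    trace = []
    for ds in ("Bank-A", "Bank-B", "Oil-B", "Oil-A", "Bank-A"):
        granted = user.read(ds)
        trace.append((ds, granted, user.wall()))
    return trace


if __name__ == "__main__":
    for ds, granted, wall in demo():
        print(f"{ds:7} {'granted' if granted else 'denied':7} wall={wall}")
    # The military decision is the same no matter what was read before.
    print(military_may_read("secret", "confidential"),
          military_may_read("secret", "top secret"))
```

The same user is refused Bank-B only because Bank-A was read first, whereas the military check returns the same answer for a given clearance and level at every point in the sequence.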
Due to this rigidity, a need for a more flexible set of criteria was highlighted. Thus the European Information Security Evaluation Criteria was put forth. Under these criteria functionality and assurance are separated, allowing for the examination of specific targets of evaluation (TOE). The user is requested to make sense of specific TOEs and a comparison of products evaluated can be accessed against different TOEs.

This lack of security user awareness can appear in many forms. Education has become the primary and most pressing challenge of the security industry to date. A solution to this flaw in computer security is ease-of-use security packages, whereby the problem can be relegated to one of an engineering trade-off. Security's impact on performance, however, is manifold:

* Effective management of security requires effort. Therefore buyers of computer security systems often opt for the package which has the best graphical user interface. This can often be a serious problem, as the package may "look good" but may fail to deliver the level of security needed.
* Security often interferes with established work patterns, which may hinder users. Rigid security measures which are clumsy or inappropriate can lead to a loss of productivity.
* Introduction of security into an organisation can often require the introduction of additional computational resources, the cost of which can be easily quantified.

Management often feel that security is a cost that must be justified. But the potential damage of having a security breach can be assessed by using risk analysis.

Analysing the Risk of "No Security"

Analysis of risk has, for many companies, become a prerequisite for the introduction of security into a company. Risk management allows companies the benefit of cost-justifying new information system security, while being able to avoid the implementation of expensive and often unnecessary controls.
The use of risk analysis techniques provides a means for critically forecasting the financial benefits of a selected security mechanism against the initial costs of the investment. Risk analysis methodologies are most often grounded in a fundamentalist paradigm approach. This approach represents a viewpoint that is concerned with the regulation and control of all of the organisation's objectives and affairs. This approach arises mainly from the work of Durkheim, whereby researchers assume that the social world is in fact composed of concrete empirical artefacts. They believe that the natural sciences are the best methodology to use in understanding such artefacts and their relations.

Risk analysis methods which use this paradigm often take a prescriptive and normative approach whereby practical problems are given practical solutions. Under this method, it is suggested that negative events can be prevented and that information systems can be made secure if countermeasures to a security breach are implemented in a straightforward, logically sequential manner. Theorists such as Kailay and Jarratt 1994, Birch and McEvoy 1992 and Parker 1981 all prescribe methodologically discrete steps to risk analysis. These steps or approaches are controlled scientifically and can be said to have developed linearly.

For example, Birch and McEvoy in 1992 put forth a structured risk analysis methodology which views the information system as a set of data structures, data processing, and events in a system. Use of this methodology in evaluating risk requires that the user see the correspondence between a threat and vulnerability. This approach relies heavily on systems theory concepts. With the automation of risk analysis methodologies in recent years, managers have been able to gain a valuable decision-making tool while having little or no experience with risk analysis methodologies.
CRAMM, or CCTA Risk Analysis And Management Methodology, is used by managers to conduct risk analysis and other related management reviews. Theorists such as Baskerville (1998) have sought to minimise the importance of risk analysis. Baskerville believed (REF) that the "best approach to the development of security analysis and design methodology, both for office use and for field practice in general, would essentially be to nest it as a component part of an existing, established, successful overall information systems analysis and design methodology." To further illustrate this point he argued that a structured security analysis and design can be carried out in much the same way as a structured systems analysis. He used DeMarco's structured systems analysis and specification approach and implemented controls in its logical design phase. Controls can be identified by the development of formal heuristics. However, from a basic functional level, starting from a different set of assumptions, Baskerville's approach is similar to other approaches.

The use of risk analysis as a method for building secure systems has always encountered strong criticism. Clements in 1977 stated that classical probability theory was inappropriate to assess security risks, as risk is inherently random in nature. Clements put forth his own theory, which was based on the theory of fuzzy sets, for evaluation of data processing installations. In comparison there is little difference in regard to the basic assumptions underlying each of the risk analysis methods. Upon examination it becomes evident that the boundaries between the different classes of risk analysis are uncertain.

Management of IS Security

Researchers argue that in order for security to be successful, the organisation must select a framework for interpreting the management of information system security.
In the security industry there has been a rise in the number of interpretive approaches used to analyse, design and manage the installation of a security mechanism. The security industry as a whole suffers because researchers are still locked within functionalist traditions which depend upon conceptions based upon the nature of reality. The major failing of the functionalist tradition is that it is more suited to the natural sciences (Galliers 1991). Security, which needs the support of senior management, cannot be constructed on a scientific discipline, but must rather be constructed on a framework which enables management to see the necessity and the potential cost savings of an effective security mechanism. Preston (1991), in an effort to move researchers away from the development of security based upon scientific methods, called upon information system researchers to examine the underlying assumptions and theoretical constructs that have previously shaped their understanding.

Selection of a Methodology

In order to select the correct methodological base, the designer or the committee must understand the construction and the layout of the organisation as a whole and all of its societal and political viewpoints, both internally and externally. Burrell and Morgan argue that the selection of an appropriate approach relies on a set of assumptions based on Ontology, Epistemology and Human Nature. They believe that: "all theories of organisation are based on a philosophy of science and a theory of society"

The interpretative approach views organisations and information systems as human constructs that are shaped by an individual's perception of reality. Beneficially, they allow different groups to identify and relate to each other within the organisational construct.
Walsham (1993) stated: "that this is a dynamic process of action/context interweaving which is fundamental to understanding the process of organisation change and the role of information systems." Liebenau and Backhouse (1990) argued that organisational components such as the formal, informal and technical parts of the environment are constantly in a state of interaction. These considerations allow the designer to understand the nature of system security by evaluating the names, concepts, labels and signs which are used to structure reality. However, the formulation of effective security requires a deep understanding of the social world, where reality is formed on the basis of individual cognition or perception. This point was championed by Burrell and Morgan (1979), who regarded "labels" and "signs" as artificial constructs which enable an individual to describe and make sense of the external world. Security therefore should be considered internally rather than externally.

Considerations about human nature can significantly alter the choice of a methodology. These considerations come from the models of man expressed in most social-scientific theories. In nature these models can be either voluntarist or determinist. Determinist models conclude that individuals and their activities are determined by their given situation, whereas the voluntarist models recognise that man is autonomous and completely free willed. Therefore the above considerations outline that the security of information systems can only be examined by developing a realistic understanding of the social context. Acceptance of a security mechanism hinges on its ability to provide acceptance.

Theoretical Considerations for the Management of Information Security

There are a number of different theoretical approaches which can be used in the development of a methodology. The most common methodologies stem from research in understanding and evaluating computer-based systems in organisations.
In a research study compiled by Kling and Iacono (1989), information systems have been linked to organisational structures and the circumstances in which they become institutionalised. Because the management of information systems security is by its very nature a dynamic process rather than a static one, most of the previous security methodologies no longer apply in a current context. One researcher who seems to have overcome this problem is Pettigrew (1985). Pettigrew is the originator of the Contextualist Approach, which is concerned with 3 elements:

* The process component
* The context component
* And the outcome component

This approach regards decision making and problem solving as containing components which are "haphazard" and regards organisations as systems of political action. Despite being an effective methodology, the approach suffers from a number of drawbacks:

* The concept fails to provide a means for analysing the various stakeholder groups which wield power within the organisation.
* A complete method of evaluating the linkages between the contexts and the processes is not detailed in the methodology, despite Pettigrew placing a great deal of emphasis on the importance of these linkages.
* Pettigrew does not, despite it being of fundamental importance to the approach, place enough importance on what he calls the outer context levels and the other contextual levels.

One theorist who seems to be able to identify the linkages between contexts and the processes is Walsham, who built on Giddens' Structuration theory, which is associated with a developing trend in social theory towards integration, synthesis and metatheorising. The main reasoning behind the theory is to highlight and resolve the debate between individualistic human agents and actions as opposed to the structure of organisation societal culture.

Semiotics (theory of signs) has recently begun to influence security methodologies.
Semiotics is based on the work of Saussure (1966) and Peirce (1958). Eco (1976) argued that semiotics bases itself largely on a linguistic model, which by its very use of language as a sign system is paradigmatic in nature. Semiotics' most practical strength for the formation of a security methodology is the fact that objects, words or any symbol used as a vehicle of communication have no inherent meaning. Meaning can only be attached by context and norms; however, one individual's interpretation of a symbol may differ from another's. This can be a very practical concept in the management of information systems, primarily because security measures are evaluated in tandem with organisational structure.

Concepts of framework

A methodology can be broken into 2 distinctive approaches. The approach can be either:

Nomothetic: The study of hypotheses under scientific principles. The scientific principles used allow for the construction of tests and use quantitative techniques for analysing data.

Ideographic: This approach stresses the importance of individual knowledge of the topic under evaluation. Therefore the technique focuses primarily on a detailed analysis of the history of the topic. The practitioner should be involved in the organisation's day-to-day operations so they can gain knowledge on a personal level.

Conceptual framework for interpreting the management of IS Security

Semiotics can be a valuable methodology in the construction of IS security. Liebenau and Backhouse (1990) developed a staircase model which allows the practitioner to understand the analysis, design and management of information systems by drawing on semiotics through the consideration of four classes identified in the diagram below.

Evaluation of model

Information is often seen as the life blood of the organisation.
The model depicts the business world and the physical world and draws upon Pragmatics, Semantics, Syntactics, and Empirics to derive and analyse an effective security viewpoint. In the model the business world is portrayed as a repertoire of pragmatic structures which represent relationships between workers; these structures are governed by internal organisational structures. Semantics allows the physical world to be analysed by the construction of signs.

The model shows how the physical world is constructed by a series of steps, the beginning of which is the Social World. In the social world of the organisation, staff create and develop systems of norms, culture, values, expectations, political agenda and patterns of behaviour. These social interactions serve as a basis to meld individuals and groups. The next major step is to assign meanings to the different interactions and behaviours, which facilitates the introduction of rules and procedures. There is not a particular flow in the way the steps should be taken, as moving from step to step enables the company to gain a greater depth of understanding.

Using the model

There are six steps which enable the Stairway model to be used for the interpretation of information system security.

Step 1: Evaluation of the Business World

Contained in the Business World is the company's Mission Statement, which provides the practitioner with a detailed statement of the organisation's intent and purpose within the market. The major components of the Business World which are evaluated in relation to the security of information systems are:

* Operational Strategies
* Ethical aspects of human nature.

Step 2: Evaluation of pragmatic organisational Components

Evaluation of the pragmatic aspects of the organisation allows the security practitioner to understand organisational norms and evaluate the company's attitude towards security.
This evaluation of security should highlight staff awareness of security within the company and provides the practitioner with valuable information on how to combat staff unawareness.

Step 3: Analysis of Organisation Semantics

One major failing point of most methodologies is the misapplication and misrepresentation of rules; under semantics, the meanings of staff actions are analysed. Power structures are identified and managers' responsibility centres are detailed, thus enabling the practitioner to assign accountability for actions which are not in the organisation's best interest.

Step 4: Syntactics

The organisation, by using this step, can analyse its rules and procedures in regard to security. Security reviews and audits can be evaluated to see their effectiveness on the organisation's security. Syntactics allow the practitioner to review, examine and prevent:

* Data Integrity
* Availability of Rules
* Availability of Procedures
* Program Bugs
* Software Piracy

Step 5: Empirics

Allows for the technical examination of security issues such as viruses and encryption. Empirics facilitates the organisation's choice of communication channels and enables the analysis of control systems.

Step 6: Examination of the Physical World

The organisation's hardware and physical security issues are evaluated and reviewed.

The model's basic objective is to provide a process of evaluating the social reality of the organisation. Such evaluation can facilitate the practitioner's discovery of specific security concerns which may not have been addressed previously. However, as no methodology is one hundred percent effective, the researcher should not discount other methods which may prove to be just as effective.

Another, more practical framework which is used extensively in business for the formulation of IT security is the PricewaterhouseCoopers information security framework.
The framework allows the practitioner to define the various levels of security that need to be examined and implemented to ensure that the information assets of an organisation are effectively and efficiently secured from threat. The framework is based on and solely derived from a business point of view.

Construction of the Framework

Four Pillars

The framework is composed of four pillars, which form its base. These 4 components of the framework must be in place in order to execute successful information security.

Security Vision and Strategy

Security within the organisation must be viewed as being strategically important to the organisation. Strategy and vision play an integral role in the forming of effective security. The Security Vision is the organisation's overall approach to security, for example: will the organisation be an industry leader in the pursuit of profitable business initiatives and technologies? Strategy involves how the organisation will achieve the protection of its information assets, for example: how will the security organisation support and enable this higher level of strategic vision? The security vision and strategy form a basic charter by which the organisation documents the overall positioning of security within the company. Included should be statements that document senior management's attitudes and expectations as to how security is incorporated into the overall organisational goals and strategies.

Information Management Security Structure

For this to be successful, the structure of the company must be geared for the security of information. The primary goal of any security department is to support and protect the business objectives of the organisation as a whole. The success of this objective will determine the perception, acceptance, and effectiveness of the information security department.
Senior Management Committee

A Senior Management Committee will:

* Set the policy of the organisation
* Understand the business goals of the organisation
* Understand the potential risk involved in the disclosure, loss, alteration, or the unavailability of critical information assets.

The success of any security function the organisation wishes to employ is dependent on acceptance by senior management. Senior management support can be considered from two viewpoints: from a monetary base or a political base. Both must be gained or the project will fail. Without political support from senior management, the information security function will only be marginally successful, regardless of the amount of financial backing. However, this is not to disregard the fact that senior management must provide adequate funding in order to protect the information assets of the organisation. These financial resources range from providing adequate staffing levels and continued education to funding infrastructure projects.

Security Awareness

The key to effective security awareness is the individual employee's understanding of what their security role in the company is. This can only happen with thorough and frequent communication of senior management's expectations. In order to raise employee awareness, the most common approach employed by organisations is to launch a security awareness campaign within the company. Topics addressed by the campaign should include, and not be limited to:

* Basic information security concepts
* PC Security, which educates the user about proper virus protection and the use of proper passwords.
* High level overview of the data classification program and the appropriate handling/destruction of data of the different classifications, if one has been defined
* Awareness of social engineering techniques employed by hackers
* The Security Department's contact details
* Compliance and monitoring processes
* Acceptable use, Internet access, and proper email use guidelines.

The Security Awareness campaign will normally draw on the following tools:

* In-house or commercially prepared newsletters
* Presentations, posters and giveaways
* Custom or commercially available video presentations
* Security awareness days
* Any attention-grabbing way of promoting or marketing the organisation's desire for the security of its information assets.

The framework is composed of three major components, which allow it to be broken down into a more manageable framework.

Decision Drivers

This section of the framework starts with the definition of the company's security policy, which is composed of Business Initiatives and Processes, Threats, Vulnerability and Risk Assessment, and Technology and Usage. These inputs form the development section of the framework. By analysing the inputs, the framework provides the organisation with a valuable tool to "measure" the major factors which influence information security and enable an effective architecture to be constructed. The framework also allows the security practitioner to identify major areas within the organisation which require information to be protected.

Development Phase

The basis for the first stage of the development process is the combination of decision drivers and comprehensive security practices which go into forming the security policy of the organisation. An effective security policy which is based on sound policies and standards will lead to the creation of an effective information security strategy.
This strategy will ensure that the organisation's information assets are guarded at an appropriate level dependent on their criticality to the business. Policies and standards allow the company to cope with environmental change.

Security Model

The Security Model is primarily composed of risk analysis and the classification of information. Thus it serves as a transition period between the construction of policy and the implementation of technology. The security model must be applied not only to information, applications, and systems but also to the organisation's security policy itself.

Risk Assessment

Under the model the information assets of the organisation are classified under the 3 major concepts of information security: confidentiality, integrity, and availability. Control measures are identified to ensure the security measures are properly identified, approved, and maintained. The major goal of risk assessment is to provide a sound understanding of the security risks associated with the organisation's information assets and to ensure that the safeguards employed by the organisation reduce the level of risk associated with a security breach. Under the model, risk is classified under 3 categories:

* Low Risk – baseline tolerance for exposure and minimum threat level
* Medium Risk – medium tolerance for exposures and medium level of threat
* High Risk – low tolerance for exposures and high level of threat.

In order for risk assessment to be successful, the model uses the following exercises to rule out unlikely threats and identify unprotected areas in the organisation's security approach:

Make an evaluation of what information is extremely important, moderately important, or of limited importance to an organisation's business. Classify the information as highly confidential or proprietary, whether it has high degrees of integrity and accuracy, and high availability requirements, and when the information is needed within the corporation.
Review all potential threats to an organisation's operations and determine which are possible and which are unlikely. Using the corporate security policy and standards, define how users work within the various data categorisations.

The model recognises and summarises the consequences of loss as:

* Loss of goods, funds or other tangible assets.
* Loss of competitive advantage
* Loss of competitive information
* Reduction in cashflow
* Loss of orders
* Loss of production efficiency, effectiveness of safety
* Loss of customer or supplier goodwill
* Penalties for breach of statutory obligations
* Public embarrassment and loss of business credibility

In order to classify information assets, the model first recognises and classifies the users of the system's information into 3 categories:

* Information owners: The information owner is a business manager responsible for the creation of a corporate information asset. Mission-critical information can always be traced back to an individual business unit. The manager of the business unit responsible for the creation of any data, or of the business unit directly affected by the loss of the data, is deemed to be the owner of the information.
* Information Custodian: An information custodian is where the information owner delegates responsibility for some information asset to a supporting organisation or information custodian. The delegation of responsibility is normally detailed in a service level agreement between the two entities.
* Information User: An information user can be defined as any employee, vendor, contractor, or other person who is authorised to use the information in the course of their employment.

Once the classification process of the owners of the information has been completed, responsibility and organisational roles need to be assigned.
After this has been completed, the process of identifying the owners of the information asset can begin. To do this the model uses the following criteria:

* Data owners must be from the business unit, not IT
* Support from senior management is crucial, without which the task will not be completed successfully
* Data owners need to have authority through the information security policy to enforce the classifications and related controls

Security Architecture and Technical Standards

The organisation's Security Architecture is the interpretation of the corporate standards at the technical level, based on a combination of policy and technology. Technology standards used by the corporation document technology-specific controls for all the major platforms within the organisation. These documented controls form a basis for the configurations necessary to secure the platforms.

Technical Control Standards

Technical standards help the information security professional with the constant changing of security products and system vulnerabilities. To do this they address two fundamental areas: continuous review of controls and continuous application to the current environment. These 2 areas are necessary in order for the corporation to stay aware of changes within the business environment and derive benefit from these changes.

Security Architecture

One of the major benefits of the model is the fact that it provides a link between the corporate policy and standards and the controls that must be implemented in order to achieve the business objectives of the organisation, thus enabling:

* Management to allow the business objectives to drive the corporate standards, while technology inherits the standards as they are developed.
* Systems personnel to gain an understanding of the business need behind the controls by examining the corporate standard linked to the control.
Implementation

This phase of the framework turns what was merely an academic study beforehand into a practical business model. The major obstacle the corporation will encounter is the implementation of the framework at an operational and technical level. To do this the corporation must use:

Administration and End-User Guidelines and Procedures

These procedures are the practical approach for the implementation of the framework. The corporation should draw up a technology checklist to ensure all components of the framework are implemented; this will ensure that the security will remain consistent throughout all the business platforms. The procedure should be constructed using a combination of organisation-tailored procedures and standard security configuration information for the administration side of the corporation. Once these procedures and policies have been established they can be incorporated on all levels of the organisation.

End-user policies and procedures are an important phase in the implementation plan. The security awareness campaign will have combated user unawareness, but failure to implement end-user policies and procedures effectively can jeopardise the whole security function within the company. Examples of these procedures include:

* Password composition standards
* Backup policies
* Information removal from the corporation

In order to ensure that the implementation phase of the framework is successful, the corporation will require a feedback mechanism. This is incorporated into the process by a number of organisational processes such as:

Monitoring Processes

Include the operational procedures used by system administrators or internal organisational auditors to monitor security levels and overall organisational compliance with the new security policies and standards.
Examples of which are:

* Self audits performed by System Administrators
* Application or Operating systems reviews
* Penetration testing
* External Reviews
* Day to day operations Structure to oversee systems.

Enforcement Process

The processes which systems administrators or internal auditors use to enforce compliance with security levels, policy and standards. These include:

* Administration procedures
* Operational procedures
* Technical procedures

Recovery

Recovery is an important aspect to ensure the security of a company's security initiative. Examples of which are:

* Business continuity planning
* Backup and recovery procedures
* Security Recovery and escalation procedures

Security incidents which arise must be dealt with by the corporation through the use of comprehensive escalation, investigation and resolution procedures. Examples of security incidents are:

* Internal Accidents
* Improper systems usage
* External Threats

If an effective security recovery plan is already mapped and in place, the corporation will be able to reset the security function in an organised fashion when incidents occur.

Construction of Security Program

The US Department of Defence's Information Grid can serve as an effective model to illustrate the importance of security. The information grid provides the department with the means to receive, process, transport, store, manage and protect mission critical information. The information technology challenges for the DoD are the same as those facing all Federal Agencies, as well as multinational corporations and industry as a whole. What sets the DoD apart from these other entities is the size, complexity and national criticality of its mission to the United States. The American Department of Defence is the largest organisation in the States; it has three million people employed, active, Guard, Reserve and civilian, diversified throughout the world at 637 military installations and many other locations.
To administer to this community, it takes roughly 10,000 separate computer systems involving 1.5 million individual computers. Of these, over 2,000 systems are mission critical systems that must work, no matter what, for the DoD to successfully execute its myriad missions. Over one-third of all mission critical computer systems in the Federal government are in the Department of Defence. Enhancing the speed and connectivity of the Grid and its supporting infrastructure, and yet controlling access to sensitive information, will remain a formidable challenge to national security for many years to come. The DoD is a primary example of how important the security of a computer system can be, as a breach of the system may result in the loss of both military and civilian life.

Security Issues

Global Connectivity

The security model under which the DoD operated is not sufficient to deal with the impacts of economic globalisation. The model was constructed at a time when all strategically important military capabilities and technologies were situated in the US. Threats to these capabilities were dealt with by erecting barriers at the country's borders. While this strategy was effective in dealing with security threats posed during the Cold War, it is an ineffective strategy which could lead to the alienation of the US and seriously weaken links with civil-military integration and international co-operation. This strategy will greatly hinder the US's ability to deal with the new security threats brought about by globalisation. The Department's current information systems are not adequate to deal with the security threats posed by globalisation; its information systems therefore need modernisation to provide value-added, secure services, enhance efficiencies and information sharing, and promote operability.
The proposed solution to these handicaps is the Global Information Grid, which places importance both on information as a strategic resource and on the need for greater compatibility of information technology with combatant command, Service, and Agency mission critical operational processes. The grid uses the same "enterprise view" information security strategy which is championed by the PricewaterhouseCoopers Information Security Model. Joint military ventures are the fundamental key to exploiting the benefits of globalisation. The States can no longer assume the place of world leader but must focus on a strategy which does not lead to the alienation of other nations. Therefore the States must have the ability to effectively share and communicate data with its partners and allies. The DoD must facilitate this communication with the provision of communications architectures and security policies that permit flexible sharing of classified information with coalition partners on a case-by-case basis. One possible solution to this fundamental communication problem is to introduce a classification scheme that uses time or operational requirements to establish access procedures to classified or restricted data, thus moving away from the traditional blanket classification schemes of the Cold War.

Information Superiority

The Global Information Grid's primary objective is to enable the DoD to achieve Information Superiority through the ability to effectively store, share, analyse, and utilise information, thus moving on to a higher level of knowledge management that supports Information Superiority. Simply stated, Information Superiority is the: "Capability to collect, process and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same". Success in Information Superiority is dependent upon the readiness, availability, and sustainability of information flows and critically supporting infrastructures.
As the DoD becomes increasingly complex, interconnected and interdependent, there is an increasing need for commercial support, especially in CONUS areas (continental U.S. and allied nations). This dependency on commercial infrastructures has led the DoD to sponsor a major effort to analyse and evaluate internal infrastructure supports.

External Threats

The DoD is a primary target for most hackers who wish to establish a reputation. Such exercises as Eligible Receiver and Solar Sunrise have emphasised the need for greater security measures within the Department. Eligible Receiver, which took place in 1997, tested government information facilities and highlighted their information systems' vulnerabilities. Solar Sunrise, in contrast, was a serious penetration of DoD systems. The systems were hacked by 2 Californian teenagers under the guidance of an Israeli hacker. The systems, a series of U.S. Air Force networks, were compromised at a time of international crisis with Iraq and posed a serious threat to the American forces in the region if strategic military operations data was compromised. These attacks have shown that US governmental systems are potentially unsecured against hackers; this may lead the full spectrum of potential enemies, whether terrorist in nature, criminal organisations or general hacker activists, to attack vulnerable civilian targets in the U.S. rather than conventional military operations abroad. Another serious threat to national stability is the widespread access to sophisticated technologies, which could potentially enable aggressor nations to use information-based weapons to cause financial destabilisation, or information attacks which could threaten the average citizen or critical national infrastructures. The offensive and defensive capabilities derived from Information Security can potentially limit the amount of damage and provide an adequate response against the perpetrator of such an attack.
Internal Threat

Internal threats pose just as serious a threat as external ones, if not more so. Internal closed systems employ the same commercial off-the-shelf (COTS) software and physical components used for the information systems processing unclassified data, including the same fundamental system vulnerabilities that can be exploited by a hacker. A security breach by an internal individual could result in the loss of technical weapon system information. There is a growing trend of regarding such security breaches as a commercial endeavour and not a breach of national security. The introduction of new technologies in the workplace has facilitated the growth of such internal espionage. Recent compromises to security and unauthorised transfers of classified information are symptomatic of the classic problem of the insider who has legitimate access to data as well as legitimate access to government electronic communications equipment but uses them for inappropriate purposes. U.S. Government and cleared Defence contractor activities that were traditionally isolated from the general population are now increasingly vulnerable to exploitation.

The threat from malicious "trusted" insiders is significant. A malicious insider potentially has the capability to disrupt interconnected DoD information systems, to deny the use of information systems and data to other insiders, and to alter, remove or destroy information.
Insiders who betray the authorities, trust and privileges granted to them may be aided by the very information systems on which the Department is dependent. Malicious insiders can potentially reduce or compromise our military effectiveness, and place in jeopardy the lives of our military men and women.

Technology vendors may also pose a serious threat to the stability of the system. For example, talented software developers have never been able to prove that a security system is one hundred percent effective; they have only been able to prove that there are many ways in which to breach the system. As the DoD acquires the majority of its information systems from external vendors providing COTS products, it has little or no influence over the development of these products. One of the fundamental security problems posed by these systems is the inability of the DoD to assure the trustworthiness of those products, many of which are developed overseas. For example, a COTS system which is developed by an external vendor may contain malicious computer code, which can be difficult to detect. Addressing the triad of people, operations, and technology is the only effective way to assure the integrity of the system.

DoD Information Grid Security

Information Protection

In order to protect the information environment as a whole, the DoD employed a defence-in-depth approach. The approach consists of layered security systems that encompass active and passive defensive measures to prevent unauthorised access to information and information systems. This includes the implementation of self-healing networks and other innovative approaches that allow for continuous operations in the midst of an information attack.
Defence-in-depth protects critical assets and processes by creating a deterrent posture, enhancing network security programs and operations, effectively training and certifying personnel, and leveraging new technologies.

Security

Effective protection of critical information assets and processes requires the ability to combine and balance a multitude of security disciplines. There are risks associated with a greater reliance on technological advancements, such as the Internet, and with the updating of legacy systems that process classified and sensitive information. Operational capabilities need to ensure the integrity and reliability of information through improved security awareness education and training and increased investment in research and development. Security education and awareness programs must be revitalised. Revitalisation implies that funding must be programmed throughout the Future Years Defence Program (FYDP) and must be directed towards training and awareness improvements in personnel security, industrial security, physical security, nuclear security, information security, acquisition system protection, and operations security. These disciplines are inextricably integrated into safeguarding Information Superiority advancements.

Personnel security is the fundamental underpinning of the security paradigm. Without trust, the implementation of a security program and all other efforts to protect classified or sensitive information are irrelevant. The introduction of a personnel security program, through its processes of investigation and adjudication, coupled with periodic reviews, provides an effective security filter which will ensure that only individuals who merit trust are allowed access to critical systems and data.
The periodic reviews will ensure that, as situations change, the DoD can monitor individual circumstances in the Department, thus ensuring reliability and trustworthiness.

Effective protection of critical DoD information assets is accomplished by 3 objectives:

* Focus security policies and programs on providing protection based on assessments of threats, and the danger and consequence of compromise for the most critical and vulnerable information, systems, capabilities, people and facilities.
* Integrate counterintelligence policies, programs, and processes into all critical DoD programs and operations, and provide comprehensive counterintelligence support to critical DoD technologies, force protection and countering of foreign espionage that enables the anticipation, detection and response to threats and attacks against the most critical and vulnerable information, systems, capabilities, people and facilities.
* Implement an "Active Security" paradigm that enables DoD to take a more active, holistic approach to manage the protection of the most critical and vulnerable information, systems, capabilities, people and facilities.

Security Infrastructure

In order for security to be effective and affordable it requires management. Security, like interoperability, must be engineered in from the starting point of the project to be effective and affordable. The ability to effectively conduct a military mission in the modern risk management environment hinges directly on the ability to protect mission critical information, systems, programs and facilities. The ability to protect information throughout the system is the key in this regard. Conversion of analogue systems to digital will ensure that the security problems posed by legacy systems are minimised. However, there will always be legacy systems, and systems that allied partners possess, that do not have sufficient security safeguards.
DoD's previous risk avoidance strategy, which focused on protecting against an unauthorised intrusion, proved too costly and difficult to manage in a complex environment of networked systems. Therefore the DoD was forced to accept a risk management strategy. This philosophical shift was a significant change in doing business and it forced a change in the decision process concerning acceptable risks and how to manage them. A well-protected and secured information environment requires sound risk and consequence management at all levels. Risk management is based on:

* the value of information at risk
* information systems vulnerabilities
* threats posed by potential adversaries and natural phenomena
* resources available for protection and defence
* a consideration of: information needs
* the impact of loss of access control

In a military context, as in a business context, the value of information can change from one phase of an operation to the next. Consequence management is a leadership decision process to determine which risks are acceptable in light of the mission requirements and national security.

Information assurance (IA), which is a critical component of Information Superiority, serves to ensure that the components of the Global Information Grid systems and networks are capable of providing continuous and dependable service to the Department. IA depends on the continuous successful integration of personnel, operational and technical capabilities to guarantee the availability, integrity, authenticity, confidentiality and non-repudiation of information services, while providing the means to efficiently restart these fundamental services during and following an attack. IA and Computer Network Defence are basic core design elements of the Global Information Grid, and thus provide the DoD with a much more defensible and robust information infrastructure for the future.
Examples of using network operations and information assurance to provide information protection include:

* Protecting the ability to sustain and support forces by ensuring the availability and security of information and information systems, which facilitates the efficient movement of forces, the operation of the industrial base acquisition process, and the timely logistical support of forces.
* Protecting the ability to comprehend the battle space by ensuring the integrity and confidentiality of the information systems used to transmit battle space and other information to decision-makers. This includes preventing an adversary from targeting friendly space-, air-, land-, and sea-based intelligence, surveillance and reconnaissance infrastructure, navigation systems, information fusion capabilities, and targeting systems.
* Protecting the ability to command and control, by incorporation of identification, authentication, and non-repudiation capabilities and the ability to respond as the situation dictates to maintain network operations.
* Protecting the effectiveness of forces through the proper standardisation and configuration management of information and information systems that directly enable the employment of weapons and weapon systems, or that enable forces to accomplish their assigned missions.
* Protecting the viability of command and control by neutralising foreign intelligence efforts to compromise DoD personnel or that sabotage physical components, thereby ensuring the integrity of internal operations.

DoD protects the functionality of critical information and systems infrastructures through information sharing, co-ordination, and consequence management planning. In order to achieve this, an understanding is needed of the impact and protection/restoration requirements of civil infrastructures and of the network of systems and processes that produce and distribute a continuous flow of essential goods and services.
The DoD's strategy is to protect the critical assets (information, systems, programs, people and facilities) and processes needed to complete the mission through effective training and certification of personnel, to improve information and information systems so that they result in a protected and secure operating environment, and to leverage innovative technology to help both personnel and operations in a "defense in depth" environment. In order to achieve the required security level, DoD personnel must be trained and certified in proper security procedures with respect to operating securely in the IT environment. A secure operating environment throughout DoD has been strengthened by implementing such measures as Public Key Infrastructure (PKI). Such security measures have facilitated an integrated and comprehensive attack sensing and warning strategy to detect disruptions to IT infrastructures, and the capability to conduct computer forensics investigation in the event of hostile attacks.

The Department has made significant progress in constructing the appropriate infrastructures and systems to achieve information superiority. After Eligible Receiver 97-1, Solar Sunrise and other such events, the DoD undertook the following defensive actions:

* Increased situational awareness by establishing 24-hour watch centers.
* Established positive control over the identification and repair of information systems at risk.
* Installed intrusion detection systems on key system nodes.
* Expanded computer emergency response teams to perform alerts, critical triage and repair.
* Developed contingency plans to mitigate the degradation or loss of networks.
* Improved the ability to analyse data rapidly and assess attacks.
* Working with the National Infrastructure Protection Centre and teaming with law enforcement agencies, developed procedures to share information with the private sector.
* Increased Red Team exercises to improve operational readiness.
Computer Network Defence

In August 1998, DoD created the Joint Task Force-Computer Network Defence. Its primary mission is to co-ordinate and direct the defence of all DoD computer systems and computer networks. This mission includes the co-ordination of DoD defensive actions with non-DoD government agencies and appropriate private organisations. In June 1999, the Joint Task Force reached Full Operational Capability. Recently, the Secretary of Defence assigned the Commander-in-Chief, U.S. Space Command the responsibility for the defence of the Department's computer networks and for the Joint Task Force-Computer Network Defence. The Department recently completed a detailed study of various Computer Network Defence related activities within the DoD and has begun a comprehensive study of this emerging and rapidly developing discipline to identify core functions and develop an integrated, Defence-wide, enterprise Computer Network Defence policy and assignment of responsibilities.

Information Operations Red Teams

The "Red Team" is the opposing force in a military exercise that simulates the capabilities, tactics and doctrine of real world adversaries. Information Operations Red Teams are used to simulate an adversary information attack on a command or installation to test defenses, identify weaknesses and improve readiness. Although Information Operations red teaming can, and often does, involve multiple capabilities to conduct information attacks (e.g. psychological operations, deception, physical destruction, etc.), they focus primarily on the cyber domain (i.e., vulnerabilities of computers, networks, and related information systems).

Public Key Infrastructure

In May 1999, the Deputy Secretary of Defense issued the Defense-wide public key infrastructure (PKI) policy.
This policy requires the use of a common, integrated DoD public key infrastructure to enable security services at multiple levels of assurance, providing a solid foundation for IA capabilities across the Department. The policy mandates an aggressive approach in acquiring and using a public key infrastructure that meets DoD requirements for all information assurance services.

Critical Infrastructure Protection

Critical Infrastructure Protection addresses the protection of the critical assets and infrastructures DoD relies upon to accomplish its mission. In 1995, the DoD established an office to examine the dependencies on critical infrastructures and began assessing the impact of the loss of commercial telecommunications, power, and transportation services on military operations. In January 1998, a revised DoD policy on the assurance of these critical assets was issued. In May 1998, Presidential Decision Directive 63 called for a national effort to assure and protect the increasingly vulnerable and interconnected national infrastructures, including electrical power, transportation, communications, and banking and finance. Presidential Decision Directive 63 and the DoD Critical Infrastructure Protection Plan emphasise the importance of information sharing at various levels of the national security strategy. The DoD, like the rest of the federal government, relies on commercial infrastructures for providing essential services such as telecommunications, energy, and finance. Therefore, information sharing on vulnerabilities and countermeasures is crucial in forming a "partnership" with the private sector. Currently, the DoD Critical Infrastructure Protection Office is overseeing efforts on how best to share information with the private sector working at the senior levels of DoD policy making and down to and including the installation level. Research is being conducted into senior DoD level models of how government and private sector companies exchange information (e.g.
classified, business confidential, etc.) and the extent to which it should be shared, documented and updated routinely. The model(s) at this level should be flexible enough to identify what government and industry gaps exist and how they should be corrected and shared, when necessary, with other lead agency co-ordinators. At the installation level, we are looking at models on how to "empower" the installation commander to make decisions on how to disseminate "sanitised" information concerning computer network vulnerabilities to the private sector, as well as to state, local, and county government representatives. The bottom line is to provide the installation commander with a convenient forum for public and private sector representatives to exchange information on a periodic basis and provide recommendations to senior levels of the DoD. Finally, both levels of information sharing must allow for sharing important information about vulnerabilities, threats, intrusions and anomalies, but must not interfere with direct information exchanges between companies and the government.

Intelligence and Counterintelligence

It is the task of DoD Counterintelligence to protect people, technology and information infrastructure. To do this, the DoD is expanding support to critical technology protection, developing a new Counterintelligence Risk Based Methodology, enhancing support to force protection and combating terrorism, establishing training in computer investigations and forensics, and Joint Counterintelligence, fielding the Defence Counterintelligence Information System, and targeting the Insider Threat. To ensure effective defence against incidents of adversary information attacks against U.S. forces, operations and infrastructure, intelligence and law enforcement must be able to provide early and coherent strategic warning of adversary intentions, and support early detection of in-progress or imminent adversary attacks on all fronts.
This is particularly critical for computer network threats. A robust computer network indications and warning architecture must be developed and sustained. This implies an in-depth understanding of adversarial doctrine, tactics, techniques, and procedures in conducting information attacks.

Deterrence

The final element necessary to protect U.S. information and information systems is deterrence. Potential attackers and adversaries must be made aware that the U.S. Government will not tolerate any intrusion or disruption of its communications networks and that it has the capability and the authority to identify and prosecute a malicious information attacker. State sponsored attacks that threaten national security may justify a military response.

Conclusion

The Department has made substantial progress in information assurance, but pro...
