CDSE Workshop. CDS Concepts and Definitions. Elaine M. Caddick Principal Cybersecurity Engineer 19 July 2016


Approved for Public Release; Distribution Unlimited. Case Number 16 2506. 2016 The MITRE Corporation. All rights reserved.

CDS Concepts and Definitions

First, Some Definitions

Information Security Policy: Aggregate of directives, regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information. (CNSSI No. 4009)

Security Domain: A collection of entities to which applies a single security policy executed by a single authority. (FIPS 188)

Sources:
- FIPS PUB 188, Standard Security Label for Information Transfer, 6 September 1994
- CNSSI No. 4009, Committee on National Security Systems (CNSS) Glossary, 6 April 2015

What is a Cross Domain Solution (CDS)?

Controlled Interface: A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems. (CNSSI No. 4009)

Cross Domain Solution (CDS): A form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains. (CNSSI No. 4009)

[Diagram labels: Controlled Interface, Firewall, CDS, Transfer, Access, Multilevel]

Source: CNSSI No. 4009, Committee on National Security Systems (CNSS) Glossary, 6 April 2015

Wide Range of Controlled Interfaces

Types of CDSs

Data Transfer Solutions
- A Transfer CDS facilitates the movement of data between information systems operating in different security domains.
- Examples: Information Support Server Environment (ISSE) Guard, Radiant Mercury (RM) Guard, Raytheon High Speed Guard (HSG)

Access Solutions
- A cross domain solution that provides access to a computing platform, application, or data residing on different security domains from a single device without any data transfer between the various domains.
- Examples: Raytheon Trusted Thin Client (TTC), AFRL SecureView (SV)

Multi-Level Solutions
- A Multi-level CDS uses trusted labeling to store data at different classifications and allows users to access the data based upon their security domain and credentials.
- Examples: Oracle Cross Domain Security Express (CDSE), General Dynamics Trusted Network Environment (TNE)

Source: UCDSMO definitions and CNSSI No. 4009, Committee on National Security Systems (CNSS) Glossary, 6 April 2015

CDS Functionality

Provides the ability to access and/or transfer electronic data between two or more differing security domains

- User and service functionality
  - Extend mission functions to operate across domains
- Provide protection
  - Prevents leakage of data from the high side to the low side
  - Defends against attacks from the low side
  - Maintains separation of the security domains
- Mitigate risk
  - Loss of confidentiality, integrity and availability
- Components of Larger Functional Architecture

Other CDS Capabilities

Capabilities may include:
- Filtering - eliminate data based on pre-defined criteria (e.g., data type, classification)
- Keyword Search - search for "dirty words"; "clean word" capabilities emerging
- Integrity Checks - verify that data has not been modified
- Transliteration - reformat data
- Sanitization - remove or edit sensitive data so that resulting data is less sensitive
- Regrading - changes to sensitivity labels (i.e., classification and caveats)
- Malicious Code Checks - check for presence of viruses
- Cleaning - remove background data, remove active content, remove malicious content
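How several of the capabilities above chain together in a high-to-low release decision, as an added example that is not from the slides, MITRE, or any guard product. The JSON message format, the label ordering, the allowed data type, the dirty-word list, and the sensitive field name are all constructed assumptions.

```python
import hashlib
import json
import re

# Constructed policy for illustration only; not a real guard rule set.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1}
ALLOWED_TYPES = {"track_report"}
DIRTY_WORDS = re.compile(r"\b(NOFORN|SOURCE-7)\b", re.IGNORECASE)
SENSITIVE_FIELDS = {"collector_id"}  # removed by sanitization


def release(raw: bytes, digest: str, dest_level: str):
    """Return (message_or_None, reason) for a high-to-low transfer request."""
    # Integrity check: the payload must match the digest the sender supplied.
    if hashlib.sha256(raw).hexdigest() != digest:
        return None, "integrity check failed"
    try:
        msg = json.loads(raw)
    except ValueError:
        return None, "unparseable"
    if not isinstance(msg, dict):
        return None, "unparseable"
    mtype, label, body = msg.get("type"), msg.get("label"), msg.get("body")
    if not (isinstance(mtype, str) and isinstance(label, str)
            and isinstance(body, dict)):
        return None, "unparseable"
    # Filtering: only listed data types with known labels may cross.
    if mtype not in ALLOWED_TYPES:
        return None, "data type not allowed"
    if label not in LEVELS or dest_level not in LEVELS:
        return None, "unknown label"
    # Sanitization: drop the fields that make the record more sensitive.
    clean = {k: v for k, v in body.items() if k not in SENSITIVE_FIELDS}
    # Keyword search on exactly what would leave; any hit blocks the transfer.
    if DIRTY_WORDS.search(json.dumps(clean)):
        return None, "dirty word found"
    # Regrading: lower the label to the destination level after sanitization.
    new_label = min(label, dest_level, key=LEVELS.get)
    return {"type": mtype, "label": new_label, "body": clean}, "released"


def make_sample(body: dict, msg_type: str = "track_report"):
    """Build a constructed SECRET message and its SHA-256 digest."""
    raw = json.dumps({"type": msg_type, "label": "SECRET", "body": body}).encode()
    return raw, hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    for body in ({"lat": 38.9, "collector_id": "C-12"}, {"remarks": "rel NOFORN"}):
        print(release(*make_sample(body), "UNCLASSIFIED"))
```

Every check fails closed: a message that cannot be parsed, verified, or matched to the policy is blocked rather than passed through.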

CDS versus Firewall

CDS
- Generally implemented on trusted platform
- Connects domains at different levels
- Opens doors that are normally closed
- Prevents data leakage
- Filters data at application level
- Few services allowed through (e.g., E-mail, messages, file transfer)
- Often no IP forwarding
- Performs downgrading

Firewall
- Not generally implemented on trusted platform
- Connects domains at same level
- Closes doors that are normally open
- Controls network services
- Filters packets at protocol level; may proxy packets at application level
- More services allowed through (e.g., file transfer, E-mail, TELNET, HTTP)
- Some types offer IP forwarding
- No downgrading performed, because none is required

Controlled Interface Comparison

Columns: Feature; Stateful Firewalls; Next Generation Firewalls; Proxy Firewalls; Cross Domain Solutions (Transfer)

Shallow Packet Inspection: Yes Yes Yes Yes
Protocol Anomaly Detection: Partially Yes Yes Yes
Stream Based Scanning: Yes Yes Yes
Deep Packet Inspection: Yes Yes Yes
File Based Scanning: Yes Yes
Deep Content Inspection: Yes Yes
Deep Content Sanitization, Trusted Platform, Mandatory Access Controls, Role Based Access Controls: Yes Yes Yes Yes

[Arrow labels: Increasing Assurance, Specialization, and Cost; Decreasing Performance]

Source: Potential Foundational Graphics for XBIS, Scott Hall, 24 October 2012

What does it mean to be Trusted?

A Combination of Functionality & Assurance

Functional Capabilities
- Mandatory Access Controls
- Labels
- Type enforcement
- Separation Kernel
- Integrity

Assurance Measures
- Functional and penetration testing
- Requirements, design and code analysis
- Special Analysis (e.g., covert channel analysis)
- Configuration management/trusted distribution

Objective: Establish confidence that behavior is predictable, reliable and appropriate
- Completeness
- Correctness
- Resistance to attack
- Strength of implementation

Why is CDS so hard to do?

- A CDS is a high value target
- Features and high level of assurance needed for CDS not typically found in mainstream COTS products
- It requires a specialty skill-set that crosses many engineering disciplines
- It opens up high risk communication flows not previously available
- Due to risk of domain connections, policies create extra steps, impose restrictions, and add requirements
- Limited technology available - Market not large enough for COTS vendors

The special requirements, restrictive policies, trusted technologies, unique threats, and high risk of cross domain connections demand extraordinary knowledge, skill and focus on the part of the CDS engineering and testing community.

Who Do I Talk To About CDS?

Unified Cross Domain Services Management Office (UCDSMO)

E-Mail:
- NIPRNet: info-ucdsmo@nsa.gov
- SIPRNet: info-ucdsmo@nsa.smil.mil
- JWICS: info-ucdsmo@nsa.ic.gov

Telephone:
- Unclassified: 240-373-0796
- Secure: 763-2470

Web Sites:
- Intelink-U: https://intelshare.intelink.gov/sites/ucdsmo
- SIPRNet: http://intelshare.intelink.sgov.gov/sites/ucdsmo
- JWICS: http://intelshare.intelink.ic.gov/sites/ucdsmo

Questions