Information Assurance
Module 4
The Lesson
The module learning objective:
- To define the concept of National Information Assurance and
identify related national policy issues.
Before we continue with this module, let's review the previous
3 modules:
Module 1 Review
Then: Money was available through DoD-sponsored research. Now:
Commercial demands drive development.
ARPANET, born as a research project, evolved into a basic requirement.
Then: Public trust of government was high. Now: Public trust of
government is low.
Module 2 Review
IW is more than technical, e.g., Somalia.
In the past, network links were the primary targets for exploitation,
and links and nodes were targets for denial and destruction. This was
classic command and control warfare (C2W).
In this new world, nodes and information are the primary targets
for hackers and foreign intelligence.
There are now two new concerns: radical groups and commercial
off-the-shelf (COTS) software.
Module 3 Review
DoD is now dependent on the civilian infrastructure.
DoD must share the responsibility with the civilian sector for
defense of the national information infrastructure.
The President, Congress, Supreme Court and the commercial sector
will divide the baby.
Government departments and agencies will have to develop a strategy
for leading from behind.
In this module we will address these major points on Information
Assurance:
- Who, what, when and why (roles perspective).
- DoD's role (past attempts).
- Risk management (nodes, links, and information).
- Defense strategies: red team approach vs active defense.
- Management challenges.
From the National Security Strategy, February 1995:
The threat of intrusions to our military and commercial information
systems poses a significant risk to national security and must
be addressed.
That, by now, should be obvious. The real concern is:
Are we under attack right now? And if so, from whom?
Redefining and maintaining security is a national concern. DoD
and the intelligence community must design a method that will provide
critical threat and technical knowledge. They must also cooperate with
the private sector.
Who Are The Real Players?
Some of the real players who will influence the political process
and build the solutions:
- Sun Microsystems
- Microsoft
- Motorola
- Intel
- IBM
- Apple
- And many others...
With DoD leading from behind!
Accreditation Shortfalls
Past DoD attempts at securing the information infrastructure mainly
involved an accreditation process. This, unfortunately, did not
work well because of these shortfalls:
- Inconsistent accreditation decisions were made independently
for interdependent systems. This resulted in non-uniform protections
across common DoD infrastructure, and the weaknesses in one
community undermined the security of others.
- Security assessments were costly, time-consuming processes.
- Security was not adequately addressed during the development
and maintenance of the systems, which resulted in ineffective
or inefficient security.
- Inefficient integration across DoD efforts resulted in duplication
and approaches that did not meet common DoD needs.
Accreditation Consequences
The shortfalls of a DoD accreditation system led to the following
consequences:
- Erratic protection for DoD information systems.
- The cost of protection was too high.
- There was no means to cope with new technology.
- Once a system was accredited, a false sense of security existed,
at least until the next detected attack.
Defensive IW Implementation
Any proposed defensive IW implementation must encompass all of
these areas:
- Doctrine
- Policy
- Organizational Infrastructure
- Assessments
- Technology
- Education & Training
Active Defense
If accreditation does not work, what about an active defense? This
implementation also has shortfalls. Most importantly, an active
defense would violate the U.S. criminal code on computer crime, e.g.,
18 USC 1030(a)(5)(A).
Consider also the following scenario: What if the hacker is using
his/her parents' business computer, or is using an assigned computer
at the Washington Post, Sony, or the Pentagon?
Using an active defense would damage not only the hacker's files,
but also the files of the legitimate computer owner/user. What if
the computer being used by the hacker, your doctor's son, belonged to
your doctor, and the files destroyed by an active defense were your
patient history files?
Other considerations:
- Both good guys and hackers use the Internet.
- Hackers use sniffers.
- Hackers loop and weave through intermediate systems, so the apparent
source of an attack is rarely its true origin.
- Hot pursuit and active defense may not be options.
If Active Defense is not an Option...
There are recommended strategies for dealing with hackers who enter
your network. Once an intrusion is detected, you have several options:
Sometimes the best offense is a good defense...
IW Defensive Strategy
What works?
- Manage your security: set policy for what is allowed and what
behavior is prohibited.
- Banners that announce monitoring, to be read by everyone logging
onto your system.
- Red Teaming: controlled "hacking" by security professionals whom
your organization has contracted to identify security risks.
- Risk management: plan for the attack.