• No results found

Commercial Practices in IA Testing Panel

N/A
N/A
Protected

Academic year: 2021

Share "Commercial Practices in IA Testing Panel"

Copied!
29
0
0

Loading.... (view fulltext now)

Full text

(1)

Commercial Practices in IA

Testing Panel

March 22, 2001

Albuquerque, New Mexico

First Information Assurance Testing Conference

Sponsored by:

(2)

Panel Members

! Dr. Myron L. Cramer

» Executive Director, Information Assurance

Division, Windermere

! Lori Ericson

» interAmerica Analytics

! Matthew Devost

» Director of Operations, Security Design

International (SDI)

! Samuel Nitzberg

» Senior Scientist, New Jersey Operations,

(3)

Objectives

! To share commercial practices in the area of IA Testing, emphasizing topics with

high relevance to DoD

! The speakers will each share their

perspectives and will participate in Group Wrap-up

(4)

Discussion Topics

Presentations will address he following topics as they relate to IA testing.

! Test Objectives

» What things are commercial testers trying to accomplish?

» How are these objectives incorporated into test planning?

! Threats

» How does the commercial world characterize its threats?

» What are threat motives, capabilities?

» What kind of intelligence gathering is done on the threat?

» To what extent does the threat drive a system design?

» How is this incorporated in testing?

(5)

Discussion Topics (cont)

! Metrics

» What is the current commercial thinking on test metrics?

» How do they measure success?

! Test Methods

» What are the roles for vulnerability scanning, penetration

testing, blind testing, insider testing?

! Reports

» What kind of documentation is produced?

» How does it get used?

(6)

Agenda

All Panel Discussions

Questions & Answers

11:40 – 12:00

Samuel Nitzberg New York e-Commerce

Testing Activities

11:00 – 11:40

Matthew Devost Hacker Methods &

Penetration Testing

10:15 – 11:00

Break

9:45 – 10:15

Lori Ericson Perspectives on the Threat

9:05 – 9:45

Myron Cramer Commercial Testing

Introduction & Overview

8:30 – 9:05

Speaker Topic

(7)

Role of Testing

! Testing plays an integral part of development process even in the most streamlined

processes

! Information security is recognized as a

standard requirement for e-Commerce and part of a system’s transition from development to production

! Information security testing of operational systems is also regularly performed

(8)

Test Objectives

! What things are commercial testers trying to accomplish?

» Verify design implementation, configuration, integration,

operation

» Assess exposures

» Satisfy audit responsibilities

! How are these objectives incorporated into test planning?

» Identify system security requirements

» Allocate security requirements within security

architecture

(9)

Challenges for Enterprises

! Landscape Discovery

» Network topology

» Role of legacy systems, services and users

» Constraints of communications infrastructure

! Dealing with Change » Maintaining compatibility

» Data center versus distributed computing base

! Controlling Access

» Enabling extranet operations

» Sharing information with partners and customers

» Protecting intranet

! Scalability

» Implementing security across a large enterprise

» Supporting required user services

(10)

Landscape Discovery

! Scanning and assessment

» Networks, servers, protocols, protections

! Interviews

» Nature of the information

» Sensitivity

» Risks

» Information organization

! Picture of existing architecture » Networks, servers, applications

» Users

(11)
(12)
(13)

Types of Information

PLAN PROCESS 1 PROCESS n DATA BASES STAFF MISSION OBJECTIVE ...

(14)

Value of Information

! There are different types of

organizational information

! These face different threats and have

different security issues

(15)

Dealing with Change

! Requires new approaches and new technologies

» New Computing Model

» Transition from Data Center to Distributed Computing

» Internet connections and services

! Introduces new exposures

Mainframes Data Centers

Time

Past Present Future

(16)

Controlling Access

! Supporting collaboration over multiple overlapping Communities of Interest

Intranet 1

Intranet 2

(17)

Scalability

! Network-based components

» Leverage network to distribute services to all connected

users

! Host-based components

» Where visibility and access is required to individual

workstations

» Requires administration of client configurations

! Managed Services

(18)

Security Architecture & Engineering

! Policy

» Business Plan

» International, Federal, State Law

» Intercompany Agreements ! Requirements Translation » Operational Environment » Risk Exposures » User Communities » Information Administration » Security Specifications ! Design » Architectural Implementation

» Product Performance Specification

» Components Selection and Configurations

REQUIREMENTS

SPECIFICATIONS

(19)

Security Architecture

Authentication Directory Incident Response Enterprise Management Support

Provides enabling and infrastructure services

Network Mapping

Vulnerability Assessment Intrusion Detection

Measure

Determines the condition of an information system Anti-Virus Firewalls Proxy Server VPN Content Inspection Host access controls

Application access controls

Protect

Enforces separation Applies Least Privilege Enforcement Principles

(20)

Security Architecture

Internet Proxy Server Web Server Mail Server Users Intruder Firewall VPN Server Authentication Server File Server Intranet Server Directory Server Content Inspection Intrusion Detection Enterprise Management Clients Intranet DMZ

(21)

Domain Model

! Shares security responsibility among each component in functional regions

User Work-station

Domain 1

Network Server Boundary Work- User station

Domain 2

Network Server

(22)

IA Context

Vulnerability Analysis Network Mapping Boundary Protection Intrusion Detection Enterprise Management Network Architecture Incident Response Status Significant Events System Vulnerabilities Significant Events Anomalies Intrusion Attempts Boundaries Security Policies Actions Security Policies Security Policies Tasking Network Architecture

(23)

Vulnerability Analysis

Vulnerability Modeling Susceptibility Analysis Vulnerability Testing CERT Advisories Boundary Protection Incident Response Intrusion Detection Server Data Base Potential System Risks Anomalies Known Vulnerabilities Intrusion Attempts Network Mapping Network Architecture Security Policies Testing Tools Predicted System Vulnerabilities Verified System Vulnerabilities Security Policies

(24)

Scientific Method

Hypothesis Test

(25)
(26)
(27)
(28)

Intrusion Detection

Operations

(29)

Contact Information

Dr. Myron L. Cramer 410-266-1900

[email protected] http://www.wias.net

Windermere Information Technology Systems Information Assurance Division

401 Defense Highway Annapolis, Maryland 21401

References

Related documents

• Allied health field is important and growing segment of health care workforce, but despite prominence in health care team, allied health workforce is understudied • Demand

However, fold-changes in the genes affected by diet x ploidy interaction and involved in metabolic pathways were moderate and the number of probes af- fected by this interaction

Even the relatively newest forms of dispute resolution practice have begun developing professional associations and discussion of ap- propriate standards, practice protocols and

As an example of the applications, a high gain planar array antenna at V band by using the half-height-pin gap waveguide has been designed and is presented in the paper with a

FOSSC Oman 2013 credativ group Open Source for business One-stop Shop for Open Source Support TM?. Open Source

Data analysis revealed one theme titled: "The need for support" and four categories regarding the needs of infertile couples, following treatment failure

With a focus on the personal financial planning side of divorce and the other issues you need to be well aware of before, during, and after a divorce, author and bestselling

The export sales exceeded previous year’s and planned sales quantity figures as well.. Source of the increase was export to Ukraine