Date post: | 11-Jan-2016 |
Category: |
Documents |
Upload: | jasmine-cross |
View: | 215 times |
Download: | 1 times |
Protective Measures at Protective Measures at NATO Headquarters NATO Headquarters
Ian DavisIan DavisHead, Information Systems ServiceHead, Information Systems ServiceNATO Headquarters NATO Headquarters Brussels, BelgiumBrussels, Belgium
The Prime Directive - IThe Prime Directive - I
NATO information…NATO information…
……shall be managed asshall be managed as
a corporate resourcea corporate resource
to support NATO [business]…to support NATO [business]…
… … throughout its life-cycle... throughout its life-cycle...
Extract from NATO Information Management PolicyExtract from NATO Information Management Policy
The Prime Directive - IIThe Prime Directive - II
NATO information…NATO information…
……shall be protected…shall be protected…
……to ensure its confidentiality,to ensure its confidentiality,
integrity and availabilityintegrity and availability
throughout its life-cycle... throughout its life-cycle...
Extract from NATO Information Management PolicyExtract from NATO Information Management Policy
What is NATO? What is NATO?
An alliance of 19 nations...An alliance of 19 nations... ...and EAPC, PJC & NUC...and EAPC, PJC & NUC The forum for consultation and The forum for consultation and
decisions on security mattersdecisions on security matters A facility for co-operation in other A facility for co-operation in other
mattersmatters
NATO HQ ActivitiesNATO HQ Activities
HEADQUARTERSADMINISTRATION
PROGRAMMEMANAGEMENT
COORDINATION OF ACTIVITIES
POLITICALCONSULTATION
CONSULTATION
NATO HQSTAFF:
CREATE,COLLATE,MANAGE
MEETINGATTENDEES:
CREATE,REVIEW,APPROVE
AGENDASDOCUMENTS
NOTESDECISION SHEETS
DOCUMENTSCOMMENTS
The Consultation ProcessThe Consultation Process
CONSULTATIONCONSULTATION
requiresrequires
INFORMATIONINFORMATION
requiresrequires
INFORMATION MANAGEMENTINFORMATION MANAGEMENT
requiresrequires
INFORMATION SECURITYINFORMATION SECURITY
Transformation of NATOTransformation of NATOsince 1989since 1989 PoliticalPolitical
NATO > EAPC > OTHERSNATO > EAPC > OTHERS
Information TechnologyInformation Technology Mainframe > LAN > WAN [> Internet]Mainframe > LAN > WAN [> Internet]
SecuritySecurity Confidentiality > Integrity & AvailabilityConfidentiality > Integrity & Availability
NATO HQ OrganisationNATO HQ Organisation
NAC EAPC
MILITARYCOMMITTEE
INTERNATIONALMILITARY STAFF
INTERNATIONALSTAFF
NATIONAL/ PARTNER
DELEGATIONS
MILITARYREPRESENTATIONS
Security DomainsSecurity Domains
EAPC DOMAIN
NATO DOMAIN
EXTERNAL DOMAIN
MILREPSDELEGATIONS
PARTNER MISSIONS
MILITARYCOMMANDS
NATOAGENCIES
MEMBERNATIONS
PARTNERNATIONS
INTERNATIONAL ORGANISATIONS
OTHER NATIONS
MEDIA
GENERAL PUBLIC
ACADEMEINDUSTRY
INTERNATIONAL STAFFS
NATO HQ
NATO HQ Approach to NATO HQ Approach to SecuritySecurity
Separate regime for each domainSeparate regime for each domain
Same process:Same process: Adherence to NATO PolicyAdherence to NATO Policy
StructureStructure
ObjectivesObjectives
PrinciplesPrinciples
CountermeasuresCountermeasures
StructureStructure Formality:Formality:
separation of functionsseparation of functions documentationdocumentation
Security as system functionality:Security as system functionality: designdesign
developmentdevelopment
testingtesting
Managed throughout life-cycleManaged throughout life-cycle configuration managementconfiguration management
Separation of RolesSeparation of Roles
Operating AuthorityOperating Authoritysystem developmentsystem developmentsystem installationsystem installationsystem operationsystem operationsystem maintenancesystem maintenance
Security AuthoritySecurity Authorityrisk analysisrisk analysissecurity SOPssecurity SOPsequipment approvalequipment approvalauditsaudits
Security Accreditation AuthoritySecurity Accreditation Authorityaccreditationaccreditation
inspectionsinspections
DocumentationDocumentation
Security requirements statementSecurity requirements statement
Security operating proceduresSecurity operating procedures
Interconnection agreementsInterconnection agreements
ObjectivesObjectives
Protecting NATO information against Protecting NATO information against loss of:loss of:
ConfidentialityConfidentiality IntegrityIntegrity AvailabilityAvailability
By either accidental or deliberate actBy either accidental or deliberate act
DefinitionsDefinitions
ConfidentialityConfidentiality disclosure of information to disclosure of information to
unauthorised parties unauthorised parties
IntegrityIntegrity modification of informationmodification of information
AvailabilityAvailability destruction of datadestruction of data denial of service (access to data)denial of service (access to data)
Principles - IPrinciples - I
Risk managementRisk management
MinimalityMinimality
Least privilegeLeast privilege
Self-protecting nodesSelf-protecting nodes
Defence-in-depthDefence-in-depth
Implementation verificationImplementation verification
Risk ManagementRisk Management
Use of approved methodologyUse of approved methodology
Analysis of:Analysis of: ThreatsThreats VulnerabilitiesVulnerabilities
Risk AssessmentRisk Assessment
CountermeasuresCountermeasures
Residual RiskResidual Risk
Countermeasures Residual Risk
Risk ManagementRisk Management
Risk assessment
Requirements CostRisk Analysis
Threats & Vulnerabilities
Residual RiskResidual Risk
RISK IDENTIFIEDBY RISK ASSESSMENT
RISKCOVERED
BYCOUNTER
MEASURES
Residual Risk: Risk accepted due tocost/difficulty of countermeasures
Principles - IPrinciples - I
Risk managementRisk management
MinimalityMinimality
Least privilegeLeast privilege
Self-protecting nodesSelf-protecting nodes
Defence-in-depthDefence-in-depth
Implementation verificationImplementation verification
Principles - IIPrinciples - II
MinimalityMinimality only enable those services requiredonly enable those services required
Least privilegeLeast privilege users only given functions & users only given functions &
authorizations they needauthorizations they need
COTS software must be COTS software must be managedmanaged
Principles - IIIPrinciples - III
Self-protecting nodesSelf-protecting nodes each network node protects itselfeach network node protects itself regards other nodes as untrustedregards other nodes as untrusted
Defence-in-depthDefence-in-depth no reliance on one single measure no reliance on one single measure
Implementation verificationImplementation verification regular review of security postureregular review of security posture change/configuration managementchange/configuration management
CountermeasuresCountermeasures
PHYSICAL
PERSONNEL
TECHNICAL
PROCEDURAL
Countermeasures - ICountermeasures - I
PhysicalPhysical separation of domainsseparation of domains restrict access to information storesrestrict access to information stores data redundancydata redundancy
PersonnelPersonnel careful selection of staffcareful selection of staff educationeducation beware the “insider” threatbeware the “insider” threat
Countermeasures - IICountermeasures - II ProceduralProcedural
standard operating proceduresstandard operating procedures need-to-know separationneed-to-know separation inspections & reviewsinspections & reviews configuration managementconfiguration management
TechnicalTechnical certified productscertified products access controls & audit toolsaccess controls & audit tools firewalls & filtersfirewalls & filters anti-virus softwareanti-virus software
ConclusionsConclusions
Information systems are critical to Information systems are critical to operationsoperations
Security:Security: is an integral part of the overall is an integral part of the overall
systemsystem must be managed throughout entire must be managed throughout entire
life-cyclelife-cycle requires structure & methodrequires structure & method requires a balanced mix of a wide requires a balanced mix of a wide
variety of techniquesvariety of techniques
Maximum Line Capacity
IncomingTraffic (email)
OutgoingTraffic (Web)
Denial of Service Attack(flooding line)