CSE 3100: Information Assurance and Security - University of Guyana - 2024 - PDF
University of Guyana
2024
Jerome Allicock
Summary
This document is an outline for the CSE 3100: Information Assurance and Security course at the University of Guyana, for Session 01 - September 04, 2024. Topics include information assurance, security principles, and risk assessment.
University of Guyana
CSE 3100: Information Assurance and Security
Session 01 – September 04, 2024
Lecturer: Jerome Allicock

Session Outline
1. About CSE 3100 (Description)
2. Learning Objectives
3. Introduction to Information Assurance (IA)
4. The Need for Information Assurance
5. IA Core Principles
6. IA Architecture Framework & Views
7. Information Assurance Process & Model
8. IA vs InfoSec
9. Scope of Information Assurance
10. The Security Paradigm
11. Security Big Picture
12. A Bit on Risk

Hello!
Mr. Jerome Allicock, B.Sc., IMBA.
⬡ 13+ years in Telecoms
⬡ 8+ years in Revenue Assurance & ITSM
⬡ Entrepreneur & Tech Enthusiast
⬡ Contact #: 621-5866
⬡ Email: [email protected]

CSE 3100 Description
⬡ This course is a third-year, first-semester course intended for students pursuing the four-year full-time degree programme.
⬡ This course will equip students with the analytical knowledge required to apply information security knowledge.
⬡ Students will be introduced to current, real-world cases which are widely reviewed in the practitioner community.

CSE 3100 Description Cont’d
⬡ CSE 3100 “Information Assurance (IA) & Security” is a dedicated study that will equip you with the knowledge and skills to:
  - Assess risks
  - Be aware of threats & vulnerabilities associated with the use of various computing technologies
  - Reduce risks associated with access, storage, transmission and processing of data/information
  - Implement reaction plans for service restoration and business continuity
⬡ Security encompasses:
  - Computer security
  - Communications security
  - Operations security
  - Physical security
⬡ The core elements of the course are:
  - Risk assessment
  - Data and systems protection
  - Threat & vulnerability detection
  - Reaction/response plans

Learning Objectives
⬡ By the end of this course students will be able to:
  - Describe the nature of security risk in a business and an IT context.
  - Compare and apply several models for security risk assessment.
  - Facilitate a risk assessment process and gain consensus on risk-based decisions.
  - Incorporate risk assessment into an IT security plan.

Required Readings
⬡ Information Assurance: Security in the Information Environment by Andrew Blyth and Gerald L. Kovacich
⬡ Information Assurance: Managing Organizational IT Security Risks by Joseph Boyce and Daniel Jennings
⬡ Information Assurance and Security Technologies for Risk Assessment and Threat Management: Advances by Te-Shun Chou

Lecture Sessions
⬡ Wednesdays @ 06:15PM – 09:15PM
  - 3hrs lecture time weekly
  - 2hrs tutorial sessions weekly

Weekly Topics
⬡ Introduction to Information Assurance
⬡ Metrics for Information Assurance / Risk Assessment
⬡ Networking and Cryptography
⬡ Information Assurance Planning and Deployment
⬡ Vulnerabilities and Protection
⬡ Identity and Trust Technologies
⬡ Verification and Evaluation
⬡ Incident Response
⬡ Human Factors / Cultural Anthropology
⬡ Legal, Ethical, and Social Implications

Course Assessment
⬡ Coursework: 40%
  - Two (2) Tests (20%), Assignment (10%) & Labs (10%)
⬡ Finals: 60%

Course Requirements
⬡ Attend all class sessions and labs
⬡ Review slides and other required/assigned readings before class
⬡ Participate in class discussions
⬡ Submit all assignments inside the submission period

“Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.” – Chris Pirillo

Information Assurance & Security

Learning Objectives
⬡ Understand the concept of Information Assurance.
⬡ The need and importance of Information Assurance.
⬡ The core principles surrounding IA.
⬡ IA Architecture Framework, Process and Model.
⬡ Difference between Information Assurance and Information Security.
⬡ Overview of Risk Management and Security.

Brief Re-cap
Baltzan, Paige. 2017. Information Systems, 4/e. McGraw Hill. ISBN: 978-1-259-81429-7

What Is Information?
⬡ “Information is data endowed with relevance and purpose.” (Blyth and Kovacich, p. 17)
⬡ Characteristics that information should possess to be useful: accurate, timely, complete, verifiable, consistent, available

What Is Assurance?
⬡ Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy – CNSSI 4009
⬡ The degree of confidence that the security needs of a system are satisfied
⬡ Grounds for confidence that the four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation – NIST SP 800

What Is Security?
⬡ Security is concerned with the protection of assets. “Assets” are entities upon which someone places value.
⬡ Security is a condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.

What Is Information Assurance?
⬡ “Protecting Information Assets from destruction, degradation, manipulation and exploitation by an opponent.” (Blyth and Kovacich)
⬡ Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and nonrepudiation
⬡ These measures include providing for restoration of information systems by incorporating protection, detection and reaction capabilities
⬡ IA defines and applies a collection of policies, standards, methodologies, services and mechanisms to maintain mission integrity with respect to people, process, technology, information and supporting infrastructure
⬡ IA provides for confidentiality, integrity, availability, possession, utility, authenticity, nonrepudiation, authorized use, and privacy of information in all forms and during all exchanges

What Is IA Cont’d?
⬡ Information assurance is the practice of managing information-related risks
⬡ More specifically, IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation.
⬡ These goals are relevant whether the information is in storage, processing, or transit, and whether it is threatened by malice or accident
⬡ In other words, IA is the process of ensuring that authorized users have access to authorized information at the authorized time

What Is Information Security?
⬡ The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Why Do We Need Information Assurance & Security (IAS)?
⬡ Discussions on…
  - Ecommerce
  - Health Care
  - Banking
  - Business Processes
  - National Defense
  - Mission-critical information processing
  - Aircraft Flight Management Systems
  - Other Navigation Systems
Aspects of Information Assurance taken from Storage Networking Industry Association, 2009, “Introduction to Information Assurance”

IA Core Principles
⬡ Confidentiality – disclosure only to authorized users
⬡ Integrity – original intended form
⬡ Availability – ready for use within stated operational parameters
⬡ Possession – remains in the custody of authorized personnel
⬡ Authenticity – conforms to reality or is not misrepresented
⬡ Utility – fit for a purpose and in a usable state
⬡ Privacy – protection of personal information and adherence to relevant privacy compliances
⬡ Authorized Use – available only to authorized personnel
⬡ Nonrepudiation – ensure that the originator of a message or transaction may not later deny the action
Image source: https://www.naavi.org/wp/starting-an-information-assurance-program/

IA Architecture Framework
⬡ Conceptual structure for defining and describing an IA architecture
⬡ IA root driver is Risk
  - Business drivers
  - Technical drivers
⬡ IA Architectural Perspectives
  - People
  - Policy
  - Business process
  - System & Application
  - Information/data
  - Infrastructure

Information Assurance Process
⬡ Enumeration & Classification of the data/information assets: value, state, location, sensitivity, form
⬡ Risk Assessment (vulnerabilities & threats)
⬡ Risk Analysis (probability & impact)
⬡ Risk Management (treatment, systems)
⬡ Test, Review, Monitor
⬡ Repeat…

Information Assurance Model
⬡ IA Models are tools dedicated to defending 3 key elements
  - People – training, ethics, culture, education, motivation
  - Process – procedures, rules, standards, security guidelines
  - Technology – tools to mitigate attacks, e.g. firewall, antivirus, encryption etc.
Image source: https://cybersecnugget.wordpress.com/2015/04/26/it-security-modelling-tools-information-assurance-model/

Information Assurance & Security Models
⬡ Confidentiality, Integrity, Availability (CIA) Triad
⬡ Committee on National Security Systems (CNSS) McCumber Cube
⬡ Business Model for Information Security (BMIS)
⬡ A Reference Model for Information Assurance & Security (RMIAS)

McCumber Cube & BMIS
⬡ McCumber Cube: incorporates CIA into its model and builds upon it with two other dimensions – Information States and Security Measures.
  - Information States
  - Security Countermeasures
⬡ BMIS: a three-dimensional, pyramid-shaped structure made up of four elements linked together by six dynamic interconnections.
⬡ The model takes a business-oriented approach to managing information security to demonstrate that information security can be both predictive and proactive.
⬡ Source: https://www.slideserve.com/horace/a-business-model-for-information-security-management-bmis

IA vs Information Security (InfoSec)
⬡ IA is a complete process/model that includes the elements of InfoSec
⬡ Both involve people, processes, techniques, and technology, e.g. administrative, technical, and physical controls
⬡ InfoSec – confidentiality, integrity and availability, also known as the CIA triad
⬡ IA explicitly includes reliability, access control, and nonrepudiation as well as a strong emphasis on strategic risk management
⬡ ISMS are more closely aligned with IA
⬡ Common security frameworks include ISO/IEC 27001-2:2005-6, ITGI, COBIT, COSO, FFIEC, NIST, CICA, ITCG, OGC and ITIL

Scope Of Information Assurance
Image source: https://www.researchgate.net/figure/Relationship-Between-IA-and-INFOSEC-Information-Assurance-is-now-viewed-as-both_fig3_235470635

The Security Paradigm
⬡ Principle 1: The hacker will probably be someone you know
⬡ Principle 2: Trust no one
⬡ Principle 3: Make the hacker believe s/he will be caught
⬡ Principle 4: Protect in layers
⬡ Principle 5: While planning, presume complete failure of a single layer
⬡ Principle 6: Make security part of the initial design
⬡ Principle 7: Disable unneeded services, packages, features
⬡ Principle 8: Before connecting, understand and secure
⬡ Principle 9: Prepare for the worst

Risk Management Lifecycle
Image sources:
https://commons.wikimedia.org/wiki/File:A_Reference_Model_of_Information_Assurance_and_Security_%28RMIAS%29.png
https://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf

Security Big Picture
Image source: https://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf

Risk Treatment Decision Making Process
Image source: https://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf

Risk Treatment Options
⬡ Risk Avoidance – seeks to avoid compromising events entirely
⬡ Risk Transfer – involves the contractual shifting of a pure risk from one party to another
⬡ Risk Reduction – measures to reduce the risk
⬡ Risk Retention – keep the risk and have plans to deal with it when it occurs

Points to note…
⬡ Root driver of IA is risk
⬡ Effective IA requires integration from inception
⬡ The weak link in security is most often the human element
⬡ Manage the risks or mitigate the consequences
⬡ A holistic approach to security includes people, the organization, governance, process and technology
⬡ The security program is expected to keep the organization out of trouble and out of the headlines
⬡ Implementing firewalls and hardening systems are no longer really security issues but operational issues
⬡ Risk management is a balance of cost and risk

Thanks! Any questions?
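The following script is an added illustration, written for this page and not taken from the lecturer's slides or any of the course texts, of three pieces of the session together: the Information Assurance Process (enumeration and classification of assets, risk assessment, risk analysis as probability and impact, risk management by treatment), the four Risk Treatment Options, and the closing point that risk management is a balance of cost and risk. It assumes one common way to make "probability & impact" numeric, the annualised loss expectancy (ALE = annual rate of occurrence × single loss expectancy); the assets, loss figures, control costs and risk-appetite thresholds are constructed for the illustration, not figures from the course.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Example code added for this page; not the lecturer's or the course texts' material.
OPTIONS = ("avoid", "transfer", "reduce", "retain")  # the four risk treatment options

# Constructed assumption: residual annual loss (dollars) the organisation is
# willing to carry for an asset of each sensitivity class (its "risk appetite").
APPETITE = {"confidential": 10_000.0, "internal": 25_000.0, "public": 50_000.0}


@dataclass(frozen=True)
class Asset:
    """Output of the enumeration & classification step."""
    name: str
    value: float        # business/replacement value in dollars
    state: str          # storage | processing | transit
    sensitivity: str    # key into APPETITE


@dataclass(frozen=True)
class Risk:
    """A threat/vulnerability pair from the assessment step, analysed as ALE."""
    asset: Asset
    threat: str
    vulnerability: str
    aro: float          # probability: annualised rate of occurrence
    exposure: float     # impact: fraction of asset value lost per incident, 0..1

    @property
    def sle(self) -> float:   # single loss expectancy
        return self.asset.value * self.exposure

    @property
    def ale(self) -> float:   # annualised loss expectancy = probability x impact
        return self.aro * self.sle


@dataclass(frozen=True)
class Treatment:
    option: str         # one of OPTIONS
    description: str
    annual_cost: float
    aro_after: float    # probability once the treatment is in place
    exposure_after: float

    def __post_init__(self) -> None:
        if self.option not in OPTIONS:
            raise ValueError(f"unknown treatment option {self.option!r}")


def residual_ale(risk: Risk, t: Treatment) -> float:
    return t.aro_after * risk.asset.value * t.exposure_after


def net_benefit(risk: Risk, t: Treatment) -> float:
    """Loss avoided per year minus what the treatment costs per year."""
    return risk.ale - residual_ale(risk, t) - t.annual_cost


def retain(risk: Risk) -> Treatment:
    """Retention is always available: keep the risk and plan the response."""
    return Treatment("retain", "accept; keep a response plan", 0.0, risk.aro, risk.exposure)


def select_treatment(risk: Risk, candidates: List[Treatment]) -> Treatment:
    """Best net benefit among treatments that bring residual risk within appetite;
    if none does, take whichever leaves the least residual risk."""
    options = list(candidates) + [retain(risk)]
    appetite = APPETITE[risk.asset.sensitivity]
    within = [t for t in options if residual_ale(risk, t) <= appetite]
    if within:
        return max(within, key=lambda t: net_benefit(risk, t))
    return min(options, key=lambda t: residual_ale(risk, t))


# Constructed register: assets, threats, figures and controls are illustrative only.
CUSTOMER_DB = Asset("customer_db", 500_000.0, "storage", "confidential")
WEB_PORTAL = Asset("web_portal", 200_000.0, "processing", "internal")
LEGACY_FTP = Asset("legacy_ftp", 50_000.0, "transit", "internal")

REGISTER = [
    (Risk(CUSTOMER_DB, "data breach", "unpatched DBMS", aro=0.2, exposure=0.6), [
        Treatment("reduce", "monthly patching plus DB activity monitoring", 15_000.0, 0.05, 0.6),
        Treatment("transfer", "cyber-insurance policy", 20_000.0, 0.2, 0.2),
    ]),
    (Risk(WEB_PORTAL, "denial of service", "public endpoint, no rate limiting", aro=1.0, exposure=0.05), [
        Treatment("reduce", "upstream traffic scrubbing service", 12_000.0, 0.2, 0.05),
    ]),
    (Risk(LEGACY_FTP, "credential sniffing", "cleartext FTP on the LAN", aro=0.5, exposure=1.0), [
        Treatment("avoid", "decommission FTP; migrate transfers to SFTP", 8_000.0, 0.0, 1.0),
    ]),
]


def build_register() -> List[Tuple[Risk, Treatment]]:
    """Rank risks by ALE (highest first) and attach the chosen treatment. The residual
    figures are what the test/review/monitor step measures against next cycle."""
    ranked = sorted(REGISTER, key=lambda entry: entry[0].ale, reverse=True)
    return [(risk, select_treatment(risk, cands)) for risk, cands in ranked]


if __name__ == "__main__":
    for risk, t in build_register():
        print(f"{risk.asset.name:12} ALE ${risk.ale:>9,.0f} -> {t.option:8} "
              f"residual ${residual_ale(risk, t):>9,.0f} net ${net_benefit(risk, t):>8,.0f}")
```

Running it ranks the three constructed risks by ALE and prints the selected treatment with its residual loss. The denial-of-service case is the one that shows the cost/risk balance from the closing slide: the scrubbing service costs more per year than the loss it prevents, so retention wins; the confidential database exceeds its appetite under every option, so the selector falls back to the treatment with the least residual loss rather than the best net benefit.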