Full Transcript

Information Assurance and Security 1 Prelim Lesson 1 Prof. John C. Valdoria, MIT College of Industrial Technology Introduction to Information Assurance Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation, manipulation and exploitat...

Information Assurance and Security 1 Prelim Lesson 1 Prof. John C. Valdoria, MIT College of Industrial Technology Introduction to Information Assurance Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation, manipulation and exploitation. But also, how to recover should any of those happen. These are some aspects of information needed protection: Availability: timely, reliable access to data and information services for authorized users; Integrity: protection against unauthorized modification or destruction of information; Confidentiality: assurance that information is not disclosed to unauthorized persons; Authentication: security measures to establish the validity of a transmission, message, or originator. Non-repudiation: assurance that the sender is provided with proof of a data delivery and recipient is provided with proof of the sender’s identity, so that neither can later deny having processed the data. The simple truth is that IT security cannot be accomplished in a vacuum, because there are a multitude of dependencies and interactions among all four security engineering domains. So threats/risks to IA should be considered along these dimensions as well. Four major categories of Information Assurance: Physical security Personnel security IT security Operational security Proper Practice of Information Assurance enforcing hard-to-guess passwords encrypting hard drives locking sensitive documents in a safe assigning security clearances to staffers using SSL for data transfers having off-site backup of documents Physical security refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets. Personnel security is a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners. IT security is the inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability.” Operational security involves the implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources, the purpose of which is to: achieve and sustain a known secure system state at all times, and prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system resources. According to Raggad’s taxonomy of information security, a computing environment is made up of five continuously interacting components: activities, people, data, technology, and networks. IA includes computer and information security. According to Blyth and Kovacich, IA can be thought of as protecting information at three distinct levels: physical: data and data processing activities in physical space; information infrastructure: information and data manipulation abilities in cyberspace; perceptual: knowledge and understanding in human decision space. The lowest level focus of IA is the Physical level: Computers, physical networks, telecommunications and supporting systems such as power, facilities and environmental controls. Also at this level are the people who manage the systems. Desired Effects: to affect the technical performance and the capability of physical systems, to disrupt the capabilities of the defender. Attacker’s Operations: physical attack and destruction, including: electromagnetic attack, visual spying, intrusion, scavenging and removal, wiretapping, interference, and eavesdropping. Defender’s Operations: physical security, OPSEC, TEMPEST. Thus, IA includes aspects of: COMPSEC: computer security; COMSEC: communications and network security; ITSEC: (which includes both COMPSEC and COMSEC); OPSEC: operations security. The second level focus of IA is the information Infrastructure level: This covers information and data manipulation ability maintained in cyberspace, including: data structures, processes and programs, protocols, data content and databases. Desired Effects: to influence the effectiveness and performance of information functions supporting perception, decision making, and control of physical processes. Attacker’s Operations: impersonation, piggybacking, spoofing, network attacks, malware, authorization attacks, active misuse, and denial of service attacks. Defender’s Operations: information security technical measures such as: encryption and key management, intrusion detection, anti-virus software, auditing, redundancy, firewalls, policies and standards. The third level focus of IA is the Perceptual level, also called social engineering: This is abstract and concerned with the management of perceptions of the target, particularly those persons making security decisions. Desired Effects: to influence decisions and behaviors. Attacker’s Operations: psychological operations such as: deception, blackmail, bribery and corruption, social engineering, trademark and copyright infringement, defamation, diplomacy, creating distrust. Defender’s Operations: personnel security including psychological testing, education, and screening such as biometrics, watermarks, keys, passwords. The flip side of Information Assurance is Information Warfare (IW).In fact, one can think of the offensive part of IW as “information operations,” and the defensive part as information assurance. Type I involves managing an opponent’s perception through deception and psychological operations. In military circles, this is called Truth Projection. Type II involves denying, destroying, degrading, or distorting the opponent’s information flows to disrupt their ability to carry out or co- ordinate operations. Type III gathers intelligence by exploiting the opponent’s use of information systems. Necessary for IW, as for any related activity, are motive, means, and opportunity. In general, the offensive players in the world of IW come in six types: Insiders: consists of employees, former employees and contractors. Hackers: one who gains unauthorized access to or breaks into information systems for thrills, challenge, power, or profit. Criminals: target information that may be of value to them: bank accounts, credit card information, intellectual property, etc. Corporations: actively seek intelligence about competitors or steal trade secrets. Governments and agencies: seek the military, diplomatic, and economic secrets of foreign governments, foreign corporations, and adversaries. May also target domestic adversaries. Terrorists: usually politically motivated and may seek to cause maximal damage to information infrastructure as well as endanger lives and property. Information Assurance Functional Components IA is both proactive and reactive involving: protection, detection, capability restoration, and response. IA environment protection pillars: “ensure the availability, integrity, authenticity, confidentiality, and non-repudiation of information” Attack detection: “timely attack detection and reporting is key to initiating the restoration and response processes.” Capability restoration: “relies on established procedures and mechanisms for prioritizing restoration of essential functions. Capability restoration may rely on backup or redundant links, information system components, or alternative means of information transfer.” What is an Asset? An asset is the resource being protected, including: physical assets: devices, computers, people; logical assets: information, data (in transmission, storage, or processing), and intellectual property; system assets: any software, hardware, data, administrative, physical, communications, or personnel resource within an information system. Assets have value so are worth protecting. Often a security solution/policy is phrased in terms of the following three categories: Objects: the items being protected by the system (documents, files, directories, databases, transactions, etc.) Subjects: entities (users, processes, etc.) that execute activities and request access to objects. Actions: operations, primitive or complex, that can operate on objects and must be controlled. For example, in the Unix operating system, processes (subjects) may have permission to perform read, write or execute (actions) on files (objects). In addition, processes can create other processes, create and delete files, etc. Certain processes (running with root permission) can do almost anything. That is one approach to the security problem. Both subjects and objects have associated attributes. The security mechanisms may operate in terms on the attributes and manipulation of the attributes can be used to subvert security. Critical Aspects Information assets (objects) may have critical aspects: availability: authorized users are able to access it; accuracy: the information is free of error and has the value expected; authenticity: the information is genuine; confidentiality: the information has not been disclosed to unauthorized parties; integrity: the information is whole, complete and uncorrupted; utility: the information has value for the intended purpose; possession: the data is under authorized ownership and control. Questions? References Goodrich & Tamassia (2015) Data Structures and Algorithms in Java Fourth Edition. https://enos.itcollege.ee/~jpoial/algorithms/GT/Data%20Structures%20 and%20Algorithms%20in%20Java%20Fourth%20Edition.pdf Shaffer (2011). A Practical Introduction to Data Structures and Algorithm Analysis http://people.cs.vt.edu/~shaffer/Book/Java3e20110103.pdf Tutorial points (2015). Data Structures and Algorithm Tutorials Point Simply Easy Learning. https://www.tutorialspoint.com/data_structures_algorithms /%20data_structures_algorithms%20tutorial.pdf

Use Quizgecko on...
Browser
Browser