IAS1-PL1.pdf

Transcript

Information
Assurance and
Security 1
Prelim Lesson 1

Prof. John C. Valdoria, MIT
College of Industrial Technology
Introduction to Information Assurance
 Information Assurance (IA) is the study of how to
protect your information assets from destruction,
degradation, manipulation and exploitation. But also, how
to recover should any of those happen.
These are some aspects of information needed protection:
Availability: timely, reliable access to data and information services for authorized users;
Integrity: protection against unauthorized modification or destruction of information;
Confidentiality: assurance that information is not disclosed to unauthorized persons;
Authentication: security measures to establish the validity of a transmission, message,
or originator.
Non-repudiation: assurance that the sender is provided with proof of a data delivery
and recipient is provided with proof of the sender’s identity, so that neither can later deny
having processed the data.
 The simple truth is that IT security cannot be accomplished in a
vacuum, because there are a multitude of dependencies and interactions
among all four security engineering domains. So threats/risks to IA should
be considered along these dimensions as well.

Four major categories of Information Assurance:
Physical security
Personnel security
IT security
Operational security
Proper Practice of Information Assurance

enforcing hard-to-guess passwords
encrypting hard drives
locking sensitive documents in a safe
assigning security clearances to staffers
using SSL for data transfers
having off-site backup of documents
Physical security refers to the protection of hardware, software, and data
against physical threats to reduce or prevent disruptions to operations and
services and loss of assets.

Personnel security is a variety of ongoing measures taken to reduce the
likelihood and severity of accidental and intentional alteration, destruction,
misappropriation, misuse, misconfiguration, unauthorized distribution, and
unavailability of an organization’s logical and physical assets, as the result
of action or inaction by insiders and known outsiders, such as business
partners.
IT security is the inherent technical features and functions that collectively
contribute to an IT infrastructure achieving and sustaining confidentiality,
integrity, availability, accountability, authenticity, and reliability.”

Operational security involves the implementation of standard operational
security procedures that define the nature and frequency of the interaction
between users, systems, and system resources, the purpose of which is to:
achieve and sustain a known secure system state at all times, and
prevent accidental or intentional theft, release, destruction, alteration,
misuse, or sabotage of system resources.
 According to Raggad’s taxonomy of information security, a
computing environment is made up of five continuously interacting
components: activities, people, data, technology, and networks. IA includes
computer and information security.

According to Blyth and Kovacich, IA can be thought of as protecting
information at three distinct levels:
physical: data and data processing activities in physical space;
information infrastructure: information and data manipulation abilities
in cyberspace;
perceptual: knowledge and understanding in human decision space.
The lowest level focus of IA is the Physical level:
Computers, physical networks, telecommunications and supporting
systems such as power, facilities and environmental controls. Also at this level
are the people who manage the systems.

Desired Effects: to affect the technical performance and the capability of
physical systems, to disrupt the capabilities of the defender.
Attacker’s Operations: physical attack and destruction, including:
electromagnetic attack, visual spying, intrusion, scavenging and removal,
wiretapping, interference, and eavesdropping.

Defender’s Operations: physical security, OPSEC, TEMPEST.
Thus, IA includes aspects of:
COMPSEC: computer security;
COMSEC: communications and network security;
ITSEC: (which includes both COMPSEC and COMSEC);
OPSEC: operations security.
The second level focus of IA is the information Infrastructure level:
This covers information and data manipulation ability maintained in
cyberspace, including: data structures, processes and programs, protocols, data
content and databases.
Desired Effects: to influence the effectiveness and performance of information
functions supporting perception, decision making, and control of physical
processes.
Attacker’s Operations: impersonation, piggybacking, spoofing, network
attacks, malware, authorization attacks, active misuse, and denial of service
attacks.
Defender’s Operations: information security technical measures such as:
encryption and key management, intrusion detection, anti-virus software,
auditing, redundancy, firewalls, policies and standards.
 The third level focus of IA is the Perceptual level, also called social
engineering:
This is abstract and concerned with the management of perceptions of
the target, particularly those persons making security decisions.

Desired Effects: to influence decisions and behaviors.
Attacker’s Operations: psychological operations such as: deception,
blackmail, bribery and corruption, social engineering, trademark and
copyright infringement, defamation, diplomacy, creating distrust.
Defender’s Operations: personnel security including psychological testing,
education, and screening such as biometrics, watermarks, keys, passwords.
 The flip side of Information Assurance is Information Warfare
(IW).In fact, one can think of the offensive part of IW as “information
operations,” and the defensive part as information assurance.

Type I involves managing an opponent’s perception through deception
and psychological operations. In military circles, this is called Truth
Projection.
Type II involves denying, destroying, degrading, or distorting the
opponent’s information flows to disrupt their ability to carry out or co-
ordinate operations.
Type III gathers intelligence by exploiting the opponent’s use of
information systems.
 Necessary for IW, as for any related activity, are motive, means,
and opportunity. In general, the offensive players in the world of IW
come in six types:

Insiders: consists of employees, former employees and contractors.
Hackers: one who gains unauthorized access to or breaks into
information systems for thrills, challenge, power, or profit.
Criminals: target information that may be of value to them: bank
accounts, credit card information, intellectual property, etc.
Corporations: actively seek intelligence about competitors or steal trade
secrets.
Governments and agencies: seek the military, diplomatic, and economic
secrets of foreign governments, foreign corporations, and adversaries.
May also target domestic adversaries.
Terrorists: usually politically motivated and may seek to cause maximal
damage to information infrastructure as well as endanger lives and
property.
Information Assurance Functional Components
IA is both proactive and reactive involving: protection, detection,
capability restoration, and response.
IA environment protection pillars: “ensure the availability, integrity,
authenticity, confidentiality, and non-repudiation of information”

Attack detection: “timely attack detection and reporting is key to initiating
the restoration and response processes.”
Capability restoration: “relies on established procedures and mechanisms
for prioritizing restoration of essential functions. Capability restoration may
rely on backup or redundant links, information system components, or
alternative means of information transfer.”
What is an Asset?

An asset is the resource being protected, including: physical assets:
devices, computers, people; logical assets: information, data (in transmission,
storage, or processing), and intellectual property; system assets: any software,
hardware, data, administrative, physical, communications, or personnel
resource within an information system. Assets have value so are worth
protecting.
Often a security solution/policy is phrased in terms of the following three categories:
Objects: the items being protected by the system (documents, files, directories,
databases, transactions, etc.)
Subjects: entities (users, processes, etc.) that execute activities and request
access to objects.
Actions: operations, primitive or complex, that can operate on objects and must be
controlled.
 For example, in the Unix operating system, processes (subjects)
may have permission to perform read, write or execute (actions) on files
(objects). In addition, processes can create other processes, create and
delete files, etc. Certain processes (running with root permission) can do
almost anything. That is one approach to the security problem.

Both subjects and objects have associated attributes. The security
mechanisms may operate in terms on the attributes and manipulation of
the attributes can be used to subvert security.
Critical Aspects
Information assets (objects) may have critical aspects:
availability: authorized users are able to access it;
accuracy: the information is free of error and has the value expected;
authenticity: the information is genuine;
confidentiality: the information has not been disclosed to unauthorized
parties;
integrity: the information is whole, complete and uncorrupted;
utility: the information has value for the intended purpose;
possession: the data is under authorized ownership and control.
Questions?
References
Goodrich & Tamassia (2015) Data Structures and Algorithms in Java Fourth Edition.
https://enos.itcollege.ee/~jpoial/algorithms/GT/Data%20Structures%20
and%20Algorithms%20in%20Java%20Fourth%20Edition.pdf

Shaffer (2011). A Practical Introduction to Data Structures and Algorithm Analysis
http://people.cs.vt.edu/~shaffer/Book/Java3e20110103.pdf

Tutorial points (2015). Data Structures and Algorithm Tutorials Point Simply Easy Learning.
https://www.tutorialspoint.com/data_structures_algorithms
/%20data_structures_algorithms%20tutorial.pdf