3-INFORMATION SECURITY AND CIA TRIAD.pdf

Full Transcript

ITE 115

INFORMATION ASSURANCE AND
SECURITY

John Paulus Serafin Gazzingan
Instructor
INFORMATION ASSURANCE AND
SECURITY

SCAN ME!!!

Disclaimer: This registration is part of a phishing simulation for training and educational purposes. Any
information entered during this exercise will be used solely for educational purposes and will be deleted
after the simulation. No real harm will be done to your account or system.
INFORMATION ASSURANCE AND
SECURITY

Lesson 1.1

Introduction to Information Security
INFORMATION ASSURANCE AND
SECURITY
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

AVAILABILITY. It permits authorized users—persons or computer systems—to access information
without interference or obstruction and to receive it in the proper format.

Consider research libraries, which require identification before admission. The contents of the library
are protected by librarians so that only authorized patrons have access to them. Before a patron gets
free access to the book stacks, the librarian must accept identification. When approved users get
access to the stacks, they expect to discover the material they need in a usable format and in a
language they understand, which in this case usually means bound in a book and written in English.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

ACCURACY. When information is free of faults or errors and has the value that the end user expects, it is
said to be accurate. If data have been altered, whether purposefully or unintentionally, it is no longer
accurate.

Take a bank account, for example. You believe that the information on your checking account is a true
reflection of your financial situation. External or internal faults can lead to incorrect information in your
checking account. The value of the information is affected if a bank teller, for example, incorrectly adds
or subtracts too much from your account. Alternatively, you could enter an inaccurate amount into your
account register by accident. In any case, an incorrect bank balance could lead to errors, such as
bouncing a check.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

AUTHENTICITY. Information authenticity refers to the attribute or state of being genuine or original, as
opposed to a copy or fabrication. When information is in the same state as when it was created, placed,
saved, or transferred, it is said to be authentic. Consider some popular e-mail misconceptions for a
moment. When you get e-mail, you assume it was created and sent by a certain person or group—you
assume you know where the e-mail came from
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

This isn’t always the case, though. The act of sending an e-mail message with a modified field, known as
e-mail spoofing, is an issue for many individuals nowadays, because the modified field is frequently the
originator’s address. Spoofing: the sender’s address can receive e-mail recipients into believing that
messages are real, causing them to open e-mail that they would not have otherwise.

Phishing is a type of spoofing in which an attacker tries to get personal or financial information through
deception, most commonly by impersonating another person or organization. Mention law enforcement
or private detectives, pretending to be someone you are not is referred to as pretexting. When employed
in a phishing attack, e-mail spoofing leads users to a Web server that does not represent the
organization it claims to represent, with the goal of stealing personal information such as account
numbers and passwords.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

The Facebook and Google scam. In this classic case of business email compromise (BEC), a
Lithuanian man named Evaldas Rimasauskas stole over $100 million from Facebook and Google.
Rimasauskas and his co-conspirators created fairly convincing forged email accounts of Taiwan-based
Quanta Computer, which actually does business with Facebook and Google. They sent carefully crafted
phishing emails with fake invoices, contracts and letters to employees at both these tech giants, falsely
billing them for millions of dollars over a period of two years between 2013 to 2015. The Facebook and
Google employees paid more than $100 million to Rimasauskas’ fake company’s bank accounts, which
he reportedly laundered through banks in Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.
https://www.graphus.ai/blog/worst-phishing-attacks-in-history/
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

CONFIDENTIALITY. When information is safeguarded from disclosure or exposure to unauthorized
individuals or systems, it is said to be confidential. Confidentiality ensures that only those with the
necessary rights and privileges have access to information. Confidentiality is violated when information
is viewed by unauthorized individuals or systems. You can take a number of steps to maintain
information confidentiality, including the following:

1.Classification of data;
2.Document storage that is secure;
3.Implementation of broad security policies;
4.Information custodians and end users must be educated.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

Confidentiality, like the majority of information traits, is interdependent on others, and is most closely
tied to the characteristic known as privacy. In Chapter 12, "Legal and Ethical Issues in Security," the
relationship between these two traits is discussed in greater depth.

When it comes to personal information regarding employees, customers, or patients, secrecy is
extremely important. Individuals who trade with an organization, whether it is a federal agency like the
Internal Revenue Service or a corporation, want their personal information to be kept private. When
businesses reveal confidential information, problems develop.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

Almost every day, as a customer, you give up pieces of personal information in exchange for
convenience or value. You reveal part of your spending patterns by utilizing a "members only" card at the
grocery shop. When you participate in an online survey, you are exchanging elements of your personal
history in exchange for internet access. Your personal information is studied, sold, replaced, and
circulated in bits and pieces, eventually coalescing into profiles and even whole dossiers about yourself
and your life.

Salami theft is a criminal enterprise that employs a similar strategy. A deli worker understands that
stealing an entire salami is impossible, but a few pieces here and there may be taken home without
being noticed. The deli employee eventually steals a full salami. Salami theft occurs in information
security when an employee steals a few pieces of data at a time; knowing that taking more would be
caught, but finally the person acquires something complete or usable.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

INTEGRITY. When information is whole, complete, and uncorrupted, it has integrity. When information is
vulnerable to corruption, damage, destruction, or other disruption of its authentic state, its integrity is
jeopardized. Information might be corrupted as it is being stored or delivered. Many computer viruses
and worms are created with the express intent of causing data corruption. As a result, looking for
changes in file integrity is another important way of ensuring information integrity, in which a file is read
by a particular algorithm that computes a single big integer called a hash value based on the value of the
bits in the file. Any combination of bits has a unique hash value.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

External influences, such as hackers, aren’t always to blame for file corruption. Noise in the
transmission medium, for example, might cause data to be corrupted. When data are transmitted on a
circuit with a low voltage level, the data can be altered and corrupted. Internal and external hazards to
information integrity can be compensated for using redundancy bits and check bits. Algorithms, hash
values, and error-correcting codes protect the integrity of the data during transmission. Data that have
had its integrity tampered with are resent.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

UTILITY. The attribute or state of having value for some goal or end is known as information utility. When
information can be used for a certain purpose, it is valuable. It is useless to have information that is
available but not in a manner that is understandable to the end user. To a private citizen in the United
States, for example, census data may quickly become overwhelming and difficult to analyze. For a
politician, though, census data offer details on a district’s residents, such as ethnicity, gender, and age.
These data can aid in the development of a politician’s future campaign strategy.
INFORMATION ASSURANCE AND
SECURITY

Expanded CIA Triad

POSSESSION. The quality or state of ownership or control of information is referred to as "possession."
If one acquires information, regardless of format or other features, it is said to be in one’s possession.
While a violation of confidentiality always results in a breach of possession, a breach of possession
does not necessarily result in a breach of confidentiality.

Assume a corporation uses an encrypted file system to keep its important customer data. An ex-
employee plans to duplicate the tape backups and sell the customer information to the competition. A
breach of custody occurs when the tapes are removed from their secure environment. However,
because the data are encrypted, neither the employee nor anyone else can read it without the correct
decryption tools; thus, no breach of confidentiality has occurred. People who sell company secrets now
face more harsh fines and the possibility of jail time. Furthermore, employers are becoming increasingly
hesitant to recruit people who have a history of dishonesty.
INFORMATION ASSURANCE AND
SECURITY

Components of an Information System

An information system (IS), is much more than computer hardware; it is the full combination of
software, hardware, data, people, procedures, and networks that enable the company to utilize
information resources. Information can be input, processed, output, and stored using these six
important components. Each of these IS components has its own set of strengths and weaknesses, as
well as unique features and applications. Additionally, each component of the information system has
its own set of security needs.
INFORMATION ASSURANCE AND
SECURITY

Components of an Information System

SOFTWARE. Applications, operating systems, and various command utilities make up the software
component of the IS. Perhaps the most challenging IS component to safeguard is software. A significant
chunk of information-related attacks is based on exploiting faults in software programming. Reports of
holes, bugs, vulnerabilities, or other basic faults in software abound in the information technology
sector. In truth, defective software affects many aspects of daily life, from smartphone crashes to faulty
vehicle control computers that result in recalls.

Software is the lifeblood of an organization’s information flow. Unfortunately, software products are
frequently developed under project management limitations, which limit time, money, and people.
Information security is frequently introduced as an afterthought rather than being created as a core
component from the start. As a result, software programs become an easy target for unintentional or
deliberate attacks.
INFORMATION ASSURANCE AND
SECURITY

Components of an Information System

HARDWARE. Hardware refers to the physical technology that contains and executes software, stores,
and transfers data, and provides interfaces for entering and removing data from a system. Physical
security policies deal with hardware as a physical asset and how to keep it safe from harm or theft.

Traditional physical security methods, such as locks and keys, restrict access to and interaction with an
information system’s hardware components. Because a breach of physical security might result in the
loss of information, it is critical to secure the physical location of computers as well as the computers
themselves. Unfortunately, most information systems are constructed on hardware platforms that, if
unlimited access to the hardware is permitted, cannot ensure any level of information security.
INFORMATION ASSURANCE AND
SECURITY

Components of an Information System

DATA: The most valuable asset in a computer system. It needs protection during storage, processing,
and transmission, as it is often a target of malicious attacks. Using robust database management
systems can help protect data from unauthorized access and exploitation.

In systems built in recent years, when done correctly, this should increase the data and application's
security. Unfortunately, many system development projects do not fully utilize the database
management system’s security features, and the database is sometimes deployed in less secure ways
than traditional file systems.
INFORMATION ASSURANCE AND
SECURITY

Components of an Information System

PEOPLE: individuals can be the weakest link in a company’s information security program. Individuals
will continue to be the weakest link until policy, education and training, awareness, and technology are
appropriately implemented to prevent people from mistakenly or intentionally harming or losing
information. The human desire to cut corners and the ubiquitous character of human error can be
exploited by social engineering. It can be used to control people’s actions in order to gain access to
system information.
INFORMATION ASSURANCE AND
SECURITY

Components of an Information System

PROCEDURES. Procedures are another aspect of an IS that is usually disregarded. Procedures are step-
by-step instructions for completing a task. When an unauthorized user obtains an organization’s
methods, the integrity of the data is jeopardized.

For example, a bank consultant learned how to wire funds utilizing processes that were easily available
at the computer center. This bank consultant ordered millions of dollars to be wired to his own account
by taking advantage of a security flaw (lack of verification). Before the matter was resolved, lax security
practices resulted in a loss of over 10 million dollars. Most companies offer procedures to their
legitimate employees so that they can access the information system, but many of them fail to provide
adequate training on how to secure the processes. As crucial as physically securing the information
system is educating staff about security protocols. Procedures, after all, are data in and of themselves.
As a result, knowledge of processes, like other vital information, should only be shared with individuals
of the organization who need to know.
INFORMATION ASSURANCE AND
SECURITY

Components of an Information System

NETWORKS. The networking component of an IS is responsible for most of the demand for better
computer and information security. When information systems are linked to local area networks (LANs),
and these LANs are linked to other networks, such as the Internet, new security concerns emerge
quickly. Physical technology that supports physical security methods, such as locks and keys, are still
useful for restricting access to the interaction with the hardware components of an information system;
but when components of systems are networked, this technique is no longer significant. Network
security measures, as well as the development of alarm and intrusion detection sensors to alert system
owners to rogue intrusions, are critical.
INFORMATION ASSURANCE AND
SECURITY

Balancing Information Security and Access

It is difficult to achieve complete information security even with the best design and implementation.
Remember James Anderson’s statement, where he stressed the importance of balancing security and
access. Information security is a process, not a goal, so it can’t be perfect. It is possible to make a
system accessible to anyone, anywhere, at any time, and using any method. However, such unrestricted
access jeopardizes the information’s security. A totally secure information system, on the other hand,
would not allow anyone access.

The security level must allow fair access while protecting against risks in order to establish balance—
that is, to operate an information system that satisfies both the user and the security expert. When it
comes to balancing information security and access. Due to today’s security concerns and difficulties,
an information system or data-processing department can become too invested in system management
and security. When the end user’s demands are overshadowed by a focus on safeguarding and
administering information systems, an imbalance can arise.
INFORMATION ASSURANCE AND
SECURITY

Approaches to Information Security Implementation

Information security might start with a grassroots effort by system administrators to improve their
systems' security. A bottom-up strategy is what this is known as. The technical expertise of individual
administrators is a fundamental benefit of the bottom-up approach/strategy. Working with information
systems on a daily basis, these administrators have a wealth of experience that can substantially aid the
construction of a security system. They are aware of and comprehend the dangers to their systems, as
well as the processes required to successfully protect them. Unfortunately, because it lacks a number
of important elements, such as participant support and organizational staying power, this technique
rarely works.
INFORMATION ASSURANCE AND
SECURITY

Approaches to Information Security Implementation

1. Bottom-Up Approach: The company’s security model is applied by system administrators or
people who are working in network security or as cyber-engineers. The main idea behind this
approach is for individuals working in this field of information systems to use their knowledge and
experience in cybersecurity to guarantee the design of a highly secure information security model.

Key Advantages: An individual’s technical expertise in their field ensures that every system
vulnerability is addressed and that the security model is able to counter any potential threats.

Disadvantage:: Due to the lack of cooperation between senior managers and relevant directives, it
is often not suitable for the requirements and strategies of the organization.
INFORMATION ASSURANCE AND
SECURITY

Approaches to Information Security Implementation

The top-down strategy, in which upper-level managers launch the project by issuing policy, procedures,
and processes, dictating the goals and expected outcomes, and assigning responsibilities for each
required activity, has a greater success rate. Strong upper-management support, a devoted champion,
usually dedicated financing, a clear planning and implementation procedure, and the ability to influence
corporate culture are all features of this method. A formal development plan known as a systems
development life cycle is also used in the most successful top-down approach.
INFORMATION ASSURANCE AND
SECURITY

Approaches to Information Security Implementation

2. Top-Down Approach: This type of approach is initialized and initiated by the executives of the
organization.

They formulate policies and outline the procedures to be followed.
Determine the project’s priorities and expected results
Determine liability for every action needed
INFORMATION ASSURANCE AND
SECURITY

Approaches to Information Security Implementation

This approach looks at each department’s data and explores how it’s connected to find vulnerabilities.
Managers have the authority to issue company-wide instructions while still allowing each person to play
an integral part in keeping data safe. Compared to an individual or department, a management-based
approach incorporates more available resources and a clearer overview of the company’s assets and
concerns.

A top-down approach generally has more lasting power and efficacy than a bottom-up approach
because it makes data protection a company-wide priority instead of placing all the responsibility on
one person or team. Data vulnerabilities exist in all offices and departments, and each situation is
unique. The only way for an information security program to work is by getting every manager, branch,
department, and employee in agreement with a company-wide plan.
INFORMATION ASSURANCE AND
SECURITY

Approaches to Information Security Implementation