Information Assurance & Security 1 PDF

Summary

This document provides an introduction to Information Assurance and Information Security as a course topic. It describes the core concepts and pillars, including availability, integrity, confidentiality, authentication, and non-repudiation. Examples used in the context of digital transactions demonstrate the practical application of these concepts.

Full Transcript


LEMERY COLLEGES
A. Bonifacio St., Bagong Sikat, Lemery, Batangas
SCHOOL OF COMPUTER STUDIES

Lesson 1
TOPIC: FUNDAMENTALS OF INFORMATION ASSURANCE AND INFORMATION SECURITY

COURSE CONTENT

1.1 What is IA?

The Digital Forensic and Cyber Security Center (DFCSC) defines IA as "the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation, and confidentiality of user data."

1.2 Five Information Assurance Pillars

The five (5) IA pillars are "availability, integrity, authentication, confidentiality, and non-repudiation. These pillars and any measures taken to protect and defend information and IS, including providing for the restoration of information systems, constitute the essential underpinnings for ensuring trust and integrity in information systems."

Availability. Data availability means that information is accessible to authorized users. It provides assurance that your system and data can be reached by authenticated users whenever they are needed.

Integrity means protecting against improper information modification or damage, and includes ensuring information non-repudiation and authenticity.

Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Authentication is the process of determining whether someone (or something) is, in fact, who (or what) it is declared to be.

Non-repudiation, on the other hand, is defined by www.cryptomathic.com as "a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data.
In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from, as well as the authenticity and integrity of that message."

1.3 What is Information Security

Information security, shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. It is a general term that can be used regardless of the form the data may take.

The two (2) aspects of information security are:
(1) Information assurance, the act of ensuring that data is not lost when critical issues arise.
(2) IT security, sometimes referred to as information security applied to technology (most often some form of computer system). IT security specialists are responsible for keeping all of the technology within the company secure from malicious cyber-attacks, which often attempt to breach critical private information or gain control of the internal systems.

All institutions, both public and private, deal with a lot of confidential information. With the advent of modern technology, most of this information is now gathered, processed, saved digitally, and transmitted over computer networks.

Exercise: Write down ways in which this information should be secured properly, so as to prevent loss of sensitive or confidential information, prevent hostile use of data, and avoid damage to the organization's reputation.

1.4 PRINCIPLES OF SECURITY

The CIA triad embodies the three concepts of "fundamental security objectives for both data, information, and computing services."

1. CONFIDENTIALITY is "a set of rules that limits access to information." The term is used to "prevent the disclosure of information to unauthorized individuals or systems.
Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people while making sure that the right people can in fact get it."

Let us take this as an example: "...a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, limiting the places where it might appear (in databases, backups, printed receipts, etc.), and restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred."

In summary, confidentiality is important in maintaining people's privacy. Unauthorized disclosure of information is the likely result when confidentiality is lost.

2. INTEGRITY is the assurance that the information is trustworthy and accurate. It involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people. This goal defines how we keep our data from being altered. A man-in-the-middle (MitM) attack, in which an attacker sits between two communicating parties and alters the messages passing through, is an example threat to this goal.

3. AVAILABILITY means that assets are accessible to authorized parties at appropriate times. Availability is very much a concern beyond the traditional boundaries of computer security. We want to ensure that legitimate users will have reasonable access to their systems without being blocked by attacks from unauthorized users.

2.1 ASSETS, ATTACKS, RISKS, THREATS, VULNERABILITIES AND COUNTERMEASURES

In Information Security, an ASSET refers to any piece of information, device, or other component related to them that supports business activities. Assets are either components of a computer and/or the data stored in it.
Basically, assets are the things that should be put under strict security measures, because failure to do so may result in losses to the organization. To put it simply, assets are the main reason why we need to secure and assure our information system: once they are exposed, problems follow that lead to losses for the organization.

Looked at in more detail, mismanagement of assets opens the door to attacks. Attacks refer to activities intended to seize assets with the intention of using them for malicious ends. These attacks happen everywhere, in both the public and private sectors. One example of an attack is a data breach. A data breach is an event in which a piece of information is accessed without the consent of its authorized owner. Data breaches are widely observed in web-based information systems, because assets exposed over the Internet are the attacker's apple of the eye. In fact, the share of victims rose to 80% in India in 2019. The chart below shows the different types of attacks that happened on the web, as recorded in the month of September 2019 (the chart itself is not included in this transcript).

The following is the list of assets that Information Assurance and Security is trying to protect:
1. Customer Data
2. IT and Network Infrastructure
3. Intellectual Property
4. Finances and Financial Data
5. Service Availability and Productivity
6. Reputation

Hackers refer to anyone with the professional skill to access assets without authorization. Their intention is basically to commit crimes, mostly to steal data and destroy systems. Sometimes systems are hacked to hold their assets hostage, with a ransom collected on the condition that the assets are given back. However, good hackers also exist. They are the ones who use their skills in hardware and software to bypass the security of a device or a network.
Their intention is to help the victims of attacks, and both public and private sectors hire good hackers to help keep their systems safe. Computer security professionals name hackers metaphorically using hat colors: White, Black, and Gray. The names come from the old spaghetti Westerns, where the villains wore black hats, the heroes wore white, and gray stood for the neutral characters. The term hacker always sounds bad to us. However, it is very important to understand that our judgment of them should always depend on their intentions.

Aside from hackers, we also have people who violate or break the security of remote machines. They are known as crackers. Typically, crackers get unauthorized access to vital data and deprive the original user or owner of it. Crackers fall into two groups: the fortunately few and far between experts who discover security holes and write exploits for them, and the script kiddies, who only know how to obtain other people's programs and run them. These hackers and crackers are the ones whom Information Security is trying to catch.

Every attacker, whether a hacker or a cracker, uses tools to perform their attacks. The following are the tools they utilize to achieve their intentions:
1. Protocol Analyzers (Sniffers). These applications put the host NIC into promiscuous mode, in which it passes every frame it sees on the wire up to the CPU instead of only the frames addressed to it, so the attacker can read all traffic on the segment.
2. Port Scanner. An application that probes a host to find open ports, and therefore the services listening on it.
3. Finger Scanning. A reconnaissance step: querying a host's finger service to learn which accounts exist and who is logged in, or fingerprinting the host to identify its operating system and service versions. Despite the name, it has nothing to do with fingerprint biometrics.
4. Vulnerability Scanning Tools. Automated tools that scan web-based applications and find vulnerabilities.
Examples of the flaws they look for are cross-site scripting, SQL injection, command injection, path traversal, and insecure server configuration.
5. Exploit Software. A piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unforeseen behaviour in computer software, hardware, or anything electronic.
6. War Dialers. These can be used to find backdoors into your network. A war dialer dials telephone numbers in bulk to check for lines that answer with a modem or a similar data device.
7. Password Crackers. Software used to recover a forgotten password for an account or other network resource. Sometimes it is used to gain access to resources without permission; it typically works by guessing candidate passwords and comparing their hashes with a stolen password hash.
8. Keystroke Loggers. A keylogger is a surveillance application that records every keystroke made on the system into a log file, which is usually hidden or encrypted so that the victim does not notice it.

Security and data breaches can happen on a large, uncontrollable scale. A breach happens when an attacker or intruder gains access without the permission of the asset's owner or keeper, using a bypass mechanism that can reach restricted areas. A security breach is a violation that can lead to damage and even loss of assets. Put simply, a security breach is any action that violates one of the CIA triad rules (confidentiality, integrity, or availability) from section 1.4; the "CIA" here has nothing to do with the Central Intelligence Agency. Most breaches disrupt services intentionally, but some are accidental, and both kinds can cause hardware or software failures. The following are activities that cause security breaches:
1. Denial of Service (DoS) attack. An attack that makes a machine or network unavailable, so that legitimate users cannot use the affected asset.
2. Distributed Denial of Service (DDoS). The attacker floods the target with network traffic from many sources at once, so that legitimate users are denied use of the network or node.
3. Unacceptable Web Browsing.
What counts as acceptable browsing is defined in an Acceptable Use Policy (AUP); browsing restricted sites, or digging through directories the policy does not allow, violates it.
4. Wiretapping. The practice of connecting a listening device to a telephone line (or, by extension, tapping a network link) to secretly monitor a conversation.
5. Backdoors. Hidden access paths left in by the developers. Backdoors are used to get at the data repositories while bypassing the normal authentication.
6. Data Modifications. Changes to data that happen purposely or accidentally. This also covers incomplete and truncated data.

Telephone Number: +63 740 2200 E-mail: [email protected] creating life's champion
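The integrity goal of section 1.4 (data must not be changed in transit, with a man-in-the-middle as the example threat), the "Data Modifications" breach above, and the credit-card confidentiality example (limit the places where the full card number appears) can all be seen in a few lines of code. The following is an added example, not code from the original lesson: a merchant attaches a keyed HMAC tag to each payment message, the processor recomputes the tag and rejects anything that was altered on the way, and receipts and logs only ever see a masked card number. The merchant/processor roles, the message fields, the shared key and the test card number are assumptions made for this example.

```python
"""Integrity tag on a payment message, plus card-number masking.

Added example, not from the original lesson. Roles, field names, the shared
key and the sample card number are assumptions made for this example.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def canonical(fields: Dict[str, str]) -> bytes:
    """Serialise the message so sender and receiver hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, fields: Dict[str, str]) -> Dict[str, str]:
    """Merchant side: attach an HMAC-SHA256 tag computed under the shared key."""
    body = canonical(fields)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_message(key: bytes, envelope: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Processor side: recompute the tag; return the fields only if it matches.

    hmac.compare_digest is a constant-time comparison, so the check does not
    leak how many leading characters of a forged tag happened to be right.
    """
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(envelope["body"])


def tamper_in_transit(envelope: Dict[str, str], field: str, value: str) -> Dict[str, str]:
    """What a man-in-the-middle can do: change a field. Without the key it
    cannot produce a matching tag, so it has to reuse the old one."""
    fields = json.loads(envelope["body"])
    fields[field] = value
    return {"body": canonical(fields).decode(), "tag": envelope["tag"]}


def mask_pan(pan: str) -> str:
    """The only form of the card number allowed on receipts and in logs:
    everything but the last four digits replaced by '*'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def demo() -> Dict[str, object]:
    # Constructed sample: a key agreed out of band and one transaction.
    key = secrets.token_bytes(32)
    message = {"merchant": "shop-42", "order": "1042", "amount": "49.99",
               "currency": "PHP", "pan": "4111111111111111"}  # well-known test PAN, not a real card
    envelope = sign_message(key, message)
    accepted = verify_message(key, envelope)

    # The MitM raises the amount; the tag no longer matches, so it is rejected.
    forged = tamper_in_transit(envelope, "amount", "4999.00")
    rejected = verify_message(key, forged)

    # Receipt line carries only the masked PAN (confidentiality: limit where it appears).
    receipt = f"order {message['order']} card {mask_pan(message['pan'])} amount {message['amount']}"

    return {"accepted": accepted == message, "rejected": rejected is None, "receipt": receipt}


if __name__ == "__main__":
    print(demo())
```

Note the limit of this construction against the fifth pillar: an HMAC proves integrity and authenticates the sender to the processor, but because both sides hold the same key, either of them could have produced the tag, so it gives no non-repudiation. Proof of origin that the merchant cannot later deny requires a digital signature made with a private key that only the merchant holds.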
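The "Password Cracker" entry in the tools list above says little about how such a tool actually works or what stops it. The following added example (not code from the original lesson) runs a dictionary attack against two kinds of stolen password store: an unsalted SHA-256 store, where one precomputed table cracks every user at once, and a per-user salted PBKDF2 store, where the table is useless and every user costs the attacker fresh, slow work. The user names, passwords, wordlist and iteration count are constructed for the example.

```python
"""Dictionary attack against unsalted and salted password stores.

Added example, not from the original lesson. Users, passwords, the wordlist
and the (deliberately low) PBKDF2 iteration count are constructed for it.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 20_000  # kept low so the example runs fast; production uses far more


# --- the weak store: hash(password) with no salt --------------------------------
def store_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Attacker precomputes hash -> word once and reuses it against every victim."""
    return {store_unsalted(w): w for w in wordlist}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup per victim; no hashing at attack time."""
    return table.get(stored_hash)


# --- the hardened store: per-user random salt + slow key derivation -------------
def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(store_salted(password, salt)[1], digest)


def crack_salted(salt: bytes, digest: bytes, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on one salted record. Returns (password or None, number
    of PBKDF2 computations spent) so the per-user cost is visible."""
    work = 0
    for w in wordlist:
        work += 1
        if store_salted(w, salt)[1] == digest:
            return w, work
    return None, work


def demo() -> Tuple[Dict[str, Optional[str]], Dict[str, Tuple[Optional[str], int]]]:
    wordlist = ["123456", "password", "letmein", "qwerty", "welcome1"]  # constructed
    users = {"ana": "letmein", "ben": "qwerty", "cy": "Tr0ub4dor&3"}    # constructed

    # Unsalted: one table, built once, cracks both weak passwords with no further work.
    table = build_lookup_table(wordlist)
    unsalted = {u: crack_unsalted(store_unsalted(p), table) for u, p in users.items()}

    # Salted: nothing in the precomputed table matches, and the attacker must
    # rerun the slow KDF once per candidate for each user separately.
    salted: Dict[str, Tuple[Optional[str], int]] = {}
    for u, p in users.items():
        salt, digest = store_salted(p)
        assert crack_unsalted(digest.hex(), table) is None
        salted[u] = crack_salted(salt, digest, wordlist)
    return unsalted, salted


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: salting and a slow KDF do not rescue a password that is in the attacker's wordlist ("letmein" and "qwerty" still fall), they only remove the precomputation and force the attacker to pay the full cost per user; and the one password outside the wordlist survives both attacks. That is why a password policy and a properly salted, slow hash are complementary, not alternatives.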
