Information Assurance & Security 1.pdf

Full Transcript

LEMERY COLLEGES
A. Bonifacio St., Bagong Sikat, Lemery, Batangas
SCHOOL OF COMPUTER STUDIES

Lesson 1
TOPIC: FUNDAMENTALS OF INFORMATION ASSURANCE AND INFORMATION
SECURITY

COURSE CONTENT

1.1 What is IA?

Digital Forensic and Cyber Security Center (DFCSC) defines IA as:” the practice of assuring information and managing risks
related to the use, processing, storage, and transmission of information or data and the systems and processes used for those
purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation, and
confidentiality of user data.

1.2 Five Information Assurance Pillars

The five (5) IA pillars are “availability, integrity, authentication, confidentiality, and
non-repudiation. These pillars and any measures taken to protect and defend
information and IS, including providing for the restoration of information systems
constitute the essential underpinnings for ensuring trust and integrity in information
systems.”

Availability- Data availability means that information is accessible to authorized users. It provides an assurance that your
system and data can be accessed by authenticated users whenever they’re needed.
Integrity, which means protecting against improper information modification or damage, and includes ensuring information
nonrepudiation and authenticity.
Confidentiality, which means preserving, authorized restrictions on access and disclosure, including means for protecting
personal privacy and proprietary information
Authentication is the process of determining whether someone (or something) is, in fact, who (or what) it is declared to be.
Non-repudiation, on the other hand, is defined by www.cryptomathic.com as “a legal concept that is widely used in information
security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-
repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity
of that message.”

1.3 What is Information Security
Information security, shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording, or destruction. It is a general term that can be used regardless of the
form the data may take.

Telephone Number E-mail
+63 740 2200 [email protected]

creating life’s champion
LEMERY COLLEGES
A. Bonifacio St., Bagong Sikat, Lemery, Batangas
SCHOOL OF COMPUTER STUDIES

The two (2) aspects of information security are (1) “Information assurance is an act of ensuring that data is not lost when critical
issues arise. (2) IT security is sometimes referred to as information security applied to technology (most often used in some
form of computer system).

IT security specialists are responsible for keeping all of the technology within the company secure from malicious cyber-
attacks that often attempt to breach critical private information or gain control of the internal systems.

All institutions, both public and private, deal with a lot of confidential information. With the advent of modern technology, most
of this information is now gathered, processed saved digitally, and, transmitted over computer networks. Write ways on how
this information shall be secured properly to prevent loss of sensitive or confidential information, prevent hostile use of data, or
avoid damage to the organization’s reputation.

1.4 PRINCIPLES OF SECURITY

The CIA triad embodies the three concepts of “fundamental security objectives for both data,
information, and computing services.”

1. CONFIDENTIALITY- is a set of rules that limits access to information.” The term is
used to “prevent the disclosure of information to unauthorized individuals or systems.
Measures undertaken to ensure confidentiality are designed to prevent sensitive
information from reaching the wrong people while making sure that the right people can in fact get it.”

Let us take this as an example: “…credit card transaction on the Internet requires the credit card number to be transmitted from
the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce
confidentiality by encrypting the card number during transmission, limiting the places where it might appear (in databases,
backups, printed receipts, etc.), and restricting access to the places where it is stored. If an unauthorized party obtains the card
number in any way, a breach of confidentiality has occurred. In summary, confidentiality is important in maintaining people’s
privacy. Unauthorized disclosure of information will likely occur when confidentiality is lost.

2. INTEGRITY- is the assurance that the information is trustworthy and accurate. It involves maintaining the consistency,
accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be
taken to ensure that data cannot be altered by unauthorized people. This goal defines how we prevent our data from
being altered. MiTM (Man in the Middle attacks) is an example threat for this goal.

3. AVAILABILITY- This means that assets are accessible to authorized parties at appropriate times. Availability is very
much a concern beyond the traditional boundaries of computer security. We want to ensure that legitimate users will
have reasonable access to their systems without fear of being attacked by unauthorized users.

2.1 ASSETS, ATTACKS, RISKS, THREATS, VULNERABILITIES AND COUNTERMEASURES

In Information Security, ASSET refers to any pieces of information, devices, or some other parts related to them that support
business activities. Assets are either components of a computer and/or the data that are stored in it. Basically, assets are the

Telephone Number E-mail
+63 740 2200 [email protected]

creating life’s champion
LEMERY COLLEGES
A. Bonifacio St., Bagong Sikat, Lemery, Batangas
SCHOOL OF COMPUTER STUDIES

stuff that should be put under strict security measures because failure to do so may result in losses to the organization. To put
it simply, assets are the main reason why we need to secure and assure our information system, that once these are exposed,
it may lead to problems leading to the organizations’ losses. On a detailed part, mismanagement of the assets may lead to
attacks. Attacks refer to activities that are intended to snatch assets with the intention of using them for bad interests. These
attacks are everywhere whether in public or private sectors. One example of an attack is Data Breaches.

Data Breaches is an event wherein a piece of information is accessed without the consent of the authorized. This data breach
is widely observed in Web-based Information Systems because many assets exposed over the Internet are the attacker’s apple
of the eye. In fact, victims rose to 80% in India in 2019. The chart below shows the different types of attacks that happened on
the web recorded in the Month of September 2019.

The following is the list of Assets that Information Assurance and Security is trying to protect;
1. Customer Data
2. IT and Network Infrastructure
3. Intellectual Property
4. Finances and Financial Data
5. Service Availability and Productivity
6. Reputation

Hackers refer to anyone with a professional skill to access assets without any authorization. Their intention is basically to
commit crimes, mostly to steal and destroy systems. Sometimes, systems were being hacked to hold the assets of the system
hostage wherein ransom is being collected in condition to bring back the assets. However, good hackers also exist. They are
the one who uses their skills in hardware and software to bypass the security of a device or a network. Their intention is to
provide service to the victims of attacks. Either public or private sectors are hiring good hackers to help them keep their systems
safe. Computer Security Professionals named hackers metaphorically using hat colors such as White, Black, and Gray. This
name comes from the old spaghetti in the western country sides where black has been worn by bad cowboys, white has been
worn by the good ones, and gray in neutral.

The term hacker always means not good to us. However, it is very important for us to understand that our judgment of them
shall always depend on their intentions. Aside from hackers, we also have someone who violates or breaks the security of the
remote machines. They are known as Crackers. Initially, crackers get unauthorized access to vital data and deprive it of the
original user or owner. Crackers can be identified as fortunately few and far between—experts who discover security ditches
and exploit them and/or the script kiddie—one who knows how to get programs and run them legitimately. These hackers and

Telephone Number E-mail
+63 740 2200 [email protected]

creating life’s champion
LEMERY COLLEGES
A. Bonifacio St., Bagong Sikat, Lemery, Batangas
SCHOOL OF COMPUTER STUDIES

crackers are the ones whom Information Security is trying to catch. Every Attacker, whether a Hacker or a Cracker, uses tools
to perform their attacks. The following are the tools they utilize to achieve their intentions;
1. Protocol Analyzers (Sniffers). These applications put the host NIC into a mode that passes all traffic to the CPU
rather than to the controller it is designed to receive.
2. Port Scanner is an application that intends to probe a host for an open port.
3. Finger scanning, is a way to acquire human biometrics like fingerprints.
4. Vulnerability Scanning Tools are automated tools that scan web-based applications and finds vulnerability.
Examples are Cross-site scripting, SQL Injection, Command Injection, Path Traversal, and insecure server
configuration.
5. Exploit Software is a bit of technology, a chunk of data, or a series of commands that compromises a bug or
vulnerability to trigger unintended or unforeseen behavior to occur on computer software, hardware, or anything
electronic.
6. War dialers. This can be used to find backdoors into your network. This dials telephones to check if there is a line that
contains data through a modem and the like.
7. Password Cracker. This software is used to retrieve a forgotten password or other network resources. Sometimes,
these are used to access resources without permission.
8. Keystroke Loggers. Keylogger refers to a surveillance application that has the ability to record every keystroke that
is made on the system. This intends to record a log file that is usually encrypted.

Security and data breaches can happen on a large uncontrollable scale. This happens when an attacker or intruder gains
access without the permission of the asset’s owner or keeper. They use a bypass mechanism that typically can reach the
restricted areas.
A security breach is a violation that can lead to damage and even loss of assets. Simply, Security Breaches refers to any
action that would result in a violation of any rules of the Central Intelligence Agency. Most of these breaches disrupt services
intentionally. However, some of them are accidental but both can cause hardware or software failures.

The following are activities that cause Security Breaches;
1. Attack through Denial of Service (DoS). This refers to an attack that kills a machine or network, resulting in a
legitimate user not using the destroyed asset.
2. Distributed denial-of-service (DDoS). This happens when an attacker floods network traffic to the target making
it impossible for a legitimate user to be denied to use the network or a node.
3. Unacceptable Web Browsing. Acceptable web browsing is defined in an Acceptable Use Policy (AUP) like finding
a file in the directory or browsing restricted sites.
4. Wiretapping. Wiretapping refers to the practice of connecting a listening device to a telephone line to secretly
monitor a conversation.
5. Backdoors. This refers to the hidden access included by the developers. Backdoors are used to obtain exposure
to the data repositories.
6. Data Modifications. Refers to the change in data that happens purposely or accidentally. It may also include
incomplete and truncated data.

Telephone Number E-mail
+63 740 2200 [email protected]

creating life’s champion