ITNAS 1: Information Assurance and Security 1 Lecture PDF

Summary

This document is a lecture on information assurance and security, covering concepts like information, security domains, and security measures. It explores the different perspectives of IA, highlighting computer security, personnel security, and physical security.

Full Transcript

ITNAS 1: Information Assurance and Security 1
Prepared by: METHUSELAH AZUCENA DABA-AY, MSCS [email protected]

Thought Experiment

Suppose you visit an e-commerce website such as your bank, stock broker, etc. Before you type in highly sensitive information, you’d like to have some assurance that your information will be protected. Do you have such assurance? How can you know? What security-relevant things do you want to happen, or not happen, when you use such a website?

You might want:
- Privacy of your data
- Protection against phishing
- Integrity of your data
- Authentication
- Authorization
- Confidentiality
- Non-repudiation
- Availability
- What else?

Which of these do you think fall under Information Assurance?

What is Information?

Information Assurance, so what is “information”? How does information differ from data?

“Information is data endowed with relevance and purpose. Converting data into information thus requires knowledge. Knowledge by definition is specialized.” (Blyth and Kovacich, p. 17)

And what characteristics should information possess to be useful? It should be: accurate, timely, complete, verifiable, consistent, available.

According to Raggad, the following are all distinct conceptual resources:
- Data: raw facts with a known coding system
- Information: processed data
- Knowledge: accepted facts, principles, or rules of thumb that are useful for specific domains. Knowledge can be the result of inferences and implications produced from simple information facts.

What is Information Assurance?

What about “assurance”? What does that mean? Assurance from what, or to do what?

According to the U.S. Department of Defense, IA involves: Actions taken that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.

Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation, manipulation and exploitation, but also how to recover should any of those happen.

What is IA?

Information Assurance is such a broad field that there is no universally accepted definition. Researchers often give their own spin to IA, usually reflecting their own concerns. These slides present several different views of IA.

A Different View of IA

According to Debra Herrmann (Complete Guide to Security and Privacy Metrics), IA should be viewed as spanning four security engineering domains:
- physical security
- personnel security
- IT security
- operational security

“The simple truth is that IT security cannot be accomplished in a vacuum, because there are a multitude of dependencies and interactions among all four security engineering domains.” (Herrmann, p. 10)

So threats and risks to IA should be considered along these dimensions as well.

Four Security Domains

Quotes from Debra Herrmann, Complete Guide to Security and Privacy Metrics:

“Physical security refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets.”

“Personnel security is a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners.”

“IT security is the inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability.”

“Operational security involves the implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources, the purpose of which is to: (1) achieve and sustain a known secure system state at all times, and (2) prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system resources.”

Yet Another Perspective

According to Raggad’s taxonomy of information security, a computing environment is made up of five continuously interacting components: activities, people, data, technology, and networks. A comprehensive security plan must take all of these into account. Does protecting a computing environment merely mean protecting these five components?

Yet Another View: Components of IA

IA includes computer and information security, but more besides. According to Blyth and Kovacich, IA can be thought of as protecting information at three distinct levels:
- physical: data and data processing activities in physical space;
- information infrastructure: information and data manipulation abilities in cyberspace;
- perceptual: knowledge and understanding in human decision space.

IA Overview

“If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere.” – Carl von Clausewitz

A recent headline in the AAS read: “The Biggest Threat to Computer Security? Carelessness”

Principle of Easiest Penetration: An attacker on any information system will use the simplest means of subverting system security.
