Lesson 1: Fundamentals of Information Assurance & Security (PDF)

Document Details

Uploaded by WellBeingLavender9681

Nueva Ecija University of Science and Technology

Tags

information assurance information security cybersecurity data security

Summary

This document is a lesson on information assurance and security. It defines key concepts, discusses the importance of studying information assurance and security (IAS), and outlines the basic principles.

Full Transcript

1. Define IA and INFOSEC;
2. discuss the importance of studying information assurance and security (IAS);
3. write their own IS principle/s based on the discussion made in class; and
4. analyze a simple case related to IAS.

What is IA?

The Digital Forensic and Cyber Security Center (DFCSC) defines IA as: “…the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form as well. These protections apply to data in transit, both physical and electronic forms, as well as data at rest in various types of physical and electronic storage facilities.” (http://csf102.dfcsc.uri.edu, https://en.wikipedia.org/wiki/Information_assurance)

Why Is Information Assurance Needed?

Information Assurance is very much needed in business: “IA increases the utility of information to authorized users and reduces the utility of information to those unauthorized.” (Sources: https://infogalactic.com, https://en.wikipedia.org/wiki/Information_assurance) In line with this, DFCSC stated that “IA practitioners must consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to information systems.” (http://csf102.dfcsc.uri.edu, https://en.wikipedia.org/wiki/Information_assurance)

Information Assurance Process

The IA process, as enumerated in https://infogalactic.com and https://en.wikipedia.org/wiki/Information_assurance, involves the following:

“1. Enumeration and classification of the information assets to be protected.
2. Conduct of risk assessment for those information assets (to be done by IA practitioners).
3. Enumerate possible threats capable of exploiting the assets by determining vulnerabilities in the information assets.
4. Consider the probability of a threat exploiting a vulnerability in an asset.
5. Determine the effect and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders.
6. Summarizing the products of the threats' impact and the probability of their occurrence in the information asset.”

Five Information Assurance Pillars

The five (5) IA pillars, as discussed in https://interparestrust.org/terminology/term/information assurance, are “... availability, integrity, authentication, confidentiality, and non-repudiation. These pillars and any measures taken to protect and defend information and IS, to include providing for the restoration of information systems, constitute the essential underpinnings for ensuring trust and integrity in information systems.”

The cryptology components of IA primarily concentrate on the last four pillars, namely: “… integrity, authentication, confidentiality, and non-repudiation. These pillars are applied in accordance with the mission needs of particular organizations.” (https://itlaw.wikia.org/wiki/Information_assurance)

Tylercybersecurity.com defines these pillars as follows: “Integrity, which means protecting against improper information modification or damage, and includes ensuring information non-repudiation and authenticity; Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; Authentication is the process of determining whether someone (or something) is, in fact, who (or what) it is declared to be…” (https://www.tylercybersecurity.com/blog/fundamental-objectives-of-information-security-the-cia-triad, https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view, https://www.cise.ufl.edu/~nemo/crypto/slides/ch01_overview_nemo.ppt, https://www.plagscan.com/highlight?doc=132890096&source=35)

Non-repudiation, on the other hand, is defined by www.cryptomathic.com as “a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.”

Information Security (INFOSEC)

“Information security, shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.).” (http://indiancybersecurity.com/informaton_security_protection.php, https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf)

The two (2) aspects of information security are explained below. “Information assurance is an act of ensuring that data is not lost when critical issues arise. IT security is sometimes referred to as information security applied to technology (most often some form of computer system). IT security specialists are responsible for keeping all of the technology within the company secure from malicious cyber-attacks that often attempt to breach critical private information or gain control of the internal systems.” (Sources: https://isepolido.wordpress.com, http://indiancybersecurity.com/informaton_security_protection.php)

All institutions, both public and private, deal with a lot of confidential information. With the advent of modern technology, most of this information is now gathered, processed and saved digitally and transmitted over computer networks. Write down ways in which this information should be properly secured to prevent loss of sensitive or confidential information, prevent hostile use of data, and avoid damage to the organization’s reputation.

WHY SECURITY? PRINCIPLES OF SECURITY

The CIA triad embodies the three concepts of “fundamental security objectives for both data, information and computing services.” (https://www.cise.ufl.edu/~nemo/crypto/slides/ch01_overview_nemo.ppt) These concepts are presented in the figure below:

[Fig 2: CIA Triad]

To clearly understand these concepts, please refer to the discussion below:

1. CONFIDENTIALITY

• Confidentiality “…is a set of rules that limits access to information.” (https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA)
• The term is used to mean measures that “prevent the disclosure of information to unauthorized individuals or systems.” (http://csf102.dfcsc.uri.edu, http://indiancybersecurity.com/informaton_security_protection.php, https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf)
• “Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.” (http://www.clevernetsol.net/why-is-cybersecurity-important/, https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA, https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view)

“The terms privacy and secrecy are sometimes used to distinguish between the protection of personal data (privacy) and the protection of data belonging to an organization (secrecy).” (https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635)

Let us take this as an example: “…a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, backups, printed receipts, etc.), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.” (http://csf102.dfcsc.uri.edu, https://en.wikipedia.org/wiki/Information_assurance, http://indiancybersecurity.com/informaton_security_protection.php, https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf)

In summary, confidentiality is important in maintaining people’s privacy. Unauthorized disclosure of information is likely to occur when confidentiality is lost.

2. INTEGRITY

• Integrity “…is the assurance that the information is trustworthy and accurate.” (https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA)
• It “…involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.” (https://www.coursera.org/lecture/introduction-cybersecurity-cyber-attacks/cybersecurity-definition-etu7J, https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view, https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA, http://dlearn.eu/why-data-integrity-is-important-for-security/, https://www.justanswer.com/computer/brdph-1-explain-detail-concept-confidentiality.html)
• “Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality).” (https://cyberthreatportal.com/elements-of-cybersecurity, https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view, https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA)
• This goal defines how we keep our data from being altered. A man-in-the-middle (MitM) attack is the example threat for this goal.
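As an added example (not code from the original lesson) of how in-transit modification by a man-in-the-middle is detected: the sender attaches an HMAC-SHA256 tag computed with a key shared with the receiver, and the receiver rejects any message whose recomputed tag no longer matches. The function names, the shared key and the sample payment message are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Shared secret. In practice it is provisioned to both parties out of band;
# here it is generated for the demonstration (constructed, not a real key).
KEY = secrets.token_bytes(32)


def tag_message(key: bytes, message: bytes) -> bytes:
    """Sender side: compute an HMAC-SHA256 tag over the message bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    Any change to the message, the tag, or the key makes the check fail,
    so alteration in transit is detected (though not prevented).
    """
    expected = tag_message(key, message)
    return hmac.compare_digest(expected, tag)


def transfer_demo() -> dict:
    """Walk through a genuine delivery, an altered delivery and a wrong-key check."""
    # Constructed sample: a payment instruction sent between two parties sharing KEY.
    original = b"transfer amount=100 to=acct-1234"
    tag = tag_message(KEY, original)
    # Constructed MitM scenario: the amount field is rewritten in transit, tag left intact.
    tampered = original.replace(b"amount=100", b"amount=9000")
    return {
        "genuine_ok": verify_message(KEY, original, tag),       # True
        "tampered_ok": verify_message(KEY, tampered, tag),      # False: integrity failure
        "wrong_key_ok": verify_message(secrets.token_bytes(32), original, tag),  # False
    }
```

An HMAC gives integrity and origin authentication against anyone who lacks the key, but it does not hide the message: confidentiality still needs encryption, and non-repudiation needs a signature made with a key only the sender holds.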
Additional qualifications like “being authorized to do what one does or following the correct procedures have also been included under the term integrity, ensuring that users of a system, even if authorized, are not permitted to modify data items in such a way that assets (i.e., accounting records) of the company are lost or corrupted.” (https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635)

DISCUSS.

3. AVAILABILITY

• It means that assets are accessible to authorized parties at appropriate times.
• “Availability is very much a concern beyond the traditional boundaries of computer security. We want to ensure that legitimate users will have reasonable access to their systems without fear of being attacked by unauthorized users.” (https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA, https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635)

Assignment: Why do we need to keep important corporate information confidential? What kinds of abuses can you think of in the absence of controls on confidentiality? What criminal activities could be reduced or eliminated if confidentiality controls were effectively implemented?

REFERENCES

Definition of information assurance. Retrieved from https://interparestrust.org/terminology/term/information assurance on July 13, 2020.
Elements of Cyber Security. Retrieved from https://cyberthreatportal.com/elements-of-cybersecurity and https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view.
Information assurance definition. Retrieved from https://itlaw.wikia.org/wiki/Information_assurance on July 14, 2020.
Information security. Retrieved from https://isepolido.wordpress.com/2013/06/ on July 15, 2020.
Information security. Retrieved from https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf.
Information security and protection. Retrieved from http://indiancybersecurity.com/informaton_security_protection.php on July 15, 2020.
Metivier, Becky (2017). Fundamental objective of information security: the CIA triad. Retrieved from https://www.tylercybersecurity.com/blog/fundamental-objectives-of-information-security-the-cia-triad on July 14, 2020.
System fundamental for Cyber Security. Retrieved from http://csf102.dfcsc.uri.edu on July 14, 2020.
The CIA Triad. Retrieved from https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA on July 14, 2020.
What is information assurance? Retrieved from https://infogalactic.com/info/Information_assurance on July 14, 2020.
What is information security? Retrieved from https://infogalactic.com/info/Information_security on July 15, 2020.
What is non-repudiation? Retrieved from https://www.cryptomathic.com/products/authentication-signing/digital-signatures-faqs/what-is-non-repudiation on July 14, 2020.
Why is cyber security important? Retrieved from http://www.clevernetsol.net/why-is-cybersecurity-important/ on July 15, 2020.
World Heritage Encyclopedia Edition (2020). Information assurance. Retrieved from http://self.gutenberg.org/articles/eng/Information_assurance on July 14, 2020.
https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view
https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635
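The six-step IA process given earlier in the lesson (enumerate and classify assets, assess risk, list threats and the vulnerabilities they exploit, estimate probability, estimate impact as cost to stakeholders, and summarize the products of impact and probability) as an added worked example that is not part of the original lesson. The asset names, threats, probabilities and cost figures below are constructed for illustration, and the class and function names are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat/vulnerability pair found in step 3 for a given asset."""
    name: str
    vulnerability: str
    probability: float  # step 4: chance per year the threat exploits the vulnerability (0..1)
    impact: float       # step 5: cost to the asset's stakeholders if it does (currency units)


def risk_exposure(t: Threat) -> float:
    """Step 6 for one threat: the product of probability and impact (expected annual loss)."""
    if not 0.0 <= t.probability <= 1.0:
        raise ValueError(f"probability must lie in [0, 1], got {t.probability}")
    if t.impact < 0.0:
        raise ValueError(f"impact must be non-negative, got {t.impact}")
    return t.probability * t.impact


def summarize(register: dict) -> list:
    """Step 6 for the whole register: sum exposure per asset and rank, highest first.

    Returns a list of (asset, total expected annual loss) tuples.
    """
    totals = {asset: sum(risk_exposure(t) for t in threats)
              for asset, threats in register.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Steps 1-3: constructed sample register. Keys carry the asset and its classification.
REGISTER = {
    "customer database (confidential)": [
        Threat("ransomware", "unpatched file server", 0.20, 500_000),
        Threat("backup media loss", "unencrypted offsite backups", 0.05, 200_000),
    ],
    "public website (public)": [
        Threat("denial of service", "no traffic rate limiting", 0.50, 20_000),
    ],
}

if __name__ == "__main__":
    for asset, exposure in summarize(REGISTER):
        print(f"{asset}: expected annual loss {exposure:,.0f}")
```

Ranking by expected loss tells the practitioner which asset's controls to fund first; the ranking changes as the probability or impact estimates are revised, which is why the register is revisited rather than computed once.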
