
WEEK 2

COURSE OUTLINE

COURSE CODE : IT 421

TITLE : Information and Security Assurance II

TARGET POPULATION : All BS Information Technology Students

INSTRUCTOR : MR. DENNIS RHAM S. MANCERAS

Overview:

Information assurance and security is the management and protection of knowledge, information,
and data. It combines two fields: Information assurance, which focuses on ensuring the
availability, integrity, authentication, confidentiality, and non-repudiation of information
and systems.

Managing Identity and Authentication

Controlling Access to Assets

Controlling access to assets is one of the central themes of security, and you’ll find that many
different security controls work together to provide access control. An asset includes information,
systems, devices, facilities, and personnel.

Information An organization’s information includes all of its data. Data might be stored in
simple files on servers, computers, and smaller devices. It can also be stored on huge databases
within a server farm. Access controls attempt to prevent unauthorized access to the
information.

Systems An organization’s systems include any information technology (IT) systems that provide
one or more services. For example, a simple file server that stores user files is a system.
Additionally, a web server working with a database server to provide an e-commerce service is
a system.

Devices refer to any computing system, including servers, desktop computers, portable laptop
computers, tablets, smartphones, and external devices such as printers. More and more
organizations have adopted policies allowing employees to connect their personally owned
device (such as a smartphone or tablet) to an organization’s network. Although the devices are
typically owned by the employees, organizational data stored on the devices is still an asset of
the organization.

Facilities An organization’s facilities include any physical location that it owns or rents. This
could be individual rooms, entire buildings, or entire complexes of several buildings. Physical
security controls help protect facilities.

Personnel Personnel working for an organization are also a valuable asset to an organization.
One of the primary ways to protect personnel is to ensure that adequate safety practices are in
place to prevent injury or death.

Comparing Subjects and Objects

Access control addresses more than just controlling which users can access which files or
services. It is about the relationships between entities (that is, subjects and objects). Access is the
transfer of information from an object to a subject, which makes it important to understand the
definition of both subject and object.

Subject A subject is an active entity that accesses a passive object to receive information from,
or data about, an object. Subjects can be users, programs, processes, services, computers, or
anything else that can access a resource. When authorized, subjects can modify objects.

Object An object is a passive entity that provides information to active subjects. Some examples
of objects include files, databases, computers, programs, processes, services, printers, and
storage media.

The CIA Triad and Access Controls

One of the primary reasons organizations implement access control mechanisms is to prevent
losses. There are three categories of IT loss: loss of confidentiality, availability, and integrity
(CIA). Protecting against these losses is so integral to IT security that they are frequently
referred to as the CIA Triad (or sometimes the AIC Triad or Security Triad).

Confidentiality Access controls help ensure that only authorized subjects can access
objects. When unauthorized entities can access systems or data, it results in a loss of
confidentiality.

Integrity ensures that data or system configurations are not modified without
authorization, or if unauthorized changes occur, security controls detect the changes. If
unauthorized or unwanted changes to objects occur, it results in a loss of integrity.

Availability Authorized requests for objects must be granted to subjects within a reasonable
amount of time. In other words, systems and data should be available to users and
other subjects when they are needed. If the systems are not operational or the data is not
accessible, it results in a loss of availability.

Types of Access Controls

Generally, an access control is any hardware, software, or administrative policy or
procedure that controls access to resources. The goal is to provide access to authorized subjects
and prevent unauthorized access attempts. Access control includes the following overall steps:

1. Identify and authenticate users or other subjects attempting to access resources.

2. Determine whether the access is authorized.

3. Grant or restrict access based on the subject’s identity.

4. Monitor and record access attempts.

A broad range of controls is involved in these steps. The three primary control types are
preventive, detective, and corrective. Whenever possible you want to prevent any type of
security problem or incident. Of course, this isn’t always possible and unwanted events occur.
When they do, you want to detect the event as soon as possible. If you detect an event, you
want to correct it. There are also four other access control types, commonly known as
deterrent, recovery, directive, and compensating access controls. As you read about the controls
in the following list, you’ll notice that some examples are used in more than one access control
type. For example, a fence (or perimeter-defining device) placed around a building can be a
preventive control because it physically bars someone from gaining access to a building
compound. However, it is also a deterrent control because it discourages someone from trying
to gain access.

Preventive Access Control A preventive control attempts to thwart or stop unwanted or
unauthorized activity from occurring. Examples of preventive access controls include
fences, locks, biometrics, mantraps, lighting, alarm systems, separation-of-duties policies,
job rotation policies, data classification, penetration testing, access control methods,
encryption, auditing, the presence of security cameras or closed-circuit television (CCTV),
smartcards, callback procedures, security policies, security awareness training, antivirus
software, firewalls, and intrusion prevention systems.

Detective Access Control A detective control attempts to discover or detect unwanted or
unauthorized activity. Detective controls operate after the fact and can discover the activity
only after it has occurred. Examples of detective access controls include security guards,
motion detectors, recording and reviewing of events captured by security cameras or CCTV,
job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets,
intrusion detection systems, violation reports, supervision and reviews of users, and
incident investigations.

Corrective Access Control A corrective control modifies the environment to return
systems to normal after an unwanted or unauthorized activity has occurred. Corrective
controls attempt to correct any problems that occurred because of a security incident.
Corrective controls can be simple, such as terminating malicious activity or rebooting a
system. They also include antivirus solutions that can remove or quarantine a virus, backup
and restore plans to ensure that lost data can be restored, and active intrusion detection
systems that can modify the environment to stop an attack in progress.

Deterrent Access Control A deterrent access control attempts to discourage security
policy violations. Deterrent and preventive controls are similar, but deterrent controls often
depend on individuals deciding not to take an unwanted action. In contrast, a preventive
control blocks the action. Some examples include policies, security awareness training,
locks, fences, security badges, guards, mantraps, and security cameras.

Directive Access Control A directive access control attempts to direct, confine, or control
the actions of subjects to force or encourage compliance with security policies. Examples of
directive access controls include security policy requirements or criteria, posted
notifications, escape route exit signs, monitoring, supervision, and procedures.

Compensating Access Control A compensating access control provides an alternative
when it isn’t possible to use a primary control, or when necessary to increase the
effectiveness of a primary control. As an example, a security policy might dictate the use of
smart cards by all employees, but it might take a long time for new employees to get a
smartcard. The organization could issue hardware tokens to employees as a compensating
control. These tokens provide stronger authentication than just a username and password.

Access controls are also categorized by how they are implemented. Controls can be
implemented administratively, logically/technically, or physically. Any of the access control
types mentioned previously can include any of these implementation types.

Administrative Access Controls Administrative access controls are the policies and
procedures defined by an organization’s security policy and other regulations or
requirements. They are sometimes referred to as management controls. These controls
focus on personnel and business practices. Examples of administrative access controls
include policies, procedures, hiring practices, background checks, classifying and labeling
data, security awareness and training efforts, reports and reviews, personnel controls,
and testing.

Logical/Technical Controls Logical access controls (also known as technical access
controls) are the hardware or software mechanisms used to manage access and to provide
protection for resources and systems. As the name implies, they use technology. Examples
of logical or technical access controls include authentication methods (such as passwords,
smartcards, and biometrics), encryption, constrained interfaces, access control lists,
protocols, firewalls, routers, intrusion detection systems, and clipping levels.

Physical Controls Physical access controls are items you can physically touch. They
include physical mechanisms deployed to prevent, monitor, or detect direct contact with
systems or areas within a facility. Examples of physical access controls include guards,
fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop
locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.

Authorization and Accountability

Two additional security elements in an access control system are authorization and
accountability.

Authorization Subjects are granted access to objects based on proven identities. For
example, administrators grant users access to files based on the user’s proven identity.

Accountability Users and other subjects can be held accountable for their actions when
auditing is implemented. Auditing tracks subjects and records when they access objects,
creating an audit trail in one or more audit logs. For example, auditing can record when a
user reads, modifies, or deletes a file. Auditing provides accountability.

Additionally, assuming the user has been properly authenticated, audit logs provide
non-repudiation. The user cannot believably deny taking an action recorded in the audit logs. An
effective access control system requires strong identification and authentication mechanisms, in
addition to authorization and accountability elements. Subjects have unique identities and
prove their identity with authentication. Administrators grant access to subjects based on their
identities providing authorization. Logging user actions based on their proven identities
provides accountability. In contrast, if users didn’t need to log on with credentials, then all users
would be anonymous. It isn’t possible to restrict authorization to specific users if everyone is
anonymous. While logging could still record events, it would not be able to identify which users
performed any actions.

Authorization

Authorization indicates who is trusted to perform specific operations. If the
action is allowed, the subject is authorized; if disallowed, the subject is not authorized. Here’s a
simple example: if a user attempts to open a file, the authorization mechanism checks to ensure
that the user has at least read permission on the file. It’s important to realize that just because
users or other entities can authenticate to a system, that doesn’t mean they are given access to
anything and everything. Instead, subjects are authorized access to specific objects based on
their proven identity. The process of authorization ensures that the requested activity or object
access is possible based on the privileges assigned to the subject. Administrators grant users
only the privileges they need to perform their jobs following the principle of least privilege.
Identification and authentication are “all-or-nothing” aspects of access control. Either a user’s
credentials prove a professed identity, or they don’t. In contrast, authorization occupies a wide
range of variations. For example, a user may be able to read a file but not delete it, or they may
be able to print a document but not alter the print queue.

Authentication Factors

The three basic methods of authentication are also known as types or factors. They are
as follows:

Type 1 A Type 1 authentication factor is something you know. Examples include a password,
personal identification number (PIN), or passphrase.

Type 2 A Type 2 authentication factor is something you have. Physical devices that a user
possesses can help them provide authentication. Examples include a smartcard, hardware
token, memory card, or Universal Serial Bus (USB) drive.

Type 3 A Type 3 authentication factor is something you are or something you do. It is a physical
characteristic of a person identified with different types of biometrics. Examples in the
something-you-are category include fingerprints, voice prints, retina patterns, iris patterns,
face shapes, palm topology, and hand geometry. Examples in the something-you-do category
include signature and keystroke dynamics, also known as behavioral biometrics.

Accountability

Auditing, logging, and monitoring provide accountability by ensuring that
subjects can be held accountable for their actions. Auditing is the process of tracking and
recording subject activities within logs. Logs typically record who took an action, when and
where the action was taken, and what the action was. One or more logs create an audit trail
that researchers can use to reconstruct events and identify security incidents. When
investigators review the contents of audit trails, they can provide evidence to hold people
accountable for their actions. There’s a subtle but important point to stress about
accountability. Accountability relies on effective identification and authentication, but it does
not require effective authorization. In other words, after identifying and authenticating users,
accountability mechanisms such as audit logs can track their activity, even when they try to
access resources that they aren’t authorized to access.
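
The four access control steps listed earlier, together with the point that audit logs hold a subject accountable even for denied attempts, can be seen in a small reference monitor. This is an added example, not part of the original handout; the user names, passwords, file name, and function names are all constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (hypothetical users, passwords and file name).
# Fixed salts keep the example repeatable; a real system uses a random salt per user.
SALTS = {"alice": b"constructed-salt-a", "bob": b"constructed-salt-b"}
USERS = {"alice": _kdf("correct horse", SALTS["alice"]),
         "bob": _kdf("blue stapler", SALTS["bob"])}
# Object -> subject -> permitted operations; each subject gets only what the job needs.
ACL = {"payroll.xlsx": {"alice": {"read", "modify"}, "bob": {"read"}}}
AUDIT_LOG = []

def authenticate(user, password):
    """Step 1: all-or-nothing check of a claimed identity (Type 1 factor)."""
    candidate = _kdf(password, SALTS.get(user, b"no-such-user-salt"))
    return hmac.compare_digest(USERS.get(user, b""), candidate)

def authorize(user, obj, operation):
    """Step 2: is the operation within the privileges assigned to the subject?"""
    return operation in ACL.get(obj, {}).get(user, set())

def access(user, password, obj, operation):
    """Steps 1-4: authenticate, authorize, grant or restrict, record the attempt."""
    if not authenticate(user, password):
        who, decision = "anonymous", "DENY-unauthenticated"
    elif authorize(user, obj, operation):
        who, decision = user, "GRANT"
    else:
        who, decision = user, "DENY-unauthorized"
    # Step 4: log who, when, which object and which action, for denials as well.
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "who": who,
                      "claimed": user, "object": obj, "action": operation,
                      "decision": decision})
    return decision == "GRANT"

def denied_attempts(user):
    """Accountability: denied actions attributable to a proven identity."""
    return [e for e in AUDIT_LOG if e["who"] == user and e["decision"] != "GRANT"]
```

A failed logon is recorded under "anonymous" with only the claimed name, which shows why the log cannot attribute an action to a person unless authentication succeeded first.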

Activity

1. A ____________ modifies the environment to return systems to normal after an unwanted or
unauthorized activity has occurred. What are the common email vulnerability issues?

2. _______________ are the policies and procedures defined by an organization’s security policy
and other regulations or requirements. It is a session-oriented protocol that provides
confidentiality and integrity.

3. Discuss the CIA Triad.

4. Discuss the differences of Type 1, 2, 3 Authentication factors.

5. Research on how the CIA Triad is being applied globally.

Laboratory Challenge

● Create the introduction and objectives of your proposed research
