Information Assurance & Security 1
Information assurance and security are related
but separate concepts.
“The terms are inherently linked and share an
ultimate goal of preserving the integrity of
information.”
IAS was combined on two fields:
⬡ Information assurance, which focuses on
ensuring the availability, integrity, authentication,
confidentiality, and non-repudiation of
information and systems. These measures may
include providing for restoration of information
systems by incorporating protection, detection,
and reaction capabilities.
⬡ Information security, which centers on the
protection of information and information
systems from unauthorized access, use,
disclosure, disruption, modification, or
destruction in order to provide confidentiality,
integrity, and availability.
Information Assurance vs. Information Security
- Both disciplines involve a variety of similar issues,
including risk management, cyber security, corporate
governance, compliance, auditing, business
continuity, disaster recovery, forensic science,
security engineering, and criminology.
“Information assurance and security is the management
and protection of knowledge, information, and data.”
SECURITY MINDSET a peculiar mix of curiosity and
paranoia that turns life into a perpetual game of asking
“what if” questions,
ex: 1. “What if my phone gets stolen?” (HAHAH relate).
Consider the following scenarios that typify the
mindset:
- When you encounter a Web form that asks you to
enter a number between “1” and “100”, you wonder
what would happen if you enter things like “101”, “-
1”, or “`);”.
- You’ve researched how a garage door opener
remote works because you were curious if others
could open your garage door without permission.
- When logging into your computer, you’ve
deliberately mistyped your username or password
just to see what happens.
TWO TYPES OF MINDSET IN IAS
1. Thinking like an ATTACKER –
⬡ Understand techniques for circumventing
security.
⬡ Look for ways security can break, not reasons why
it won’t.
2. Thinking like a DEFENDER –
⬡ Know what you’re defending, and against whom.
⬡ Weigh benefits vs. costs: No system is ever
completely secure.
⬡ “Rational paranoia!”
------- IAS CORE PRINCIPLES ------
1. AVAILABILITY- Refers to how users are
given access to sensitive information within
your enterprise’s infrastructure.
2. INTEGRITY- Ensures that information
remains in its original form; information
remains true to the creators intent.
3. AUTHENTICATION- Security measures to
establish the validity of a transmission,
message, or originator
4. CONFIDENTIALITY- Ensures the
disclosure of information only to those
person with authority to
see it.
5. NON-REPUDIATION- Assurance that the
sender is provided with proof of a data
delivery and recipient is provided with proof
of the sender’s identity, so that neither can
later deny having processed the data.
HOW PRINCIPLES OF INFORMATION
ASSURANCE HELP IN PRACTICE
Every modern organization needs to understand
how to plan and execute a successful information
assurance system. All businesses deal with
sensitive information that could be
disastrous if tampered with or destroyed, whether
intentionally or accidentally. Altered or stolen
sensitive information can lead to social security
or credit card numbers falling into
criminals’ hands, huge losses in both personal
and global revenue, and many other damaging
consequences.
So how do the principles of information
assurance help avoid those disasters? Let’s take a
look at the recent hack of multiple high-profile
Twitter accounts data breach as examples.
SECURITY LESSONS FROM
HACKED TWITTER ACCOUNTS
 Information Assurance & Security 1
Although Twitter has not yet released the
exact details regarding how the attack
occurred, we do know that the starting point
was a “phone spear phishing attack.” That
phrasing could mean a number of different
things.

The hacker could have used caller ID

spoofing, for instance, to make it appear
that their phone calls came from a Twitter
internal support member.
Whatever the exact tactic they used, we
know that the cybercriminal eventually
managed to access the individual accounts
of multiple influential users. This
was accomplished both by obtaining
individual employee credentials and by
bypassing various network controls.

All 5 principles of information
assurance were violated during this
attack:
• NONREPUDIATION was compromised
because the hacker was able to appear as if
they were Joe Biden, Elon Musk, and other
public figures.
• Users who sent Bitcoins to the hacker did so
because the INTEGRITY of this sensitive
information had been meddled with, and they
believed the money would be directed to
someone else.
• Although there were numerous
AUTHENTICATION measures in place, the
hacker was able to steal proof of identity through
phishing and bypass other controls that allowed
them to reach the admin panel.
• The sensitive information in this case was too
AVAILABLE to outside users, and thus the
CONFIDENTIALITY usually assumed for private
social media accounts was violated.
Twitter has since recovered from the attack and
is working to strengthen its information
assurance practices. But all organizations can
learn from this and similar cyber attacks when
forming their information assurance plans.
Diligently considering and practicing the 5
principles of information assurance will help your
organization avoid disrupted business
operations, lost time and revenue, and damaged
customer relationships.
The system life cycle is a series of stages that
are worked through during the development of
new information system. A lot of time and money
can be wasted if a system is developed that
doesn’t work properly or do exactly what is
required of it. A new system is much more likely
to be successful if it is carefully planned and
developed.
FEASIBILITY STUDY- 1st stage of the system life
cycle. An investigation that is carried out by a
systems analyst to find out what the main
problems are with the existing system and if it is
technically possible and cost -effective to solve
these problems by developing a computer
based solution.
Feasibility report contents:
⬡ A description of the existing system outlining
what is being done and how it is being done;
⬡ A set of problem statements describing
exactly what the problems are with the existing
system;
⬡ A set of system objectives which describe
what the new system must be able to do;
⬡ A description of some alternative solutions;
⬡ A description of the technical, economic, legal
and social factors that have been considered;
 Information Assurance & Security 1
⬡ A recommended course of action. on the boundaries of what is
acceptable
ANALYSIS DURING the analysis stage systems - Erroneous (or exceptional) test data is
analysts investigate the existing system to used to check that a system can
identify exactly what the problems are with the identify data that is wrong and reject it
existing system.
TESTING USING NORMAL, EXTREME AND
Systems analysts will use a variety of fact- ERRONEOUS DATA
finding methods to gather information for
example:

Questionnaires, Interviews, Observation,

Examining documents

DESIGN - Alternative possible solutions are

identified, Alternative solutions evaluated, The
best solution is identified
MAINTENANCE A new information system may
A design specification is produced containing need to be changed due to:
information about:
- Change in needs of user.
- Input - Problems not found during testing.
- Output - Improvements required in the way the
- Data storage system works.
- User interface
THE SECURITY LIFECYCLE
- Backup and recovery procedures
- Security procedures

TEST PLAN TYPICAL FORMAT FOR A TEST PLAN

IMPLEMENTATION This stage involves: Setting
up the system so that it matches the design
specification. Testing carried out using the plan
to make sure that all the parts of the system
work correctly with normal, extreme and
erroneous data.
- Normal test data is used to check that a
system can handle the sort of data that
would be expected during day -to -day
use.
- Extreme test data is used to check that
a system can cope with data that lies
The Security Lifecycle is a process that must be
continuously executed. It is an ongoing process
that can help guide a security organization.
IDENTIFY - The very first step in any security
program is to know what it is that you are trying
to protect.
Questions to consider when trying identifying
your enterprise resources.
- Where are the assets physically located?
 Information Assurance & Security 1
- Are they in a secured data center or
scattered about multiple office
locations?
- How many servers, firewalls and routers
do you have?
- What flavor of OS is running on each
system?
- What applications and services are
running on each server?
- Who is the customer for each system?
- Does the application support the HR,
finance or the marketing department?
- What is the priority of the application?
- Is this a front end customer application
or an internal, third tier application?
ASSESS - Once all of your assets have been
identified and documented, the next step is to
perform a thorough security assessment on said
assets. This step covers all aspects of
assessment, from reviewing your current
processes and procedures to actually
performing vulnerability scans.
Some of the items that should be examined
might be:
- Password and User Account Policies.
- Review of User ids and Groups
- Review of Administrator or Root
accounts
- Review of web server configurations
- Review of what is being logged and who
has access to the logs.
- Trusted relationships with other servers
PROTECT - After assessing your network and
obtaining more granular information about it,
it’s important to protect your network by
bringing systems up to speed with your
previously established policy and standards.
This phase of the lifecycle is sometimes referred
to as the ‘mitigation’ phase, since the objective
is to mitigate any risks identified during the
assessment phase.
MONITOR - The last step of the information
security lifecycle is to monitor the security you
have in place and the security you’ve recently
changed and updated.
Specific Security Mechanisms
ENCIPHERMENT- Is hiding or covering data
and can provide confidentiality. It makes use of
mathematical algorithms to transform data into
a form that is not readily intelligible.
The transformation and subsequent recovery of
the data depend on an algorithm and zero or
more encryption keys. Cryptography and
Steganography techniques are used for
enciphering.
DATA INTEGRITY- The data integrity mechanism
appends a short check value to the data which
is created by a specific process from the
data itself. The receiver receives the data and
the check value. The receiver then creates a
new check value from the received data and
compares the newly created check value with
the one received. If the two check values match,
the integrity of data is being preserved. 6
DIGITAL SIGNATURE- A digital signature is a
way by which the sender can electronically sign
the data and the receiver can electronically
verify it. The sender uses a process in which
the sender owns a private key related
to the public key that he or she has
announced publicly. The receiver uses the
sender's public key to prove the message is
indeed signed by the sender who claims to
have sent the message.
AUTHENTICATION EXCHANGE- A mechanism
intended to ensure the identity of an entity by
means of information exchange. The two
entities exchange some messages to prove their
identity to each other. For example the three-
way handshake in TCP.
TRAFFIC PADDING- The insertion of bits into
gaps in a data stream to frustrate traffic analysis
attempts
 Information Assurance & Security 1
ROUTING CONTROL- Enables selection of
particular physically secure routes for certain
data and allows routing changes which means
selecting and continuously changing different
available routes between the sender and the
receiver to prevent the attacker from traffic
analysis on a particular route.
NOTARIZATION- use of a trusted third party to
control the communication between the
two parties. It prevents repudiation. The
receiver involves a trusted third party to
store the request to prevent the sender
from later denying that he or she has
made such a request.
ACCESS CONTROL- A variety of mechanisms are
used to enforce access rights to resources/data
owned by a system, for example, PINS, and
passwords.
CRYPTOGRAPHY- the study of secure
communications techniques that allow only the
sender and intended recipient of a message to
view its contents. The term is derived from the
Greek word kryptos, which means hidden.
3 independent dimensions:
Type of operations used for transforming plain
text to cipher text
All the encryption algorithms are abased on two
general principles:
substitution, in which each element in the
plaintext is mapped into another element,
and transposition, in which elements in the
plaintext are rearranged.
The number of keys used
If the sender and receiver uses same key then it
is said to be symmetric key (or) single key (or)
conventional encryption. If the sender and
receiver use different keys then it is said to be
public key encryption.
The way in which the plain text is processed
A block cipher processes the input and block of
elements at a time, producing output block for
each input block.
A stream cipher processes the input elements
continuously, producing output
element one at a time, as it goes along.
Types of Cryptography
-Secret Key Cryptography
-Public Key Cryptography
-Hash Functions
1. Secret Key Cryptography or
Symmetric cryptography
 It uses a single key to encrypt data.
 Both encryption and decryption in
symmetric cryptography use the
same key, making this the easiest
form of cryptography.
 The cryptographic algorithm utilizes
the key in a cipher to encrypt the
data, and
when the data must be accessed
again, a person entrusted with the
secret key
can decrypt the data.
 Secret Key Cryptography can be
used on both in-transit and at-rest
data, but is commonly only used on
at-rest data, as sending the secret to
the recipient of the message can
lead to compromise.
Examples:
⬡ AES
⬡ DES
⬡ Caesar Cipher
 Information Assurance & Security 1

2. Public Key Cryptography
 It uses two keys to encrypt data.
 One is used for encryption, while the
other key can decrypts the message.
 Unlike symmetric cryptography, if one
key is used to encrypt, that same key
cannot decrypt the message, rather the
other key shall be used.
 One key is kept private, and is called
the “private key”, while the other is
shared publicly and can be used by
anyone, hence it is known as the “public
key”.
 The mathematical relation of the keys is
such that the private key cannot be
derived from the public key, but the
public key can be derived from the
private.
 The private key should not be
distributed and should remain with the
owner only. The public key can be given
to any other entity.
3. Hash Functions
 Are irreversible, one-way functions
which protect the data, at the cost
of not being able to recover the
original message.
 Hashing is a way to transform a
given string into a fixed length
string. A good
hashing algorithm will produce
unique outputs for each input given.
 The only way to crack a hash is by
trying every input possible, until you
get the exact same hash.
 A hash can be used for hashing data
(such as passwords) and in
certificates.
Hash Functions some of the most
famous hashing algorithms are:
⬡ MD5
⬡ SHA-1
⬡ SHA-2 family which includes SHA-224,
SHA-256, SHA-384, and SHA-512
⬡ SHA-3
⬡ Whirlpool
⬡ Blake 2
⬡ Blake 3

Examples:
⬡ ECC
⬡ Diffie-Hellman
⬡ DSS