Aksum University

College of Engineering & Technology


Department of Computing-Information Systems

Information Assurance and Security

“The most secured computers are those not connected to
the Internet and shielded from any interference”

Chapter - One
Introduction to Information
Assurance and Security

Overview of Information
assurance & security
(What is security?)
▪ Security is a continuous process of protecting an object from attack. That object may be a person, an organization such as a business, or property such as a computer system or a file.
▪ Security is the quality or state of being secure, that is, to be free from danger.
▪ When we consider a computer system, for example, its security involves the security of all its resources, including physical hardware components such as readers, printers, the CPU, and the monitors. In addition to its physical resources, it also stores non-physical resources such as data and information.

Overview (Cont’d …)
(What is info assurance?
How does it differ from info security?)

▪ Information security is concerned with the confidentiality, integrity and availability of data regardless of the form that data may take.
▪ Information assurance focuses on the reasons for assurance that information is protected, and is thus reasoning about information security.
▪ It is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.

Overview (Cont’d …)
What is security in a distributed computer system?

▪ In a distributed computer system such as a network, the protection covers the physical and non-physical resources that make up the network, including communication channels and connectors like modems, bridges, switches, and servers, as well as the files stored on those servers.
▪ In each one of these cases, therefore, security means preventing unauthorized access, use, alteration, and theft of or physical damage to these resources.

Overview (Cont’d …)
Security Goals

▪ Security involves the following three goals:
• Confidentiality: closed information.
– Concealment of information or resources
• Integrity: Original information.
– Trustworthiness of data or resources
• Availability: Available at any time for use.
– Ability to use information or resources

Overview (Cont’d …)
Security Goals

Confidentiality: only the sender and the intended receiver should “understand” the message contents
– sender encrypts message
– receiver decrypts message
Message Integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection.
Access and Availability: services must be accessible and available to users when they want them.

Overview (Cont’d …)
Confidentiality
▪ To prevent unauthorized disclosure of information to third parties. This includes the disclosure of information about resources.
▪ The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry.
▪ Access mechanisms, such as cryptography, support confidentiality
– Example: encrypting an income tax return

Overview (Cont’d …)
Integrity
• To prevent unauthorized modification of resources and maintain the status quo. It includes the integrity of system resources, information, and personnel. The alteration of resources like information may be caused by a desire for personal gain or a need for revenge.
• Often requires preventing unauthorized changes.
• Includes data integrity (content) and origin integrity (source of data, also called authentication)
• Includes prevention mechanisms and detection mechanisms
– Example: a newspaper prints information leaked from the White House and gives the wrong source
• Includes both correctness and trustworthiness
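
Added example (not part of the original slides): a detection mechanism covering both data integrity and origin integrity, using a keyed tag (HMAC-SHA256) next to a plain checksum for contrast. The shared key, the function names and the sample message are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def checksum_packet(message: bytes) -> bytes:
    """Unkeyed SHA-256 appended to the message (no secret involved)."""
    return message + hashlib.sha256(message).digest()

def checksum_ok(packet: bytes) -> bool:
    """Recompute the unkeyed digest; anyone can produce a passing packet."""
    message, digest = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)

def mac_packet(key: bytes, message: bytes) -> bytes:
    """Sender: append an HMAC-SHA256 tag computed with the shared key."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def mac_ok(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute the tag and compare in constant time."""
    if len(packet) < TAG_LEN:
        return False
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def run_demo() -> dict:
    key = secrets.token_bytes(32)        # known to sender and receiver only
    other_key = secrets.token_bytes(32)  # a party that lacks the shared key
    original = b"pay 100 birr to account 1234"  # constructed sample message
    altered = b"pay 900 birr to account 1234"
    old_tag = mac_packet(key, original)[-TAG_LEN:]
    return {
        # Untouched packet verifies.
        "genuine_accepted": mac_ok(key, mac_packet(key, original)),
        # Content changed, tag left alone: data integrity failure detected.
        "altered_rejected": not mac_ok(key, altered + old_tag),
        # Tag made with a different key: origin integrity failure detected.
        "wrong_origin_rejected": not mac_ok(key, mac_packet(other_key, original)),
        # A plain checksum can be recomputed by whoever alters the message,
        # so it still verifies and says nothing about the source.
        "recomputed_checksum_passes": checksum_ok(checksum_packet(altered)),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The last result is the reason an unkeyed checksum only catches accidental changes, while the keyed tag ties the message to a holder of the key.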
Overview (Cont’d …)
Availability
• To prevent unauthorized withholding of system resources from those who need them when they need them.
• Is an aspect of reliability and system design
• Attempts to block availability, called denial of service attacks, are difficult to detect
– Example: bank with two servers – one is blocked, the other provides false information

Reasons for
Implementing security
(Why do we need security?)

▪ Increased reliance on information technology, with or without the use of networks
▪ The use of IT has changed our lives drastically.
▪ We depend on e-mail, Internet banking, and several other governmental activities that use IT
▪ Increased use of e-commerce and the World Wide Web on the Internet as a vast repository of various kinds of information (immigration databases, flight tickets, stock markets etc.)

Reasons (Cont’d …)
(Why do we need security?)

▪ Computer security: the collection of tools designed:
– to protect data/services and
– to thwart hackers
▪ Network security or internet security: security measures needed to protect data during their transmission.

Reasons (Cont’d …)
(What if not secured?)
▪ Damage to any IT-based system or activity can result in severe disruption of services and losses.
▪ Results of Security Breach:
– Destruction of Resources
– Corruption of Data and Applications
– Denial of Services
– Theft of Services
– Theft of Resources

Reasons (Cont’d …)
(That is why…)
▪ … we need security
– To safeguard the confidentiality, integrity, authenticity and availability of data transmitted over insecure networks.
– The Internet is not the only insecure network in this world
– Many internal networks in organizations are prone to insider attacks
– In fact, insider attacks are greater both in terms of likelihood of happening and damage caused

Reasons (Cont’d …)
(security controls)

Security controls
– Authentication (password: what we know; cards: what we have; biometrics: who we are)
– Encryption
– Administrative procedures
– Standards
– Physical Security
– Laws

Reasons (Cont’d …)
(security policy, service & mechanism )

• A security policy is a statement of what is allowed and what is not allowed.
• A security service is a measure to address a threat
– E.g. authenticate individuals to prevent unauthorized access
• A security mechanism is a means to provide a service
– E.g. encryption, cryptographic protocols

Reasons (Cont’d …)
(security services)
Five Categories of Security Services
A. Authentication (who created or sent the data)
B. Access control (prevent misuse of resources)
C. Confidentiality (privacy)
D. Integrity (has not been altered)
E. Non-repudiation (the order is final)

Enterprise Security

▪ Enterprise security continues to be one of the main challenges organizations have to face on a daily basis.
▪ Since cyber threats are real and can happen to any organization, organizations must now focus much more on information and data:
– understanding where it is and how it is managed both within and outside the enterprise boundary

Enterprise Security (Cont’d …)
Enterprise security encompasses:
▪ Information security: how information technology supports safe business practices.
▪ Business security: security processes and the security control framework, in the context of the business.
▪ Physical security: how facilities and access control support the logical security model.
▪ Operational risk management: providing a risk-based approach.

Cyber Defense
(What is cyber? What about cyberspace?)

▪ Cyber is a prefix used to describe a person, thing, or idea as part of the computer and information age.
▪ Cyberspace is a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange information.
▪ There is a consensus that cyberspace is a complex and rapidly changing environment. We can imagine its present and future as follows:

Cyber Defense
(Cont’d)

PRESENT
▪ Cyber security is a young and immature field
▪ The attackers are more innovative than defenders
▪ Defenders are mired in FUD (fear, uncertainty and doubt) and fairy tales
FUTURE
▪ Cyber security will become a scientific discipline
▪ It will be application & technology centric
▪ It will never be “solved” but will be “managed”

Cyber Defense
(Cont’d)

Defending schemes:
▪ OLD: Defend the entire network to the same degree
▪ NEW: Defend selectively and dynamically
▪ OLD: Blame and harass the end user
▪ NEW: The end user is part of the solution
▪ OLD: Defend against yesterday’s attacks
▪ NEW: Be proactive, get ahead of the curve, future-proof

//End of chap-1

THE END OF
CHAP-ONE !!!
Q&A?