
Information Assurance and Security (IAS)


Lec 1
Introduction: Computer and Network
Security Strategy, History and Terminology
What is Data?
What is Information?

YTV: Information Assurance


https://www.youtube.com/watch?v=euRX6o9ALXk
• How can we assure that information is being used in the
way intended and by the people intended?
• Information: Which information?
• What quality of information?
• What are its characteristics?
• Way: Viewed? Changed? Reconveyed?
• Intended: By whom? With what degree of certainty?
• People: Browsers? Other user agents? Computer
programs?
What is Information Assurance?
• Information assurance and security is the management
and protection of knowledge, information, and data.
https://www.capella.edu
• Information assurance (IA) is the practice of protecting
against and managing risk related to the use, storage and
transmission of data and information systems.
techtarget.com
• Information assurance (IA) is the practice of assuring
information and managing risks related to the use,
processing, storage, and transmission of information. wiki
The US Government's definition of information assurance is:

“measures that protect and defend information and
information systems by ensuring their availability,
integrity, authentication, confidentiality, and
non-repudiation.”
What is Computer Security?
• Computer security, cybersecurity or information technology
security (IT security) is the protection of computer systems and
networks from the theft of or damage to their hardware,
software, or electronic data, as well as from the disruption or
misdirection of the services they provide. wiki
Information security roles of professionals
within an organization
Information security performs four important roles:
1. Protects the organization's ability to function.
2. Enables the safe operation of applications implemented on
the organization's IT systems.
3. Protects the data the organization collects and uses.
4. Safeguards the technology the organization uses.
Security team can be as large as 1000+ people and as
small as 2 people, depending on:

1. Organization size
2. Security need
3. Organizational priority
How?
1. Monitoring
2. Enforce policy and compliance
3. Ensure regulatory compliance and audit
4. Risk assessment
5. Business supporting
6. Security solution testing and implementation
7. Security awareness
8. Security Incident handling
Note: The roles and responsibilities can be divided based
on the team strength and experience. Some of the
activities need technical skills and some need security
management skills. Tasks can be prioritized and done as
agreed.

Responsibilities in information security are not fixed; they
are created, removed and modified with time,
regulations, organizations, technologies, etc.
Security Mindset
“The Security Mindset: The Key to Success in the Security Field”
-www.tripwire.com

• Security mindset involves thinking about how things can be made to
fail.
• This kind of thinking is not natural for most people. It’s not natural
for engineers. Good engineering involves thinking about how things
can be made to work; the security mindset involves thinking about
how things can be made to fail. It involves thinking like an attacker,
an adversary or a criminal. You don’t have to exploit the
vulnerabilities you find, but if you don’t see the world that way, you’ll
never notice most security problems.
Security Mindset
• The security mindset is a peculiar mix of curiosity and paranoia
that turns life into a perpetual game of asking “what if”
questions, such as the following:

• “What if my phone gets stolen?”


• “What if I try my key in a different lock?”
• “What if someone types too much text into our online
registration form?”
Design Principle.
Fundamental Security Design Principles
1. Economy of Mechanism
2. Fail-safe Defaults
3. Complete Mediation
4. Open Design
5. Separation of Privilege
6. Least Privilege
7. Least Common Mechanism
8. Psychological Acceptability
9. Isolation
10. Encapsulation
11. Modularity
12. Layering
13. Least Astonishment
-binaryterms.com
1. Economy of Mechanism
• This fundamental security principle states that the security
measures implemented in the software and the hardware must
be simple and small. This makes it easier for testers to test
the security measures thoroughly.

• If the designed security mechanism is complex, then it is likely
that the tester would get a chance to exploit the weakness in
the design.
2. Fail-safe Defaults
• This principle says that when a user wants access to a
mechanism, whether the access is permitted or denied
should be based on authorization rather than elimination.

• By default, every mechanism should deny access, and
the function of a security mechanism is to identify the conditions
under which access should be permitted. This means that
access to all mechanisms should be denied by default, unless a
privilege attribute is provided.
3. Complete Mediation
• Some systems are designed to operate continuously; such
systems remember access decisions. So, there must be an
access control mechanism that checks every access
occurring on the system.

• This principle says that the system should not trust the access
decisions it recovers from the system cache. This particular
security design principle says that there must be a mechanism
in the system that checks each access through the access
control mechanism.
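
Added example (not part of the original slides): a small Python sketch of principles 2 and 3 together. The policy denies anything that was never explicitly granted, and a gate that caches its first decision is set beside one that checks every access. The class names, user and resource are hypothetical and the data is constructed.

```python
# Added illustration; Policy, CachedGate and MediatedGate are hypothetical names.
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Explicit allow-list: (user, resource) -> set of permitted actions."""
    grants: dict = field(default_factory=dict)

    def allow(self, user, resource, action):
        self.grants.setdefault((user, resource), set()).add(action)

    def revoke(self, user, resource, action):
        self.grants.get((user, resource), set()).discard(action)

    def permits(self, user, resource, action):
        # Fail-safe default: anything not explicitly granted is denied,
        # including unknown users, unknown resources and unknown actions.
        return action in self.grants.get((user, resource), set())

class CachedGate:
    """Weak form: remembers the first decision and trusts it afterwards."""
    def __init__(self, policy):
        self.policy = policy
        self._cache = {}

    def check(self, user, resource, action):
        key = (user, resource, action)
        if key not in self._cache:
            self._cache[key] = self.policy.permits(*key)
        return self._cache[key]  # stale once the grant is revoked

class MediatedGate:
    """Complete mediation: every access is checked against current policy."""
    def __init__(self, policy):
        self.policy = policy

    def check(self, user, resource, action):
        return self.policy.permits(user, resource, action)

def demo():
    req = ("alice", "payroll.db", "read")  # constructed sample request
    policy = Policy()
    policy.allow(*req)
    cached, mediated = CachedGate(policy), MediatedGate(policy)
    before = (cached.check(*req), mediated.check(*req))
    policy.revoke(*req)
    after = (cached.check(*req), mediated.check(*req))
    return before, after
```

After the revocation the cached gate still answers "allowed" while the mediated gate denies, which is the failure the principle is meant to prevent.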
4. Open Design

• This security principle suggests that the security mechanism
design should be open to the public. As with cryptographic
algorithms, the encryption key is kept secret while the encryption
algorithm is open to public investigation.

• This principle is followed by the NIST (National Institute of
Standards and Technology) to standardize the algorithms
because it helps in worldwide adoption of NIST approved
algorithms.
5. Separation of Privilege
• This security principle states that whenever a user tries to gain
access to a system, the access should not be granted based on
a single attribute or condition.

• Instead, there must be multiple situations, conditions or
attributes that are verified before access to the system is granted.
We also term this multifactor user authentication, as this
principle says that multiple techniques must be implemented to
authenticate a user.
6. Least Privilege
• The least privilege security design principle states that each
user should be able to access the system with the least
privilege. Only those limited privileges should be assigned to
the user which are essential to perform the desired task.

• An example of considering and implementing this principle is
role-based access control. The role-based designed security
mechanism should discover and describe various roles of the
users or processes.
7. Least Common Mechanism
• Following the least common mechanism security design
principle, there should be a minimum of common functions shared
between different users. This principle reduces the count of
communication paths and therefore further reduces the
hardware and software implementation.

• Ultimately this principle reduces the threat of unwanted access
to the system, as it becomes easy to verify whether there is any
unwanted access to the shared function.
8. Psychological Acceptability
• This security design principle says that the security
mechanisms designed to protect the system should not interfere
with the working of the user every now and then.

• This would irritate the user, and the user may disable the security
mechanism on the system. Therefore, it is suggested that the
security mechanism should introduce minimum hurdles to the
user of the system.
9. Isolation
• This security design principle is considered in three
circumstances. In the first, a system that has critical
data, processes or resources must be isolated such that
public access is restricted. It can be done in two ways.

• The system with critical resources can be isolated in two ways:
physical and logical isolation. Physical isolation is one
where the system with critical information is isolated from the
system with public access information.
10. Encapsulation
• This security design principle is a form of isolation that is
based on object-oriented principles. Here the
processes of the protected system can only access the data
object of the system and these processes can only be invoked
from a domain entry point.
11. Modularity
• This security design principle says that the security
mechanism must be generated as separate and protected
modules, using a modular architecture.

• This principle helps in updating the security mechanism
independently without modifying the entire system.
12. Layering
• Multiple security layers must be used in order to prevent the
opponent from accessing crucial information. Applying multiple
security layers provides multiple barriers to the adversary if he
tries to access the protected system.
13. Least Astonishment
• This security design principle states that the user interface of
the system must not amaze the user while accessing the secure
system. He should be able to understand how the security
mechanism is essential to protect the system.

• So, this is all about the security design principles which should
be considered while designing the security mechanism for a
system.
Quiz 1 Prelim
Next meeting:
• System and Security Life Cycle
• Security Implementation Mechanism
- Gates, guards, guns; Cryptography
• Information Assurance analysis model
