
Pervasive Themes in IT
Information Assurance and Security
2 Introduction

 To begin with:
 “Information is data endowed with relevance and purpose.”
 Data/information is a valuable resource that must be strictly controlled and managed, as with any corporate resource.
 Like many other technologies, information technology can be used both to promote stability and security and to threaten the same.

10/13/2022

3 Introduction…

 As society increasingly relies on digitally stored and accessed information:
 Traditional information security technologies, policies, management and practices cannot satisfy the security and assurance needs of modern information systems.
 Addressing only the protection of information against unauthorized disclosure, transfer, modification, or destruction, traditional information security cannot deliver the required level of information assurance.

4 Introduction…

 Information Assurance (IA) has become increasingly important in an era in which information is recognized as a key asset by many organizations.
 As a result, Information Assurance (IA) technologies are introduced to also detect intrusions and operate through attacks in such a way that a certain level of information security can be ensured in the presence of attacks.

5 Information Assurance (IA)

 IA is the study of how to protect information assets from destruction, degradation, manipulation and exploitation.
 But also, how to recover should any of those happen.
OR
 Measures that protect and defend information and information systems (IS) by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
 Notice that it is both proactive and reactive.

6 IA

 It includes providing for restoration of IS by incorporating protection, detection, and reaction capabilities.
 IA is much broader than Information Security.
 In particular:
  Information Security focuses on protection or prevention, while IA focuses on the integration of protection, detection and reaction;
  Attack recovery or restoration may be a topic out of the scope of Information Security, but it is certainly a critical component of IA;

7 IA…

  Intrusion detection is not a major concern of Information Security, but it is certainly crucial for IA;
  The goal of Information Security technologies is to prevent attacks from happening, while the goal of IA is to ensure that even if some attacks intrude into an IS, certain levels of availability, integrity, authentication, confidentiality, or non-repudiation can still be guaranteed.

8 IA…

 IA should be viewed as spanning four security engineering domains:
 Physical security: protection of hardware, software, and data against physical threats to reduce disruptions to operations and services and loss of assets.
 Personnel security: measures taken to reduce the likelihood of accidental and intentional alteration, destruction, misuse and unauthorized distribution, as the result of action or inaction by insiders and known outsiders, such as business partners.

9 IA…

 IT security: inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability.
 Operational security: implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources.

10 IA…

 The purpose of operational security is to
1. achieve and sustain a known secure system state at all times,
2. prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system resources.

11 IA…

 Assurance ensures that even if some attacks intrude into an information system, certain levels of availability, integrity, authentication, confidentiality, or non-repudiation can still be guaranteed.

12 IA

 Information systems security (INFOSEC): The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit.

13 IA Technologies

 IA technologies can be “clustered” into three generations as shown below:
 1st Generation: prevent intrusions.
 The goal is to prevent attacks from succeeding.
 The representative technologies are Trusted Computing Base, access control and physical security, multiple levels of security, and cryptography.

14 IA Technologies …

 2nd Generation: detect intrusions.
 Since not all attacks can be prevented, intrusions will occur.
 Hence, the goal of 2nd generation IA technologies is to detect intrusions.
 Some representative technologies are firewalls, intrusion detection systems, and boundary controllers.

15 IA Technologies …

 3rd Generation: operate through attacks (or survivability).
 Since some attacks will succeed, we need the 3rd generation IA technologies.
 The goal is to enable information systems to continue delivering essential services with security assurance in the presence of sustained attacks.
 E.g. Backup

16 IA Technologies …

 NOTE:
 Among the three generations of IA technologies, each generation is crucial in achieving the goals of Information Assurance, and none can replace another.

17 What is Security

 Security: mechanisms that protect an organization's assets against intentional or accidental threats/attacks.
 It also refers to the state of being free from any form of danger.
 In other words, it is protection against adversaries who would do harm intentionally or otherwise.
 Information security: The protection of information assets against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.

18 Asset

 An asset is the resource being protected, including:
 physical assets: devices, computers, people;
 logical assets: information, data (in transmission, storage, or processing), and intellectual property;
 system assets: any software, hardware, data, administrative, physical, communications, or personnel resource within an information system.
 Assets have value, so they are worth protecting against threats.

19 Threat

 A category of entities, or a circumstance, that poses a potential danger to an asset (usually through unauthorized access, destruction, disclosure, modification or denial of service).
 Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization.
 Threats can be categorized by intent: accidental or purposeful (error, fraud, hostile intelligence).

20 Forms of threats

 Interruption: an asset becomes unusable, unavailable, or lost.
 Interception: an unauthorized party gains access to an information asset.
 Modification: an unauthorized party tampers with an asset.
 Fabrication: an asset has been counterfeited.

 NB: Give examples of each of these.

21 Attack

 An act that causes damage to or otherwise compromises information and/or the systems that support it.
 Passive attack: an attack in which the attacker observes interaction with the system.
 Active attack: an attack in which the attacker directly interacts with the system.
 Unintentional attack: an attack where there is not a deliberate goal of misuse.

22 Levels of Security

 Physical security: to protect physical items, objects, or areas from unauthorized access and misuse.
 Personal security: to protect the individual or group of individuals who are authorized to access the organization and its operations.
 Operations security: to protect the details of a particular operation or series of activities.
 Communications security: to protect communications media, technology, and content.

23 Levels of Security …

 Network security: to protect networking components, connections, and contents.
 Information security: to protect information assets.

24 Information Security goals

 Availability: Enables authorized users, persons or computer systems to access information without interference or obstruction, and to receive it in the required format.
 Accuracy: Ensures information is free from mistakes or errors and has the value that the end user expects.
 If information has been intentionally or unintentionally modified, it is no longer accurate.

25 Information Security goals …

 Authenticity: security measures to establish the validity of a transmission channel, message, or originator.
 Information is authentic only when it is in the same state in which it was created, placed, stored, or transferred.
 Confidentiality: Not disclosed or exposed to unauthorized individuals or systems.
 Confidentiality ensures that only those with the rights and privileges to access information are able to do so.

26 Information Security goals…

 Integrity: protection against unauthorized modification or destruction of information.
 The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
 Non-repudiation: assurance that the sender is provided with proof of a data
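A small worked example, added here and not part of the original slides, of the integrity and authenticity goals above: the sender attaches an HMAC-SHA256 tag computed under a key shared with the receiver, and the receiver recomputes the tag before trusting the message. The message, the shared key and the tampering are constructed values. The last check also shows why a shared-key tag cannot provide the non-repudiation goal: the receiver can produce an identical tag, so a third party cannot tell which of the two created it; that property needs an asymmetric signature.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a secret agreed out of band by sender and receiver.
# In a real system this comes from key management, never from a literal.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def protect(message: bytes, key: bytes) -> bytes:
    """Return an HMAC-SHA256 tag that binds the message to the key holder(s)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, tag: bytes, key: bytes) -> bool:
    """Recompute the tag and compare it in constant time.

    A plain `==` on bytes stops at the first mismatch and so leaks, through
    timing, how many leading bytes of a guessed tag were right;
    hmac.compare_digest does not.
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Walk through the outcomes the goals slides describe."""
    original = b"transfer 100.00 to account 4711"   # constructed message
    tag = protect(original, SHARED_KEY)

    results = {}
    # Integrity and authenticity hold: untouched message, correct key -> accepted.
    results["intact"] = verify(original, tag, SHARED_KEY)
    # Integrity violated: an amount changed in transit -> rejected.
    tampered = original.replace(b"100.00", b"900.00")
    results["tampered"] = verify(tampered, tag, SHARED_KEY)
    # Authenticity violated: a party without the key forges a tag -> rejected.
    forged_tag = protect(original, secrets.token_bytes(32))
    results["forged"] = verify(original, forged_tag, SHARED_KEY)
    # Non-repudiation is NOT provided: the receiver holds the same key and can
    # make a tag identical to the sender's, so nobody can prove who made it.
    results["receiver_can_forge"] = hmac.compare_digest(protect(original, SHARED_KEY), tag)
    return results


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome:20s} accepted={accepted}")
```

Only the first check is accepted; the tampered message and the tag made without the key are rejected, while the final check succeeds, which is exactly the gap between integrity/authenticity and non-repudiation.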


27 Threats to information

 Hackers: enjoy the intellectual challenge of overcoming software limitations and increasing the capabilities of systems.
 Crackers: illegally break into other people’s secure systems and networks with the intention of causing damage.
 Cyber Terrorists: threaten/attack other people’s computers to further a social or political agenda.

28 Threats to information…

 Phishing: sending out ‘scam’ e-mails with the criminal intent of deceit and extortion.
 Phishing is a technique used by strangers to "fish" for information about you, information that you would not normally disclose to a stranger, such as your bank account number, PIN, etc.
 Spam: unsolicited and/or undesired bulk e-mail messages, often ‘selling’ a product.

29 Threats to information…

 Malware: Malicious Software deliberately created to damage, disrupt or destroy network services, computer software and data.
 Types of Malware:
1. Viruses: programs that conceal themselves, infect a computer and its information, and keep on replicating.
2. Worms: Programs that are capable of independently propagating throughout a computer network.
 They replicate fast and consume large amounts of the host computer's memory.

30 Malware...

3. Trojan horses: Programs that contain hidden functionality that can harm the host computer and the data it contains.
 Trojan horses enter a computer by hiding inside an apparently legitimate program, such as a screen saver.

31 Threats to information…

 Defacing websites: Defacing refers to the act of altering or removing part of the object designed to hold the viewer's attention.
 Denial of Service: Flooding a network with a lot of traffic such that it becomes non-responsive.
 Purpose: Make a network service unusable, usually by overloading the server or network.
 Eavesdropping: An attacker intercepting and decoding a communication between two parties.

32 Threats to information…

Social Problems
 People can be just as dangerous as unprotected computer systems.
 People can be lied to, manipulated, bribed, threatened, harmed, tortured, etc. to give up valuable information.
 Most humans will break down once they are at the “harmed” stage, unless they have been specially trained.

33 Who is vulnerable?

 Financial institutions and banks
 Internet service providers
 Pharmaceutical companies
 Government and defense agencies
 Contractors to various government agencies
 Multinational corporations
 ANYONE ON THE NETWORK

34 Counter Measures to Threats/Attacks

 Authorization: The granting of a right or privilege, which enables a subject to legitimately have access to a system or a system’s object.
 Authentication: A mechanism that determines whether a user is who he or she claims to be.
 Backup: Process of periodically keeping a copy of critical information and programs on offline storage media.
 Encryption: The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.
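An added illustration, not taken from the slides, of the difference between the first two counter measures: authentication checks a claimed identity against a salted PBKDF2 password hash, and authorization checks whether the authenticated subject's role carries the requested right. The user store, passwords, action names and role names are constructed for the example; the roles mirror the standard/administrator/guest account types the deck lists later.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Higher is slower for attacker and defender
# alike; the value here is a demo setting, not a recommendation for production.
ITERATIONS = 100_000

# Authorization policy (constructed): role -> actions that role may perform.
PERMISSIONS = {
    "administrator": {"read", "write", "delete"},
    "standard": {"read", "write"},
    "guest": {"read"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so a stolen store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, username: str, password: str, role: str) -> None:
    """Store salt, hash and role; never the password itself."""
    salt = os.urandom(16)  # unique per user: identical passwords give different hashes
    store[username] = (salt, hash_password(password, salt), role)


def authenticate(store: dict, username: str, password: str) -> bool:
    """Authentication: is the caller who they claim to be?"""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so that response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash, _role = record
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def authorize(store: dict, username: str, action: str) -> bool:
    """Authorization: does an already-authenticated subject hold this right?"""
    _salt, _hash, role = store[username]
    return action in PERMISSIONS.get(role, set())


def demo() -> dict:
    """Constructed users: one administrator, one standard account."""
    store = {}
    register(store, "alice", "correct horse battery staple", "administrator")
    register(store, "bob", "sdfo839f", "standard")
    return {
        "alice_login_ok": authenticate(store, "alice", "correct horse battery staple"),
        "alice_wrong_pw": authenticate(store, "alice", "wrong password"),
        "unknown_user": authenticate(store, "mallory", "anything"),
        "bob_can_write": authorize(store, "bob", "write"),
        "bob_can_delete": authorize(store, "bob", "delete"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:16s} {result}")
```

Note that `authorize` is only meaningful after `authenticate` has succeeded: proving who you are and being allowed to do something are separate decisions, which is why the slide lists them as two measures.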
35 Counter Measures to Threats/Attacks…

 Proxy Servers: This is a computer that sits between the browser and the Web server.
 It intercepts all requests to the Web server and tries to fulfill the requests itself.
 Firewalls: Designed to prevent unauthorized access to/from a private network.
 Can be implemented in both hardware and software, or a combination of both.
 Passwords: When choosing passwords, they should be meaningless random junk! A mix of characters & figures. For example, “sdfo839f” is a good password.
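The password advice above can be quantified. This added example, which is not from the slides, generates passwords with Python's `secrets` module (the operating system's CSPRNG, not the predictable `random` module) and computes the guessing entropy, length × log2(alphabet size), for several character pools, including the lowercase-plus-digit pool the slide's sample password draws from. The 10^10 guesses-per-second rate is a constructed assumption for an offline guessing attack, not a figure from the slides.

```python
import math
import secrets
import string

# Character pools a generator may draw from. The slide's sample password uses
# only lowercase letters and digits (36 symbols); each extra class widens the pool.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"

# Constructed assumption: an attacker guessing offline against stolen hashes.
GUESSES_PER_SECOND = 1e10


def generate_password(length: int, alphabet: str) -> str:
    """Pick each character independently and uniformly from a CSPRNG.

    secrets.choice is used instead of random.choice: the latter is a seeded
    Mersenne Twister whose output is predictable once enough of it is observed.
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Mean brute-force time: half the keyspace at the given guessing rate."""
    return (2 ** bits / 2) / rate


def compare_policies() -> dict:
    """Entropy in bits for three pools at three lengths, rounded to one decimal."""
    pools = {
        "lower+digits": LOWER + DIGITS,                                   # 36 symbols
        "lower+upper+digits": LOWER + UPPER + DIGITS,                     # 62 symbols
        "lower+upper+digits+symbols": LOWER + UPPER + DIGITS + SYMBOLS,   # 87 symbols
    }
    return {
        (name, length): round(entropy_bits(length, len(pool)), 1)
        for name, pool in pools.items()
        for length in (8, 12, 16)
    }


if __name__ == "__main__":
    for (name, length), bits in compare_policies().items():
        years = expected_crack_seconds(bits) / (365 * 24 * 3600)
        print(f"{name:28s} len={length:2d}  {bits:5.1f} bits  ~{years:.2e} years at 1e10 guesses/s")
    print("sample:", generate_password(16, LOWER + UPPER + DIGITS + SYMBOLS))
```

Running it shows that eight characters from a 36-symbol pool carry about 41 bits, and that adding characters to the length raises the entropy faster than adding classes to the pool, which is why length is the cheaper lever for users to pull.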
36 How a firewall works

[Figure: how a firewall works; image not included in the extracted text]

37 Counter Measures to Threats/Attacks…

 Turn On Your Browser's Security Features
 Install the Latest Version of Your Web Browser and Keep It Up To Date
 Update Windows Automatically
 Use a Standard User Account: Although an administrator account provides complete control over a computer, using a standard account prevents other people (hackers) from tampering with your computer's security settings.
 There are three different types of user accounts:
38 Counter Measures to Threats/Attacks…

 Standard
 Administrator
 Guest

39 Levels of impact

 Three levels of impact from a security breach can be defined:
 Low
 Moderate
 High

40 Low level

 The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
 A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might:
 Cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
 Result in minor damage to organizational assets;
41 Low level…

 Result in minor financial loss; or
 Result in minor harm to individuals.

42 Moderate Level Impact

 The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
 A serious adverse effect means that, for example, the loss might:
 Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;

43 Moderate Level Impact…

 Result in significant damage to organizational assets;
 Result in significant financial loss; or
 Result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.

44 High level

 The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
 A severe or catastrophic adverse effect means that, for example, the loss might:
 Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
 Result in major damage to organizational assets;
45 High level …

 Result in major financial loss; or
 Result in severe or catastrophic harm to individuals involving loss of life or serious, life-threatening injury.

46 PROACTIVE AND REACTIVE

 Proactive is defined as an approach which focuses on eliminating problems before they have a chance to appear.
 Reactive is defined as an approach based on responding to events after they have happened.
 The difference between these two approaches is the perspective each one provides in assessing actions and events.