IAS - Unit 1
UNIT - I
By
Mrs. K.Ramya
Mrs. P.Jayalakshmi
INFORMATION ASSURANCE AND SECURITY
UNIT I : INTRODUCTION
• Fabricate message
• Replay
• Modification
Critical characteristics of information
• Confidentiality – ensures the disclosure of information only to those persons with authority to see it.
• Be a business enabler
• Protect the interconnecting element of an organization’s systems
• Be cost effective and cost beneficial
• Establish responsibilities and accountability
• Require a robust method
• Be assessed periodically
• Be restricted by social obligations
Be a business enabler:
• It allows the organization to achieve its intended objectives.
• Organizations should identify which controls are to be implemented and weigh the pros and cons associated with each.
• Security rules or procedures used to protect vital assets while simultaneously supporting the organization’s overall vision and mission should be a goal of every senior manager or executive.
• When information assurance is properly implemented, it ensures business confidence and competitive advantage.
• E.g. a bank developing a secure mobile application for banking may increase customer satisfaction, reduce personnel costs, and gain customers because of convenience.
Protect the interconnecting element of an organization’s systems
• Information systems provide the interconnecting elements of effective management of organizations.
• Effective protection from threats requires not only information systems but also information assurance to be an interconnecting, essential part of the entire management system.
• Information assurance is a shared responsibility and involves not only the IT organization but also other employees.
• Information assurance should be incorporated into the current management strategy system and requires participation from all functional units (people, processes, and technology).
• If it fails to do so, the organization will be unable to garner the required support and will not meet its business objectives.
• Information assurance involves constant review, monitoring, and improvement based on the risk decisions made by management.
Be cost effective and cost beneficial
• Information has varying value based on its criticality and sensitivity.
• Protection requirements should be proportional to the value of the information/assets protected and the associated risk. A thorough analysis of the costs and benefits of information assurance may examine either quantitative or qualitative aspects to ensure investment in controls meets expectations.
• Security investments should take into consideration the cost of designing, implementing, and maintaining the controls; the values of information assets; the degree of dependency on the information systems; and the potential risk and impact the organization is likely to face.
• Investing in information assurance is both a horizontal and vertical effort.
Security Services: What types of problems can occur?
• Confidentiality
• Integrity
• Authentication
• Availability
• Non-repudiation
Confidentiality
“The assurance that information is not disclosed to unauthorized persons, processes or devices.”
Authentication
Security service “designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information”
Integrity
Security Countermeasures: Who can enforce/check security?
• Technology
• Policy and Practice
• People
People
• The heart and soul of secure systems.
• Awareness, literacy, training, education in sound practice.
Technology
• Network
– Firewalls, Routers
– IDS/IPS, ACL
• Platform
– Operating systems
• Spoofing
• Malicious code
• Hoaxes
• Back doors
• Password crack
• Brute force
• Dictionary
• Denial of service (DoS) and distributed denial of service (DDoS)
• Man in the middle
• Spam
• Mail bombing
• Sniffer
• Social engineering
• Buffer overflow
• Timing
3. Design in the SecSDLC
Principles of Information
Security, Fourth Edition
– Based on structured sequence of procedures
• Using a methodology:
– Ensures a rigorous process
– Increases probability of success
• Traditional SDLC consists of six general phases
Figure 1-10 SDLC Waterfall Methodology
• Preliminary cost-benefit analysis developed
• At end
– Feasibility analysis performed
• Assess economic, technical, and behavioural feasibilities
Analysis
• Consists of assessments of:
– The organization
– Current systems
– Capability to support proposed systems
• Determine what new system is expected to do
• Determine how it will interact with existing systems
• Ends with documentation
Logical Design
• Main factor is business need
– Applications capable of providing needed services are selected
• Necessary data support and structures identified
• Technologies to implement physical solution determined
• Feasibility analysis performed at the end
Physical Design
• Technologies to support the alternatives identified and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision
• Feasibility analysis performed
– Entire solution presented to end-user representatives for approval
Implementation
• Needed software created
• Components ordered, received, and tested
• Users trained and documentation created
• Feasibility analysis prepared
– Users presented with system for performance review and acceptance test
Maintenance and Change
• Longest and most expensive phase
• Tasks necessary to support and modify system
– Last for product useful life
• Life cycle continues
– Process begins again from the investigation phase
• When current system can no longer support the organization’s mission, a new project is implemented
The Security Systems Development Life Cycle
• The same phases used in traditional SDLC
• Needs to be adapted to support implementation of an IS project
• Identifies specific threats and creates controls to counter them
• SecSDLC is a coherent program, not a series of random, seemingly unconnected actions
Investigation
• Identifies process, outcomes, goals, and constraints of the project
• Begins with Enterprise Information Security Policy (EISP)
• Organizational feasibility analysis is performed
Analysis
• Documents from investigation phase are studied
• Analysis of existing security policies or programs
• Analysis of documented current threats and associated controls
• Analysis of relevant legal issues that could impact design of the security solution
• Risk management task begins
Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
• Feasibility analysis to determine whether project should be continued or outsourced
Physical Design
• Needed security technology is evaluated
• Alternatives are generated
• Final design is selected
• At end of phase, feasibility study determines readiness of organization for project
Implementation
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues evaluated; specific training and education programs conducted
• Entire tested package is presented to management for final approval
Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat environment
• Often, repairing damage and restoring information is a constant duel with an unseen adversary
• Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Security Professionals and the Organization
Senior Management
• Chief Information Officer (CIO)
– Senior technology officer
– Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
– Primarily responsible for assessment, management, and implementation of IS in the organization
– Usually reports directly to the CIO
Information Security Project Team
• A number of individuals who are experienced in one or more facets of required technical and nontechnical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Data Responsibilities
• Data owner: responsible for the security and use of a particular set of information.
• Data custodian: responsible for storage, maintenance, and protection of information.
• Data users: end users who work with information to perform their daily jobs supporting the mission of the organization.
Comparing the SDLC and the SecSDLC
The NIST Approach to Securing the SDLC
• Champion: A senior executive who promotes the project and ensures its support, both financially and
administratively, at the highest levels of the organization.
• Team leader: A project manager who may also be a departmental line manager or staff unit manager,
and who understands project management, personnel management, and information security
technical requirements.
• Security policy developers: People who understand the organizational culture, existing policies, and
requirements for developing and implementing successful policies.
• Risk assessment specialists: People who understand financial risk assessment techniques, the value
of organizational assets, and the security methods to be used.
• Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information
security from both a technical and nontechnical standpoint.
• Systems administrators: People with the primary responsibility for administering systems that house
the information used by the organization.
• End users: Those whom the new system will most directly affect.
InfoSec Professionals
Security as Art
• No hard and fast rules nor many universally accepted complete solutions
• No manual for implementing security through entire system
Security as Science
• Dealing with technology designed to operate at high levels of performance
• Specific conditions cause virtually all actions that occur in computer systems
• Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
• If developers had sufficient time, they could resolve and eliminate faults
Security as a Social Science
• Social science examines the behaviour of individuals interacting with systems
• Security begins and ends with the people that interact with the system
• Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles
Information Assurance Concepts - Defense-in-Depth
Defense in depth: Design of security architecture for availability, integrity and secrecy
One way to think about it: cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures, with the goal of protecting operations and assets
CIA Balance, Nonrepudiation and Authentication
Basic Components of Security (CIA):
• Confidentiality: Who is authorized to use data?
• Integrity: Is data “good”?
• Availability: Can we access data whenever we need it?
(S = Secure, at the intersection of C, I and A)
CIA or CIAAAN (other security components added to CIA):
• Authentication
• Authorization
• Non-repudiation
• …
Need to Balance CIA
Example 1: C vs. I+A
Disconnect computer from Internet to increase confidentiality; availability suffers, and integrity suffers due to lost updates.
• Hackers 22%
• Current and former employees 21%
• Foreign countries 11%
• Hacktivists and other activists 5%
• Organized crime 4%
Categories of Threats
Threat - circumstances that have a potential to cause harm; potential risk of an asset’s loss of value.
– Black Hats: Bad guys, malicious hackers. They break into or otherwise violate the system integrity of remote systems with malicious intent. Having gained unauthorized access, black-hat hackers destroy vital data, deny legitimate users service, and just cause problems for their targets.
– Gray Hats: Good or bad hacker, depending on the situation. Gray-hat hackers may just be interested in hacking tools and technologies and are not malicious black hats; interested in hacker tools mostly from a curiosity standpoint.
• Ignorance
• Carelessness
• Network
• Physical access
Implications from Lack of Information Assurance
• Information System is a set of elements (people, data / technology, and processes / procedures) working together to provide useful information.
• Also, information system (IS) is any set of information technology and people’s activities using that technology to backup operations, management, and decision-making.
• An information system failure can cause financial loss, commercial embarrassment, loss of customers and revenue streams, sanctions and the loss of staff morale or stakeholder allegiance in an organization.
• Must apply both due care and due diligence to ensure a system is operating within acceptable social and legal norms.
– Due care is the development and implementation of policies and procedures to aid in performing the ongoing maintenance necessary to keep an information assurance process operating properly to protect assets and people from threats.
– Systems must be working in accordance with the expectations of a reasonable person in a situation.
– Due care prevents negligence.
– Due diligence is the reasonable investigation, research, and understanding of the risks an organization faces before committing to a particular course of action.
– The organization should do its homework and ensure ongoing monitoring.
• Penalties from Legal/Regulatory Authorities:
In the wake of countless corporate scandals and acts of negligence, regulations and laws exist to ensure internal controls are implemented to protect the interests of the public and stakeholders.
– Common themes from various legal/regulatory authorities are:
• Abuse: hacking, theft, password sharing
• Critical infrastructure protection: finance and banking, natural resources, power, water, food, logistics, and military
• Intellectual property: copyright, patent, and trademark
• Privacy: personal information