
INFORMATION ASSURANCE AND SECURITY

UNIT - I

By
Mrs. K.Ramya
Mrs. P.Jayalakshmi

UNIT I : INTRODUCTION

• Information Assurance Basics
• The Need for Information Assurance
• Key information security concepts
• Critical characteristics of information
• The MSR Model of Information Assurance
• Security in system lifecycle
• NIST approach to secure SDLC
• Security professionals and organizations
• Communities of interest
• Information security - is it an art or science?
• Defense in Depth
• Information Assurance in Cyber security
• CIA Triangle
• Need for security
• Categories of Threat
• Software attack types, other vulnerabilities
• Implications from Lack of Information Assurance
Information Assurance Basics
What is Information Assurance (IA)?
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Information assurance defines and applies a collection of policies, standards, methodologies, services, and mechanisms to maintain mission integrity with respect to people, process, technology, information, and supporting infrastructure. Information assurance provides for confidentiality, integrity, availability, possession, utility, authenticity, nonrepudiation, authorized use, and privacy of information in all forms and during all exchanges.
Need for information assurance
• The information assets and infrastructure of organizations are constantly threatened.
• The dynamic threat environment has increased the need for information assurance.
• Information assurance is not just a technology issue but a business and social issue as well.
• GOAL - protect the information and infrastructure that supports the mission and vision of an organization through compliance with regulations, risk management, and organizational policies.
• Information assurance is integral to every organization’s information systems risk management plan, ensuring and protecting the confidentiality, integrity and availability of data and systems.
• This serves as a guarantee that information will be available to authorized users.
• Information stored in the system comes under attack from multiple sources in diverse forms: malicious code, attacks on the system, illegitimate privilege access, and complex cyber terrorism pulled off by organized groups or foreign agencies.
• The vulnerabilities that can be easily exploited are:
– Social engineering attacks - wherein a user is misled into revealing vital personal or critical information, such as system passwords, to a source that disguises itself as legitimate.
– DDoS - attacks intended to overwhelm a network and bring it to a standstill, blocking all communication channels.
– Malicious code and malware like worms, viruses, and Trojans that are created and deployed with the explicit aim of infiltrating, damaging and destroying an information system.
Key Information Security Concepts
• Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
– Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
• Asset: The organizational resource that is being protected.
– An asset can be logical - e.g. a Web site, software information, or data;
– An asset can be physical - e.g. a person, computer system, hardware, or other tangible object.
Attack
• Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
• Attacks can be active or passive, intentional or unintentional, and direct or indirect.
• Active attack: an attacker intentionally trying to modify data.
• Passive attack: someone who casually reads sensitive information not intended for his or her use is committing a passive attack.
Types of attacks (figure):
– Interception
– Traffic analysis: observe traffic pattern
– Interruption: block delivery of message
– Fabrication: fabricate message
– Replay
– Modification
Critical characteristics of information
• Confidentiality – ensures the disclosure of information only to those persons with authority to see it.
• Integrity – ensures that information remains in its original form; information remains true to the creator’s intent.
• Authentication – information or information resources conform to reality; they are not misrepresented as something they are not.
• Possession – information or an information resource remains in the custody of authorized personnel.
• Availability – information or an information resource is ready for use within stated operational parameters.
• Privacy – ensures the protection of personal information from observation or intrusion as well as adherence to relevant privacy compliance requirements.
• Utility – information is fit for a purpose and in a usable state.
• Authorized Use – ensures cost-incurring services are available only to authorized personnel.
• Nonrepudiation – ensures the originator of a message or transaction may not later deny the action.
The MSR Model of Information Assurance
• A common model and understanding of information assurance is necessary if an organization is to speak a common risk language and understand common objectives.
Figure: Maconachy, Schou, Ragsdale (MSR) Cube
MSR model contd..
• The model shows three dimensions. If extrapolated, the three values on each axis form a 3×3×3 cube with 27 cells, each representing an area that must be addressed to secure today’s information systems.
• To ensure system security, each of the 27 areas must be properly addressed during the security process.
• For example, the intersection of technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.
• One such control might be a host intrusion detection system that protects the integrity of information by alerting security administrators to the potential modification of a critical file.
• A common omission from such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies.
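The host integrity control named above, as an added example that is not part of the original slides: a small file-integrity monitor in Python for the technology/integrity/storage cell of the MSR cube. The file names, the JSON baseline format and the sample file contents are constructed for this demo and are not from the page.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# The MSR cube cell this control addresses: technology used to protect the
# integrity of information while it is in storage.
MSR_CELL = ("technology", "integrity", "storage")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large critical files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, critical: List[str]) -> Dict[str, Optional[str]]:
    """Record a trusted hash for each critical file; a file absent at baseline time is None."""
    return {rel: (sha256_of(root / rel) if (root / rel).is_file() else None)
            for rel in critical}


def check_integrity(root: Path, baseline: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Compare the current file state against the baseline and classify each deviation."""
    findings: Dict[str, List[str]] = {"modified": [], "missing": [], "appeared": []}
    for rel, expected in baseline.items():
        path = root / rel
        current = sha256_of(path) if path.is_file() else None
        if current == expected:
            continue                            # unchanged: integrity at rest holds
        if expected is None:
            findings["appeared"].append(rel)    # exists now, did not at baseline
        elif current is None:
            findings["missing"].append(rel)     # deletion is also an integrity loss
        else:
            findings["modified"].append(rel)    # content differs from trusted hash
    return findings


def alert_lines(findings: Dict[str, List[str]]) -> List[str]:
    """Render findings as the alert text a security administrator would receive."""
    return [f"ALERT[{'/'.join(MSR_CELL)}] {kind}: {rel}"
            for kind, rels in findings.items() for rel in sorted(rels)]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (hypothetical files): baseline, then one edit, one deletion, one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        critical = ["etc/passwd", "etc/hosts", "etc/shadow"]  # shadow absent at baseline

        # The baseline must live outside the monitored tree (ideally read-only);
        # otherwise whoever alters a file can alter its trusted hash as well.
        store = Path(tmp) / "baseline.json"
        store.write_text(json.dumps(build_baseline(root, critical)))

        # Simulated changes between the baseline and the check.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n# unexpected edit\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "shadow").write_text("placeholder\n")

        findings = check_integrity(root, json.loads(store.read_text()))
        for line in alert_lines(findings):
            print(line)
        return findings


if __name__ == "__main__":
    demo()
```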
MSR Model contd..
The seven principles specify that information assurance should do the following:
• Be a business enabler
• Protect the interconnecting element of an organization’s systems
• Be cost effective and cost beneficial
• Establish responsibilities and accountability
• Require a robust method
• Be assessed periodically
• Be restricted by social obligations
Be a business enabler:
• It allows the organization to achieve its intended objectives.
• Organizations should identify which controls are to be implemented and weigh the pros and cons associated with each.
• Security rules or procedures used to protect vital assets while simultaneously supporting the organization’s overall vision and mission should be a goal of every senior manager or executive.
• When information assurance is properly implemented, it ensures business confidence and competitive advantage.
• E.g. a bank developing a secure mobile application for banking may increase customer satisfaction, reduce personnel costs, and gain customers because of convenience.
Protect the interconnecting element of an organization’s systems
• Information systems provide the interconnecting elements of effective management of organizations.
• Effective protection from threats requires not only information systems but also information assurance to be an interconnecting, essential part of the entire management system.
• Information assurance is a shared responsibility and involves not only the IT organization but other employees as well.
• Information assurance should be incorporated into the current management strategy system and requires participation from all functional units (people, processes, and technology).
• If it fails to do so, the organization will be unable to garner the required support and will not meet its business objectives.
• Information assurance involves constant review, monitoring, and improvement based on the risk decisions made by management.
Be cost effective and cost beneficial
• Information has varying value based on its criticality and sensitivity.
• Protection requirements should be proportional to the value of the information/assets protected and the associated risk. A thorough analysis of the costs and benefits of information assurance may examine either quantitative or qualitative aspects to ensure investment in controls meets expectations.
• Security investments should take into consideration the cost of designing, implementing, and maintaining the controls; the value of information assets; the degree of dependency on the information systems; and the potential risk and impact the organization is likely to face.
• Investing in information assurance is both a horizontal and vertical effort.
• Information assurance is also a crosscutting program.
• All information systems and services of an organization have an information assurance requirement. Therefore, an investment should be made in every project for information assurance. This can be thought of as a variable cost.
Information Assurance: Shared Responsibilities
• System owners, including cloud or outsourced service providers, should share information about planned and implemented security controls so that users can be aware of current efforts and know that the relevant systems are sufficiently secure.
• Identified critical systems should meet a predefined baseline acceptance level of security.
• Information assurance is a team effort. The assignment of responsibilities may be to internal or external parties. Clearly defined security responsibilities (at both the individual and functional level) encourage best practices by users.
Information Assurance: Robust Approach
• Information assurance requires a complete and integrated approach that considers a wide range of processes. This comprehensive approach extends throughout the entire information life cycle.
• Security controls operate more effectively in concert with the proper functioning of other business process controls. Interdependencies within an information system exist by definition; therefore, a thorough study should be performed before a determination of compatibility and feasibility of controls is made.
Information Assurance: Reassessed Periodically
• Security requirements change rapidly in parallel with emerging technologies, threats, and vulnerabilities. Therefore, there are always new risks.
• An audit or review should be performed to determine the level of compliance with implemented controls. Increases in complexity or rate of change will necessitate more mature change and configuration management (CM) approaches. Organizations should continuously monitor the performance of controls by conducting regular assessments of their information systems and ensure information
Organizations must consider social obligations:
• The rights and desires of the organization versus the rights of organizational employees and customers should be taken into account.
• This involves understanding the security needs of information owners and users.
• Expectations and policies may change concerning the suitable use of security controls.
• Organizations need to balance the security risks they are willing to accept against human rights or social factors.
• This could resolve issues such as the conflict between security and workplace privacy; e.g. employee monitoring and a bring-your-own-device (BYOD) policy are areas where social obligations and information assurance often require extensive analysis.
Security Services: What types of problems can occur?
(Figure: Confidentiality, Integrity, Authentication, Availability, Non-Repudiation)
Confidentiality
“The assurance that information is not disclosed to unauthorized persons, processes or devices.”
Authentication
Security service “designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information”
Integrity
“The assurance that data can not be created, changed, or deleted without proper authorization”
Availability
“Timely, reliable access to data and information services for authorized users.”
Non-Repudiation
“The assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data”
Information States: Where is the data?
(Figure: Transmission, Storage, Processing)
Transmission
Time in which the data is in transit between processing/process steps.
Storage
Time during which data is on a persistent medium such as a hard drive or tape.
Processing
Time during which the data is actually in the control of a processing step.
Security Countermeasures: Who can enforce/check security?
(Figure: People, Policy and Practice, Technology)
People
• The heart and soul of secure systems.
• Awareness, literacy, training, education in sound practice.
• Must follow policy and practice or the systems will be compromised no matter how good the design!
• Both strength and vulnerability.
Policy and Practice (operations)
• System users
• System administrators
• Software conventions
• Trust validation
Also a countermeasure and a vulnerability.
Technology
• Crypto systems, Hardware, Software
• Network
– Firewalls, Routers
– IDS/IPS, ACL
• Platform
– Operating systems
• Especially vulnerable to misconfiguration and other “people” errors.
Security in System Life Cycle
The Systems Development Life Cycle (SDLC)
• An SDLC is a methodology for the design and implementation of an information system.
• A methodology ensures a rigorous process with defined goals and increases the probability of success.
• Once a methodology is adopted, the key milestones are decided and a team is selected and made accountable for accomplishing the project goals.
• The traditional SDLC consists of six general phases.
• The waterfall model illustrates that each phase begins with the results and information gained from the previous phase.
• At the end of each phase the team determines whether the project should be continued, discontinued, outsourced, postponed, or returned to an earlier phase.
SDLC contd..
• This determination depends on whether the project is proceeding as expected or needs additional expertise, organizational knowledge, or other resources.
• Once the system is implemented, it is maintained and modified over the remainder of its working life.
• Any information systems implementation may have multiple iterations as the cycle is repeated over time.
• Only by constant examination and renewal can any system, especially an information security program, perform up to expectations in a constantly changing environment.
SDLC waterfall model
SDLC contd..
Investigation
– The first phase, investigation, is the most important.
– What problem is the system being developed to solve? The
investigation phase begins by examining the event or plan
that initiates the process.
– During this phase, the objectives, constraints, and scope of
the project are specified.
– A preliminary cost-benefit analysis evaluates the perceived
benefits and their appropriate levels of cost.
– At the conclusion of this phase and at every phase
afterward, a process will be undertaken to assess economic,
technical, and behavioral feasibilities and ensure that
implementation is worth the organization’s time and effort.
SDLC contd..
Analysis
– The analysis phase begins with the information gained during the investigation phase.
– This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
– Analysts begin by determining what the new system is expected to do and how it will interact with existing systems.
– This phase ends with documentation of the findings and an update of the feasibility analysis.
SDLC contd..
Logical Design
– Information gained from the analysis phase is used to begin creating a systems solution for a business problem.
– The logical design is the blueprint for the desired solution.
– The logical design is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. Instead, it addresses how the proposed system will solve the problem at hand.
– In this stage, analysts generate estimates of costs and benefits to allow for a general comparison of available options.
– At the end of this phase, another feasibility analysis is performed.
SDLC contd..
Physical Design
– Here specific technologies are selected to support the alternatives identified and evaluated in the logical design.
– The selected components are evaluated based on a make-or-buy decision, i.e. the option to develop components in-house or purchase them from a vendor.
– The final design integrates the various components and technologies.
– After yet another feasibility analysis, the entire solution is presented to the organization’s management for approval.
SDLC contd..
Implementation
– In the implementation phase, any needed
software is created.
– Components are ordered, received, and tested.
– Afterward, users are trained and supporting
documentation created.
– Once all components are tested individually, they
are installed and tested as a system.
– A feasibility analysis is again prepared, and the
sponsors are then presented with the system for a
performance review and acceptance test.
SDLC contd..
Maintenance and Change
– Consists of the tasks necessary to support and modify
the system for the remainder of its useful life cycle.
– At periodic points, the system is tested for compliance,
and the feasibility of continuance versus discontinuance
is evaluated. Upgrades, updates, and patches are
managed.
– The people who manage and support the systems must
continually monitor their effectiveness in relation to the
organization’s environment.
– When a current system can no longer support the
evolving mission of the organization, the project is
terminated and a new project is implemented.
The Security Systems Development Life Cycle (SecSDLC)
• It may differ in intent and specific activities, but the overall methodology is similar to the SDLC.
• The SecSDLC process involves the identification of specific threats and the creation of specific controls to counter those threats.
• It unifies the process and makes a coherent program rather than a series of random, unconnected actions.
Phases of the SecSDLC
1.Investigation in the SecSDLC
• Frequently this phase begins with the EISP (Enterprise Information Security Policy), which outlines the security program within the organisation.
• Teams of responsible managers, employees, and contractors are organized; problems are analyzed; and the scope of the project is defined along with specific goals and objectives and any additional constraints not covered in the program policy.
• A feasibility analysis determines whether the organization has the resources and commitment to conduct a successful security analysis and design.
2.Analysis in the SecSDLC
• Documents from the investigation phase are studied.
• The development team prepares a preliminary analysis of existing security policies or programs, along with known threats and current controls.
• This includes an analysis of relevant legal issues that could affect the design of the security solution.
• Risk management begins in this stage. It focuses on identifying, assessing, and evaluating the levels of risk in an organization, specifically the threats to its security and to the information it stores and processes.
Risk Management
• To better understand the analysis phase of the
SecSDLC, you should know something about
the kinds of threats facing organizations.
• In this context, a threat is an object, person, or
other entity that represents a constant danger
to an asset.
Threats to Information Security
Some Common Attacks
• Spoofing
• Hoaxes
• Back doors
• Password crack
• Brute force
• Dictionary
• Denial of service (DoS) and distributed denial of service (DDoS)
• Malicious code
• Man in the middle
• Spam
• Mail bombing
• Sniffer
• Social engineering
• Buffer overflow
• Timing
3.Design in the SecSDLC
• The design phase actually consists of two distinct phases:
– In the logical design phase, team members create and develop a blueprint for security, and examine and implement key policies.
– In the physical design phase, team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design.
Security Models
• Security managers often use established security models to guide the design process
• Security models provide frameworks for ensuring that all areas of security are addressed
• Organizations can adapt or adopt a framework to meet their own information security needs
Policy
• A critical design element of the information security program is the information security policy
• Management must define three types of security policy:
– General or security program policy
– Issue-specific security policies
– Systems-specific security policies
SETA
• Another integral part of the InfoSec program is the
Security Education Training and Awareness
program
• The SETA program consists of three elements:
security education, security training, and security
awareness
• The purpose of SETA is to enhance security by
– Improving awareness
– Developing skills and knowledge
– Building in-depth knowledge
Design
• Attention turns to the design of the controls and safeguards used to protect information from attacks by threats.
• There are three categories of controls:
– Managerial
– Operational
– Technical
Managerial Controls
• Address the design and implementation of the
security planning process and security
program management.
• Management controls also address:
– Risk management
– Security control reviews
Operational Controls
• Cover management functions and lower-level planning including:
– Disaster recovery
– Incident response planning
• Operational controls also address:
– Personnel security
– Physical security
– Protection of production inputs and outputs
Technical Controls
• Address those tactical and technical issues related to designing and implementing security in the organization
• Technologies necessary to protect information are examined and selected
Contingency Planning
• Essential preparedness documents provide contingency planning (CP) to prepare, react, and recover from circumstances that threaten the organization
– Incident response planning (IRP)
– Disaster recovery planning (DRP)
– Business continuity planning (BCP)
Physical Security
• Addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization
• Physical resources include:
– People
– Hardware
– Supporting information system elements
5.Implementation in the SecSDLC
• The security solutions are acquired, tested, implemented, and tested again.
• Personnel issues are evaluated, and specific training and education programs conducted.
• Perhaps the most important element of the implementation phase is the management of the project plan:
– Planning the project
– Supervising the tasks and action steps within the project
– Wrapping up the project
6.Maintenance
• Once implemented, the security program must be operated, properly managed, and kept up to date by means of established procedures.
• If the program is not adjusting to changes, it may be necessary to begin the cycle again.
• As new threats emerge and old threats evolve, an organization’s information security profile must constantly adapt to prevent threats from successfully penetrating sensitive data.
• Threats both from outside and within must be constantly monitored and checked.
The Systems Development Life Cycle
• Systems Development Life Cycle (SDLC):
– Methodology for design and implementation of information system
• Methodology:
– Formal approach to problem solving
– Based on structured sequence of procedures
• Using a methodology:
– Ensures a rigorous process
– Increases probability of success
• Traditional SDLC consists of six general phases
(Source: Principles of Information Security, Fourth Edition)
Figure 1-10 SDLC Waterfall Methodology

Investigation
• What problem is the system being developed to solve?
• Objectives, constraints, and scope of project specified
• Preliminary cost-benefit analysis developed
• At end
– Feasibility analysis performed
• Assess economic, technical, and behavioural feasibilities
Analysis
• Consists of assessments of:
– The organization
– Current systems
– Capability to support proposed systems
• Determine what new system is expected to do
• Determine how it will interact with existing systems
• Ends with documentation
Logical Design
• Main factor is business need
– Applications capable of providing needed services are selected
• Necessary data support and structures identified
• Technologies to implement physical solution determined
• Feasibility analysis performed at the end
Physical Design
• Technologies to support the alternatives identified and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision
• Feasibility analysis performed
– Entire solution presented to end-user representatives for approval
Implementation
• Needed software created
• Components ordered, received, and tested
• Users trained and documentation created
• Feasibility analysis prepared
– Users presented with system for performance review and acceptance test
Maintenance and Change
• Longest and most expensive phase
• Tasks necessary to support and modify system
– Last for product useful life
• Life cycle continues
– Process begins again from the investigation phase
• When current system can no longer support the organization’s mission, a new project is implemented
The Security Systems Development Life Cycle
• The same phases used in traditional SDLC
• Needs to be adapted to support implementation of an IS project
• Identifies specific threats and creates controls to counter them
• SecSDLC is a coherent program, not a series of random, seemingly unconnected actions
Investigation
• Identifies process, outcomes, goals, and constraints of the
project
• Begins with Enterprise Information Security Policy (EISP)
• Organizational feasibility analysis is performed

Analysis
• Documents from investigation phase are studied
• Analysis of existing security policies or programs
• Analysis of documented current threats and associated controls
• Analysis of relevant legal issues that could impact design of the security solution
• Risk management task begins
Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery

• Feasibility analysis to determine whether project should be
continued or outsourced
Physical Design
• Needed security technology is evaluated
• Alternatives are generated
• Final design is selected
• At end of phase, feasibility study determines readiness of
organization for project

Implementation
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues evaluated; specific training and education programs conducted
• Entire tested package is presented to management for final approval
Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat environment
• Often, repairing damage and restoring information is a constant duel with an unseen adversary
• Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Security Professionals and the Organization
• Wide range of professionals required to support a diverse information security program
• Senior management is key component
• Additional administrative support and technical expertise are required to implement details of IS program
Senior Management
• Chief Information Officer (CIO)
– Senior technology officer
– Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
– Primarily responsible for assessment, management, and implementation of IS in the organization
– Usually reports directly to the CIO
Information Security Project Team
• A number of individuals who are experienced in one or more facets of required technical and nontechnical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Data Responsibilities
• Data owner: responsible for the security and use of a particular set of information.
• Data custodian: responsible for storage, maintenance, and protection of information.
• Data users: end users who work with information to perform their daily jobs supporting the mission of the organization.
Comparing the SDLC and the SecSDLC
The NIST Approach to Securing the SDLC
• NIST Special Publication 800-64 rev. 2 maintains that early integration of security in the SDLC enables agencies to maximize return on investment through:
– Early identification and mitigation of security vulnerabilities and misconfigurations
– Awareness of potential engineering challenges
– Identification of shared security services and reuse of security strategies and tools
– Facilitation of informed executive decision making
Principles of Information Security, Fifth Edition
The NIST Approach: Initiation
• Security at this point is looked at in terms of business risks, with the information security office providing input.
• Key security activities include:
– Delineation of business requirements in terms of
confidentiality, integrity, and availability
– Determination of information categorization and
identification of known special handling requirements
to transmit, store, or create information
– Determination of any privacy requirements
The NIST Approach:
Development/Acquisition
• Key security activities include:
– Conducting risk assessment and using results to
supplement baseline security controls
– Analyzing security requirements
– Performing functional and security testing
– Preparing initial documents for system
certification and accreditation
– Designing security architecture



The NIST Approach:
Implementation/Assessment
• System is installed and evaluated in
operational environment.
• Key security activities include:
– Integrating information system into its
environment
– Planning and conducting system certification
activities in synchronization with testing of
security controls
– Completing system accreditation activities



The NIST Approach: Operations and
Maintenance
• Systems are in place and operating, enhancements
and/or modifications to the system are developed and
tested, and hardware and/or software are added or
replaced.
• Key security activities include:
– Conducting operational readiness review
– Managing configuration of system
– Instituting process and procedure for assured operations
and continuous monitoring of information system’s security
controls
– Performing reauthorization as required
The NIST Approach: Disposal
• Provides for disposal of system and closeout
of any contracts in place
• Key security activities include:
– Building and executing disposal/transition plan
– Archival of critical information
– Sanitization of media
– Disposal of hardware and software

Security Professionals and Organisations
InfoSec Project Team

• Champion: A senior executive who promotes the project and ensures its support, both financially and
administratively, at the highest levels of the organization.

• Team leader: A project manager who may also be a departmental line manager or staff unit manager,
and who understands project management, personnel management, and information security
technical requirements.

• Security policy developers: People who understand the organizational culture, existing policies, and
requirements for developing and implementing successful policies.

• Risk assessment specialists: People who understand financial risk assessment techniques, the value
of organizational assets, and the security methods to be used.

• Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information
security from both a technical and nontechnical standpoint.

• Systems administrators: People with the primary responsibility for administering systems that house
the information used by the organization.

• End users: Those whom the new system will most directly affect.
InfoSec Professionals

• It takes a wide range of professionals to support a diverse information security program
– Chief Information Officer (CIO)
– Chief Information Security Officer (CISO)
– Security Managers
– Security Technicians
– Data Owners
– Data Custodians
– Data Users
Certifications
• Many organizations seek professional certification
so that they can more easily identify the
proficiency of job applicants
– CISSP(Certified Information Systems Security
Professional)
– SSCP(Systems Security Certified Practitioner)
– GIAC(Global Information Assurance Certification)
– SCP(Security Certified Professional)
– Security+
– CISM(Certified Information Security Manager)
Major IT Professional Organizations and Ethics

• Association for Computing Machinery (ACM)
– promotes education and provides discounts for students
– educational and scientific computing society
• International Information Systems Security Certification Consortium
(ISC2)
– develops and implements information security certifications and
credentials
• System Administration, Networking, and Security Institute (SANS)
– Global Information Assurance Certifications (GIAC)
• Information Systems Audit and Control Association (ISACA)
– focus on auditing, control and security
• Computer Security Institute (CSI)
– sponsors education and training for information security
• Information Systems Security Association (ISSA)
– information exchange and educational development for
information security practitioners
Other Security Organizations

• Internet Society (ISOC)
– develops education, standards, policy, and training to promote the Internet
• Internet Engineering Task Force (IETF)
– develops Internet's technical foundations
• Computer Security Division (CSD) of National Institute for Standards and
Technology (NIST)
– Computer Security Resource Center (CSRC)
• Computer Emergency Response Team (CERT)
– CERT Coordination Center (CERT/CC)
– Carnegie Mellon University Software Engineering Institute
• Computer Professionals for Social Responsibility (CPSR)
– promotes ethical and responsible development and use of computing
– watchdog for development of ethical computing
Communities of interest

• Community of interest: a group of people who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
Communities of interest
• 3 communities of interest:
• Information Security Management and Professionals:
– Their roles are aligned with the goals and mission of the information security community of interest.
– They focus on protecting the organization’s information systems and stored information from attacks.
• Information Technology Management and Professionals:
– Consists of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines.
– They focus more on the costs of system creation and operation, ease of use for system users, and timeliness of system creation, as well as transaction response time.
• Organizational Management and Professionals:
– The general management team and the rest of the resources in the organization make up the other major community of interest.
– This large group is almost always made up of subsets of other interests as well, including executive management, production management, human resources, accounting, and legal staff, to name just a few.
Information Security: Is it an Art or a
Science?
• Implementation of information security often described as
combination of art and science
• “Security artisan” idea: based on the way individuals perceive
systems technologists since computers became commonplace

Principles of Information Security, Fourth Edition
Security as Art
• No hard and fast rules nor many universally accepted
complete solutions
• No manual for implementing security through entire system

Security as Science
• Dealing with technology designed to operate at high levels of
performance
• Specific conditions cause virtually all actions that occur in
computer systems
• Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
• If developers had sufficient time, they could resolve and
eliminate faults
Security as a Social Science
• Social science examines the behaviour of individuals
interacting with systems
• Security begins and ends with the people that interact with
the system
• Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles
Information Assurance Concepts-Defense-in-
Depth
Defense in depth: Design of security architecture

• Spheres of Security: the foundation of the security framework.
• The spheres of security illustrate how information is under attack from a variety of sources.
• The sphere of use illustrates the ways in which people access information.
• Information, as the most important asset in this model, is at the center of the sphere.
Figure 6-16 – Spheres of Security
Defense in depth: sphere of protection

• The sphere of protection illustrates that between each layer of the sphere of use there must exist a layer of protection, represented in the figure by the shaded bands.
• Information security is designed and implemented in three
layers: policies, people and technology, commonly referred
to as PPT.
• Each of the layers contains controls and safeguards that
protect the information and information system assets of
the organization
• Three levels of control:
– Managerial
– Operational
– Technical
Defense in depth: Managerial controls

• Managerial controls are security processes that are designed by strategic planners and implemented by the security administration of the organization.
• They address the design and implementation of the security planning process and security program management.
Defense in depth: Operational controls
• Operational controls are management and lower-level
planning functions that deal with the operational
functionality of security in the organization, such as
disaster recovery and incident response planning.
• Address personnel security, physical security, and the
protection of production inputs and outputs.
• Guide the development of education, training, and
awareness programs for users, administrators, and
management.
• Address hardware and software systems maintenance
and the integrity of data.
Defense in depth: Technical controls

• Technical controls are the strategic and technical implementations of security in the organization.
• They include logical access controls, such as identification, authentication, authorization, accountability (including audit trails), cryptography, and the classification of assets and users.
Defense in depth: Security Perimeter
• A security perimeter defines the boundary between the outer limit of an organization’s security and the beginning of the outside world.
• A security perimeter is the level of security that protects all internal systems from outside threats.
• The perimeter does not protect against internal attacks from employees.
• Within security perimeters the organization can establish security domains, or areas of trust within which users can freely communicate.
• The key components of the security perimeter are firewalls, DMZs (demilitarized zones), proxy servers, and IDPSs.
Defense in depth: firewall

• A firewall is usually a computing device or a specially configured computer that allows or prevents access to a defined area based on a set of rules.
• Firewalls are usually placed on the security perimeter, just behind or as part of a gateway router.
• A DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data.
Defense in depth: Proxy Servers

• An alternative to firewall subnets or DMZs is a proxy server, or proxy firewall.
• A proxy server performs actions on behalf of another system.
• When deployed, a proxy server is configured to look like a Web server and is assigned the domain name that users would be expecting to find for the system and its services.
• This gives requestors the response they need without allowing them to gain direct access to the internal and more sensitive server.
• For more frequently accessed Web pages, proxy servers can cache or temporarily store the page, and thus are sometimes called cache servers.
Defense in depth: Intrusion Detection and Prevention Systems (IDPSs)

• To detect unauthorized activity within the inner network or on individual machines, organizations can implement intrusion detection and prevention systems (IDPSs).
• Host-based IDPSs are usually installed on the machines they protect to monitor the status of various files stored on those machines.
• Network-based IDPSs look at patterns of network traffic and attempt to detect unusual activity based on previous baselines.
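As an added illustration (not the textbook's or the slide author's code), the following Python sketches both IDPS styles described above: a host-based check that compares file digests against a stored baseline, and a network-based check that flags a source host whose per-minute connection count departs from its learned baseline. All file contents, host addresses and counts are constructed sample data.

```python
"""Added illustration of the two IDPS styles described in the slides.
Not the textbook's code; file contents, hosts and counts are constructed."""
import hashlib
import statistics
from typing import Dict, List, Tuple

# --- Host-based: watch the status (content) of files on the protected machine ---

def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file's contents so the baseline stores digests, not the data."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def host_check(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare a fresh snapshot with the stored baseline; return (event, path) findings."""
    now = fingerprint(current)
    findings = []
    for path in sorted(set(baseline) | set(now)):
        if path not in now:
            findings.append(("removed", path))
        elif path not in baseline:
            findings.append(("added", path))
        elif baseline[path] != now[path]:
            findings.append(("modified", path))
    return findings

# --- Network-based: compare traffic volume per source with a learned baseline ---

def learn_baseline(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Per source host, remember the mean and standard deviation of connections per minute."""
    return {host: (statistics.mean(c), statistics.pstdev(c)) for host, c in history.items()}

def network_check(baseline: Dict[str, Tuple[float, float]], window: Dict[str, int],
                  k: float = 3.0) -> List[str]:
    """Flag hosts whose current-minute count exceeds mean + k*stdev, or that have no baseline."""
    alerts = []
    for host, count in window.items():
        if host not in baseline:
            alerts.append(host)  # never seen before: nothing to judge it against
            continue
        mean, sd = baseline[host]
        if count > mean + k * max(sd, 1.0):  # floor on sd so a flat baseline still alerts
            alerts.append(host)
    return sorted(alerts)

# Constructed sample data (hypothetical; not taken from the slides)
BASELINE_FILES = {"/etc/passwd": b"root:x:0:0\n", "/bin/sh": b"\x7fELF-sh"}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0\nalice:x:1000:1000\n",
                 "/bin/sh": b"\x7fELF-sh", "/tmp/x": b"new"}
TRAFFIC_HISTORY = {"10.0.0.5": [10, 12, 11, 9, 10], "10.0.0.7": [3, 4, 3, 3, 2]}
CURRENT_MINUTE = {"10.0.0.5": 11, "10.0.0.7": 40, "10.0.0.9": 1}

if __name__ == "__main__":
    print(host_check(fingerprint(BASELINE_FILES), CURRENT_FILES))
    print(network_check(learn_baseline(TRAFFIC_HISTORY), CURRENT_MINUTE))
```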
Information Assurance in Cyber security
Some Definitions

According to the U.S. Dept of Commerce:
information security: The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.
Some Definitions
According to H.R. 4246 “Cyber Security Information Act”:

Cyber security: “The vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety.”
Some Definitions
According to S. 1901 “Cybersecurity Research and Education
Act of 2002”:

cybersecurity: “information assurance, including scientific, technical, management, or any other relevant disciplines required to ensure computer and network security, including, but not limited to, a discipline related to the following functions:
(A) Secure System and network administration and operations.
(B) Systems security engineering.
(C) Information assurance systems and product acquisition.
(D) Cryptography.
(E) Threat and vulnerability assessment, including risk management.
(F) Web security.
(G) Operations of computer emergency response teams.
(H) Cybersecurity training, education, and management.
(I) Computer forensics.
(J) Defensive information operations.
Some Definitions

According to S. 1900 “Cyberterrorism Preparedness Act of 2002”:
cybersecurity: “information assurance, including information security, information technology disaster recovery, and information privacy.”
One way to think about it
cybersecurity = security of information systems and networks
+ with the goal of protecting operations and assets
One way to think about it
cybersecurity = security of information systems and networks with the goal of protecting operations and assets
+ security in the face of attacks, accidents and failures
One way to think about it
cybersecurity = security of information systems and networks in the face of attacks, accidents and failures with the goal of protecting operations and assets
+ availability, integrity and secrecy
One way to think about it
cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures with the goal of protecting operations and assets
CIA Balance, Nonrepudiation and
Authentication
Basic Components of Security: (CIA)
 CIA
 Confidentiality: Who is authorized to use data?
 Integrity: Is data “good”?
 Availability: Can we access data whenever we need it?
(Figure: the CIA triangle, with C, I and A at the corners and S = Secure at the center)
 CIA or CIAAAN (other security components added to CIA)
 Authentication
 Authorization
 Non-repudiation
 …
Need to Balance CIA
 Example 1: C vs. I+A
 Disconnect computer from Internet to increase confidentiality
 Availability suffers, integrity suffers due to lost updates
 Example 2: I vs. C+A
 Have extensive data checks by different people/systems to increase integrity
 Confidentiality suffers as more people see data, availability suffers due to locks on data under verification.
Need For Security
Need for Security
Most attacks are carried out by:
• Hackers 22%
• Current and former employees 21%
• Foreign countries 11%
• Hacktivists and other activists 5%
• Organized crime 4%
Categories of Threats
 Threat - Circumstances that have a potential to cause harm; the potential risk of an asset’s loss of value.
 Attack - An ongoing act against an asset that could result in a loss of its value.
 Exploit - A vulnerability that can be used to cause a loss to an asset.
 Threat agent - A person or other entity that may cause a loss in an asset’s value.
 Vulnerability - A potential weakness in an asset or its defensive control system.
12 Categories of threat
Vulnerabilities
• Vulnerability = A weakness in a security system
• Types of vulnerabilities:
• Perpetrators - A person who carries out a harmful, illegal, or immoral act
• Attacks can be categorized as either passive or active.
 Passive and active attacks are used on both network security infrastructures and on hosts.
 Active attacks alter the system or network they’re attacking, whereas passive attacks attempt to gain information from the system.
 Active attacks affect the availability, integrity, and authenticity of data; passive attacks are breaches of confidentiality.
 In addition to the active and passive categories, attacks are categorized as either inside attacks or outside attacks.
 An attack originating from within the security perimeter of an organization is an inside attack and usually is caused by an “insider”.
 An outside attack originates from a source outside the security perimeter, such as the Internet or a remote access connection.
• External attacks
– White Hats: Good guys, ethical hackers. They use their hacking skills for defensive purposes. White-hat hackers are usually security professionals with knowledge of hacking and the hacker toolset who use this knowledge to locate weaknesses and implement countermeasures.
– Black Hats: Bad guys, malicious hackers. They break into or otherwise violate the system integrity of remote systems with malicious intent. Having gained unauthorized access, black-hat hackers destroy vital data, deny legitimate users service, and cause problems for their targets.
– Gray Hats: Good or bad hacker, depending on the situation. Gray-hat hackers may just be interested in hacking tools and technologies and are not malicious black hats; they are interested in hacker tools mostly from a curiosity standpoint.
• Ignorance
• Carelessness
• Network
• Physical access
Implications from Lack of Information Assurance
• An information system is a set of elements (people, data/technology, and processes/procedures) working together to provide useful information.
• Also, an information system (IS) is any set of information technology and people’s activities using that technology to support operations, management, and decision-making.
• An information system failure can cause financial loss, commercial embarrassment, loss of customers and revenue streams, sanctions, and the loss of staff morale or stakeholder allegiance in an organization.
• Must apply both due care and due diligence to ensure a system
is operating within acceptable social and legal norms.
– Due care is the development and implementation of policies
and procedures to aid in performing the ongoing
maintenance necessary to keep an information assurance
process operating properly to protect assets and people from
threats.
– Systems must be working in accordance with the
expectations of a reasonable person in a situation.
– Due care prevents negligence.
– Due diligence is the reasonable investigation, research, and
understanding of the risks an organization faces before
committing to a particular course of action.
– The organization should do its homework and ensure
ongoing monitoring.
• Penalties from Legal/Regulatory Authorities:
In the wake of countless corporate scandals and acts of negligence, regulations and laws exist to ensure internal controls are implemented to protect the interests of the public and stakeholders.
– Common themes from various legal/regulatory authorities are:
• Abuse: Hacking, theft, password sharing
• Critical infrastructure protection: Finance and banking, natural resources, power, water, food, logistics, and military
• Intellectual property: Copyright, patent, and trademark
• Privacy: Personal information
• Loss of Information Assets
• Operational Losses and Operational Risk Management
• Customer Losses
• Loss of Image and Reputation