
INFORMATION ASSURANCE

AND SECURITY 1

Slide 1
JERWIN S. TAGUINOD, MIT
INSTRUCTOR
What is Information
Assurance?
INFORMATION ASSURANCE: INTRODUCTION
• IA is the practice of assuring information
and managing risks related to the use,
processing, storage, and transmission of
information or data and the systems and
processes used for those purposes.
Information assurance includes protection
of the integrity, availability, authenticity,
non-repudiation and confidentiality of user
data.
INFORMATION ASSURANCE: INTRODUCTION
• It uses physical, technical and administrative
controls to accomplish these tasks. While
focused predominantly on information in
digital form, the full range of IA
encompasses not only digital but also
analog or physical form.
INFORMATION ASSURANCE: INTRODUCTION
• These protections apply to data in transit,
both physical and electronic forms as well
as data at rest in various types of physical
and electronic storage facilities. Information
assurance as a field has grown from the
practice of information security.
INFORMATION ASSURANCE: OVERVIEW
• Information assurance is the process of
adding business benefit through the use of
IRM (Information Risk Management) which
increases the utility of information to
authorized users, and reduces the utility of
information to those unauthorized. It is
strongly related to the field of information
security, and also with business continuity.
INFORMATION ASSURANCE: OVERVIEW
• IA relates more to the business level and
strategic risk management of information and
related systems, rather than the creation and
application of security controls. Therefore in
addition to defending against malicious hackers
and code (e.g., viruses), IA practitioners
consider corporate governance issues such as
privacy, regulatory and standards compliance,
auditing, business continuity, and disaster
recovery as they relate to information systems.
INFORMATION ASSURANCE: OVERVIEW
• Further, while information security draws
primarily from computer science, IA is an
interdisciplinary field requiring expertise in
business, accounting, user experience, fraud
examination, forensic science, management
science, systems engineering, security
engineering, and criminology, in addition to
computer science. Therefore, IA is best thought
of as a superset of information security (i.e.
umbrella term), and as the business outcome of
Information Risk Management.
INFORMATION ASSURANCE: OVERVIEW
• Information Assurance is also the term used by
governments, including the government of the
United Kingdom, for the provision of holistic security
to information systems. In this use of the term, the
interdisciplinary approach set out above is somewhat
lessened: while security/systems engineering,
business continuity/enterprise resilience, forensic
investigation and threat analysis are considered,
management science, accounting and criminology
are not considered in developing mitigations to the
risks identified in the risk assessments conducted.
INFORMATION ASSURANCE: OVERVIEW
• HMG Information Assurance Standard 1&2,
which has replaced HMG Information
Security Standard, sets out the principles
and requirements of risk management in
accordance with the above principles and is
one of the Information Assurance Standards
currently used within the UK public sector.
INFORMATION ASSURANCE PROCESS
• Begins with the enumeration and
classification of the information assets to be
protected
• Next, the IA practitioner will perform a risk
assessment for those assets.
• Vulnerabilities in the information assets are
determined in order to enumerate the
threats capable of exploiting the assets.
INFORMATION ASSURANCE PROCESS
• The assessment then considers both the
probability and impact of a threat exploiting
vulnerability in an asset, with impact usually
measured in terms of cost to the asset's
stakeholders.
• The sum of the products of the threats'
impact and the probability of their
occurring is the total risk to the information
asset.
INFORMATION ASSURANCE PROCESS
• With the risk assessment complete, the IA
practitioner then develops a risk
management plan.
• This plan proposes countermeasures that
involve mitigating, eliminating, accepting, or
transferring the risks, and considers
prevention, detection, and response to
threats.
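The process above, worked as an added example that is not part of the slides: a small risk register in Python that enumerates classified assets, scores each threat as probability x impact, sums those products into the total risk per asset, and maps that total to a treatment (accept, mitigate, transfer). Asset names, probabilities, costs and the decision thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    """One threat/vulnerability pair on an asset (values are constructed)."""
    name: str
    probability: float  # chance per year that the threat exploits the vulnerability
    impact: float       # cost to the asset's stakeholders if it does

    def risk(self) -> float:
        return self.probability * self.impact

@dataclass
class Asset:
    name: str
    classification: str  # from the asset classification step
    threats: list = field(default_factory=list)

    def total_risk(self) -> float:
        # Total risk = sum of (impact x probability) over all threats
        return sum(t.risk() for t in self.threats)

def choose_treatment(asset, accept_below=1_000.0, transfer_above=50_000.0):
    """Map total risk to a treatment: accept, mitigate, or transfer."""
    r = asset.total_risk()
    if r < accept_below:
        return "accept"
    if r > transfer_above:
        return "transfer"  # e.g. insurance; thresholds are assumed values
    return "mitigate"      # apply prevention, detection and response controls

def build_register(assets):
    """Rows of (asset, total risk, treatment), highest risk first."""
    rows = [(a.name, a.total_risk(), choose_treatment(a)) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register
ASSETS = [
    Asset("customer database", "confidential", [
        Threat("SQL injection via web app", 0.20, 250_000),
        Threat("lost backup tape", 0.05, 80_000)]),
    Asset("payroll server", "confidential", [Threat("ransomware", 0.15, 60_000)]),
    Asset("intranet wiki", "internal", [Threat("insider defacement", 0.10, 5_000)]),
    Asset("public brochure site", "public", [Threat("DDoS outage", 0.30, 2_000)]),
]

if __name__ == "__main__":
    for name, risk, treatment in build_register(ASSETS):
        print(f"{name:22s} total risk={risk:>10.2f}  treatment={treatment}")
```

Re-running the register after each audit is the iterative step the slides describe: the probabilities and impacts are revised with the data gathered, and the treatments follow.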
COUNTERMEASURES OF IA PROCESS
• technical tools such as firewalls and anti-virus
software
• policies and procedures requiring such
controls as regular backups and configuration
hardening
• employee training in security awareness, or
organizing personnel into a dedicated
computer emergency response team (CERT)
or computer security incident response team
(CSIRT).
INFORMATION ASSURANCE PROCESS
• After the risk management plan is
implemented, it is tested and evaluated,
often by means of formal audits.
• The IA process is an iterative one, in that the
risk assessment and risk management plan
are meant to be periodically revised and
improved based on data gathered about
their completeness and effectiveness.
INFORMATION SECURITY: HISTORY
Caesar cipher, c. 50 B.C.
• invented by Julius Caesar to prevent his
secret messages from being read should a
message fall into the wrong hands; for the
most part, however, protection was achieved
through the application of procedural
handling controls.
INFORMATION SECURITY: HISTORY
Complex classification systems (mid-19th
century)
• allowed governments to manage their
information according to its degree of
sensitivity.
• The British Government codified this, to
some extent, with the publication of the
Official Secrets Act in 1889.
INFORMATION SECURITY: HISTORY
First World War
• multi-tier classification systems were used
to communicate information to and from
various fronts, which encouraged greater use
of code making and breaking sections in
diplomatic and military headquarters.
INFORMATION SECURITY: HISTORY
United Kingdom (1919)
• led to the creation of the Government Code
and Cypher School.
• Encoding became more sophisticated
between the wars as machines were
employed to scramble and unscramble
information.
INFORMATION SECURITY: HISTORY
Second World War
• The volume of information shared by the
Allied countries necessitated formal
alignment of classification systems and
procedural controls.
INFORMATION SECURITY: HISTORY
1990s
• the computer security industry witnessed a
revolution in the mainstream emergence of
the hacking subculture. Hackers suddenly
had different motives: greed, ideology, and
revenge.
INFORMATION SECURITY: HISTORY
Early 2022
• a Russian hacker was arrested for attempting
to extort $10,000 from a U.S. bank after
breaking into one of its Web servers and
stealing a customer list with names,
addresses, and bank account numbers.
• Almost every civilized nation has some sort
of information warfare program designed to
cripple the computing infrastructure of an
adversary's military.
INFORMATION SECURITY: HISTORY
Early 2022
• Finally, a huge number of attacks have
originated from disgruntled employees and
former employees of companies who know
and exploit the soft spots in a corporate
security policy.
INFORMATION SECURITY: HISTORY
End of the 20th century and 21st century
• saw rapid advancements in
telecommunications, computing hardware
and software, and data encryption.
• The availability of smaller, more powerful
and less expensive computing equipment
put electronic data processing within the
reach of small businesses and home users.
INFORMATION SECURITY: HISTORY
End of the 20th century and 21st century
• These computers quickly became
interconnected through the Internet.
• The rapid growth and widespread use of
electronic data processing and electronic
business conducted through the Internet,
along with numerous occurrences of
international terrorism, fueled the need for
better methods of protecting the computers
and the information they store, process and
transmit.
INFORMATION SECURITY: HISTORY
End of the 20th century and 21st century
• The academic disciplines of computer
security and information assurance emerged
along with numerous professional
organizations, all sharing the common goals
of ensuring the security and reliability of
information systems.
INFORMATION SECURITY
• Information security, sometimes shortened
to InfoSec, is the practice of defending
information from unauthorized access, use,
disclosure, disruption, modification, perusal,
inspection, recording or destruction. It is a
general term that can be used regardless of
the form the data may take (electronic,
physical, etc.).
Two major aspects of information security
1. IT Security
• Sometimes referred to as computer security.
• Information technology security is
information security applied to technology
(most often some form of computer system).
• It is worthwhile to note that a computer
does not necessarily mean a home desktop.
Two major aspects of information security
2. Information Assurance
• The act of ensuring that data is not lost
when critical issues arise.
• These issues include but are not limited to:
natural disasters, computer/server
malfunction, physical theft, or any other
instance where data has the potential of
being lost.
INFORMATION SECURITY: DEFINITIONS
• Preservation of confidentiality, integrity and
availability of information. Note: in addition,
other properties, such as authenticity,
accountability, non-repudiation and
reliability, can also be involved.
• The protection of information and
information systems from unauthorized
access, use, disclosure, disruption,
modification, or destruction in order to
provide confidentiality, integrity, and
availability.
INFORMATION SECURITY: DEFINITIONS
• Ensures that only authorized users
(confidentiality) have access to accurate and
complete information (integrity) when
required (availability).
• Is the process of protecting the intellectual
property of an organization.
• Is a risk management discipline, whose job
is to manage the cost of information risk to
the business.
INFORMATION SECURITY: DEFINITIONS
• A well-informed sense of assurance that
information risks and controls are in
balance.
• Is the protection of information and
minimises the risk of exposing information
to unauthorised parties.
COMPUTER SECURITY
• Is a branch of computer technology known
as information security as applied to
computers and networks.
• The objective of computer security includes
protection of information and property from
theft, corruption, or natural disaster, while
allowing the information and property to
remain accessible and productive to its
intended users.
COMPUTER SECURITY
• Generic name for the collection of tools
designed to protect data and to thwart
hackers.
Computer System Security
• The collective processes and mechanisms by
which sensitive and valuable information
and services are protected from publication,
tampering or collapse by unauthorized
activities or untrustworthy individuals and
unplanned events respectively.
NETWORK SECURITY
• Measures to protect data during their
transmission.
• Is the protection of the underlying
networking infrastructure from unauthorized
access, misuse, or theft. It involves creating
a secure infrastructure in which devices,
applications and users can work in a secure
manner.
INTERNET SECURITY
• Measures to protect data during their
transmission over a collection of
interconnected networks.
• Is a term that describes security for
activities and transactions made over the
internet.
• It's a particular component of the larger
ideas of cybersecurity and computer
security, involving topics including browser
security, online behavior and network
security.
Forms of damage related to software or
intruders
• Damage or destruction of computer systems.
• Damage or destruction of internal data.
• Loss of sensitive information to hostile
parties.
• Use of sensitive information to steal items
of monetary value.
Forms of damage related to software or
intruders
• Use of sensitive information against the
organization's customers, which may result
in legal action by customers against the
organization and loss of customers.
• Damage to the reputation of an
organization.
• Monetary damage due to loss of sensitive
information, destruction of data, hostile use
of sensitive data, or damage to the
organization's reputation.
PRINCIPLES OF SECURITY (GOALS)
CONFIDENTIALITY
• Is a set of rules that limits access to
information. Measures undertaken to ensure
confidentiality are designed to prevent
sensitive information from reaching the
wrong people, while making sure that the
right people can in fact get it. Training can
help familiarize authorized people with risk
factors and how to guard against them.
• Is the term used for preventing the
disclosure of information to unauthorized
individuals or systems.
CONFIDENTIALITY
For example, a credit card transaction on the
Internet requires the credit card number to be
transmitted from the buyer to the merchant and
from the merchant to a transaction processing
network.
The system attempts to enforce confidentiality
by encrypting the card number during
transmission, by limiting the places where it
might appear (in databases, log files, backups,
printed receipts, and so on), and by restricting
access to the places where it is stored.
CONFIDENTIALITY
If an unauthorized party obtains the card
number in any way, a breach of confidentiality
has occurred.
Confidentiality is necessary (but not sufficient)
for maintaining the privacy of the people whose
personal information a system holds.
Preserving authorized restrictions on
information access and disclosure, including
means for protecting personal privacy and
proprietary information.
CONFIDENTIALITY
A loss of confidentiality is the unauthorized
disclosure of information. Confidentiality is
thus the "prevention of unauthorized
disclosure of information."
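The card-number example above, as an added illustration that is not part of the slides: a Python log-redaction filter that limits where a card number can appear (here, application log lines) by masking all but the last four digits before a line is written. The regular expression, the Luhn pre-check and the sample log lines are constructed assumptions.

```python
import re

# Constructed pattern: 13-19 digits, optionally separated by single spaces or dashes
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for well-formed card numbers, which filters out
    look-alike digit runs such as order ids before anything is masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _mask(match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw                                  # not a card number: leave it
    return "*" * (len(digits) - 4) + digits[-4:]    # keep only the last four digits

def redact(line: str) -> str:
    """Return the log line with every card number masked."""
    return _PAN_RE.sub(_mask, line)

def redact_all(lines):
    """Redact a batch of lines; returns (redacted lines, number of lines changed)."""
    out = [redact(line) for line in lines]
    changed = sum(1 for a, b in zip(lines, out) if a != b)
    return out, changed

# Constructed sample log lines
SAMPLE_LOG = [
    "2024-03-01 12:00:01 INFO order=123456789012345 checkout ok",
    "2024-03-01 12:00:02 DEBUG card=4111 1111 1111 1111 amount=19.99",
    "2024-03-01 12:00:03 ERROR gateway timeout pan=5555555555554444",
]

if __name__ == "__main__":
    redacted, n = redact_all(SAMPLE_LOG)
    print("\n".join(redacted))
    print(f"{n} of {len(SAMPLE_LOG)} lines contained a card number")
```

The first sample line is left alone because its 15-digit order id fails the Luhn check; the other two are masked, so a later leak of the log file no longer discloses the card numbers.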
INTEGRITY
is the assurance that the information is
trustworthy and accurate.
involves maintaining the consistency, accuracy,
and trustworthiness of data over its entire life
cycle.
Data must not be changed in transit, and steps
must be taken to ensure that data cannot be
altered by unauthorized people (for example, in a
breach of confidentiality).
INTEGRITY
• This goal defines how we keep our data from
being altered. Man-in-the-middle (MiTM)
attacks are the example threat for this goal.
• Is about making sure that everything is as it
is supposed to be, and, in the context of
computer security, the prevention of
unauthorized modification of information.
INTEGRITY
• In computer security, integrity means that data cannot be
modified undetectably. This is not the same thing as
referential integrity in databases, although it can be viewed
as a special case of consistency as understood in the classic
ACID model of transaction processing.
• Integrity is violated when a message is actively modified in
transit. Computer/information security systems typically
provide message integrity in addition to data confidentiality.
• Guarding against improper information modification or
destruction, and includes ensuring information
non-repudiation and authenticity.
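An added example (not from the slides) of what "cannot be modified undetectably" means in practice: a keyed message authentication code (HMAC-SHA256) lets the receiver detect an in-transit change, while a bare hash appended to the message does not, because the hash can simply be recomputed over the altered payload. The key, the message and the in-transit modification are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed under the shared key."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, wire: bytes):
    """Receiver side: recompute the tag and compare it in constant time.
    Returns (ok, message); ok == False means the data was altered in transit."""
    if len(wire) < TAG_LEN:
        return False, b""
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), message

def protect_unkeyed(message: bytes) -> bytes:
    """Weak variant: a bare hash with no key, shown only to contrast with HMAC."""
    return message + hashlib.sha256(message).digest()

def verify_unkeyed(wire: bytes):
    message, digest = wire[:-TAG_LEN], wire[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(message).digest()), message

def modify_in_transit(wire: bytes, old: bytes, new: bytes, recompute_hash=False) -> bytes:
    """Constructed in-transit edit of the payload (the MiTM scenario from the slide).
    With recompute_hash=True the unkeyed hash is recomputed over the new payload,
    which is exactly what a keyed tag prevents: without the key it cannot be redone."""
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    message = message.replace(old, new, 1)
    if recompute_hash:
        return protect_unkeyed(message)
    return message + tag

KEY = secrets.token_bytes(32)              # shared between the two parties beforehand
MESSAGE = b"transfer 100 to account 42"    # constructed sample message

if __name__ == "__main__":
    wire = protect(KEY, MESSAGE)
    print("HMAC, untouched:", verify(KEY, wire)[0])                                     # True
    print("HMAC, altered:  ", verify(KEY, modify_in_transit(wire, b"100", b"900"))[0])  # False
    weak = protect_unkeyed(MESSAGE)
    altered = modify_in_transit(weak, b"100", b"900", recompute_hash=True)
    print("hash only, altered and recomputed:", verify_unkeyed(altered)[0])            # True
```

The HMAC gives integrity but not confidentiality: the payload is still readable on the wire, which is why the slides say systems provide message integrity in addition to confidentiality.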
