Information Assurance and Security 1
RODEL M. ANTANG

The Needs for Security

The primary goal of an information security program is to ensure that systems and their contents remain the same.

The general management or IT management are responsible for implementing information security that protects the organization’s ability to function.

Today’s organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications. A modern organization needs to create an environment that safeguards these applications.

Protecting the Organization’s Data

Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers.

Safeguarding Technology Assets in Organizations

To perform effectively, organizations must employ secure infrastructure services appropriate to the size and scope of the enterprise.

Categories of Threat

• Compromises to Intellectual Property
• Deliberate software
• Deviations in Quality of Service
• Espionage or trespass
• Forces of Nature
• Information Extortion
• Theft

Attacks

An attack is an act that takes advantage of a vulnerability to compromise a controlled system. It is accomplished by a threat agent that damages or steals an organization’s information or physical asset.

Major Types of Attacks

• The malicious code attack
• A bot (an abbreviation of robot)
• Spyware
• Adware
• Hoaxes
• Back Doors
• Password Crack
• Brute Force
• Denial-of-Service (DoS)
• Spoofing
• Man-in-the-Middle
• Spam
• Mail Bombing
• Sniffers
• Social Engineering

Software Development Security Problems

Systems consist of hardware, software, networks, data, procedures, and people using the system. Many of the information security issues described in this module have their root cause in the software elements of the system.

Software Development Problems (Developers / Programmers)

• Buffer Overruns
• Cross-site Scripting
• Failure to Handle Errors
• Failure to Protect Network Traffic
• Failure to Store and Protect Data Securely
• Failure to Use Cryptographically Strong Random Numbers
• Format String Problems
• Neglecting Change Control
• Improper File Access
• Improper Use of SSL
• Information Leakage
• Integer Bugs (Overflows/Underflows)
• Race Conditions
• SQL Injection
• Trusting Network Address Resolution
• Unauthenticated Key Exchange
• Use of Magic URLs and Hidden Form
• Use of Weak Password-Based Systems
• Poor Usability
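The list above names SQL Injection as one of the software development problems whose root cause lies in the software itself. The following added example (written for this page, not code from the slides or their author) shows why: a lookup built by string formatting lets quote characters in the input become part of the SQL grammar, while the parameterized form keeps the same input as plain data. The users table, the names and the crafted input are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    """'Before' form: the query text is assembled from the input, so a quote
    character in the input closes the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username, password):
    """Hardened form: placeholders bind the input as data; the SQL text never
    changes no matter what characters the input contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed input: closes the quoted literal and appends an always-true clause.
TAUTOLOGY = "' OR '1'='1"


def demo():
    """Run both lookups on a legitimate login and on the crafted input."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice", "correct horse"),
        "legit_parameterized": lookup_parameterized(conn, "alice", "correct horse"),
        "crafted_vulnerable": lookup_vulnerable(conn, "alice", TAUTOLOGY),
        "crafted_parameterized": lookup_parameterized(conn, "alice", TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the legitimate password both forms return only alice. With the crafted input, the formatted query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable lookup returns every user; the parameterized lookup compares the password column against the literal string and returns nothing. The fix is the one the slide implies: never build SQL text from input, bind it.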
THANK YOU !