
Introduction to Information Assurance

Information Assurance (IA) is a set of measures aimed at protecting information systems by ensuring their availability, integrity, confidentiality, and non-repudiation. It involves managing risks associated with information processing and employs physical, technical, and administrative controls. The document also discusses the principles of security, types of attacks, vulnerabilities, and the importance of a layered security approach in enterprise environments.

Uploaded by

Yonas Yosef

Chapter One

Introduction to Information Assurance and Security (ITEC4143)

What is Information Assurance?
• Information Assurance is defined as the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
• This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Cont’d…
• Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.
• Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data.
• It uses physical, technical and administrative controls to accomplish these tasks.

IA vs InfoSec vs CoSec
• IA: Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
  ◦ Reasons for assurance that information is protected.
• InfoSec: the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction; it is concerned with the CIA of data.

Cont’d…
Computer security
• Focuses on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.

Information Assurance strategy
• Cyber security awareness and education
• Strong cryptography
• Good security-enabled commercial information technology
• An enabling global Security Management Infrastructure, and
• A civil defense infrastructure equipped with an attack sensing and warning capability and coordinated response mechanism

Why Security?
• Computer security is required because most organizations can be damaged by virus software or intruders.
• There may be several forms of damage, which are obviously interrelated. These include:
  ◦ Damage or destruction of computer systems and internal data.
  ◦ Loss of sensitive information to hostile parties.
  ◦ Use of sensitive information to steal items of monetary value.
  ◦ Use of sensitive information against the organization's customers, which may result in legal action by customers against the organization and loss of customers.
  ◦ Damage to the reputation of an organization.
  ◦ Monetary damage due to loss of sensitive information, destruction of data, hostile use of sensitive data, or damage to the organization's reputation.

Information Assurance pillars
• The five information assurance (IA) pillars are availability, integrity, authentication, confidentiality, and non-repudiation.
• These pillars and any measures taken to protect and defend information and information systems.

Principles of Security
• These three concepts form what is often referred to as the CIA triad (Figure 1).
• The three concepts embody the fundamental security objectives for both data and for information and computing services.

Confidentiality
• It is a set of rules that limits access to information.
• Confidentiality is the term used for preventing the disclosure of information to unauthorized individuals or systems.
• Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.

Cont’d…
• For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network.
• The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.
• If an unauthorized party obtains the card

Integrity
• Integrity is the assurance that the information is trustworthy and accurate.
• Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.
• Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality).
• This goal defines how we keep our data from being altered. A man-in-the-middle (MiTM) attack is an example threat to this goal.

Cont’d…
• Integrity is about making sure that everything is as it is supposed to be and, in the context of computer security, the prevention of unauthorized modification of information.
• However, additional qualifications like “being authorized to do what one does” or “following the correct procedures” have also been included under the term integrity, so that users of a system, even if authorized, are not permitted to modify data items in such a way that assets or accounting records of the company are lost or corrupted.

Availability
• It means that assets are accessible to authorized parties at appropriate times.
• Availability is very much a concern beyond the traditional boundaries of computer security.
• We want to ensure that a malicious attacker cannot prevent legitimate users from having reasonable access to their systems.

Cont’d…
Privacy: The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.
Security/Privacy Threat: Any person, act, or object that poses a danger to computer security/privacy.

Cont’d…
Security in general is about protection of assets. This implies that in order to protect our assets, we must know the assets and their values.
Protection measures include:
• Prevention: to take measures to prevent the damage. E.g. locks on the door, guards, hidden places.
• Detection: to determine when, how and by whom the damage was done. E.g. a burglar alarm.
• Reaction: to take measures to recover from damage. E.g. calling the police.

Threats and vulnerabilities
A threat is a potential violation of security.
A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
Because the violation might occur, the actions that could cause it to occur must be guarded against. Those actions are called attacks.
Those who execute such actions, or cause them to be executed, are called attackers.

Cont’d…
Categories of Attacks:
• Interruption: An attack on availability
• Interception: An attack on confidentiality
• Modification: An attack on integrity
• Fabrication: An attack on authenticity

Cont’d…
Interruption: An asset of the system is destroyed or becomes unavailable or unusable.
Examples: destruction of hardware, cutting of a communication line.
Interception: An unauthorized party gains access to an asset. The unauthorized party could be a person, a program or a computer.
Examples: capturing data in the network, illegal copying of files.

Cont’d…
Modification: An unauthorized party gains access to and alters an asset.
Examples: changing a data file, altering a program and the contents of a message.
Fabrication: An unauthorized party inserts a fake object into the system.
Examples: insertion of records in data files, insertion of false messages in a network.

Cont’d…
• We have two types of attacks: active and passive.

Active attacks
Active attacks involve some modification of the data stream or the creation of a false stream. These are:
• Masquerade,
• Replay,
• Modification of messages, and
• Denial of service.

Cont’d…
• Masquerade: Here, an entity pretends to be some other entity. It usually includes one of the other forms of active attack.

Cont’d…
• Replay: It involves the capture of a data unit and its subsequent retransmission to produce an unauthorized effect. It can take place by sending the same message twice.

Cont’d…
• Modification of messages: It means that some portion of a legitimate message is altered to produce an unauthorized effect.
  ◦ Ex: “John’s acc no is 2346” is modified as “John’s acc no is 7892”

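How a receiver can detect the replay and message-modification attacks described above, as an added example that is not part of the original slides. It assumes the two parties share a secret key and that each message carries a sequence number and an HMAC-SHA256 tag; the class and field names are hypothetical.

```python
import hashlib
import hmac
import os


def make_tag(key: bytes, seq: int, body: bytes) -> bytes:
    # The tag covers the sequence number and the body, so neither can be
    # changed in transit without invalidating it.
    return hmac.new(key, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, text: str) -> dict:
        self.seq += 1  # every message gets a fresh, increasing number
        body = text.encode()
        return {"seq": self.seq, "body": body,
                "tag": make_tag(self.key, self.seq, body)}


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def receive(self, msg: dict) -> str:
        expected = make_tag(self.key, msg["seq"], msg["body"])
        # Constant-time comparison of the received and recomputed tags.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified"
        # A valid tag on an already-seen number means a captured message
        # is being retransmitted.
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = msg["seq"]
        return "accepted"


def demo() -> list:
    key = os.urandom(32)  # shared secret (constructed for this example)
    sender, receiver = Sender(key), Receiver(key)

    first = sender.send("John's acc no is 2346")
    results = [receiver.receive(first)]      # genuine message
    results.append(receiver.receive(first))  # same message sent twice

    second = sender.send("John's acc no is 2346")
    tampered = dict(second, body=b"John's acc no is 7892")
    results.append(receiver.receive(tampered))  # body altered in transit
    results.append(receiver.receive(second))    # untouched original
    return results


if __name__ == "__main__":
    print(demo())
```
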
Cont’d…
• Denial of service: This attack prevents the normal use of communication facilities.
  ◦ Ex: Disruption of an entire network by disabling it.

Passive attacks
• Reading the message content: A passive attack attempts to learn or make use of information from the system, but does not affect system resources.
• Passive attacks are very difficult to detect because they do not involve any alteration of the data.

Cont’d…
• Traffic analysis: It helps a passive attacker observe the frequency and length of encrypted messages being exchanged, thereby guessing the nature of the communication taking place.
• The number, size, frequency and times of messages sent, their sources and their destinations can be leaked from these types of analysis.

Vulnerabilities
A vulnerability is a weakness or fault that can lead to an exposure.
A particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user’s identity before allowing data access.
When we design, code, or test a secure system, we try to imagine the vulnerabilities that prevent us from reaching three security
Cont’d…
General categories of vulnerabilities of a computer system or network asset:
• It can be corrupted, so that it does the wrong thing or gives wrong answers.
  ◦ E.g., stored data values may differ from what they should be because they have been improperly modified.
• It can become leaky.
  ◦ E.g., someone who should not have access to some or all of the information available through the network obtains such access.
• It can become unavailable or very slow. That is, using the system or network becomes impossible or impractical.

Cont’d…
• Vulnerabilities apply to all three parts of a computer system (Hardware, Software, and Data).
• Hardware Vulnerabilities
• Hardware is more visible than software, largely because it is composed of physical objects.
• Hardware can be vulnerable to:
  ◦ Adding devices,
  ◦ Changing devices,
  ◦ Removing devices,
  ◦ Intercepting the traffic to them, or flooding them with traffic until they can no longer function.
• Hardware can also be attacked physically.

Cont’d…
• Software Vulnerabilities
• Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or misplaced accidentally.
  ◦ Software Deletion
  ◦ Software Modification
  ◦ Software Theft

Cont’d…
• Data Vulnerabilities
• For example, confidential data leaked to a competitor may narrow a competitive edge.
• Data incorrectly modified can cost human lives.
• Finally, inadequate security may lead to financial liability if certain personal data are made public.

Cont’d…
• A successful organization should have the following multiple layers of security in place to protect its operations:
  ◦ Physical security: to protect physical items, objects, or areas from unauthorized access and misuse.
  ◦ Personnel security: to protect the individual or group of individuals who are authorized to access the organization and its operations.
  ◦ Operations security: to protect the details of a particular operation or series of activities.
  ◦ Communications security: to protect communications media, technology, and content.
  ◦ Network security: to protect networking components, connections, and contents.
  ◦ Information security: to protect the CIA of information assets, whether in storage, processing, or transmission.

What is Enterprise security?
• Enterprise: includes multiple internal networks, various internal devices and systems, applications, and a diverse user presence as a single collective unit.
• As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.
• Enterprise security requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance and formal methods to knowledge of economics, applied psychology, organizations and the law.

Enterprise Security Architecture
Architecture: The highest-level concept of a system in its environment.
ESA: It defines the information security strategy that consists of layers of policy, standards, and procedures and the way they are linked across an enterprise.

Cont’d…
• In practice, ES within an EA context denotes:
  ◦ a product or component, such as a cryptographic protocol, a smart card or the hardware of a PC;
  ◦ plus an operating system, communications and other things that go to make up an organization’s infrastructure;
  ◦ plus one or more applications (media player, browser, word processor, accounts or payroll package);
  ◦ plus IT staff;
  ◦ plus internal users and management;
  ◦ plus customers and other external users.

Cont’d…
• Good enterprise security requires four things to come together.
  ◦ Policy: what you’re supposed to do.
  ◦ Mechanism: the ciphers, access controls, hardware tamper-resistance and other machinery that you assemble in order to implement the policy.
  ◦ Assurance: the amount of confidence you can place on each particular mechanism.
  ◦ Incentive: the motive that the people guarding and maintaining the system have to do their job properly and also the motive that the attackers have to try to defeat your policy.

Cont’d…
Security Policy: a formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
• In developing a security policy, a security manager needs to consider the following factors:
  ◦ The value of the assets being protected
  ◦ The vulnerabilities of the system
  ◦ Potential threats and the possibility of attacks.

Security Mechanism
Security mechanism involves four complementary courses of action:
• Prevention: An ideal security scheme is one in which no attack is successful. Although this is not practical in all cases, there is a wide range of threats in which prevention is a reasonable goal.
  ◦ For example, consider the transmission of encrypted data.
  ◦ If a secure encryption algorithm is used, and if measures are in place to prevent unauthorized access to encryption keys, then attacks on confidentiality of the transmitted data will be prevented.

Cont’d…
• Detection: In a number of cases, absolute protection is not feasible, but it is practical to detect security attacks.
  ◦ For example, there are intrusion detection systems designed to detect the presence of unauthorized individuals logged onto a system.
  ◦ Another example is detection of a denial of service attack, in which communications or processing resources are consumed so that they are unavailable to legitimate users.

Cont’d…
• Response: If security mechanisms detect an ongoing attack, such as a denial of service attack, the system may be able to respond in such a way as to halt the attack and prevent further damage.
• Recovery: An example of recovery is the use of backup systems, so that if data integrity is compromised, a prior, correct copy of the data can be reloaded.

Cont’d…
Assurance: the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes.
• This encompasses both system design and system implementation. Thus, assurance deals with the questions, “Does the security system design meet its requirements?” and “Does the security system implementation meet its specifications?”

Cont’d…
Evaluation: the process of examining a computer product or system with respect to certain criteria.
• Evaluation involves testing and may also involve formal analytic or mathematical techniques.
• The central thrust of work in this area is the development of evaluation criteria that can be applied to any security system and that are broadly supported for making product comparisons.

Countermeasures
• How do we address these problems? We use a control as a protective measure.
• In computer security, a countermeasure (or control) is an action, device, procedure, or technique that removes or reduces a vulnerability.
• To consider the controls or countermeasures that attempt to prevent exploiting a computing system’s vulnerabilities, we begin by thinking about traditional ways to enhance physical security.

Cyber defense
• What does Cyber Defense mean?
• Cyber defense is a computer network defense mechanism which includes response to actions and critical infrastructure protection and information assurance for organizations, government entities and other possible networks.
• Cyber defense focuses on:
  ◦ preventing, detecting and providing timely responses to attacks or threats.
• With the growth in volume as well as complexity of cyber-attacks, it is essential for most entities in order to protect sensitive information as well as to safeguard assets.
Cont’d…
  ◦ It helps in devising and driving the strategies necessary to counter malicious attacks or threats.
  ◦ It reduces the appeal of the environment to possible attackers.
  ◦ Cyber defense also carries out technical analysis to identify the threat.
  ◦ It helps in enhancing the security strategy utilizations and resources in the most effective fashion.
  ◦ Cyber defense protects your most important business assets against attack.

End of chapter

Thank You!!
