Lesson One Ias

The document provides an overview of an information assurance and security course. The course covers techniques for ensuring information security, including administrative and technical controls to prevent cyberattacks. It addresses topics like risk analysis, security planning, legal and privacy aspects of information assurance. The course outcomes include applying risk assessment methodology to select security controls and developing security management plans and policies. It aims to teach defense-in-depth security architecture and assessing security techniques in application, operating system, database and network layers. The course also examines legal and ethical issues related to information security.

Information Assurance and Security

Course Description
An overview of techniques for ensuring and managing information security. Topics include administrative and
technical security controls to prevent, detect, respond to, and recover from cyber-attacks; risk and vulnerability
analysis to select security controls; security planning; security architecture; security evaluation and assessment;
and legal, ethical, and privacy aspects of information assurance. Discussion also covers information security
fundamentals, such as cryptography, authentication, and access control techniques, and their use in network,
operating system, database, and application layers. Security issues of current importance are stressed.

Course Outcomes
1. Apply risk assessment methodology for selecting security controls to protect information assets.
2. Develop elements of information security management artifacts including plans, policies and technical
and physical control requirements and specifications.
3. Apply layered and defense-in-depth security architecture strategy to deny, deter, deflect, delay and
detect attacks.
4. Assess information security techniques in application, operating system, database and network
components of information systems for an effective layered defense.
5. Prioritize often conflicting confidentiality, integrity and availability (CIA) requirements for an application
and choose the right mix of access control tools and techniques for implementing the selected
requirements in a cost-effective manner.
6. Examine legal, ethical and privacy aspects associated with information systems and information
assurance.
7. Compare and contrast various information assurance techniques including testing, validation,
verification and certification toward judiciously applying them to a given security evaluation context.

Section 1:
• What is Information Assurance
• What constitutes information security
• Overview of threats, attacks, vulnerabilities
• Risks and control

Section 2:
• Security Management
• Risk Assessment
• IT security controls and planning

Section 3:
• Security architecture framework
• Assurance

Section 4:
• Security Technology basic tools and technologies
• Cryptography

Section 5:
• Security Technology basic tools and technologies: Authentication and Access Control

Section 6:
• Malicious software
• Software vulnerabilities
• Secure Software Development

Section 7:
• Operating System Security

Section 8:
• Database and cloud security

Section 9:
• Network and web security

Section 10:
• Legal and ethical Issues
• Privacy

Lesson 1 IAS 101
What is Information Assurance and Security?
End of Chapter Learning Outcomes

• Describe the key security requirements of confidentiality, integrity, and availability.
• Discuss the types of security threats and attacks that must be dealt with and give examples of the types
of threats and attacks that apply to different categories of computer and network assets.
• Summarize the functional requirements for computer security.
• Explain the fundamental security design principles.
• Discuss the use of attack surfaces and attack trees.
• Understand the principal aspects of a comprehensive security strategy.

Introduction
Suppose you visit an e-commerce website, such as your bank's or your stockbroker's. Before you type in highly
sensitive information, you would like some assurance that your information will be protected. Do you have such
assurance? How can you know? What security-relevant things do you want to happen, or not happen, when you
use such a website?

You might want:
• Privacy of your data
• Protection against phishing
• Integrity of your data
• Authentication
• Authorization
• Confidentiality
• Non-repudiation
• Availability

Which of these do you think fall under Information Assurance?

According to ISO/IEC Standard 9126-1 (Software Engineering—Product Quality), the following are all aspects of
system quality:
• Functionality
• Adequacy
• Interoperability
• Correctness
• Security
• Reliability
• Usability
• Efficiency
• Maintainability
• Portability

Which of these do you think fall under Information Assurance?

What is information, and how does information differ from data?

“Information is data endowed with relevance and purpose. Converting data into information thus requires
knowledge. Knowledge by definition is specialized.”

Characteristics of useful information:
• Accurate
• Timely
• Complete
• Verifiable
• Consistent
• Available

The following are all distinct conceptual resources:
• Noise: raw facts with an unknown coding system
• Data: raw facts with a known coding system
• Information: processed data
• Knowledge: accepted facts, principles, or rules of thumb that are useful for specific domains. Knowledge can
be the result of inferences and implications produced from simple information facts.

What about “assurance”? What does that mean? Assurance from what, or to do what? Is it context-dependent?

According to the U.S. Department of Defense, IA involves:

Actions taken that protect and defend information and information systems by ensuring their availability,
integrity, authentication, confidentiality and non-repudiation. This includes providing for restoration of
information systems by incorporating protection, detection and reaction capabilities.

Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation,
manipulation and exploitation, and also how to recover should any of those happen.

According to the DoD definition, these are some aspects of information needing protection:
• Availability: timely, reliable access to data and information services for authorized users.
• Integrity: protection against unauthorized modification or destruction of information.
• Confidentiality: assurance that information is not disclosed to unauthorized persons.
• Authentication: security measures to establish the validity of a transmission, message, or originator.
• Non-repudiation: assurance that the sender is provided with proof of a data delivery and the recipient is
provided with proof of the sender’s identity, so that neither can later deny having processed the data.
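The difference between integrity, authentication and non-repudiation in the DoD list is easiest to see in code. The following Go program is an added example, not part of the original lesson: it compares a shared-key HMAC, which gives integrity and authentication between the two key holders but no non-repudiation, with an Ed25519 signature, which does. The message, shared secret and key seeds are constructed for the demonstration only.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
)

// macTag computes HMAC-SHA256 over msg with a key shared by sender and
// recipient. A matching tag gives integrity and authentication between the two
// key holders, but either could have produced it: no non-repudiation.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macVerify recomputes the tag and compares it in constant time.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// Outcome records each check so the two mechanisms can be compared.
type Outcome struct {
	MACValid, MACTampered, SigValid, SigTampered, SigOtherKey bool
}

// Demonstrate runs both mechanisms over a constructed sample message. Keys
// derive from fixed seeds so the run repeats; real keys come from crypto/rand.
func Demonstrate() Outcome {
	var o Outcome
	key := []byte("constructed shared secret")  // constructed, not a real key
	msg := []byte("transfer 100 to account 42") // constructed sample message
	altered := []byte("transfer 900 to account 42")
	tag := macTag(key, msg)
	o.MACValid = macVerify(key, msg, tag)
	o.MACTampered = macVerify(key, altered, tag)
	// Ed25519: only the private-key holder can sign, anyone with the public key
	// can verify, so the recipient holds proof of origin the sender cannot deny.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	sig := ed25519.Sign(priv, msg)
	o.SigValid = ed25519.Verify(pub, msg, sig)
	o.SigTampered = ed25519.Verify(pub, altered, sig)
	o.SigOtherKey = ed25519.Verify(other.Public().(ed25519.PublicKey), msg, sig)
	return o
}
```

Both checks reject the altered message (integrity), but only the signature fails under a different key, which is what lets a third party attribute the message to one sender.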

What is Information Assurance?

Information assurance and security is the management and protection of knowledge, information, and data.
• Information assurance focuses on ensuring the availability, integrity, authentication, confidentiality, and
non-repudiation of information and systems. These measures may include providing for restoration of
information systems by incorporating protection, detection, and reaction capabilities.
• Information security centers on the protection of information and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity,
and availability.

Four Security Domains

“Physical security refers to the protection of hardware, software, and data against physical threats to reduce or
prevent disruptions to operations and services and loss of assets.”

“Personnel security is a variety of ongoing measures taken to reduce the likelihood and severity of accidental
and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution,
and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders
and known outsiders, such as business partners.”

“IT security is the inherent technical features and functions that collectively contribute to an IT infrastructure
achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability.”

“Operational security involves the implementation of standard operational security procedures that define the
nature and frequency of the interaction between users, systems, and system resources, the purpose of which is to
• achieve and sustain a known secure system state at all times, and
• prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system
resources.”

Computer security concepts

Computer Security: The protection afforded to an automated information system in order to attain the applicable
objectives of preserving the integrity, availability, and confidentiality of information system resources (includes
hardware, software, firmware, information/data, and telecommunications).

This definition introduces three key objectives that are at the heart of computer security:
• Confidentiality: This term covers two related concepts:
— Data confidentiality: Assures that private or confidential information is not made available or disclosed to
unauthorized individuals.
— Privacy: Assures that individuals control or influence what information related to them may be collected and
stored and by whom and to whom that information may be disclosed.
• Integrity: This term covers two related concepts:
— Data integrity: Assures that information and programs are changed only in a specified and authorized
manner.
— System integrity: Assures that a system performs its intended function in an unimpaired manner, free from
deliberate or inadvertent unauthorized manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to authorized users.

These three concepts form what is often referred to as the CIA triad. The three concepts embody the fundamental
security objectives for both data and for information and computing services. For example, the NIST standard FIPS
199 (Standards for Security Categorization of Federal Information and Information Systems) lists confidentiality,
integrity, and availability as the three security objectives for information and for information systems. FIPS 199
provides a useful characterization of these three objectives in terms of requirements and the definition of a loss
of security in each category:

• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure
of information.
• Integrity: Guarding against improper information modification or destruction, including ensuring information
nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of
information.
• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption
of access to or use of information or an information system.

Although the use of the CIA triad to define security objectives is well established, some in the security field feel
that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are
as follows:

• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity
of a transmission, a message, or message originator. This means verifying that users are who they say they are
and that each input arriving at the system came from a trusted source.

• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely
to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and
after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be
able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later
forensic analysis to trace security breaches or to aid in transaction disputes.

Note that FIPS 199 includes authenticity under integrity.
