ITEC85 Reviewer

This document discusses information assurance and information security. While both specialties aim to protect digital data and systems, they differ in their techniques. Information assurance focuses on managing risks related to using, storing, processing and transferring data throughout its lifecycle. Information security focuses on developing and implementing tools and techniques to keep data safe, such as designing defensive software. Both fields involve technical, physical and administrative means to achieve protection, and seek the most secure infrastructure.

Uploaded by Antero Jr. Solis

Information Assurance vs. Information Security

•Digital information is an important asset to every individual or organization.
•It is under constant threat of theft, exploitation and unexpected deletion. Professionals who
specialize in either information assurance or information security deliver services to protect that data.
•Although both specialties guard computer systems and digital networks, the techniques taught and
practiced in each discipline are often different.

What is Information Assurance?

•According to Norwich University, it is the field concerned with safeguarding the integrity of data used by
individuals or organizations.
•It involves managing the risk related to using, storing, processing, and transferring data. Information
assurance is a complex task which involves handling data in both digital and physical forms.

What is Information Security?


•A practice that prevents unwanted access to private information.
•It focuses on the development and implementation of tools and techniques for keeping data safe.
•This includes designing defensive software that wards off threats.

Similarities of Information Assurance and Security


•both fields involve protecting the digitally stored information
•at a deeper level, professionals in both fields use physical, technical, and administrative means to
achieve their objectives
•information assurance and information security professionals both seek the most secure physical data
infrastructure possible to protect an organization’s information

CNSS Security Model


•This information security model, called the McCumber Cube, was created by John McCumber.
•The cube was originally seen as a Rubik's-cube-type model used to assess and evaluate information
security.
•Its three dimensions are the security goals (Confidentiality, Integrity, Availability), the countermeasures
(Policy, Education, Technology), and the information states (Storage, Processing, Transmission)
(Aplontech, n.d.). Each cell of the cube combines one item from each dimension: for example, the
intersection of data integrity, storage, and technology indicates the need to utilize technology to ensure
the integrity of the data as it is stored.

Components of Information System

•The computer age introduced a new element to businesses, universities, and a multitude of other
organizations: a set of components called the information system, which deals with collecting and
organizing data and information

Computer Hardware
• can be as small as a smartphone that fits in a pocket or as large as a supercomputer
• includes the peripheral devices, such as keyboards, external disk drives, and routers

Computer Software
• The role of software is to tell the hardware what to do.
• By analogy, the software is the brain and the hardware is the body.
• It sends signals and tasks.
• It is divided into two kinds: application software and system software.

Telecommunications
• This component connects the hardware together to form a network.
• A network is a set of computers connected by wired or wireless links.
• Networks include local area networks (LAN) and wide area networks (WAN).

Databases and Data Warehouses


• This component is where the “material” that the other components work with resides.
• A database is a place where data is collected and from which it can be retrieved by querying it using
one or more specific criteria. A data warehouse contains all of the data in whatever form that an
organization needs.

Human Resources and Procedures


- the final, and possibly most important, component of information systems is the human element
- the people needed to run the system, and the procedures they follow

SDLC is used by analysts to develop an information system. SDLC includes the following activities:
•Requirements
•Design
•Implementation
•Testing
•Deployment
•Operations
•Maintenance

Phases of SDLC
The Systems Development Life Cycle (SDLC) is a systematic approach that explicitly breaks down the work
required to implement a new or modified information system into phases.

Planning: obtain approval of the project; initiate, plan, and schedule it.
Analysis: understand the business needs and processing needs.
Design: define the solution system based on the requirements and analysis decisions.
Implementation: construct and test the system, train users, and install the new system.
Maintenance: keep the system healthy and improve it.

Security System Development Life Cycle
•The Security System Development Life Cycle (SecSDLC) is defined as the set of procedures that are
executed in sequence within the software development life cycle (SDLC).
•It is designed to help developers create software and applications in a way that, from the start,
significantly reduces the security risks at later stages.
•System Investigation: This process is started by directives from the officials working at the top level of
management in the organization.
•System Analysis: In this phase a detailed analysis of the documents from the System Investigation phase
is done.
•Logical Design: The Logical Design phase deals with the development of tools and the blueprints for the
various information security policies, their applications and software.
•Physical Design: The technical teams acquire the tools and blueprints needed for the implementation
of the software and the application of the system security.
•Implementation: Implementation and the integration process of the project are carried out with the
help of various teams, which aggressively test whether the product meets the system requirements
specified in the system documentation.
•Maintenance: The security program must be kept up to date in order to counter new threats that could
not be foreseen at the time of design.

Security Professional and Its Organization


Below is a list of security organizations and associations:

•Information Systems Security Association - ISSA International
•ASIS International
•GIAC Certifications: Cyber Security Certifications
•Security Industry Association
•Institute of Information Security Professionals
•Cloud Security Alliance

Information Security: Is It an Art or a Science?

•As an art, it analyzes threats to information assets and their risk, and employs countermeasures to
reduce those risks, such as shutting down unneeded services, strengthening the operating system, and
strengthening the network perimeter with firewalls.
•As a science, it is the discovery and knowledge of something that can be demonstrated and verified
within a community. For example, modern cryptography defines what security is and makes verifiable
statements that algorithms are secure.
Cryptography
Algorithm
• According to Kathleen Richards, Cryptography is a method of protecting information and
communications through the use of codes, so that only those for whom the information is intended can
read and process it. The prefix "crypt-" means "hidden" or "vault" -- and the suffix "-graphy" stands for
"writing."

Terminology
• Algorithm: a finite list of well-defined instructions for accomplishing some task that, given an initial
state, will terminate in a defined end state.
• Cipher: the core algorithm used to encrypt data. A cipher transforms plaintext into ciphertext that is
not reversible without a key.
• Ciphertext: text in encrypted form, as opposed to the plaintext.
• Codes: a list of equivalences (a codebook) allows the substitution of meaningful text for words,
phrases, or sentences in an innocuous message; for example, “Okay, OTW na ako.” might be decoded
to mean “Just woke up.”
• Decrypt/Decipher: the process of retrieving the plaintext from the ciphertext.
• Encrypt/Encipher: to alter plaintext using a secret code so as to be unintelligible to unauthorized
parties.
• Key: a word or system for solving a cipher or code.
• Plaintext: the original message to be encoded or enciphered.

Encryption
• The ability to transform data so that it can be read only by authorized persons is just one of the many
valuable services performed by the technology commonly referred to as encryption.
• This section describes encryption technology in basic terms and its application in areas such as file
encryption, message scrambling, authentication, and secure Internet transactions, which let us
communicate securely and store information safely.
[Diagram of cryptographic terms: encrypting a message]

Key
• scramble the contents of a file or message using some form of shared secret as a key
• without the key, the scrambled data remain hidden and cannot be unscrambled or decrypted.
Keyspace
• total number of possible keys for an encryption algorithm
• a function of the length of the key and the number of possible values in each position of the key
• For a key length of n positions, with each position having v possible values, the keyspace for that
key is v^n.
• For example, with three positions and two values per position (e.g., 0 or 1), the possible keys are
000, 001, 010, 011, 100, 101, 110, and 111, for a total keyspace of 8 (v = 2 values, 0 and 1; n = 3
positions; 2^3 = 8).
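The keyspace formula above, worked through in code. This is an added example and is not part of the reviewer; the function names (keyspace_size, enumerate_keys, bits_of_security, seconds_to_exhaust) and the trial rate used in the demonstration are assumptions made for this illustration. It generalizes the page's v = 2, n = 3 case to any v and n, lists every key for tiny keyspaces the way the reviewer does by hand, and converts the keyspace into the equivalent key length in bits and into the worst-case time a key search would take, which is the reason key length matters for defenders choosing an algorithm.

```python
import math
from itertools import product
from typing import List, Optional

def keyspace_size(n: int, v: int) -> int:
    """Total number of possible keys: v**n for n positions with v values each."""
    if n < 0 or v < 1:
        raise ValueError("need n >= 0 positions and v >= 1 values per position")
    return v ** n

def enumerate_keys(n: int, v: int, alphabet: Optional[str] = None) -> List[str]:
    """List every key as a string in counting order (only sensible for tiny keyspaces).

    By default each position takes the digits 0..v-1 (so v <= 10); pass an explicit
    alphabet of exactly v symbols for other value sets.
    """
    if alphabet is None:
        if v > 10:
            raise ValueError("supply an alphabet when v > 10")
        symbols = [str(i) for i in range(v)]
    else:
        symbols = list(alphabet)
    if len(symbols) != v:
        raise ValueError("alphabet must contain exactly v symbols")
    if keyspace_size(n, v) > 1_000_000:
        raise ValueError("keyspace too large to enumerate; use keyspace_size instead")
    return ["".join(p) for p in product(symbols, repeat=n)]

def bits_of_security(n: int, v: int) -> float:
    """Equivalent binary key length: log2(v**n) = n * log2(v)."""
    return n * math.log2(v)

def seconds_to_exhaust(n: int, v: int, keys_per_second: float) -> float:
    """Worst-case time for an exhaustive search to try every key at the given rate."""
    return keyspace_size(n, v) / keys_per_second

def worked_example() -> dict:
    """The reviewer's own case: three binary positions give 2**3 = 8 keys."""
    return {
        "keyspace": keyspace_size(3, 2),
        "keys": enumerate_keys(3, 2),
        "bits": bits_of_security(3, 2),
    }

if __name__ == "__main__":
    ex = worked_example()
    print(f"v=2, n=3 -> keyspace {ex['keyspace']}: {', '.join(ex['keys'])}")
    # Constructed (assumed) search rate of 1e12 keys/second, to contrast key lengths.
    for n in (3, 56, 128):
        years = seconds_to_exhaust(n, 2, 1e12) / (365 * 24 * 3600)
        print(f"v=2, n={n:3d} -> {bits_of_security(n, 2):.0f} bits, "
              f"~{years:.3e} years to exhaust")
```

The enumeration guard stops the function from trying to materialise anything beyond a million keys; for real key lengths only keyspace_size and bits_of_security are meaningful, and the printed contrast between n = 3 and n = 128 is the whole point of the keyspace concept.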

Countries Using Cryptography


• as a field of intellectual activity, cryptology goes back many millennia
• it was used in ancient Egypt, China, and India
• it was discussed by the Greeks and regularly employed by the Romans.
• The first European treatise on cryptography appeared in the 14th century.
• it had immense historical importance during both world wars
• The British success in breaking codes that the Germans used to protect military communications in
World War II was a major factor in both the outcome of the war and in the development of the first
electronic computer systems.

Applying Cryptography to Computer Security


• When applying cryptography to computer security, it is sometimes appropriate to substitute the term
“files” for “messages.”
• For example, hard drive encryption programs protect data files stored on a hard drive.
• However, data files take the form of messages when they are transferred from one computer to
another, across a network, the Internet, or via phone lines.
• Practically speaking, data being transferred in this manner are exposed to a different set of dangers
from those that threaten data residing on a computer in an office.
• Thus, the use of encryption to render files useless to anyone other than an authorized user is
relevant both to files in transit and to those that reside on a server or a stand-alone computer,
particularly when the latter is a laptop, or notebook.

Confidentiality
• The role of encryption in protecting confidentiality can be seen in a classic definition of encryption:
“Encryption is a special computation that operates on messages, converting them into a
representation that is meaningless for all parties other than the intended receiver.”
Integrity
• the integrity of data is often as important as keeping them confidential
• When writing checks, people take pains to thwart alteration of the payee or the amount.
• In some cases integrity is more important than confidentiality: changing the contents of a company
press release as it passes from the company to the press could have serious consequences.
• It is not only human actions that threaten data integrity; mechanical failures and logical errors can also
change data.

Authentication
• the ability to confirm the identity of users
• For example, many computers now ask users to log on before they can access data. By requesting a
user name and password, systems attempt to assure themselves that only authentic users can gain
access.
• However, this form of authentication is limited: it merely assures that the person logging on is
someone who knows a valid user name and password pair.

Nonrepudiation
• An aspect of computer security that has increased greatly in significance, due to the growth in
internetwork transactions, is nonrepudiation.
• For example, if someone places an electronic order to sell stocks that later increase in value, it is
important to prove that the order definitely originated with the individual who placed it.
• Made possible by public key cryptography, nonrepudiation helps ensure that the parties to a
communication cannot deny having participated in all or part of the communication.
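The Integrity, Authentication and Nonrepudiation points above, demonstrated with a message authentication code. This is an added example, not code from the reviewer: it uses Python's standard hmac and hashlib modules (HMAC-SHA256), and the shared key, the press-release text and the function names are constructed for the illustration. The receiver recomputes the tag over what arrived and accepts the message only if it matches, which catches both the deliberate edit of the press release and a single flipped bit from a storage or transmission fault. Two caveats a practitioner should keep in mind: the message itself travels in the clear, so this gives integrity and source authentication but no confidentiality, and because both parties hold the same key either of them could have produced the tag, so it does not give nonrepudiation; that, as the text says, needs public key cryptography (a digital signature), which is not shown here.

```python
import hmac
import hashlib

# Constructed demo key shared by the sender (the company) and the receiver (the press).
# Illustrative only: a real key is random (e.g. secrets.token_bytes(32)) and kept private.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample message standing in for the press release discussed in the text.
PRESS_RELEASE = b"ACME Corp reports Q3 profit rose 5% year over year."

def tag_message(key: bytes, message: bytes) -> bytes:
    """Authentication tag: HMAC-SHA256 over the message under the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag for the received message and compare in constant time,
    so that a forger cannot learn the tag byte by byte from timing differences."""
    return hmac.compare_digest(tag_message(key, message), tag)

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a mechanical or logical fault by flipping one bit of the data."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def integrity_scenarios() -> dict:
    """Run the receiver's check against four versions of the message.
    Returns which versions are accepted (True) or rejected (False)."""
    tag = tag_message(SHARED_KEY, PRESS_RELEASE)          # computed by the sender
    tampered = PRESS_RELEASE.replace(b"rose", b"fell")    # deliberate human alteration
    corrupted = flip_bit(PRESS_RELEASE, 3)                # single-bit storage/transit fault
    return {
        "unchanged": verify_message(SHARED_KEY, PRESS_RELEASE, tag),
        "tampered": verify_message(SHARED_KEY, tampered, tag),
        "corrupted": verify_message(SHARED_KEY, corrupted, tag),
        "wrong_key": verify_message(b"some-other-key", PRESS_RELEASE, tag),
    }

if __name__ == "__main__":
    for name, accepted in integrity_scenarios().items():
        print(f"{name:10s}: {'accepted' if accepted else 'REJECTED'}")
```

Only the unchanged message is accepted; the altered, corrupted and wrong-key cases are all rejected, which is the integrity guarantee the text describes. Note that the check detects change but cannot repair it, so it complements rather than replaces backups and availability controls.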

Limitations
• One role that cryptography cannot fill is defense against data destruction.
• Although encryption does not assure availability, it does represent a very valuable extra line of defense
for computer information when added to physical security, system access controls, and secure channels
of communication.

SECURITY MANAGEMENT
BUSINESS NEED FIRST

According to Business News Daily, there are six things to do before starting a business.

1. Do your research and make sure you understand the industry involved.
2. Take care of the legal aspects.
3. Map out your finances, because starting a business requires money.
4. Understand the risks.
5. Time it right.
6. Hire help.

ATTACKS AND THREATS
•A cyberattack, in layman’s terms, is a digital assault on a computer network.
•A cyber threat, by contrast, is a malicious act that attempts to damage data, steal data, or disrupt digital
life in general.
•Cyber threats include computer viruses, data breaches and denial of service.
•Connecting business operations to the Internet improves operational tasks dramatically, but increased
connectivity also leads to new security vulnerabilities.
•Organizations need to be better aware of and prepared for the cyber impact of increased connectivity.
•Cyber risk is a top concern, says the 2016 Travelers Risk Index. According to the index, about 19% of
businesses surveyed cited cyber, computer and technology risks and data breaches among their worries.

Here are the eight biggest threats to businesses:

1. Financial Issues
2. Laws and Regulation
3. Broad Economic Uncertainty
4. Attracting and Retaining Talent
5. Legal Liability
6. Cyber, Computer, Technology Risk/Data Breaches
7. Increasing Employee Benefits Cost
8. Medical Cost Inflation

Let’s focus on Cyber, Computer, Technology Risk/Data Breaches. As new technology emerges, new
threats are likely to follow. Below are the threats and vulnerabilities.

Ransomware – extortion of money in exchange for the victim's files
Malware – software used to gain unauthorized access
Social Engineering – tricking a user into giving up sensitive information
Phishing – sending fraudulent e-mails
Crypting services – encrypting malware so that it evades detection
Crimeware – buying and selling of malware on the Dark Web
Remote administration tools – give an attacker control over the device
Keyloggers – malware that records keystrokes

SECURE SOFTWARE DEVELOPMENT

•Security is essential, because a company that ignores it exposes itself to risk.
•Huge amounts of data can be stolen at any time.
•A few businesses don’t take this seriously and end up with financial losses and a bruised reputation.
SECURITY DEVELOPMENT LIFECYCLE

What are the benefits of SDL?
The most important reasons to adopt SDL practices are:

•Higher security. In SDL, continuous monitoring for vulnerabilities results in better application quality and
mitigation of business risks.
•Cost reduction. In SDL, early attention to flaws significantly reduces the effort required to detect and fix
them.
•Regulatory compliance. SDL encourages a conscientious attitude toward security-related laws and
regulations. Ignoring them may result in fines and penalties, even if no sensitive data is lost.

SDL also provides a variety of side benefits, such as:


•Development teams get continuous training in secure coding practices.
•Security approaches become more consistent across teams.
•Customers trust you more, because they see that special attention is paid to their security.
•Internal security improves when SDL is applied to in-house software tools.

Implementing Law and Ethics in Information Security

Law and Ethics in Information Security


● In general, people elect to trade some aspects of personal freedom for social order.
● As Jean Jacques Rousseau explains in The Social Contract, or Principles of Political Right, the rules the
members of a society create to balance the individual rights to self-determination against the needs of
the society as a whole are called laws.
● Laws are rules that mandate or prohibit certain behavior; they are drawn from ethics, which define
socially acceptable behaviors.

Organizational Liability and the Need for Counsel


● Organizational policies are guidelines that describe acceptable and unacceptable employee behaviors
in the workplace; they function as organizational laws, complete with penalties, judicial practices, and
sanctions to require compliance.
● For such a policy to be enforceable, the organization must be able to demonstrate the following:
● Dissemination (distribution) – The organization must be able to demonstrate that the relevant policy
has been made readily available for review by the employee.
● Review (reading) – The organization must be able to demonstrate that it disseminated the document
in an intelligible form, including versions for illiterate, non-English-reading, and reading-impaired
employees.
● Comprehension (understanding) – The organization must be able to demonstrate that the employee
understood the requirements and content of the policy.
● Compliance (agreement) – The organization must be able to demonstrate that the employee agreed
to comply with the policy through act or affirmation.
● Uniform enforcement – The organization must be able to demonstrate that the policy has been
uniformly enforced, regardless of employee status or assignment.

Types of Law
● Civil law comprises a wide variety of laws that govern a nation or state.
● Criminal law addresses activities and conduct harmful to society, and is actively enforced by the state.
● Private law encompasses family law, commercial law, and labor law, and regulates the relationship
between individuals and organizations.
● Public law regulates the structure and administration of government agencies and their relationships
with citizens, employees, and other governments.

Relevant US Law
● Historically, the United States has been a leader in the development and implementation of
information security legislation to prevent misuse and exploitation of information and information
technology.

General Computer Crime Laws


● The Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of many computer-related
federal laws and enforcement efforts. The severity of the penalty depends on the value of the
information obtained and whether the offense is judged to have been committed:
1. For purposes of commercial advantage
2. For private financial gain
3. In furtherance of a criminal act

Privacy
● Many organizations are collecting, swapping, and selling personal information as a commodity, and
many people are looking to governments for protection of their privacy.

Privacy of Customer Information
● The Privacy of Customer Information Section of the common carrier regulation states that any
proprietary information shall be used explicitly for providing services.

Identity Theft
● The Federal Trade Commission (FTC) describes identity theft as “occurring when someone uses your
personally identifying information, like your name, without permission.”

International Laws and Legal Bodies


● It is important for IT professionals and information security practitioners to realize that when their
organizations do business on the Internet, they do business globally.
● As a result, these professionals must be sensitive to the laws and ethical values of many different
cultures, societies, and countries.

Council of Europe Convention on Cybercrime


● It created an international task force to oversee a range of security functions associated with Internet
activities for standardized technology laws across international borders.

Agreement on Trade-Related Aspects of Intellectual Property Rights


● The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) was created by the
World Trade Organization (WTO).

Digital Millennium Copyright Act (DMCA)


● The Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort by
the World Intellectual Properties Organization (WIPO).

Ethics and Information Security


● Many Professional groups have explicit rules governing ethical behavior in the workplace.
● For example, doctors and lawyers who commit egregious violations of their professions’ canons of
conduct can be removed from practice.
● The information technology field in general, and the information security field in particular, do not
have a binding code of ethics.

Ethical Differences Across Cultures


● Cultural differences can make it difficult to determine what is and is not ethical—especially when it
comes to the use of computers.

Software License Infringement


● The topic of software license infringement, or piracy, is routinely covered by the popular press.
● Among study participants, attitudes toward piracy were generally similar; however, participants from
the United States and the Netherlands showed statistically significant differences in attitudes from the
overall group.

Illicit Use
● The study respondents unilaterally condemned viruses, hacking, and other forms of system abuse.

Misuse of Corporate Resources


● The scenarios used to examine the levels of tolerance for misuse of corporate resources each
presented a different degree of noncompany use of corporate assets without specifying the company’s
policy on personal use of company resources.

Deterring Unethical and Illegal Behavior


There are three general causes of unethical and illegal behavior:
● Ignorance: Ignorance of the law is no excuse.
● Accident: Careful planning and control help prevent accidental modification to systems and data.
● Intent: Criminal or unethical intent goes to the state of mind of the person performing the act.

● Many security professionals understand the technology aspect of protection but underestimate the
value of policy. However, laws and policies and their associated penalties only deter if three conditions
are present:

● Fear of penalty - Potential offenders must fear the penalty. Threats of informal reprimand may not
have the same impact as the threat of imprisonment or forfeiture of pay.
● Probability of being caught - Potential offenders must believe there is a strong possibility of being
caught. Penalties will not deter illegal or unethical behavior unless there is reasonable fear of being
caught.
● Probability of penalty being administered - Potential offenders must believe that the penalty will in
fact be administered.

Code of Ethics and Professional Organization


● A number of professional organizations have established codes of conduct or codes of ethics that
members are expected to follow. Codes of ethics can have a positive effect on people’s judgment
regarding computer use.

Major IT Professional Organizations
● The International Information Systems Security Certification Consortium, Inc. ((ISC)²) (www.isc2.org) is
a nonprofit organization that focuses on the development and implementation of information security
certifications and credentials.
● The System Administration, Networking, and Security Institute (SANS) (www.sans.org), which was
founded in 1989, is a professional research and education cooperative organization with a current
membership of more than 156,000 security professionals, auditors, system administrators, and network
administrators.
● The Information Systems Security Association (ISSA) (www.issa.org) is a nonprofit society of
information security professionals.
