Information Assurance and Security

Uploaded by Sean Due

How does information differ from data?
- Information is data endowed with relevance and purpose.
What characteristics should information possess to be useful?
- Accurate, timely, complete, verifiable, consistent, available.
What about “assurance”? What does that mean?
- Actions taken that protect and defend information and information systems by
ensuring their availability, integrity, authentication, confidentiality and non-repudiation.
What is Information Assurance?
- It is the study of how to protect your information assets from destruction, degradation,
manipulation and exploitation, but also how to recover should any of those happen.
Notice that it is both proactive and reactive.

ISO STANDARD
According to ISO/IEC Standard 9126-1 (Software Engineering—Product Quality), the following are
all aspects of system quality:
● functionality
○ adequacy
○ interoperability
○ correctness
○ security
● reliability
● usability
● efficiency
● maintainability
● portability

CONCEPTUAL RESOURCES (RAGGAD)

Noise: raw facts with an unknown coding system.
Data: raw facts with a known coding system.
Information: processed data.
Knowledge: accepted facts, principles, or rules of thumb that are useful for specific
domains. Knowledge can be the result of inferences and implications produced from simple
information facts.

Information needing protection according to DOD

Availability: timely, reliable access to data and information services for authorized users.
Integrity: protection against unauthorized modification or destruction of information.
Confidentiality: assurance that information is not disclosed to unauthorized persons.
Authentication: security measures to establish the validity of a transmission, message, or
originator.
Non-repudiation: assurance that the sender is provided with proof of data delivery and the
recipient is provided with proof of the sender’s identity, so that neither can later deny having
processed the data.
Four Major Categories of IA (According to Debra Herrmann)
IA should be viewed as spanning four security engineering domains:
● physical security
● personnel security
● IT security
● operational security

Examples:
Into which of these would you put the following?
● enforcing hard-to-guess passwords -
● encrypting your hard drive -
● locking sensitive documents in a safe -
● stationing a marine guard outside an embassy -
● assigning security clearances to staffers -
● using SSL for data transfers -
● having off-site backup of documents -

Physical Security - refers to the protection of hardware, software, and data against physical
threats.
Personnel Security - concerns threats that arise as the result of action or inaction by insiders
and known outsiders.
IT Security - the inherent technical features and functions that collectively contribute to an
IT infrastructure.
Operational Security - involves the implementation of standard operational security
procedures that define the nature and frequency of the interaction between users, systems,
and system resources, the purpose of which is to
1. achieve and sustain a known secure system state at all times, and
2. prevent accidental or intentional theft, release, destruction, alteration, misuse, or
sabotage of system resources.

Taxonomy of Information Security (According to Raggad)


According to Raggad’s taxonomy of information security, a computing environment is
made up of five continuously interacting components:
● Activities
● People
● Data
● Technology
● Networks

3 IA Levels (According to Blyth and Kovacich)

According to Blyth and Kovacich, IA can be thought of as protecting information at
three distinct levels:
physical: data and data processing activities in physical space;
information infrastructure: information and data manipulation abilities in cyberspace;
perceptual: knowledge and understanding in human decision space.

Physical level
- lowest level focus of IA
- computers, physical networks, etc.

Desired Effects: to affect the technical performance and the capability of physical systems,
to disrupt the capabilities of the defender.
Attacker’s Operations: physical attack and destruction, including: electromagnetic attack,
visual spying, intrusion, scavenging and removal, wiretapping, interference, and
eavesdropping.
Defender’s Operations: physical security, OPSEC, TEMPEST.

Information infrastructure level

- second level focus of IA
- covers information and data manipulation ability maintained in cyberspace, including:
data structures, processes and programs, protocols, data content and databases.

Desired Effects: to influence the effectiveness and performance of information functions
supporting perception, decision making, and control of physical processes.
Attacker’s Operations: impersonation, piggybacking, spoofing, network attacks, malware,
authorization attacks, active misuse, and denial of service attacks.
Defender’s Operations: information security technical measures such as: encryption and
key management, intrusion detection, anti-virus software, auditing, redundancy, firewalls,
policies and standards.

Perceptual level
- third level focus of IA
- also called social engineering
- concerned with the management of perceptions of the target, particularly those
persons making security decisions.

Desired Effects: to influence decisions and behaviors.
Attacker’s Operations: psychological operations such as: deception, blackmail, bribery and
corruption, social engineering, trademark and copyright infringement, defamation, diplomacy,
creating distrust.
Defender’s Operations: personnel security including psychological testing, education, and
screening such as biometrics, watermarks, keys, passwords.

Thus, IA includes aspects of:

● COMPSEC: computer security;
● COMSEC: communications and network security;
● ITSEC: IT security (which includes both COMPSEC and COMSEC);
● OPSEC: operations security.

Threat
A threat is a category of entities, or a circumstance, that poses a potential danger to
an asset.
Types of Information Warfare
● Type I involves managing an opponent’s perception through deception and
psychological operations. In military circles, this is called Truth Projection.
● Type II involves denying, destroying, degrading, or distorting the opponent’s
information flows to disrupt their ability to carry out or co-ordinate operations.
● Type III gathers intelligence by exploiting the opponent’s use of information systems.

6 Types of Offensive Players in Information Warfare

● Insiders: consist of employees, former employees and contractors.
● Hackers: one who gains unauthorized access to or breaks into information
systems for thrills, challenge, power, or profit.
● Criminals: target information that may be of value to them: bank accounts,
credit card information, intellectual property, etc.
● Corporations: actively seek intelligence about competitors or steal trade
secrets.
● Governments and agencies: seek the military, diplomatic, and economic
secrets of foreign governments, foreign corporations, and adversaries. May
also target domestic adversaries.
● Terrorists: usually politically motivated and may seek to cause maximal
damage to information infrastructure as well as endanger lives and property.

Asset
- is the resource being protected

physical assets: devices, computers, people;
logical assets: information, data (in transmission, storage, or processing), and intellectual
property;
system assets: any software, hardware, data, administrative, physical, communications, or
personnel resource within an information system.

Assets have value, so they are worth protecting.

Examples of Threats
Interruption: an asset becomes unusable, unavailable, or lost.
Interception: an unauthorized party gains access to an information asset.
Modification: an unauthorized party tampers with an asset.
Fabrication: an asset has been counterfeited.

Examples:
Interruption: a denial of service attack on a website
Interception: compromise of confidential data, e.g., by packet sniffing
Modification: hacking to deface a website
Fabrication: spoofing attacks in a network
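The four threat classes listed here and the DoD protection properties given earlier (availability, integrity, confidentiality, authentication, non-repudiation) can be tied together in code. The following is an added example and is not part of these notes: it protects a constructed message with an HMAC-SHA256 tag, simulates each threat class acting on the channel, and reports which property each one violates and whether the receiver's tag check catches it. The key, the message and all function names are constructed for the illustration.

```python
import hmac
import hashlib

# Added, constructed example (not from the notes): a sender and receiver share
# a secret key and protect each message with an HMAC-SHA256 tag. The four
# threat classes (interruption, interception, modification, fabrication) are
# simulated on the channel, and for each we record which DoD property it
# violates and whether the receiver's tag check catches it.

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed value
ORIGINAL = b"PAY 10 to Alice"                           # constructed message

# Which DoD property each threat class attacks (from the notes' definitions).
VIOLATES = {
    "interruption": "availability",
    "interception": "confidentiality",
    "modification": "integrity",
    "fabrication": "authentication",
}


def tag_for(key: bytes, message: bytes) -> str:
    """Compute the HMAC-SHA256 tag of a message under a key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_for(key, message), tag)


def apply_threat(threat: str, message: bytes, tag: str):
    """Return what the receiver gets after the given threat class acts on the channel."""
    if threat == "interruption":
        # Denial of service: nothing reaches the receiver.
        return None
    if threat == "interception":
        # Sniffing: the attacker reads a copy; what arrives is unchanged.
        return message, tag
    if threat == "modification":
        # Tampering in transit (e.g. defacement); the tag is left as it was.
        return message.replace(b"PAY 10", b"PAY 99"), tag
    if threat == "fabrication":
        # Spoofing: the attacker forges a message and, lacking the key, a tag.
        forged = b"PAY 99 to Mallory"
        return forged, tag_for(b"attacker-guessed-key", forged)
    raise ValueError(f"unknown threat class: {threat}")


def simulate(threat: str, key: bytes = SHARED_KEY, message: bytes = ORIGINAL) -> dict:
    """Run one threat class end to end and report the receiver's view."""
    delivered = apply_threat(threat, message, tag_for(key, message))
    if delivered is None:
        tag_check = "n/a"          # no message arrived, so there is no tag to check
    elif verify(key, delivered[0], delivered[1]):
        tag_check = "pass"
    else:
        tag_check = "fail"
    return {
        "threat": threat,
        "violates": VIOLATES[threat],
        "tag_check": tag_check,
        # Only a failed check is evidence of an attack: a passing check says
        # nothing about interception, and a missing message needs a timeout.
        "caught_by_tag": tag_check == "fail",
    }


def receiver_can_forge(key: bytes = SHARED_KEY) -> bool:
    """Why an HMAC gives integrity and authentication but not non-repudiation:
    the receiver holds the same key, so it can mint a valid tag on any message."""
    minted = b"PAY 99 to Alice"
    return verify(key, minted, tag_for(key, minted))


if __name__ == "__main__":
    for t in VIOLATES:
        print(simulate(t))
    print("receiver can forge a valid tag:", receiver_can_forge())
```

Only modification and fabrication are caught by the tag check. Interception leaves the tag valid, so confidentiality needs encryption rather than an integrity tag, and interruption leaves nothing to check, so availability needs redundancy and timeouts. `receiver_can_forge` shows why a shared-key tag gives integrity and authentication but not non-repudiation: either key holder can produce a valid tag, so the tag cannot prove which of them did; non-repudiation needs a digital signature under a key only the sender holds.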
