
Information Assurance & Security

NOISE: raw facts with an unknown coding system
DATA: raw facts with a known coding system
INFORMATION: processed data
KNOWLEDGE: accepted facts, principles, or rules of thumb that are useful for specific domains.

InfoSec

1. IT security is sometimes referred to as information security applied to technology
2. IT security specialists are responsible for keeping all of the technology within the company

Principle in promoting belief in the power of hope and collective resilience
CPA
Cognitive Competence
Positive Self-image
Active, constructive Coping Style

INFORMATION ASSURANCE
“…the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.”
-US Digital Forensic and Cyber Security Center (DFCSC)

Why is information assurance needed?


“IA increases the utility of information to authorized
users and reduces the utility of information to those
unauthorized.”

IA PROCESS

• Enumeration and classification of the information assets to be protected.
• Conduct of risk assessment for those information assets (to be done by IA practitioners).
• Enumerate possible threats capable of assets exploitation by determining vulnerabilities in the information assets.
• Consider the probability of a threat exploiting vulnerability in an asset
• Determine the effect and impact of a threat-exploiting vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders.
• Summarizing the products of the threats' impact and the probability of their occurrence in the information asset.

INFORMATION ASSURANCE

• enforcing hard-to-guess passwords
• encrypting your hard drive
• locking sensitive documents in a safe
• stationing a marine guard outside an embassy
• assigning security clearances to staffers
• using SSL for data transfers
• having off-site backup of documents

IA DEFINED

Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation, manipulation and exploitation. But also, how to recover should any of those happen.

How about information security?
“the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.”

Four Security Engineering Domains

1. Physical security
• refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets.

2. Personnel security
• a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners.

3. IT security
• the inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability.

4. Operational security
• involves the implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources, the purpose of which is to:
✓ achieve and sustain a known secure system state at all times
✓ prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system resources.

Security Breach

• happens when an attacker or intruder gains access without the permission of the asset’s owner or keeper.

Security Breaches

1. Denial of service
2. Distributed denial of service
3. Unacceptable web browsing
4. Wiretapping
5. Backdoors
6. Data modification

Information Assurance

1. Business enabler
2. Cost effective and cost beneficial
3. Protects the fabric of an organization’s systems
4. Shared responsibilities
5. Restricted by social obligations
6.

• Assets
  • refers to any pieces of information, device or some other parts related to them that supports business activities.
• Data Breach
  • information is accessed without the consent of the authorized.

Three key attributes of information systems:

1. Processing capacity – speed
2. Convenience – user friendliness
3. Secure – reliable operations

3 views of Security

1. Defense – protects assets first
2. Deterrence – reduce the frequency of security compromises
3. Detection – sound the alarm

Information Assurance protects the following:

1. Customer Data
2. IT and Network Infrastructure
3. Intellectual Property
4. Finances and Financial Data
5. Service Availability and Productivity
6. Reputation

Tools used by attackers:

1. Protocol analyzers
2. Port scanner
3. Finger scanning
4. Vulnerability scanning tools
5. Exploit software
6. Wardialers
7. Password cracker
8. Keystroke loggers

3 Views of Security

1. Defensive controls – firewalls, access lists in routers, spam filters, virus filters, etc.
2. Deterrent controls – email messages to employees, posting of internet sites visited, display of IP addresses to external visitors, etc.
3. Detective controls – audit trails, log files, intrusion detection systems, summary reports, etc.
Common Body of Knowledge

1. Access control systems and methodology
2. Applications and systems development security
3. Business continuity planning and disaster recovery planning
4. Cryptography
5. Information security and risk management
6. Legal, regulations, compliance, and investigations
7. Operations security
8. Physical security
9. Security architecture and models
10. Telecommunications and network security

Common Body of Knowledge
Legal, regulations, compliance, and investigations

Legal evidence can be classified into the following types:

• Best evidence - original or primary evidence rather than a copy.
• Secondary evidence - copy of the evidence.
• Direct evidence - information gathered through the witness.
• Conclusive evidence - incontrovertible evidence.
• Expert opinion.
• Circumstantial evidence - inference of information from other facts.
• Hearsay evidence - computer-generated records.

Common Body of Knowledge
Legal, regulations, compliance, and investigations

Incident planning addresses the handling of malicious attacks through technical means and should address the following questions:

• What is the incident?
• How should it be reported?
• To whom should it be reported?
• When should management be informed of the incident?
• What action to take if an incident is detected?
• Who handles the response to an incident?
• How much damage was caused by the incident?
• What information was damaged or compromised by the incident?
• How are follow-up and review after the incident handled?
• What additional safeguards can be instituted as a result?

What are the Threats to your computer?

• Worms
• Trojan Horses
• Spyware
• DoS attacks
• Social Engineering
• Program flaws
• Poor passwords
• Poor security practices

As a user, what should you do?

• Use anti-virus software
• Be careful when downloading programs
• Use anti-spyware tools
• Be suspicious when sharing sensitive info
• Update programs
• Use strong passwords and do not share
• Disconnect system, remove unnecessary programs or enable/install firewall

Recommendations:

• “one has to understand what (assets) needs to be protected, where these assets are located and their value to the organization;
• who/what has to be protected against, namely who has to be defended against;
• what level(s) of protection make(s) economic sense or are required by legislation or regulation;
• within the deployment environment, what security issues exist; and
• what constitutes acceptable risks (e.g., how much damage or loss can be considered an acceptable cost of doing business).”

Recommendations:

• Assets
• Risks
• Protections
• Tools/mechanisms
• Priorities

Lecture 5
TOPIC: CONTROL IN THE SECURITY AND ASSURANCE OF INFORMATION

- Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.
2 types of Access Control

Physical
- Physical access control limits access to campuses, buildings, rooms and physical IT assets.
Logical
- Logical access control limits connections to computer networks, system files and data.

What is Access Control?

Access control is the process through which systems decide when and how a person can be allowed into an organization's protected area. Access control is accomplished by a blend of laws, services, and technologies. Access controls can be mandatory, nondiscretionary, or discretionary.

Four Parts/Mechanism of Access Control

Identification
Identification is a process through which an unverified entity – called a supplicant – who wants access to a resource presents a label by which the system recognizes them. Each supplicant has a unique label called ID, which is used to track a single entity within the security domain.

Authentication
Authentication is the mechanism by which a supposed identity of a supplicant is confirmed.

Authorization
- Authorization is the matching of an authenticated person to a list of information assets and the corresponding levels of access. Authorization can be granted for each authenticated person, wherein the system performs an authentication procedure to confirm each individual and then allows access to services for that entity only.

Accountability
Accountability means that all activities on a system, whether authorized or unauthorized, can be traced to an authenticated identity. Accountability is most commonly achieved through system logs and database journals, and the auditing of these records. System logs record relevant information, such as failed attempts to log in, and system changes.

Something a supplicant knows
This authentication factor is dependent on what the supplicant knows and can recall – for example, a password, passphrase, or other special authentication code, such as a PIN.

Something a supplicant has
This element of authentication is based on something which a supplicant has and can produce when appropriate. For example, cards such as ID cards or ATM cards with magnetic strips contain the digital (and sometimes encrypted) user PIN, which is compared with the number the user inputs. The smart card incorporates a computer chip capable of checking and validating a variety of pieces of information rather than just a PIN. Another popular tool is the token, a card or key fob with a computer chip and a liquid crystal display showing a computer-generated number used to enable authentication of remote logins. Tokens are synchronous or asynchronous.

Something a supplicant is or can produce
This authentication factor depends on individual features such as fingerprints, palm prints, hand topography, hand anatomy, or retina and iris scans, or something that a supplicant may generate on demand, such as speech patterns, signatures, or kinetic measurements on the keyboard. These are collectively known as biometrics.

Logical Access Controls
Logical access controls are methods and procedures used in computer information systems for identification, authentication, authorization and accountability. Logical access is often necessary for remote hardware access, and is often contrasted with the term "physical access".

Biometric Access Controls
Biometric access control is based on the use of some observable human characteristic or attribute to verify the identity of a potential user (a supplicant) of the systems. Fingerprint comparison, palm print comparison, hand geometry, facial recognition and retinal print comparison are useful biometric authentication tools.

Minutiae
are unique points of reference in one’s biometric that are stored as an image to be verified upon a requested access. Each single attempt at access results in a calculation that is compared to the encoded value to decide if the user is who he or she claims to be. A concern with this approach is that it changes as our body develops over time.

For authentication during a transaction, retail stores use signature capture. The customer signs a digital pad with a special pen that records the signature. The signature is stored for future reference, or compared for validation to a signature in a database.

Voice recognition operates in a similar manner by recording the user's initial voiceprint reciting a word. Later, the authentication mechanism asks the user to utter the same phrase when the user tries to access the device so that the algorithm can match the actual voiceprint to the stored value.
Effectiveness of Biometrics

Biometrics are assessed using parameters such as; the false rejection rate, which is the rate of supplicants who are in fact approved users but who are denied access;

Access control is considered the most important aspect of information security and is an important pillar of information security. Access control can be implemented in various ways depending on the environment.

Access control has two components – authentication and authorization.

Authentication is verifying the identity of a user or a host that is accessing the system or network resource. The goal of authentication is also determining from where and how the resource is being accessed – whether the system is being accessed from a private computer or public computer (internet café) or if it is being accessed during normal working hours or after working hours.

Authorization is permitting or restricting access to the information based on the type of users and their roles – employee, contractor, administrator, or manager.

Examples of access control:

• Entering into a server room or data center using physical key or fingerprint authentication or by keying in the access code
• User prompted to provide username and password when accessing computing resources
• Remote user prompted to provide user name and password when accessing network from outside of the organization
• User denied access while accessing confidential documents related to the company or a client
• User denied access while accessing personnel related details

An access control is a security feature that controls access to systems and resources in the network. The goal of an access control is to protect information from being lost, stolen, deleted, or modified either intentionally or accidentally by those who are not authorized to access it.

There are three methods of access:

• Network Access – Users on a network can access all the resources on the network. Hence, network access also needs to be restricted, protected, and monitored. For example, users who can access the HR and finance department LAN can be restricted.

• System Access – Users accessing the systems on the network. It can be one of the servers, printers, or any other shared device on the network. The access to these devices should be restricted, protected, and monitored continuously.

• Data Access – Users constantly accessing data on the network resource. Users accessing and modifying files, documents, and databases. Any data that is being accessed should be restricted, protected, and monitored.

Data integrity can be protected by granting access to the resources on a need-to-know and need-to-do basis. Various types of users need different levels of access.

Authentication and Authorization

Authentication is the first step in granting access to a user for the resources. It is the process of identifying a user and verifying whether he/she is authorized to enter into the organizational network and access the resources.

Authentication and authorization technologies involve:

• Proving who you are (identity card, smartcard)
• Verifying who you are (password, fingerprints, etc.)

Authentication and Access Control Layers

Access control provides limits on who can access which resources and what he or she can do with it. The user needs to be identified before he can be given access to the organizational information.

There are various authentication techniques that organizations can implement and are broadly classified under three layers – administrative, technical, and physical.

Administrative Access Controls (Layer)

These controls are administrative in nature and are required to prevent the risk of improper or inappropriate access control or detect such improper or inappropriate access controls.

Access Control Policy

Each organization has to clearly specify its philosophy of access control which becomes the basis for all access control activities. The policy provides absolute clarity as to the access control models the organization believes in, such as “discretionary,” “mandatory,” “non-discretionary,” or “hybrid”.
Personnel related – jobs, responsibilities, and authorities

Ideally, each job in the organization may require access to information for different purposes. Certain information must be only “read” by people so that they are aware of the information and/or for executing the information. Some others may require not only to “read” the information, but also to further “update” or “modify” it.

Segregation of duties

One of the important organizational requirements is to avoid fraud, such as that with financial connotation or frauds due to the violation of the organizational policies.

Supporting policies and procedure

The organization also needs to ensure complementary controls through other supporting policies like the following: a) Hiring Policies, b) Disciplinary Policies, c) Employee Termination Policy, and d) User registration for computer access. These policies provide clear direction to the organizational personnel.

Control Over Information Access to Trade Restricted Persons

If you consider U.S. export laws, a few of the employees or contractors of these organizations may be from trade restricted countries or working in trade restricted countries. Some of the high-end technology and related technical documentation/information may not be shared with such personnel unless a specific license to share such information is obtained from the competent authorities.

Technical (Logical) Controls

Technical controls are usually introduced through or on technological products, tools, or utilities. These again help the organization to either prevent or detect or contain inappropriate and improper access controls.

Passwords

Traditionally, passwords were the only form of access control. However, passwords were also easily prone to being guessed or cracked either because of the ignorance of the users or because of the inappropriate implementation of these on the networks or operating systems or on the applications.

Smartcards

Smartcards normally complement password controls. These provide an additional layer of security by adding another layer to gain access. These may be implemented through various technologies like HID, RFID, or Chip-based smart cards.

Encryption

Data encryption protects information from the loss of confidentiality and integrity because it requires a key to decipher the encrypted information and this key is available only with the intended recipient.

Network Access

A network has many components like routers, switches, and cables. Network components are required to be hardened. Default passwords on them have to be changed.

System Access

There are various levels of access possible to operating systems as well as to applications. These need to be set up appropriately on a need-to-know and a need-to-do basis.

Physical Access Controls

Physical access controls are again one of the important layers of either preventive or detective controls which supplement or complement other forms of control in mitigating the risk of inappropriate or improper access and modifications to the information.

Network Segregation

For ease of understanding, let us assume that you are an IT service provider organization and you work for two competing banks.

Perimeter Security

Clearly identifying the organizational boundaries and ensuring that the perimeter is secured, restricts improper and inappropriate access to the organizational resources.

Security Guards

Security guards are the traditional sources of preventive and detective physical controls. Even today, these security guards provide the assurance of physical access controls by ensuring that the entry and exit controls are appropriately provided for and monitored.

Badge Systems

Badges/identification cards are the traditional mechanisms used to control access and are still the popular means of providing access. Special/secure areas may require special types of badges or other complementary authentication mechanisms like smart cards, passwords, or biometric controls.

Biometric Access Controls

Biometric access controls use some physiological features/aspects of the human body to provide access to human beings. The features used to provide access differ from person to person such as finger print scans, iris scans, retina scans, palm scans, facial scans, and voice.

Access Control Strategies

Access control models are based on requirements, technology, and implementations. Different types of access control models exist. The most popular access control models are a Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC), and Attribute Based Access Control (ABAC).
Discretionary Access Control (DAC)
In this model, the access control is based on the
owner’s discretion. The owner of the resource can
decide to whom he/she should grant permission to
access, and exactly what they are allowed to
access. This is the most common model used in
most of the file sharing utilities both in the Microsoft
operating system and in UNIX.
Mandatory Access Control (MAC)
In the Mandatory Access Control (MAC) model,
shown in figure below, usually a group or a set of
people are provided access based on the clearance
given to a specific level of access depending on the
classification of information/data.

Role-Based Access Control (RBAC)


As the name suggests, access control is granted
based on the roles and responsibilities of an
individual working in the organization, that is, on a
“need-to-do” or a “need-to-use” basis as shown in
figure below.
Attribute Based Access Control
Access can be granted using attributes – subject
attributes like identity, roles; object attributes like
device name, file, record, table, applications,
programs, and network; environment conditions like
location, time, and the like as shown in figure
below.
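
The four models above can give different answers to the same request. The following Python sketch is an added example, not part of the original lecture notes: it evaluates one request under DAC, MAC, RBAC and ABAC. All names, roles, labels and the working-hours rule are hypothetical, and MAC is reduced to a simple clearance-versus-classification comparison.

```python
from dataclasses import dataclass, field
from datetime import time

# Ordered classification labels (hypothetical scheme for this example).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass
class Subject:
    name: str
    roles: frozenset
    clearance: str

@dataclass
class Resource:
    kind: str                                # object attribute, e.g. "personnel_record"
    owner: str
    classification: str
    acl: dict = field(default_factory=dict)  # DAC grants chosen by the owner

@dataclass
class Env:
    location: str                            # "office" or "public" (e.g. internet cafe)
    now: time

# RBAC: permissions are attached to roles, not to individual users.
ROLE_PERMS = {
    "employee": {("personnel_record", "read")},
    "manager": {("personnel_record", "read"), ("personnel_record", "update")},
}

def dac(s, r, action, env=None):
    """Owner's discretion: the owner, or anyone the owner put in the ACL."""
    return s.name == r.owner or action in r.acl.get(s.name, set())

def mac(s, r, action, env=None):
    """Clearance must reach the classification; the owner cannot override it."""
    return LEVELS[s.clearance] >= LEVELS[r.classification]

def rbac(s, r, action, env=None):
    """Allowed if any role the subject holds carries the permission."""
    return any((r.kind, action) in ROLE_PERMS.get(role, set()) for role in s.roles)

def abac(s, r, action, env):
    """Subject, object and environment attributes are evaluated together."""
    if r.classification == "public":
        return action == "read"
    in_hours = time(8, 0) <= env.now <= time(18, 0)
    if env.location != "office" or not in_hours:
        return False  # classified data: office network and working hours only
    return rbac(s, r, action) and mac(s, r, action)

MODELS = {"DAC": dac, "MAC": mac, "RBAC": rbac, "ABAC": abac}

def decide_all(s, r, action, env):
    """Return each model's verdict for the same request."""
    return {name: check(s, r, action, env) for name, check in MODELS.items()}

# Constructed sample data.
alice = Subject("alice", frozenset({"manager"}), "secret")
bob = Subject("bob", frozenset({"employee"}), "public")
record = Resource("personnel_record", owner="alice", classification="confidential",
                  acl={"bob": {"read", "update"}})
OFFICE = Env("office", time(10, 30))
CAFE = Env("public", time(22, 0))

if __name__ == "__main__":
    for who, act, env in [(bob, "update", OFFICE), (alice, "update", OFFICE),
                          (alice, "read", CAFE)]:
        print(who.name, act, env.location, decide_all(who, record, act, env))
```

In the first request only DAC allows the update, because the owner's ACL grant is the sole basis for the decision; in the last, only ABAC denies, because it is the only model that looks at location and time.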
